v13.18.0

changelog.md

@@ -1,5 +1,54 @@
 # Changelog
 
+## 2026-04-14 - 13.18.0 - feat(email)
+add persistent smartmta storage and runtime-managed email domain syncing
+
+- replace the email storage shim with a filesystem-backed SmartMtaStorageManager for DKIM and queue persistence
+- sync managed email domains from the database into runtime email config and update the active email server on create, update, delete, and restart
+- switch email queue, metrics, ops, and DNS integrations to smartmta public APIs including persisted queue stats and DKIM record generation
+
+## 2026-04-14 - 13.17.9 - fix(monitoring)
+align domain activity metrics with id-keyed route data
+
+- Use route id as a fallback canonical key when matching route metrics to configured domains in MetricsManager.
+- Add a regression test covering domain activity aggregation for routes identified only by id.
+- Update the network activity UI to show formatted total connection counts in the active connections card.
+- Bump @push.rocks/smartproxy from ^27.7.3 to ^27.7.4.
+
+## 2026-04-14 - 13.17.8 - fix(opsserver)
+align certificate status handling with the updated smartproxy response format
+
+- update opsserver certificate lookup to read expiresAt, source, and isValid from smartproxy responses
+- bump @push.rocks/smartproxy to ^27.7.3
+- enable verbose output for the test script
+
+## 2026-04-14 - 13.17.7 - fix(repo)
+no changes to commit
+
+
+## 2026-04-14 - 13.17.6 - fix(dns,routes)
+keep DoH socket-handler routes runtime-only and prune stale persisted entries
+
+- stops persisting generated DNS-over-HTTPS routes that depend on live socket handlers
+- removes stale persisted runtime-only DoH routes from RouteDoc during startup
+- applies runtime DNS routes alongside DB-backed routes through RouteConfigManager
+- updates DnsManager warning to clarify that dnsNsDomains is still required for nameserver and DoH bootstrap
+- adds tests covering runtime DoH route application, stale route pruning, and updated DNS warning behavior
+
+## 2026-04-13 - 13.17.5 - fix(vpn,target-profiles)
+normalize target profile route references and stabilize VPN host-IP client routing behavior
+
+- Normalize legacy target profile route name references to route IDs, reject ambiguous names, and display labeled route references in the UI.
+- Skip wildcard VPN domains when generating WireGuard AllowedIPs and log a deduplicated warning instead of attempting DNS resolution.
+- Normalize persisted VPN client host-IP settings, include routing fields in runtime updates, and restart in hybrid mode when a host-IP client requires it.
+- Add a repair migration for previously missed TargetProfile target host-to-ip document updates.
+
+## 2026-04-13 - 13.17.3 - fix(ops-view-routes)
+sync route filter toggle selection via component changeSubject
+
+- Replaces the inline change handler on the route filter toggle with a subscription to the component's changeSubject in firstUpdated.
+- Ensures switching between user and system routes updates the view reliably and is cleaned up through existing rxSubscriptions management.
+
 ## 2026-04-13 - 13.17.2 - fix(monitoring)
 exclude unconfigured routes from domain activity aggregation
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@serve.zone/dcrouter",
   "private": false,
-  "version": "13.17.2",
+  "version": "13.18.0",
   "description": "A multifaceted routing service handling mail and SMS delivery functions.",
   "type": "module",
   "exports": {
@@ -12,7 +12,7 @@
   "author": "Task Venture Capital GmbH",
   "license": "MIT",
   "scripts": {
-    "test": "(tstest test/ --logfile --timeout 60)",
+    "test": "(tstest test/ --verbose --logfile --timeout 60)",
     "start": "(node ./cli.js)",
     "startTs": "(node cli.ts.js)",
     "build": "(tsbuild tsfolders --allowimplicitany && npm run bundle)",
@@ -27,7 +27,8 @@
     "@git.zone/tsrun": "^2.0.2",
     "@git.zone/tstest": "^3.6.3",
     "@git.zone/tswatch": "^3.3.2",
-    "@types/node": "^25.6.0"
+    "@types/node": "^25.6.0",
+    "typescript": "^6.0.2"
   },
   "dependencies": {
     "@api.global/typedrequest": "^3.3.0",
@@ -50,11 +51,11 @@
     "@push.rocks/smartlog": "^3.2.2",
     "@push.rocks/smartmetrics": "^3.0.3",
     "@push.rocks/smartmigration": "1.2.0",
-    "@push.rocks/smartmta": "^5.3.1",
-    "@push.rocks/smartnetwork": "^4.5.2",
+    "@push.rocks/smartmta": "^5.3.3",
+    "@push.rocks/smartnetwork": "^4.6.0",
     "@push.rocks/smartpath": "^6.0.0",
     "@push.rocks/smartpromise": "^4.2.3",
-    "@push.rocks/smartproxy": "^27.6.0",
+    "@push.rocks/smartproxy": "^27.7.4",
     "@push.rocks/smartradius": "^1.1.1",
     "@push.rocks/smartrequest": "^5.0.1",
     "@push.rocks/smartrx": "^3.0.10",
@@ -62,12 +63,12 @@
     "@push.rocks/smartunique": "^3.0.9",
     "@push.rocks/smartvpn": "1.19.2",
     "@push.rocks/taskbuffer": "^8.0.2",
-    "@serve.zone/catalog": "^2.12.3",
+    "@serve.zone/catalog": "^2.12.4",
     "@serve.zone/interfaces": "^5.3.0",
     "@serve.zone/remoteingress": "^4.15.3",
     "@tsclass/tsclass": "^9.5.0",
     "@types/qrcode": "^1.5.6",
-    "lru-cache": "^11.3.3",
+    "lru-cache": "^11.3.5",
     "qrcode": "^1.5.4",
     "uuid": "^13.0.0"
   },

pnpm-lock.yaml

@@ -69,11 +69,11 @@ importers:
         specifier: 1.2.0
         version: 1.2.0(@push.rocks/smartbucket@4.6.0)(@push.rocks/smartdata@7.1.7(socks@2.8.7))
       '@push.rocks/smartmta':
-        specifier: ^5.3.1
-        version: 5.3.1
+        specifier: ^5.3.3
+        version: 5.3.3
       '@push.rocks/smartnetwork':
-        specifier: ^4.5.2
-        version: 4.5.2
+        specifier: ^4.6.0
+        version: 4.6.0
       '@push.rocks/smartpath':
         specifier: ^6.0.0
         version: 6.0.0
@@ -81,8 +81,8 @@ importers:
         specifier: ^4.2.3
         version: 4.2.3
       '@push.rocks/smartproxy':
-        specifier: ^27.6.0
-        version: 27.6.0
+        specifier: ^27.7.4
+        version: 27.7.4
       '@push.rocks/smartradius':
         specifier: ^1.1.1
         version: 1.1.1
@@ -105,8 +105,8 @@ importers:
         specifier: ^8.0.2
         version: 8.0.2
       '@serve.zone/catalog':
-        specifier: ^2.12.3
-        version: 2.12.3(@tiptap/pm@2.27.2)
+        specifier: ^2.12.4
+        version: 2.12.4(@tiptap/pm@2.27.2)
       '@serve.zone/interfaces':
         specifier: ^5.3.0
         version: 5.3.0
@@ -120,8 +120,8 @@ importers:
         specifier: ^1.5.6
         version: 1.5.6
       lru-cache:
-        specifier: ^11.3.3
-        version: 11.3.3
+        specifier: ^11.3.5
+        version: 11.3.5
       qrcode:
         specifier: ^1.5.4
         version: 1.5.4
@@ -147,6 +147,9 @@ importers:
       '@types/node':
         specifier: ^25.6.0
         version: 25.6.0
+      typescript:
+        specifier: ^6.0.2
+        version: 6.0.2
 
 packages:
 
@@ -365,9 +368,6 @@ packages:
   '@design.estate/dees-element@2.2.4':
     resolution: {integrity: sha512-O9cA6flBMMd+pBwMQrZXwAWel9yVxgokolb+Em6gvkXxPJ0P/B5UDn4Vc2d4ts3ta55PTBm+l2dPeDVGx/bl7Q==}
 
-  '@design.estate/dees-wcctools@3.8.0':
-    resolution: {integrity: sha512-CC14iVKUrguzD9jIrdPBd9fZ4egVJEZMxl5y8iy0l7WLumeoYvGsoXj5INVkRPLRVLqziIdi4Je1hXqHt2NU+g==}
-
   '@design.estate/dees-wcctools@3.9.0':
     resolution: {integrity: sha512-0vZBaGBEGIbl8hx+8BezIIea3U5T7iSHHF9VqlJZGf+nOFIW4zBAxcCljH8YzZ1Yayp6BEjxp/pQXjHN2YB3Jg==}
 
@@ -1251,8 +1251,8 @@ packages:
   '@push.rocks/smartmongo@5.1.1':
     resolution: {integrity: sha512-OFzEjTlXQ0zN9KYewhJRJxxX8bdVO7sl5H4RRd0F0PyU4FEXesLF8Sm4rsCFtQW1ifGQEBOcoruRkoiWz918Ug==}
 
-  '@push.rocks/smartmta@5.3.1':
-    resolution: {integrity: sha512-cEuXO56i/zL9eZS79eAesEW16ikdBJKLlEv9pLKkt2cmaHBWADGHjeOzJmsszQ9CSFcuhd41aHYVGMZXVvsG2g==}
+  '@push.rocks/smartmta@5.3.3':
+    resolution: {integrity: sha512-QxNob2yosDOhHMMjfUiQHfx8z+/UQQUdZY4ECATg3/xAMwnychR41IEVp6h7Qz3RjoJqS3NjRBThm9/jT02Gxg==}
     engines: {node: '>=14.0.0'}
     cpu: [x64, arm64]
     os: [darwin, linux, win32]
@@ -1260,8 +1260,8 @@ packages:
   '@push.rocks/smartmustache@3.0.2':
     resolution: {integrity: sha512-G3LyRXoJhyM+iQhkvP/MR/2WYMvC9U7zc2J44JxUM5tPdkQ+o3++FbfRtnZj6rz5X/A7q03//vsxPitVQwoi2Q==}
 
-  '@push.rocks/smartnetwork@4.5.2':
-    resolution: {integrity: sha512-lbMMyc2f/WWd5+qzZyF1ynXndjCtasxPWmj/d8GUuis9rDrW7sLIT1PlAPC2F6Qsy4H/K32JrYU+01d/6sWObg==}
+  '@push.rocks/smartnetwork@4.6.0':
+    resolution: {integrity: sha512-ubaO/Qp8r30A+qwk33M/0+nQi+o8gNHEI9zq3jv1MwqiLxhiV1hnbr4CL9AUcvs4EhwUBiw0EswKjCJROwDqvQ==}
 
   '@push.rocks/smartnftables@1.1.0':
     resolution: {integrity: sha512-7JNzerlW20HEl2wKMBIHltwneCQRpXiD2lJkXZZc02ctnfjgFejXVDIeWomhPx6PZ0Z6zmqdF6rrFDtDHyqqfA==}
@@ -1287,8 +1287,8 @@ packages:
   '@push.rocks/smartpromise@4.2.3':
     resolution: {integrity: sha512-Ycg/TJR+tMt+S3wSFurOpEoW6nXv12QBtKXgBcjMZ4RsdO28geN46U09osPn9N9WuwQy1PkmTV5J/V4F9U8qEw==}
 
-  '@push.rocks/smartproxy@27.6.0':
-    resolution: {integrity: sha512-1mPzabUKhlC0EdeI7Hjee/aiptTsOLftbq8oWBTlIg9JhCQwkIs5UNGTJV/VvlEflJKnay8TbzLzlr95gUr/1w==}
+  '@push.rocks/smartproxy@27.7.4':
+    resolution: {integrity: sha512-WY9Jp6Jtqo5WbW29XpATuxzGyLs8LGkAlrycgMN/IdYfvgtEB2HWuztBZCDLFMuD3Qnv4vVdci9s0nF0ZPyJcQ==}
 
   '@push.rocks/smartpuppeteer@2.0.5':
     resolution: {integrity: sha512-yK/qSeWVHIGWRp3c8S5tfdGP6WCKllZC4DR8d8CQlEjszOSBmHtlTdyyqOMBZ/BA4kd+eU5f3A1r4K2tGYty1g==}
@@ -1591,8 +1591,8 @@ packages:
   '@selderee/plugin-htmlparser2@0.11.0':
     resolution: {integrity: sha512-P33hHGdldxGabLFjPPpaTxVolMrzrcegejx+0GxjrIb9Zv48D8yAIA/QTDR2dFl7Uz7urX8aX6+5bCZslr+gWQ==}
 
-  '@serve.zone/catalog@2.12.3':
-    resolution: {integrity: sha512-/QLFjFcy/ig6cdr4517smSc/VCutW/qF/8lCM3v7tpQ5yLApjqiL314Dyvk9zzSwHpw69IeuM9EmPOeTuCY0iQ==}
+  '@serve.zone/catalog@2.12.4':
+    resolution: {integrity: sha512-GRfJZ0yQxChUy7Gp4mxhuN5y4GXZMOEk0W7rJiyZbezA938q+pFTplb9ahSaEHjiUht1MmTu/5WtoJFwgAP8SQ==}
 
   '@serve.zone/interfaces@5.3.0':
     resolution: {integrity: sha512-venO7wtDR9ixzD9NhdERBGjNKbFA5LL0yHw4eqGh0UpmvtXVc3SFG0uuHDilOKMZqZ8bttV88qVsFy1aSTJrtA==}
@@ -3023,6 +3023,9 @@ packages:
   libmime@5.3.7:
     resolution: {integrity: sha512-FlDb3Wtha8P01kTL3P9M+ZDNDWPKPmKHWaU/cG/lg5pfuAwdflVpZE+wm9m7pKmC5ww6s+zTxBKS1p6yl3KpSw==}
 
+  libmime@5.3.8:
+    resolution: {integrity: sha512-ZrCY+Q66mPvasAfjsQ/IgahzoBvfE1VdtGRpo1hwRB1oK3wJKxhKA3GOcd2a6j7AH5eMFccxK9fBoCpRZTf8ng==}
+
   libqp@2.1.1:
     resolution: {integrity: sha512-0Wd+GPz1O134cP62YU2GTOPNA7Qgl09XwCqM5zpBv87ERCXdfDtyKXvV7c9U22yWJh44QZqBocFnXN11K96qow==}
 
@@ -3085,8 +3088,11 @@ packages:
     resolution: {integrity: sha512-ozCC6gdQ+glXOQsveKD0YsDy8DSQFjDTz4zyzEHNV5+JP5D62LmfDZ6o1cycFx9ouG940M5dE8C8CTewdj2YWQ==}
     engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
 
-  lru-cache@11.3.3:
-    resolution: {integrity: sha512-JvNw9Y81y33E+BEYPr0U7omo+U9AySnsMsEiXgwT6yqd31VQWTLNQqmT4ou5eqPFUrTfIDFta2wKhB1hyohtAQ==}
+  lru-cache@10.4.3:
+    resolution: {integrity: sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==}
+
+  lru-cache@11.3.5:
+    resolution: {integrity: sha512-NxVFwLAnrd9i7KUBxC4DrUhmgjzOs+1Qm50D3oF1/oL+r1NpZ4gA7xvG0/zJ8evR7zIKn4vLf7qTNduWFtCrRw==}
     engines: {node: 20 || >=22}
 
   lru-cache@7.18.3:
@@ -3096,8 +3102,8 @@ packages:
   lucide@1.8.0:
     resolution: {integrity: sha512-JjV/QnadgFLj1Pyu9IKl0lknrolFEzo04B64QcYLLeRzZl/iEHpdbSrRRKbyXcv45SZNv+WGjIUCT33e7xHO6Q==}
 
-  mailparser@3.9.6:
-    resolution: {integrity: sha512-EJYTDWMrOS1kddK1mTsRkrx2Ngh2nYsg54SRMWVVWGVEGbHH4tod8tqqU9hIRPgGQVboSjFubDn9cboSitbM3Q==}
+  mailparser@3.9.8:
+    resolution: {integrity: sha512-7jSlFGXiianVnhnb6wdutJFloD34488nrHY7r6FNqwXAhZ7YiJDYrKKTxZJ0oSrXcAPHm8YoYnh97xyGtrBQ3w==}
 
   make-dir@3.1.0:
     resolution: {integrity: sha512-g3FeP20LNwhALb/6Cz6Dd4F2ngze0jz7tbzrD2wAV+o9FeNHe4rL+yK2md0J/fiSf1sa1ADhXqi5+oVwOM/eGw==}
@@ -3434,8 +3440,8 @@ packages:
     resolution: {integrity: sha512-LarFH0+6VfriEhqMMcLX2F7SwSXeWwnEAJEsYm5QKWchiVYVvJyV9v7UDvUv+w5HO23ZpQTXDv/GxdDdMyOuoQ==}
     engines: {node: '>= 6.13.0'}
 
-  nodemailer@8.0.4:
-    resolution: {integrity: sha512-k+jf6N8PfQJ0Fe8ZhJlgqU5qJU44Lpvp2yvidH3vp1lPnVQMgi4yEEMPXg5eJS1gFIJTVq1NHBk7Ia9ARdSBdQ==}
+  nodemailer@8.0.5:
+    resolution: {integrity: sha512-0PF8Yb1yZuQfQbq+5/pZJrtF6WQcjTd5/S4JOHs9PGFxuTqoB/icwuB44pOdURHJbRKX1PPoJZtY7R4VUoCC8w==}
     engines: {node: '>=6.0.0'}
 
   normalize-newline@4.1.0:
@@ -4937,18 +4943,6 @@ snapshots:
       - supports-color
       - vue
 
-  '@design.estate/dees-wcctools@3.8.0':
-    dependencies:
-      '@design.estate/dees-domtools': 2.5.4
-      '@design.estate/dees-element': 2.2.4
-      '@push.rocks/smartdelay': 3.0.5
-      lit: 3.3.2
-    transitivePeerDependencies:
-      - '@nuxt/kit'
-      - react
-      - supports-color
-      - vue
-
   '@design.estate/dees-wcctools@3.9.0':
     dependencies:
       '@design.estate/dees-domtools': 2.5.4
@@ -5169,7 +5163,7 @@ snapshots:
       '@push.rocks/smartjson': 6.0.0
       '@push.rocks/smartlog': 3.2.2
       '@push.rocks/smartmongo': 5.1.1(socks@2.8.7)
-      '@push.rocks/smartnetwork': 4.5.2
+      '@push.rocks/smartnetwork': 4.6.0
       '@push.rocks/smartpath': 6.0.0
       '@push.rocks/smartpromise': 4.2.3
       '@push.rocks/smartrequest': 5.0.1
@@ -5972,7 +5966,7 @@ snapshots:
       '@push.rocks/smartdelay': 3.0.5
       '@push.rocks/smartdns': 7.9.0
       '@push.rocks/smartlog': 3.2.2
-      '@push.rocks/smartnetwork': 4.5.2
+      '@push.rocks/smartnetwork': 4.6.0
       '@push.rocks/smartstring': 4.1.0
       '@push.rocks/smarttime': 4.2.3
       '@push.rocks/smartunique': 3.0.9
@@ -6420,7 +6414,7 @@ snapshots:
       - supports-color
       - vue
 
-  '@push.rocks/smartmta@5.3.1':
+  '@push.rocks/smartmta@5.3.3':
     dependencies:
       '@push.rocks/smartfile': 13.1.2
       '@push.rocks/smartfs': 1.5.0
@@ -6429,8 +6423,8 @@ snapshots:
       '@push.rocks/smartpath': 6.0.0
       '@push.rocks/smartrust': 1.3.2
       '@tsclass/tsclass': 9.5.0
-      lru-cache: 11.3.3
-      mailparser: 3.9.6
+      lru-cache: 10.4.3
+      mailparser: 3.9.8
       uuid: 13.0.0
     transitivePeerDependencies:
       - supports-color
@@ -6439,7 +6433,7 @@ snapshots:
     dependencies:
       handlebars: 4.7.9
 
-  '@push.rocks/smartnetwork@4.5.2':
+  '@push.rocks/smartnetwork@4.6.0':
     dependencies:
       '@push.rocks/smartdns': 7.9.0
       '@push.rocks/smartrust': 1.3.2
@@ -6500,7 +6494,7 @@ snapshots:
       '@push.rocks/smartdelay': 3.0.5
       '@push.rocks/smartfs': 1.5.0
       '@push.rocks/smartjimp': 1.2.0
-      '@push.rocks/smartnetwork': 4.5.2
+      '@push.rocks/smartnetwork': 4.6.0
       '@push.rocks/smartpath': 6.0.0
       '@push.rocks/smartpromise': 4.2.3
       '@push.rocks/smartpuppeteer': 2.0.5(typescript@6.0.2)
@@ -6521,7 +6515,7 @@ snapshots:
 
   '@push.rocks/smartpromise@4.2.3': {}
 
-  '@push.rocks/smartproxy@27.6.0':
+  '@push.rocks/smartproxy@27.7.4':
     dependencies:
       '@push.rocks/smartcrypto': 2.0.4
       '@push.rocks/smartlog': 3.2.2
@@ -6923,12 +6917,12 @@ snapshots:
       domhandler: 5.0.3
       selderee: 0.11.0
 
-  '@serve.zone/catalog@2.12.3(@tiptap/pm@2.27.2)':
+  '@serve.zone/catalog@2.12.4(@tiptap/pm@2.27.2)':
     dependencies:
       '@design.estate/dees-catalog': 3.78.2(@tiptap/pm@2.27.2)
       '@design.estate/dees-domtools': 2.5.4
       '@design.estate/dees-element': 2.2.4
-      '@design.estate/dees-wcctools': 3.8.0
+      '@design.estate/dees-wcctools': 3.9.0
     transitivePeerDependencies:
       - '@nuxt/kit'
       - '@tiptap/pm'
@@ -8603,6 +8597,13 @@ snapshots:
       libbase64: 1.3.0
       libqp: 2.1.1
 
+  libmime@5.3.8:
+    dependencies:
+      encoding-japanese: 2.2.0
+      iconv-lite: 0.7.2
+      libbase64: 1.3.0
+      libqp: 2.1.1
+
   libqp@2.1.1: {}
 
   lightweight-charts@5.1.0:
@@ -8659,22 +8660,24 @@ snapshots:
 
   lowercase-keys@3.0.0: {}
 
-  lru-cache@11.3.3: {}
+  lru-cache@10.4.3: {}
+
+  lru-cache@11.3.5: {}
 
   lru-cache@7.18.3: {}
 
   lucide@1.8.0: {}
 
-  mailparser@3.9.6:
+  mailparser@3.9.8:
     dependencies:
       '@zone-eu/mailsplit': 5.4.8
       encoding-japanese: 2.2.0
       he: 1.2.0
       html-to-text: 9.0.5
       iconv-lite: 0.7.2
-      libmime: 5.3.7
+      libmime: 5.3.8
       linkify-it: 5.0.0
-      nodemailer: 8.0.4
+      nodemailer: 8.0.5
       punycode.js: 2.3.1
       tlds: 1.261.0
 
@@ -9179,7 +9182,7 @@ snapshots:
 
   node-forge@1.4.0: {}
 
-  nodemailer@8.0.4: {}
+  nodemailer@8.0.5: {}
 
   normalize-newline@4.1.0:
     dependencies:
@@ -9304,7 +9307,7 @@ snapshots:
 
   path-scurry@2.0.2:
     dependencies:
-      lru-cache: 11.3.3
+      lru-cache: 11.3.5
       minipass: 7.1.3
 
   path-to-regexp@8.4.2: {}

test/test.dcrouter.email.ts

@@ -143,6 +143,9 @@ tap.test('DcRouter class - Email config with domains and routes', async () => {
 
   // Verify unified email server was initialized
   expect(router.emailServer).toBeTruthy();
+  expect((router.emailServer as any).options.hostname).toEqual('mail.example.com');
+  expect((router.emailServer as any).options.persistRoutes).toEqual(false);
+  expect((router.emailServer as any).options.queue.storageType).toEqual('disk');
 
   // Stop the router
   await router.stop();

test/test.dns-runtime-routes.node.ts

@@ -0,0 +1,230 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { DcRouter } from '../ts/classes.dcrouter.js';
+import { RouteConfigManager } from '../ts/config/index.js';
+import { DcRouterDb, DomainDoc, RouteDoc } from '../ts/db/index.js';
+import { DnsManager } from '../ts/dns/manager.dns.js';
+import { logger } from '../ts/logger.js';
+import * as plugins from '../ts/plugins.js';
+
+const createTestDb = async () => {
+  const storagePath = plugins.path.join(
+    plugins.os.tmpdir(),
+    `dcrouter-dns-runtime-routes-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+  );
+
+  DcRouterDb.resetInstance();
+  const db = DcRouterDb.getInstance({
+    storagePath,
+    dbName: `dcrouter-test-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+  });
+  await db.start();
+  await db.getDb().mongoDb.createCollection('__test_init');
+
+  return {
+    async cleanup() {
+      await db.stop();
+      DcRouterDb.resetInstance();
+      await plugins.fs.promises.rm(storagePath, { recursive: true, force: true });
+    },
+  };
+};
+
+const testDbPromise = createTestDb();
+
+const clearTestState = async () => {
+  for (const route of await RouteDoc.findAll()) {
+    await route.delete();
+  }
+  for (const domain of await DomainDoc.findAll()) {
+    await domain.delete();
+  }
+};
+
+tap.test('RouteConfigManager applies runtime DoH routes without persisting them', async () => {
+  await testDbPromise;
+  await clearTestState();
+
+  const dcRouter = new DcRouter({
+    dnsNsDomains: ['ns1.example.com', 'ns2.example.com'],
+    dnsScopes: ['example.com'],
+    smartProxyConfig: { routes: [] },
+    dbConfig: { enabled: false },
+  });
+
+  const appliedRoutes: any[][] = [];
+  const smartProxy = {
+    updateRoutes: async (routes: any[]) => {
+      appliedRoutes.push(routes);
+    },
+  };
+
+  const routeManager = new RouteConfigManager(
+    () => smartProxy as any,
+    undefined,
+    undefined,
+    undefined,
+    undefined,
+    () => (dcRouter as any).generateDnsRoutes(),
+  );
+
+  await routeManager.initialize([], [], []);
+  await routeManager.applyRoutes();
+
+  const persistedRoutes = await RouteDoc.findAll();
+  expect(persistedRoutes.length).toEqual(0);
+  expect(appliedRoutes.length).toEqual(2);
+
+  for (const routeSet of appliedRoutes) {
+    const dnsQueryRoute = routeSet.find((route) => route.name === 'dns-over-https-dns-query');
+    const resolveRoute = routeSet.find((route) => route.name === 'dns-over-https-resolve');
+
+    expect(dnsQueryRoute).toBeDefined();
+    expect(resolveRoute).toBeDefined();
+    expect(typeof dnsQueryRoute.action.socketHandler).toEqual('function');
+    expect(typeof resolveRoute.action.socketHandler).toEqual('function');
+  }
+});
+
+tap.test('RouteConfigManager removes stale persisted DoH socket-handler routes on startup', async () => {
+  await testDbPromise;
+  await clearTestState();
+
+  const staleDnsQueryRoute = new RouteDoc();
+  staleDnsQueryRoute.id = 'stale-doh-query';
+  staleDnsQueryRoute.route = {
+    name: 'dns-over-https-dns-query',
+    match: {
+      ports: [443],
+      domains: ['ns1.example.com'],
+      path: '/dns-query',
+    },
+    action: {
+      type: 'socket-handler' as any,
+    } as any,
+  };
+  staleDnsQueryRoute.enabled = true;
+  staleDnsQueryRoute.createdAt = Date.now();
+  staleDnsQueryRoute.updatedAt = Date.now();
+  staleDnsQueryRoute.createdBy = 'test';
+  staleDnsQueryRoute.origin = 'dns';
+  await staleDnsQueryRoute.save();
+
+  const staleResolveRoute = new RouteDoc();
+  staleResolveRoute.id = 'stale-doh-resolve';
+  staleResolveRoute.route = {
+    name: 'dns-over-https-resolve',
+    match: {
+      ports: [443],
+      domains: ['ns1.example.com'],
+      path: '/resolve',
+    },
+    action: {
+      type: 'socket-handler' as any,
+    } as any,
+  };
+  staleResolveRoute.enabled = true;
+  staleResolveRoute.createdAt = Date.now();
+  staleResolveRoute.updatedAt = Date.now();
+  staleResolveRoute.createdBy = 'test';
+  staleResolveRoute.origin = 'dns';
+  await staleResolveRoute.save();
+
+  const validRoute = new RouteDoc();
+  validRoute.id = 'valid-forward-route';
+  validRoute.route = {
+    name: 'valid-forward-route',
+    match: {
+      ports: [443],
+      domains: ['app.example.com'],
+    },
+    action: {
+      type: 'forward',
+      targets: [{ host: '127.0.0.1', port: 8443 }],
+      tls: { mode: 'terminate' as const },
+    },
+  } as any;
+  validRoute.enabled = true;
+  validRoute.createdAt = Date.now();
+  validRoute.updatedAt = Date.now();
+  validRoute.createdBy = 'test';
+  validRoute.origin = 'api';
+  await validRoute.save();
+
+  const appliedRoutes: any[][] = [];
+  const smartProxy = {
+    updateRoutes: async (routes: any[]) => {
+      appliedRoutes.push(routes);
+    },
+  };
+
+  const routeManager = new RouteConfigManager(() => smartProxy as any);
+  await routeManager.initialize([], [], []);
+
+  expect((await RouteDoc.findByName('dns-over-https-dns-query'))).toEqual(null);
+  expect((await RouteDoc.findByName('dns-over-https-resolve'))).toEqual(null);
+
+  const remainingRoutes = await RouteDoc.findAll();
+  expect(remainingRoutes.length).toEqual(1);
+  expect(remainingRoutes[0].route.name).toEqual('valid-forward-route');
+
+  expect(appliedRoutes.length).toEqual(1);
+  expect(appliedRoutes[0].length).toEqual(1);
+  expect(appliedRoutes[0][0].name).toEqual('valid-forward-route');
+});
+
+tap.test('DnsManager warning keeps dnsNsDomains in scope', async () => {
+  await testDbPromise;
+  await clearTestState();
+  const originalLog = logger.log.bind(logger);
+  const warningMessages: string[] = [];
+
+  (logger as any).log = (level: 'error' | 'warn' | 'info' | 'success' | 'debug', message: string, context?: Record<string, any>) => {
+    if (level === 'warn') {
+      warningMessages.push(message);
+    }
+    return originalLog(level, message, context || {});
+  };
+
+  try {
+    const existingDomain = new DomainDoc();
+    existingDomain.id = 'existing-domain';
+    existingDomain.name = 'example.com';
+    existingDomain.source = 'dcrouter';
+    existingDomain.authoritative = true;
+    existingDomain.createdAt = Date.now();
+    existingDomain.updatedAt = Date.now();
+    existingDomain.createdBy = 'test';
+    await existingDomain.save();
+
+    const dnsManager = new DnsManager({
+      dnsNsDomains: ['ns1.example.com'],
+      dnsScopes: ['example.com'],
+      dnsRecords: [{ name: 'www.example.com', type: 'A', value: '127.0.0.1' }],
+      smartProxyConfig: { routes: [] },
+    });
+
+    await dnsManager.start();
+
+    expect(
+      warningMessages.some((message) =>
+        message.includes('ignoring legacy dnsScopes/dnsRecords constructor config')
+        && message.includes('dnsNsDomains is still required for nameserver and DoH bootstrap'),
+      ),
+    ).toEqual(true);
+    expect(
+      warningMessages.some((message) =>
+        message.includes('ignoring legacy dnsScopes/dnsRecords/dnsNsDomains constructor config'),
+      ),
+    ).toEqual(false);
+  } finally {
+    (logger as any).log = originalLog;
+  }
+});
+
+tap.test('cleanup test db', async () => {
+  await clearTestState();
+  const testDb = await testDbPromise;
+  await testDb.cleanup();
+});
+
+export default tap.start();

test/test.email-domain-manager.node.ts

@@ -0,0 +1,193 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import * as plugins from '../ts/plugins.js';
+import { EmailDomainManager } from '../ts/email/index.js';
+import { DcRouterDb, DomainDoc } from '../ts/db/index.js';
+import { EmailDomainDoc } from '../ts/db/documents/classes.email-domain.doc.js';
+import type { IUnifiedEmailServerOptions } from '@push.rocks/smartmta';
+
+const createTestDb = async () => {
+  const storagePath = plugins.path.join(
+    plugins.os.tmpdir(),
+    `dcrouter-email-domain-manager-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+  );
+
+  DcRouterDb.resetInstance();
+  const db = DcRouterDb.getInstance({
+    storagePath,
+    dbName: `dcrouter-email-domain-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+  });
+  await db.start();
+  await db.getDb().mongoDb.createCollection('__test_init');
+
+  return {
+    async cleanup() {
+      await db.stop();
+      DcRouterDb.resetInstance();
+      await plugins.fs.promises.rm(storagePath, { recursive: true, force: true });
+    },
+  };
+};
+
+const testDbPromise = createTestDb();
+
+const clearTestState = async () => {
+  for (const emailDomain of await EmailDomainDoc.findAll()) {
+    await emailDomain.delete();
+  }
+  for (const domain of await DomainDoc.findAll()) {
+    await domain.delete();
+  }
+};
+
+const createDomainDoc = async (id: string, name: string, source: 'dcrouter' | 'provider') => {
+  const doc = new DomainDoc();
+  doc.id = id;
+  doc.name = name;
+  doc.source = source;
+  doc.authoritative = source === 'dcrouter';
+  doc.createdAt = Date.now();
+  doc.updatedAt = Date.now();
+  doc.createdBy = 'test';
+  await doc.save();
+  return doc;
+};
+
+const createBaseEmailConfig = (): IUnifiedEmailServerOptions => ({
+  ports: [2525],
+  hostname: 'mail.example.com',
+  domains: [
+    {
+      domain: 'static.example.com',
+      dnsMode: 'external-dns',
+    },
+  ],
+  routes: [],
+});
+
+tap.test('EmailDomainManager syncs managed domains into runtime config and email server', async () => {
+  await testDbPromise;
+  await clearTestState();
+
+  const linkedDomain = await createDomainDoc('provider-domain', 'example.com', 'provider');
+  const updateCalls: Array<{ domains?: any[] }> = [];
+
+  const dcRouterStub = {
+    options: {
+      emailConfig: createBaseEmailConfig(),
+    },
+    emailServer: {
+      updateOptions: (options: { domains?: any[] }) => {
+        updateCalls.push(options);
+      },
+    },
+  };
+
+  const manager = new EmailDomainManager(dcRouterStub);
+  await manager.start();
+
+  const created = await manager.createEmailDomain({
+    linkedDomainId: linkedDomain.id,
+    subdomain: 'mail',
+    dkimSelector: 'selector1',
+    rotateKeys: true,
+    rotationIntervalDays: 30,
+  });
+
+  const domainsAfterCreate = dcRouterStub.options.emailConfig.domains;
+  expect(domainsAfterCreate.length).toEqual(2);
+  expect(domainsAfterCreate.some((domain) => domain.domain === 'static.example.com')).toEqual(true);
+
+  const managedDomain = domainsAfterCreate.find((domain) => domain.domain === 'mail.example.com');
+  expect(managedDomain).toBeTruthy();
+  expect(managedDomain?.dnsMode).toEqual('external-dns');
+  expect(managedDomain?.dkim?.selector).toEqual('selector1');
+  expect(updateCalls.at(-1)?.domains?.some((domain) => domain.domain === 'mail.example.com')).toEqual(true);
+
+  await manager.updateEmailDomain(created.id, {
+    rotateKeys: false,
+    rateLimits: {
+      outbound: {
+        messagesPerMinute: 10,
+      },
+    },
+  });
+
+  const domainsAfterUpdate = dcRouterStub.options.emailConfig.domains;
+  const updatedManagedDomain = domainsAfterUpdate.find((domain) => domain.domain === 'mail.example.com');
+  expect(updatedManagedDomain?.dkim?.rotateKeys).toEqual(false);
+  expect(updatedManagedDomain?.rateLimits?.outbound?.messagesPerMinute).toEqual(10);
+
+  await manager.deleteEmailDomain(created.id);
+  expect(dcRouterStub.options.emailConfig.domains.map((domain) => domain.domain)).toEqual(['static.example.com']);
+});
+
+tap.test('EmailDomainManager rejects domains already present in static config', async () => {
+  await testDbPromise;
+  await clearTestState();
+
+  const linkedDomain = await createDomainDoc('static-domain', 'static.example.com', 'provider');
+  const dcRouterStub = {
+    options: {
+      emailConfig: createBaseEmailConfig(),
+    },
+  };
+
+  const manager = new EmailDomainManager(dcRouterStub);
+
+  let error: Error | undefined;
+  try {
+    await manager.createEmailDomain({ linkedDomainId: linkedDomain.id });
+  } catch (err: unknown) {
+    error = err as Error;
+  }
+
+  expect(error?.message).toEqual('Email domain already configured for static.example.com');
+});
+
+tap.test('EmailDomainManager start merges persisted managed domains after restart', async () => {
+  await testDbPromise;
+  await clearTestState();
+
+  const linkedDomain = await createDomainDoc('local-domain', 'managed.example.com', 'dcrouter');
+  const stored = new EmailDomainDoc();
+  stored.id = 'managed-email-domain';
+  stored.domain = 'mail.managed.example.com';
+  stored.linkedDomainId = linkedDomain.id;
+  stored.subdomain = 'mail';
+  stored.dkim = {
+    selector: 'default',
+    keySize: 2048,
+    rotateKeys: false,
+    rotationIntervalDays: 90,
+  };
+  stored.dnsStatus = {
+    mx: 'unchecked',
+    spf: 'unchecked',
+    dkim: 'unchecked',
+    dmarc: 'unchecked',
+  };
+  stored.createdAt = new Date().toISOString();
+  stored.updatedAt = new Date().toISOString();
+  await stored.save();
+
+  const dcRouterStub = {
+    options: {
+      emailConfig: createBaseEmailConfig(),
+    },
+  };
+
+  const manager = new EmailDomainManager(dcRouterStub);
+  await manager.start();
+
+  const managedDomain = dcRouterStub.options.emailConfig.domains.find((domain) => domain.domain === 'mail.managed.example.com');
+  expect(managedDomain?.dnsMode).toEqual('internal-dns');
+});
+
+tap.test('cleanup', async () => {
+  const testDb = await testDbPromise;
+  await clearTestState();
+  await testDb.cleanup();
+  await tap.stopForcefully();
+});
+
+export default tap.start();

test/test.metricsmanager.route-keys.node.ts

@@ -0,0 +1,120 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { MetricsManager } from '../ts/monitoring/classes.metricsmanager.js';
+
+const emptyProtocolDistribution = {
+  h1Active: 0,
+  h1Total: 0,
+  h2Active: 0,
+  h2Total: 0,
+  h3Active: 0,
+  h3Total: 0,
+  wsActive: 0,
+  wsTotal: 0,
+  otherActive: 0,
+  otherTotal: 0,
+};
+
+function createProxyMetrics(args: {
+  connectionsByRoute: Map<string, number>;
+  throughputByRoute: Map<string, { in: number; out: number }>;
+  domainRequestsByIP: Map<string, Map<string, number>>;
+  requestsTotal?: number;
+}) {
+  return {
+    connections: {
+      active: () => 0,
+      total: () => 0,
+      byRoute: () => args.connectionsByRoute,
+      byIP: () => new Map<string, number>(),
+      topIPs: () => [],
+      domainRequestsByIP: () => args.domainRequestsByIP,
+      topDomainRequests: () => [],
+      frontendProtocols: () => emptyProtocolDistribution,
+      backendProtocols: () => emptyProtocolDistribution,
+    },
+    throughput: {
+      instant: () => ({ in: 0, out: 0 }),
+      recent: () => ({ in: 0, out: 0 }),
+      average: () => ({ in: 0, out: 0 }),
+      custom: () => ({ in: 0, out: 0 }),
+      history: () => [],
+      byRoute: () => args.throughputByRoute,
+      byIP: () => new Map<string, { in: number; out: number }>(),
+    },
+    requests: {
+      perSecond: () => 0,
+      perMinute: () => 0,
+      total: () => args.requestsTotal || 0,
+    },
+    totals: {
+      bytesIn: () => 0,
+      bytesOut: () => 0,
+      connections: () => 0,
+    },
+    backends: {
+      byBackend: () => new Map<string, any>(),
+      protocols: () => new Map<string, string>(),
+      topByErrors: () => [],
+      detectedProtocols: () => [],
+    },
+  };
+}
+
+tap.test('MetricsManager joins domain activity to id-keyed route metrics', async () => {
+  const proxyMetrics = createProxyMetrics({
+    connectionsByRoute: new Map([
+      ['route-id-only', 4],
+    ]),
+    throughputByRoute: new Map([
+      ['route-id-only', { in: 1200, out: 2400 }],
+    ]),
+    domainRequestsByIP: new Map([
+      ['192.0.2.10', new Map([
+        ['alpha.example.com', 3],
+        ['beta.example.com', 1],
+      ])],
+    ]),
+    requestsTotal: 4,
+  });
+
+  const smartProxy = {
+    getMetrics: () => proxyMetrics,
+    routeManager: {
+      getRoutes: () => [
+        {
+          id: 'route-id-only',
+          match: {
+            ports: [443],
+            domains: ['alpha.example.com', 'beta.example.com'],
+          },
+          action: {
+            type: 'forward',
+            targets: [{ host: '127.0.0.1', port: 8443 }],
+          },
+        },
+      ],
+    },
+  };
+
+  const manager = new MetricsManager({ smartProxy } as any);
+  const stats = await manager.getNetworkStats();
+  const alpha = stats.domainActivity.find((item) => item.domain === 'alpha.example.com');
+  const beta = stats.domainActivity.find((item) => item.domain === 'beta.example.com');
+
+  expect(alpha).toBeDefined();
+  expect(beta).toBeDefined();
+
+  expect(alpha!.requestCount).toEqual(3);
+  expect(alpha!.routeCount).toEqual(1);
+  expect(alpha!.activeConnections).toEqual(3);
+  expect(alpha!.bytesInPerSecond).toEqual(900);
+  expect(alpha!.bytesOutPerSecond).toEqual(1800);
+
+  expect(beta!.requestCount).toEqual(1);
+  expect(beta!.routeCount).toEqual(1);
+  expect(beta!.activeConnections).toEqual(1);
+  expect(beta!.bytesInPerSecond).toEqual(300);
+  expect(beta!.bytesOutPerSecond).toEqual(600);
+});
+
+export default tap.start();

test/test.smartmta-storage-manager.node.ts

@@ -0,0 +1,31 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import * as plugins from '../ts/plugins.js';
+import { SmartMtaStorageManager } from '../ts/email/index.js';
+
+const tempDir = plugins.path.join(process.cwd(), '.nogit', 'test-smartmta-storage');
+
+tap.test('SmartMtaStorageManager persists, lists, and deletes keys', async () => {
+  await plugins.fs.promises.rm(tempDir, { recursive: true, force: true });
+
+  const storageManager = new SmartMtaStorageManager(tempDir);
+  await storageManager.set('/email/dkim/example.com/default/metadata', 'metadata');
+  await storageManager.set('/email/dkim/example.com/default/public.key', 'public');
+
+  expect(await storageManager.get('/email/dkim/example.com/default/metadata')).toEqual('metadata');
+
+  const keys = await storageManager.list('/email/dkim/example.com/');
+  expect(keys).toEqual([
+    '/email/dkim/example.com/default/metadata',
+    '/email/dkim/example.com/default/public.key',
+  ]);
+
+  await storageManager.delete('/email/dkim/example.com/default/metadata');
+  expect(await storageManager.get('/email/dkim/example.com/default/metadata')).toBeNull();
+});
+
+tap.test('cleanup', async () => {
+  await plugins.fs.promises.rm(tempDir, { recursive: true, force: true });
+  await tap.stopForcefully();
+});
+
+export default tap.start();

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.17.2',
+  version: '13.18.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts/classes.dcrouter.ts

@@ -9,6 +9,7 @@ import {
   type IUnifiedEmailServerOptions,
   type IEmailRoute,
   type IEmailDomainConfig,
+  type IStorageManagerLike,
 } from '@push.rocks/smartmta';
 import { logger } from './logger.js';
 import { StorageBackedCertManager } from './classes.storage-cert-manager.js';
@@ -29,7 +30,7 @@ import { SecurityLogger, ContentScanner, IPReputationChecker } from './security/
 import { type IHttp3Config, augmentRoutesWithHttp3 } from './http3/index.js';
 import { DnsManager } from './dns/manager.dns.js';
 import { AcmeConfigManager } from './acme/manager.acme-config.js';
-import { EmailDomainManager } from './email/classes.email-domain.manager.js';
+import { EmailDomainManager, SmartMtaStorageManager } from './email/index.js';
 
 export interface IDcRouterOptions {
   /** Base directory for all dcrouter data. Defaults to ~/.serve.zone/dcrouter */
@@ -248,15 +249,13 @@ export class DcRouter {
   public radiusServer?: RadiusServer;
   public opsServer!: OpsServer;
   public metricsManager?: MetricsManager;
+  private emailEventSubscriptions: Array<{
+    emitter: { off(eventName: string, listener: (...args: any[]) => void): void };
+    eventName: string;
+    listener: (...args: any[]) => void;
+  }> = [];
 
-  // Compatibility shim for smartmta's DkimManager which calls dcRouter.storageManager.set()
-  public storageManager: any = {
-    get: async (_key: string) => null,
-    set: async (_key: string, _value: string) => {
-      // DKIM keys from smartmta — logged but not yet migrated to smartdata
-      logger.log('debug', `storageManager.set() called (compat shim) for key: ${_key}`);
-    },
-  };
+  public storageManager: IStorageManagerLike;
 
   // Unified database (smartdata + LocalSmartDb or external MongoDB)
   public dcRouterDb?: DcRouterDb;
@@ -315,7 +314,8 @@ export class DcRouter {
   // Seed routes assembled during setupSmartProxy, passed to RouteConfigManager for DB seeding
   private seedConfigRoutes: plugins.smartproxy.IRouteConfig[] = [];
   private seedEmailRoutes: plugins.smartproxy.IRouteConfig[] = [];
-  private seedDnsRoutes: plugins.smartproxy.IRouteConfig[] = [];
+  // Runtime-only DoH routes. These carry live socket handlers and must never be persisted.
+  private runtimeDnsRoutes: plugins.smartproxy.IRouteConfig[] = [];
 
   // Environment access
   private qenv = new plugins.qenv.Qenv('./', '.nogit/');
@@ -328,6 +328,10 @@ export class DcRouter {
 
     // Resolve all data paths from baseDir
     this.resolvedPaths = paths.resolvePaths(this.options.baseDir);
+    paths.ensureDataDirectories(this.resolvedPaths);
+    this.storageManager = new SmartMtaStorageManager(
+      plugins.path.join(this.resolvedPaths.dataDir, 'smartmta-storage')
+    );
 
     // Initialize service manager and register all services
     this.serviceManager = new plugins.taskbuffer.ServiceManager({
@@ -451,9 +455,13 @@ export class DcRouter {
           .dependsOn('DcRouterDb')
           .withStart(async () => {
             this.emailDomainManager = new EmailDomainManager(this);
+            await this.emailDomainManager.start();
           })
           .withStop(async () => {
-            this.emailDomainManager = undefined;
+            if (this.emailDomainManager) {
+              await this.emailDomainManager.stop();
+              this.emailDomainManager = undefined;
+            }
           }),
       );
     }
@@ -547,7 +555,9 @@ export class DcRouter {
             await this.referenceResolver.initialize();
 
             // Initialize target profile manager
-            this.targetProfileManager = new TargetProfileManager();
+            this.targetProfileManager = new TargetProfileManager(
+              () => this.routeConfigManager?.getRoutes() || new Map(),
+            );
             await this.targetProfileManager.initialize();
 
             this.routeConfigManager = new RouteConfigManager(
@@ -560,7 +570,10 @@ export class DcRouter {
                       return [];
                     }
                     return this.targetProfileManager.getMatchingClientIps(
-                      route, routeId, this.vpnManager.listClients(),
+                      route,
+                      routeId,
+                      this.vpnManager.listClients(),
+                      this.routeConfigManager?.getRoutes() || new Map(),
                     );
                   }
                 : undefined,
@@ -575,14 +588,15 @@ export class DcRouter {
                   this.tunnelManager.syncAllowedEdges();
                 }
               },
+              () => this.runtimeDnsRoutes,
             );
             this.apiTokenManager = new ApiTokenManager();
             await this.apiTokenManager.initialize();
             await this.routeConfigManager.initialize(
               this.seedConfigRoutes as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig[],
               this.seedEmailRoutes as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig[],
-              this.seedDnsRoutes as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig[],
             );
+            await this.targetProfileManager.normalizeAllRouteRefs();
 
             // Seed default profiles/targets if DB is empty and seeding is enabled
             const seeder = new DbSeeder(this.referenceResolver);
@@ -603,19 +617,20 @@ export class DcRouter {
 
     // Email Server: optional, depends on SmartProxy
     if (this.options.emailConfig) {
+      const emailServiceDeps = ['SmartProxy', 'MetricsManager'];
+      if (this.options.dbConfig?.enabled !== false) {
+        emailServiceDeps.push('EmailDomainManager');
+      }
       this.serviceManager.addService(
         new plugins.taskbuffer.Service('EmailServer')
           .optional()
-          .dependsOn('SmartProxy')
+          .dependsOn(...emailServiceDeps)
           .withStart(async () => {
             await this.setupUnifiedEmailHandling();
           })
           .withStop(async () => {
             if (this.emailServer) {
-              if ((this.emailServer as any).deliverySystem) {
-                (this.emailServer as any).deliverySystem.removeAllListeners();
-              }
-              this.emailServer.removeAllListeners();
+              this.clearEmailEventSubscriptions();
               await this.emailServer.stop();
               this.emailServer = undefined;
             }
@@ -629,7 +644,7 @@ export class DcRouter {
       this.serviceManager.addService(
         new plugins.taskbuffer.Service('DnsServer')
           .optional()
-          .dependsOn('SmartProxy')
+          .dependsOn('SmartProxy', ...(this.options.emailConfig ? ['EmailServer'] : []))
           .withStart(async () => {
             await this.setupDnsWithSocketHandler();
           })
@@ -886,7 +901,7 @@ export class DcRouter {
       this.smartProxy = undefined;
     }
 
-    // Assemble seed routes from constructor config — these will be seeded into DB
+    // Assemble serializable seed routes from constructor config — these will be seeded into DB
     // by RouteConfigManager.initialize() when the ConfigManagers service starts.
     this.seedConfigRoutes = (this.options.smartProxyConfig?.routes || []) as plugins.smartproxy.IRouteConfig[];
     logger.log('info', `Found ${this.seedConfigRoutes.length} routes in config`);
@@ -897,17 +912,17 @@ export class DcRouter {
       logger.log('debug', 'Email routes generated', { routes: JSON.stringify(this.seedEmailRoutes) });
     }
 
-    this.seedDnsRoutes = [];
+    this.runtimeDnsRoutes = [];
     if (this.options.dnsNsDomains && this.options.dnsNsDomains.length > 0) {
-      this.seedDnsRoutes = this.generateDnsRoutes();
-      logger.log('debug', `DNS routes for nameservers ${this.options.dnsNsDomains.join(', ')}`, { routes: JSON.stringify(this.seedDnsRoutes) });
+      this.runtimeDnsRoutes = this.generateDnsRoutes();
+      logger.log('debug', `DNS routes for nameservers ${this.options.dnsNsDomains.join(', ')}`, { routes: JSON.stringify(this.runtimeDnsRoutes) });
     }
 
     // Combined routes for SmartProxy bootstrap (before DB routes are loaded)
     let routes: plugins.smartproxy.IRouteConfig[] = [
       ...this.seedConfigRoutes,
       ...this.seedEmailRoutes,
-      ...this.seedDnsRoutes,
+      ...this.runtimeDnsRoutes,
     ];
 
     // Build the ACME options for SmartProxy from the DB-backed AcmeConfigManager.
@@ -1457,7 +1472,6 @@ export class DcRouter {
       await this.routeConfigManager.initialize(
         this.seedConfigRoutes as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig[],
         this.seedEmailRoutes as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig[],
-        this.seedDnsRoutes as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig[],
       );
     }
 
@@ -1505,40 +1519,74 @@ export class DcRouter {
       ...this.options.emailConfig,
       domains: transformedDomains,
       ports: this.options.emailConfig.ports.map(port => portMapping[port] || port + 10000),
-      hostname: 'localhost' // Listen on localhost for SmartProxy forwarding
+      persistRoutes: this.options.emailConfig.persistRoutes ?? false,
+      queue: {
+        storageType: 'disk',
+        persistentPath: plugins.path.join(this.resolvedPaths.dataDir, 'smartmta-queue'),
+        ...this.options.emailConfig.queue,
+      },
     };
     
     // Create unified email server
     this.emailServer = new UnifiedEmailServer(this, emailConfig);
+    this.clearEmailEventSubscriptions();
     
     // Set up error handling
-    this.emailServer.on('error', (err: Error) => {
+    this.addEmailEventSubscription(this.emailServer, 'error', (err: Error) => {
       logger.log('error', `UnifiedEmailServer error: ${err.message}`);
     });
     
     // Start the server
     await this.emailServer.start();
 
-    // Wire delivery events to MetricsManager and logger
-    if (this.metricsManager && this.emailServer.deliverySystem) {
-      this.emailServer.deliverySystem.on('deliveryStart', (item: any) => {
-        this.metricsManager!.trackEmailReceived(item?.from);
-        logger.log('info', `Email delivery started: ${item?.from} → ${item?.to}`, { zone: 'email' });
-      });
-      this.emailServer.deliverySystem.on('deliverySuccess', (item: any) => {
-        this.metricsManager!.trackEmailSent(item?.to);
-        logger.log('info', `Email delivered to ${item?.to}`, { zone: 'email' });
-      });
-      this.emailServer.deliverySystem.on('deliveryFailed', (item: any, error: any) => {
-        this.metricsManager!.trackEmailFailed(item?.to, error?.message);
-        logger.log('warn', `Email delivery failed to ${item?.to}: ${error?.message}`, { zone: 'email' });
-      });
-    }
+    // Wire delivery events to MetricsManager and logger using smartmta's public queue APIs.
     if (this.metricsManager && this.emailServer) {
-      this.emailServer.on('bounceProcessed', () => {
+      const getEnvelope = (item: { processingResult?: any; lastError?: string }) => {
+        const emailLike = item?.processingResult;
+        const from = emailLike?.from || emailLike?.email?.from || '';
+        const recipients = Array.isArray(emailLike?.to)
+          ? emailLike.to
+          : Array.isArray(emailLike?.email?.to)
+            ? emailLike.email.to
+            : [];
+        return {
+          from,
+          recipients: recipients.filter(Boolean),
+        };
+      };
+      const updateQueueSize = () => {
+        this.metricsManager!.updateQueueSize(this.emailServer!.getQueueStats().queueSize);
+      };
+
+      this.addEmailEventSubscription(this.emailServer.deliveryQueue, 'itemEnqueued', (item: any) => {
+        const envelope = getEnvelope(item);
+        this.metricsManager!.trackEmailReceived(envelope.from);
+        updateQueueSize();
+        logger.log('info', `Email queued: ${envelope.from} → ${envelope.recipients.join(', ') || 'unknown'}`, { zone: 'email' });
+      });
+      this.addEmailEventSubscription(this.emailServer.deliveryQueue, 'itemDelivered', (item: any) => {
+        const envelope = getEnvelope(item);
+        this.metricsManager!.trackEmailSent(envelope.recipients[0]);
+        updateQueueSize();
+        logger.log('info', `Email delivered to ${envelope.recipients.join(', ') || 'unknown'}`, { zone: 'email' });
+      });
+      this.addEmailEventSubscription(this.emailServer.deliveryQueue, 'itemFailed', (item: any) => {
+        const envelope = getEnvelope(item);
+        this.metricsManager!.trackEmailFailed(envelope.recipients[0], item?.lastError);
+        updateQueueSize();
+        logger.log('warn', `Email delivery failed to ${envelope.recipients.join(', ') || 'unknown'}: ${item?.lastError || 'unknown error'}`, { zone: 'email' });
+      });
+      this.addEmailEventSubscription(this.emailServer.deliveryQueue, 'itemDeferred', () => {
+        updateQueueSize();
+      });
+      this.addEmailEventSubscription(this.emailServer.deliveryQueue, 'itemRemoved', () => {
+        updateQueueSize();
+      });
+      this.addEmailEventSubscription(this.emailServer, 'bounceProcessed', () => {
         this.metricsManager!.trackEmailBounced();
         logger.log('warn', 'Email bounce processed', { zone: 'email' });
       });
+      updateQueueSize();
     }
 
     logger.log('info', `Email server started on ports: ${emailConfig.ports.join(', ')}`);
@@ -1568,11 +1616,7 @@ export class DcRouter {
     try {
       // Stop the unified email server which contains all components
       if (this.emailServer) {
-        // Remove listeners before stopping to prevent leaks on config update cycles
-        if ((this.emailServer as any).deliverySystem) {
-          (this.emailServer as any).deliverySystem.removeAllListeners();
-        }
-        this.emailServer.removeAllListeners();
+        this.clearEmailEventSubscriptions();
         await this.emailServer.stop();
         logger.log('info', 'Unified email server stopped');
         this.emailServer = undefined;
@@ -1777,14 +1821,14 @@ export class DcRouter {
     // Generate and register authoritative records
     const authoritativeRecords = await this.generateAuthoritativeRecords();
     
-    // Generate email DNS records
-    const emailDnsRecords = await this.generateEmailDnsRecords();
-    
-    // Initialize DKIM for all email domains
-    await this.initializeDkimForEmailDomains();
-    
-    // Load DKIM records from JSON files (they should now exist)
-    const dkimRecords = await this.loadDkimRecords();
+     // Generate email DNS records
+     const emailDnsRecords = await this.generateEmailDnsRecords();
+     
+     // Ensure DKIM keys exist for internal-dns domains before generating records.
+     await this.initializeDkimForEmailDomains();
+     
+     // Generate DKIM records directly from smartmta instead of scanning legacy JSON files.
+     const dkimRecords = await this.loadDkimRecords();
     
     // Combine all records: authoritative, email, DKIM, and user-defined
     const allRecords = [...authoritativeRecords, ...emailDnsRecords, ...dkimRecords];
@@ -1933,54 +1977,30 @@ export class DcRouter {
   }
   
   /**
-   * Load DKIM records from JSON files
-   * Reads all *.dkimrecord.json files from the DNS records directory
+   * Generate DKIM DNS records for internal-dns domains from smartmta's selector-aware DKIM state.
    */
   private async loadDkimRecords(): Promise<Array<{name: string; type: string; value: string; ttl?: number}>> {
     const records: Array<{name: string; type: string; value: string; ttl?: number}> = [];
-    
-    try {
-      // Ensure paths are imported
-      const dnsDir = this.resolvedPaths.dnsRecordsDir;
-      
-      // Check if directory exists
-      if (!plugins.fs.existsSync(dnsDir)) {
-        logger.log('debug', 'No DNS records directory found, skipping DKIM record loading');
-        return records;
+    if (!this.options.emailConfig?.domains || !this.emailServer?.dkimCreator) {
+      return records;
+    }
+
+    for (const domainConfig of this.options.emailConfig.domains) {
+      if (domainConfig.dnsMode !== 'internal-dns') {
+        continue;
       }
-      
-      // Read all files in the directory
-      const files = plugins.fs.readdirSync(dnsDir);
-      const dkimFiles = files.filter(f => f.endsWith('.dkimrecord.json'));
-      
-      logger.log('info', `Found ${dkimFiles.length} DKIM record files`);
-      
-      // Load each DKIM record
-      for (const file of dkimFiles) {
-        try {
-          const filePath = plugins.path.join(dnsDir, file);
-          const fileContent = plugins.fs.readFileSync(filePath, 'utf8');
-          const dkimRecord = JSON.parse(fileContent);
-          
-          // Validate record structure
-          if (dkimRecord.name && dkimRecord.type === 'TXT' && dkimRecord.value) {
-            records.push({
-              name: dkimRecord.name,
-              type: 'TXT',
-              value: dkimRecord.value,
-              ttl: 3600 // Standard DKIM TTL
-            });
-            
-            logger.log('info', `Loaded DKIM record for ${dkimRecord.name}`);
-          } else {
-            logger.log('warn', `Invalid DKIM record structure in ${file}`);
-          }
-        } catch (error: unknown) {
-          logger.log('error', `Failed to load DKIM record from ${file}: ${(error as Error).message}`);
-        }
+      const selector = domainConfig.dkim?.selector || 'default';
+      try {
+        const dkimRecord = await this.emailServer.dkimCreator.getDNSRecordForDomain(domainConfig.domain, selector);
+        records.push({
+          name: dkimRecord.name,
+          type: 'TXT',
+          value: dkimRecord.value,
+          ttl: domainConfig.dns?.internal?.ttl || 3600,
+        });
+      } catch (error: unknown) {
+        logger.log('error', `Failed to generate DKIM record for ${domainConfig.domain}: ${(error as Error).message}`);
       }
-    } catch (error: unknown) {
-      logger.log('error', `Failed to load DKIM records: ${(error as Error).message}`);
     }
 
     return records;
@@ -2007,12 +2027,17 @@ export class DcRouter {
     // Ensure necessary directories exist
     paths.ensureDataDirectories(this.resolvedPaths);
     
-    // Generate DKIM keys for each email domain
+    // Generate DKIM keys for each internal-dns email domain using the configured selector.
     for (const domainConfig of this.options.emailConfig.domains) {
+      if (domainConfig.dnsMode !== 'internal-dns') {
+        continue;
+      }
       try {
-        // Generate DKIM keys for all domains, regardless of DNS mode
-        // This ensures keys are ready even if DNS mode changes later
-        await dkimCreator.handleDKIMKeysForDomain(domainConfig.domain);
+        await dkimCreator.handleDKIMKeysForSelector(
+          domainConfig.domain,
+          domainConfig.dkim?.selector || 'default',
+          domainConfig.dkim?.keySize || 2048,
+        );
         logger.log('info', `DKIM keys initialized for ${domainConfig.domain}`);
       } catch (error: unknown) {
         logger.log('error', `Failed to initialize DKIM for ${domainConfig.domain}: ${(error as Error).message}`);
@@ -2142,6 +2167,25 @@ export class DcRouter {
       }
     }
   }
+
+  private addEmailEventSubscription(
+    emitter: {
+      on(eventName: string, listener: (...args: any[]) => void): void;
+      off(eventName: string, listener: (...args: any[]) => void): void;
+    },
+    eventName: string,
+    listener: (...args: any[]) => void,
+  ): void {
+    emitter.on(eventName, listener);
+    this.emailEventSubscriptions.push({ emitter, eventName, listener });
+  }
+
+  private clearEmailEventSubscriptions(): void {
+    for (const subscription of this.emailEventSubscriptions) {
+      subscription.emitter.off(subscription.eventName, subscription.listener);
+    }
+    this.emailEventSubscriptions = [];
+  }
   
   /**
    * Detect the server's public IP address
@@ -2179,7 +2223,7 @@ export class DcRouter {
     // Pass current bootstrap routes so the manager can derive edge ports initially.
     // Once RouteConfigManager applies the full DB set, the onRoutesApplied callback
     // will push the complete merged routes here.
-    const bootstrapRoutes = [...this.seedConfigRoutes, ...this.seedEmailRoutes, ...this.seedDnsRoutes];
+    const bootstrapRoutes = [...this.seedConfigRoutes, ...this.seedEmailRoutes, ...this.runtimeDnsRoutes];
     this.remoteIngressManager.setRoutes(bootstrapRoutes as any[]);
 
     // If ConfigManagers finished before us, re-apply routes
@@ -2283,8 +2327,11 @@ export class DcRouter {
 
         // Resolve DNS A records for matched domains (with caching)
         for (const domain of domains) {
-          const stripped = domain.replace(/^\*\./, '');
-          const resolvedIps = await this.resolveVpnDomainIPs(stripped);
+          if (this.isWildcardVpnDomain(domain)) {
+            this.logSkippedWildcardAllowedIp(domain);
+            continue;
+          }
+          const resolvedIps = await this.resolveVpnDomainIPs(domain);
           for (const ip of resolvedIps) {
             ips.add(`${ip}/32`);
           }
@@ -2303,6 +2350,8 @@ export class DcRouter {
 
   /** Cache for DNS-resolved IPs of VPN-gated domains. TTL: 5 minutes. */
   private vpnDomainIpCache = new Map<string, { ips: string[]; expiresAt: number }>();
+  /** Deduplicate wildcard-resolution warnings for WireGuard AllowedIPs generation. */
+  private warnedWildcardVpnDomains = new Set<string>();
 
   /**
    * Resolve a domain's A record(s) for VPN AllowedIPs, with a 5-minute cache.
@@ -2328,6 +2377,19 @@ export class DcRouter {
     }
   }
 
+  private isWildcardVpnDomain(domain: string): boolean {
+    return domain.includes('*');
+  }
+
+  private logSkippedWildcardAllowedIp(domain: string): void {
+    if (this.warnedWildcardVpnDomains.has(domain)) return;
+    this.warnedWildcardVpnDomains.add(domain);
+    logger.log(
+      'warn',
+      `VPN: Skipping wildcard domain '${domain}' for WireGuard AllowedIPs; wildcard patterns must be resolved to concrete hostnames by matching routes.`,
+    );
+  }
+
   // VPN security injection is now handled dynamically by RouteConfigManager.applyRoutes()
   // via the getVpnAllowList callback — no longer a separate method here.
 

ts/config/classes.route-config-manager.ts

@@ -55,6 +55,7 @@ export class RouteConfigManager {
     private getVpnClientIpsForRoute?: (route: IDcRouterRouteConfig, routeId?: string) => TIpAllowEntry[],
     private referenceResolver?: ReferenceResolver,
     private onRoutesApplied?: (routes: plugins.smartproxy.IRouteConfig[]) => void,
+    private getRuntimeRoutes?: () => plugins.smartproxy.IRouteConfig[],
   ) {}
 
   /** Expose routes map for reference resolution lookups. */
@@ -63,7 +64,8 @@ export class RouteConfigManager {
   }
 
   /**
-   * Load persisted routes, seed config/email/dns routes, compute warnings, apply to SmartProxy.
+   * Load persisted routes, seed serializable config/email/dns routes,
+   * compute warnings, and apply the combined DB-backed + runtime route set to SmartProxy.
    */
   public async initialize(
     configRoutes: IDcRouterRouteConfig[] = [],
@@ -284,23 +286,40 @@ export class RouteConfigManager {
 
   private async loadRoutes(): Promise<void> {
     const docs = await RouteDoc.findAll();
+    let prunedRuntimeRoutes = 0;
+
     for (const doc of docs) {
-      if (doc.id) {
-        this.routes.set(doc.id, {
-          id: doc.id,
-          route: doc.route,
-          enabled: doc.enabled,
-          createdAt: doc.createdAt,
-          updatedAt: doc.updatedAt,
-          createdBy: doc.createdBy,
-          origin: doc.origin || 'api',
-          metadata: doc.metadata,
-        });
+      if (!doc.id) continue;
+
+      const storedRoute: IRoute = {
+        id: doc.id,
+        route: doc.route,
+        enabled: doc.enabled,
+        createdAt: doc.createdAt,
+        updatedAt: doc.updatedAt,
+        createdBy: doc.createdBy,
+        origin: doc.origin || 'api',
+        metadata: doc.metadata,
+      };
+
+      if (this.isPersistedRuntimeRoute(storedRoute)) {
+        await doc.delete();
+        prunedRuntimeRoutes++;
+        logger.log(
+          'warn',
+          `Removed persisted runtime-only route '${storedRoute.route.name || storedRoute.id}' (${storedRoute.id}) from RouteDoc`,
+        );
+        continue;
       }
+
+      this.routes.set(doc.id, storedRoute);
     }
     if (this.routes.size > 0) {
       logger.log('info', `Loaded ${this.routes.size} route(s) from database`);
     }
+    if (prunedRuntimeRoutes > 0) {
+      logger.log('info', `Pruned ${prunedRuntimeRoutes} persisted runtime-only route(s) from RouteDoc`);
+    }
   }
 
   private async persistRoute(stored: IRoute): Promise<void> {
@@ -389,36 +408,18 @@ export class RouteConfigManager {
 
       const enabledRoutes: plugins.smartproxy.IRouteConfig[] = [];
 
-      const http3Config = this.getHttp3Config?.();
-      const vpnCallback = this.getVpnClientIpsForRoute;
-
-      // Helper: inject VPN security into a vpnOnly route
-      const injectVpn = (route: plugins.smartproxy.IRouteConfig, routeId?: string): plugins.smartproxy.IRouteConfig => {
-        if (!vpnCallback) return route;
-        const dcRoute = route as IDcRouterRouteConfig;
-        if (!dcRoute.vpnOnly) return route;
-        const vpnEntries = vpnCallback(dcRoute, routeId);
-        const existingEntries = route.security?.ipAllowList || [];
-        return {
-          ...route,
-          security: {
-            ...route.security,
-            ipAllowList: [...existingEntries, ...vpnEntries],
-          },
-        };
-      };
-
       // Add all enabled routes with HTTP/3 and VPN augmentation
       for (const route of this.routes.values()) {
         if (route.enabled) {
-          let r = route.route;
-          if (http3Config?.enabled !== false) {
-            r = augmentRouteWithHttp3(r, { enabled: true, ...http3Config });
-          }
-          enabledRoutes.push(injectVpn(r, route.id));
+          enabledRoutes.push(this.prepareRouteForApply(route.route, route.id));
         }
       }
 
+      const runtimeRoutes = this.getRuntimeRoutes?.() || [];
+      for (const route of runtimeRoutes) {
+        enabledRoutes.push(this.prepareRouteForApply(route));
+      }
+
       await smartProxy.updateRoutes(enabledRoutes);
 
       // Notify listeners (e.g. RemoteIngressManager) of the route set
@@ -429,4 +430,47 @@ export class RouteConfigManager {
       logger.log('info', `Applied ${enabledRoutes.length} routes to SmartProxy (${this.routes.size} total)`);
     });
   }
+
+  private prepareRouteForApply(
+    route: plugins.smartproxy.IRouteConfig,
+    routeId?: string,
+  ): plugins.smartproxy.IRouteConfig {
+    let preparedRoute = route;
+    const http3Config = this.getHttp3Config?.();
+
+    if (http3Config?.enabled !== false) {
+      preparedRoute = augmentRouteWithHttp3(preparedRoute, { enabled: true, ...http3Config });
+    }
+
+    return this.injectVpnSecurity(preparedRoute, routeId);
+  }
+
+  private injectVpnSecurity(
+    route: plugins.smartproxy.IRouteConfig,
+    routeId?: string,
+  ): plugins.smartproxy.IRouteConfig {
+    const vpnCallback = this.getVpnClientIpsForRoute;
+    if (!vpnCallback) return route;
+
+    const dcRoute = route as IDcRouterRouteConfig;
+    if (!dcRoute.vpnOnly) return route;
+
+    const vpnEntries = vpnCallback(dcRoute, routeId);
+    const existingEntries = route.security?.ipAllowList || [];
+    return {
+      ...route,
+      security: {
+        ...route.security,
+        ipAllowList: [...existingEntries, ...vpnEntries],
+      },
+    };
+  }
+
+  private isPersistedRuntimeRoute(storedRoute: IRoute): boolean {
+    const routeName = storedRoute.route.name || '';
+    const actionType = storedRoute.route.action?.type;
+
+    return (routeName.startsWith('dns-over-https-') && actionType === 'socket-handler')
+      || (storedRoute.origin === 'dns' && actionType === 'socket-handler');
+  }
 }

ts/config/classes.target-profile-manager.ts

@@ -13,6 +13,10 @@ import type { IRoute } from '../../ts_interfaces/data/route-management.js';
 export class TargetProfileManager {
   private profiles = new Map<string, ITargetProfile>();
 
+  constructor(
+    private getAllRoutes?: () => Map<string, IRoute>,
+  ) {}
+
   // =========================================================================
   // Lifecycle
   // =========================================================================
@@ -43,13 +47,14 @@ export class TargetProfileManager {
     const id = plugins.uuid.v4();
     const now = Date.now();
 
+    const routeRefs = this.normalizeRouteRefs(data.routeRefs);
     const profile: ITargetProfile = {
       id,
       name: data.name,
       description: data.description,
       domains: data.domains,
       targets: data.targets,
-      routeRefs: data.routeRefs,
+      routeRefs,
       createdAt: now,
       updatedAt: now,
       createdBy: data.createdBy,
@@ -70,11 +75,19 @@ export class TargetProfileManager {
       throw new Error(`Target profile '${id}' not found`);
     }
 
+    if (patch.name !== undefined && patch.name !== profile.name) {
+      for (const existing of this.profiles.values()) {
+        if (existing.id !== id && existing.name === patch.name) {
+          throw new Error(`Target profile with name '${patch.name}' already exists (id: ${existing.id})`);
+        }
+      }
+    }
+
     if (patch.name !== undefined) profile.name = patch.name;
     if (patch.description !== undefined) profile.description = patch.description;
     if (patch.domains !== undefined) profile.domains = patch.domains;
     if (patch.targets !== undefined) profile.targets = patch.targets;
-    if (patch.routeRefs !== undefined) profile.routeRefs = patch.routeRefs;
+    if (patch.routeRefs !== undefined) profile.routeRefs = this.normalizeRouteRefs(patch.routeRefs);
     profile.updatedAt = Date.now();
 
     await this.persistProfile(profile);
@@ -127,6 +140,29 @@ export class TargetProfileManager {
     return this.profiles.get(id);
   }
 
+  /**
+   * Normalize stored route references to route IDs when they can be resolved
+   * uniquely against the current route registry.
+   */
+  public async normalizeAllRouteRefs(): Promise<void> {
+    const allRoutes = this.getAllRoutes?.();
+    if (!allRoutes?.size) return;
+
+    for (const profile of this.profiles.values()) {
+      const normalizedRouteRefs = this.normalizeRouteRefsAgainstRoutes(
+        profile.routeRefs,
+        allRoutes,
+        'bestEffort',
+      );
+      if (this.sameStringArray(profile.routeRefs, normalizedRouteRefs)) continue;
+
+      profile.routeRefs = normalizedRouteRefs;
+      profile.updatedAt = Date.now();
+      await this.persistProfile(profile);
+      logger.log('info', `Normalized route refs for target profile '${profile.name}' (${profile.id})`);
+    }
+  }
+
   public listProfiles(): ITargetProfile[] {
     return [...this.profiles.values()];
   }
@@ -178,9 +214,11 @@ export class TargetProfileManager {
     route: IDcRouterRouteConfig,
     routeId: string | undefined,
     clients: VpnClientDoc[],
+    allRoutes: Map<string, IRoute> = new Map(),
   ): Array<string | { ip: string; domains: string[] }> {
     const entries: Array<string | { ip: string; domains: string[] }> = [];
     const routeDomains: string[] = (route.match as any)?.domains || [];
+    const routeNameIndex = this.buildRouteNameIndex(allRoutes);
 
     for (const client of clients) {
       if (!client.enabled || !client.assignedIp) continue;
@@ -194,7 +232,13 @@ export class TargetProfileManager {
         const profile = this.profiles.get(profileId);
         if (!profile) continue;
 
-        const matchResult = this.routeMatchesProfileDetailed(route, routeId, profile, routeDomains);
+        const matchResult = this.routeMatchesProfileDetailed(
+          route,
+          routeId,
+          profile,
+          routeDomains,
+          routeNameIndex,
+        );
         if (matchResult === 'full') {
           fullAccess = true;
           break; // No need to check more profiles
@@ -224,6 +268,7 @@ export class TargetProfileManager {
   ): { domains: string[]; targetIps: string[] } {
     const domains = new Set<string>();
     const targetIps = new Set<string>();
+    const routeNameIndex = this.buildRouteNameIndex(allRoutes);
 
     // Collect all access specifiers from assigned profiles
     for (const profileId of targetProfileIds) {
@@ -247,7 +292,12 @@ export class TargetProfileManager {
       // Route references: scan all routes
       for (const [routeId, route] of allRoutes) {
         if (!route.enabled) continue;
-        if (this.routeMatchesProfile(route.route as IDcRouterRouteConfig, routeId, profile)) {
+        if (this.routeMatchesProfile(
+          route.route as IDcRouterRouteConfig,
+          routeId,
+          profile,
+          routeNameIndex,
+        )) {
           const routeDomains = (route.route.match as any)?.domains;
           if (Array.isArray(routeDomains)) {
             for (const d of routeDomains) {
@@ -275,9 +325,16 @@ export class TargetProfileManager {
     route: IDcRouterRouteConfig,
     routeId: string | undefined,
     profile: ITargetProfile,
+    routeNameIndex: Map<string, string[]>,
   ): boolean {
     const routeDomains: string[] = (route.match as any)?.domains || [];
-    const result = this.routeMatchesProfileDetailed(route, routeId, profile, routeDomains);
+    const result = this.routeMatchesProfileDetailed(
+      route,
+      routeId,
+      profile,
+      routeDomains,
+      routeNameIndex,
+    );
     return result !== 'none';
   }
 
@@ -294,11 +351,17 @@ export class TargetProfileManager {
     routeId: string | undefined,
     profile: ITargetProfile,
     routeDomains: string[],
+    routeNameIndex: Map<string, string[]>,
   ): 'full' | { type: 'scoped'; domains: string[] } | 'none' {
     // 1. Route reference match → full access
     if (profile.routeRefs?.length) {
       if (routeId && profile.routeRefs.includes(routeId)) return 'full';
-      if (route.name && profile.routeRefs.includes(route.name)) return 'full';
+      if (routeId && route.name && profile.routeRefs.includes(route.name)) {
+        const matchingRouteIds = routeNameIndex.get(route.name) || [];
+        if (matchingRouteIds.length === 1 && matchingRouteIds[0] === routeId) {
+          return 'full';
+        }
+      }
     }
 
     // 2. Domain match
@@ -362,6 +425,66 @@ export class TargetProfileManager {
     return false;
   }
 
+  private normalizeRouteRefs(routeRefs?: string[]): string[] | undefined {
+    const allRoutes = this.getAllRoutes?.() || new Map<string, IRoute>();
+    return this.normalizeRouteRefsAgainstRoutes(routeRefs, allRoutes, 'strict');
+  }
+
+  private normalizeRouteRefsAgainstRoutes(
+    routeRefs: string[] | undefined,
+    allRoutes: Map<string, IRoute>,
+    mode: 'strict' | 'bestEffort',
+  ): string[] | undefined {
+    if (!routeRefs?.length) return undefined;
+    if (!allRoutes.size) return [...new Set(routeRefs)];
+
+    const routeNameIndex = this.buildRouteNameIndex(allRoutes);
+    const normalizedRefs = new Set<string>();
+
+    for (const routeRef of routeRefs) {
+      if (allRoutes.has(routeRef)) {
+        normalizedRefs.add(routeRef);
+        continue;
+      }
+
+      const matchingRouteIds = routeNameIndex.get(routeRef) || [];
+      if (matchingRouteIds.length === 1) {
+        normalizedRefs.add(matchingRouteIds[0]);
+        continue;
+      }
+
+      if (mode === 'bestEffort') {
+        normalizedRefs.add(routeRef);
+        continue;
+      }
+
+      if (matchingRouteIds.length > 1) {
+        throw new Error(`Route reference '${routeRef}' is ambiguous; use a route ID instead`);
+      }
+      throw new Error(`Route reference '${routeRef}' not found`);
+    }
+
+    return [...normalizedRefs];
+  }
+
+  private buildRouteNameIndex(allRoutes: Map<string, IRoute>): Map<string, string[]> {
+    const routeNameIndex = new Map<string, string[]>();
+    for (const [routeId, route] of allRoutes) {
+      const routeName = route.route.name;
+      if (!routeName) continue;
+      const matchingRouteIds = routeNameIndex.get(routeName) || [];
+      matchingRouteIds.push(routeId);
+      routeNameIndex.set(routeName, matchingRouteIds);
+    }
+    return routeNameIndex;
+  }
+
+  private sameStringArray(left?: string[], right?: string[]): boolean {
+    if (!left?.length && !right?.length) return true;
+    if (!left || !right || left.length !== right.length) return false;
+    return left.every((value, index) => value === right[index]);
+  }
+
   // =========================================================================
   // Private: persistence
   // =========================================================================

ts/dns/manager.dns.ts

@@ -97,8 +97,8 @@ export class DnsManager {
       if (hasLegacyConfig) {
         logger.log(
           'warn',
-          'DnsManager: DB has DomainDoc entries — ignoring legacy dnsScopes/dnsRecords/dnsNsDomains constructor config. ' +
-            'Manage DNS via the Domains UI instead.',
+          'DnsManager: DB has DomainDoc entries — ignoring legacy dnsScopes/dnsRecords constructor config. ' +
+            'dnsNsDomains is still required for nameserver and DoH bootstrap unless that moves into DB-backed config.',
         );
       }
       return;

ts/email/classes.email-domain.manager.ts

@@ -1,4 +1,5 @@
 import * as plugins from '../plugins.js';
+import type { IEmailDomainConfig } from '@push.rocks/smartmta';
 import { logger } from '../logger.js';
 import { EmailDomainDoc } from '../db/documents/classes.email-domain.doc.js';
 import { DomainDoc } from '../db/documents/classes.domain.doc.js';
@@ -15,9 +16,12 @@ import type { IEmailDomain, IEmailDnsRecord, TDnsRecordStatus } from '../../ts_i
  */
 export class EmailDomainManager {
   private dcRouter: any; // DcRouter — avoids circular import
+  private readonly baseEmailDomains: IEmailDomainConfig[];
 
   constructor(dcRouterRef: any) {
     this.dcRouter = dcRouterRef;
+    this.baseEmailDomains = ((this.dcRouter.options?.emailConfig?.domains || []) as IEmailDomainConfig[])
+      .map((domainConfig) => JSON.parse(JSON.stringify(domainConfig)) as IEmailDomainConfig);
   }
 
   private get dnsManager(): DnsManager | undefined {
@@ -32,6 +36,12 @@ export class EmailDomainManager {
     return this.dcRouter.options?.emailConfig?.hostname || this.dcRouter.options?.tls?.domain || 'localhost';
   }
 
+  public async start(): Promise<void> {
+    await this.syncManagedDomainsToRuntime();
+  }
+
+  public async stop(): Promise<void> {}
+
   // ---------------------------------------------------------------------------
   // CRUD
   // ---------------------------------------------------------------------------
@@ -64,6 +74,9 @@ export class EmailDomainManager {
     const domainName = subdomain ? `${subdomain}.${baseDomain}` : baseDomain;
 
     // Check for duplicates
+    if (this.isDomainAlreadyConfigured(domainName)) {
+      throw new Error(`Email domain already configured for ${domainName}`);
+    }
     const existing = await EmailDomainDoc.findByDomain(domainName);
     if (existing) {
       throw new Error(`Email domain already exists for ${domainName}`);
@@ -77,8 +90,8 @@ export class EmailDomainManager {
     let publicKey: string | undefined;
     if (this.dkimCreator) {
       try {
-        await this.dkimCreator.handleDKIMKeysForDomain(domainName);
-        const dnsRecord = await this.dkimCreator.getDNSRecordForSelector(domainName, selector);
+        await this.dkimCreator.handleDKIMKeysForSelector(domainName, selector, keySize);
+        const dnsRecord = await this.dkimCreator.getDNSRecordForDomain(domainName, selector);
         // Extract public key from the DNS record value
         const match = dnsRecord?.value?.match(/p=([A-Za-z0-9+/=]+)/);
         publicKey = match ? match[1] : undefined;
@@ -110,6 +123,7 @@ export class EmailDomainManager {
     doc.createdAt = now;
     doc.updatedAt = now;
     await doc.save();
+    await this.syncManagedDomainsToRuntime();
 
     logger.log('info', `Email domain created: ${domainName}`);
     return this.docToInterface(doc);
@@ -131,12 +145,14 @@ export class EmailDomainManager {
     if (changes.rateLimits !== undefined) doc.rateLimits = changes.rateLimits;
     doc.updatedAt = new Date().toISOString();
     await doc.save();
+    await this.syncManagedDomainsToRuntime();
   }
 
   public async deleteEmailDomain(id: string): Promise<void> {
     const doc = await EmailDomainDoc.findById(id);
     if (!doc) throw new Error(`Email domain not found: ${id}`);
     await doc.delete();
+    await this.syncManagedDomainsToRuntime();
     logger.log('info', `Email domain deleted: ${doc.domain}`);
   }
 
@@ -153,8 +169,17 @@ export class EmailDomainManager {
 
     const domain = doc.domain;
     const selector = doc.dkim.selector;
-    const publicKey = doc.dkim.publicKey || '';
     const hostname = this.emailHostname;
+    let dkimValue = `v=DKIM1; h=sha256; k=rsa; p=${doc.dkim.publicKey || ''}`;
+
+    if (this.dkimCreator) {
+      try {
+        const dnsRecord = await this.dkimCreator.getDNSRecordForDomain(domain, selector);
+        dkimValue = dnsRecord.value;
+      } catch (err: unknown) {
+        logger.log('warn', `Failed to load DKIM DNS record for ${domain}: ${(err as Error).message}`);
+      }
+    }
 
     const records: IEmailDnsRecord[] = [
       {
@@ -172,7 +197,7 @@ export class EmailDomainManager {
       {
         type: 'TXT',
         name: `${selector}._domainkey.${domain}`,
-        value: `v=DKIM1; h=sha256; k=rsa; p=${publicKey}`,
+        value: dkimValue,
         status: doc.dnsStatus.dkim,
       },
       {
@@ -207,17 +232,7 @@ export class EmailDomainManager {
 
     for (const required of requiredRecords) {
       // Check if a matching record already exists
-      const exists = existingRecords.some((r) => {
-        if (required.type === 'MX') {
-          return r.type === 'MX' && r.name.toLowerCase() === required.name.toLowerCase();
-        }
-        // For TXT records, match by name AND check value prefix (v=spf1, v=DKIM1, v=DMARC1)
-        if (r.type !== 'TXT' || r.name.toLowerCase() !== required.name.toLowerCase()) return false;
-        if (required.value.startsWith('v=spf1')) return r.value.includes('v=spf1');
-        if (required.value.startsWith('v=DKIM1')) return r.value.includes('v=DKIM1');
-        if (required.value.startsWith('v=DMARC1')) return r.value.includes('v=DMARC1');
-        return false;
-      });
+      const exists = existingRecords.some((r) => this.recordMatchesRequired(r, required));
 
       if (!exists) {
         try {
@@ -259,16 +274,23 @@ export class EmailDomainManager {
     const resolver = new plugins.dns.promises.Resolver();
 
     // MX check
-    doc.dnsStatus.mx = await this.checkMx(resolver, domain);
+    const requiredRecords = await this.getRequiredDnsRecords(id);
+
+    const mxRecord = requiredRecords.find((record) => record.type === 'MX');
+    const spfRecord = requiredRecords.find((record) => record.name === domain && record.value.startsWith('v=spf1'));
+    const dkimRecord = requiredRecords.find((record) => record.name === `${selector}._domainkey.${domain}`);
+    const dmarcRecord = requiredRecords.find((record) => record.name === `_dmarc.${domain}`);
+
+    doc.dnsStatus.mx = await this.checkMx(resolver, domain, mxRecord?.value);
 
     // SPF check
-    doc.dnsStatus.spf = await this.checkTxtRecord(resolver, domain, 'v=spf1');
+    doc.dnsStatus.spf = await this.checkTxtRecord(resolver, domain, spfRecord?.value);
 
     // DKIM check
-    doc.dnsStatus.dkim = await this.checkTxtRecord(resolver, `${selector}._domainkey.${domain}`, 'v=DKIM1');
+    doc.dnsStatus.dkim = await this.checkTxtRecord(resolver, `${selector}._domainkey.${domain}`, dkimRecord?.value);
 
     // DMARC check
-    doc.dnsStatus.dmarc = await this.checkTxtRecord(resolver, `_dmarc.${domain}`, 'v=DMARC1');
+    doc.dnsStatus.dmarc = await this.checkTxtRecord(resolver, `_dmarc.${domain}`, dmarcRecord?.value);
 
     doc.dnsStatus.lastCheckedAt = new Date().toISOString();
     doc.updatedAt = new Date().toISOString();
@@ -277,10 +299,28 @@ export class EmailDomainManager {
     return this.getRequiredDnsRecords(id);
   }
 
-  private async checkMx(resolver: plugins.dns.promises.Resolver, domain: string): Promise<TDnsRecordStatus> {
+  private recordMatchesRequired(record: DnsRecordDoc, required: IEmailDnsRecord): boolean {
+    if (record.type !== required.type || record.name.toLowerCase() !== required.name.toLowerCase()) {
+      return false;
+    }
+    return record.value.trim() === required.value.trim();
+  }
+
+  private async checkMx(
+    resolver: plugins.dns.promises.Resolver,
+    domain: string,
+    expectedValue?: string,
+  ): Promise<TDnsRecordStatus> {
     try {
       const records = await resolver.resolveMx(domain);
-      return records && records.length > 0 ? 'valid' : 'missing';
+      if (!records || records.length === 0) {
+        return 'missing';
+      }
+      if (!expectedValue) {
+        return 'valid';
+      }
+      const found = records.some((record) => `${record.priority} ${record.exchange}`.trim() === expectedValue.trim());
+      return found ? 'valid' : 'invalid';
     } catch {
       return 'missing';
     }
@@ -289,13 +329,19 @@ export class EmailDomainManager {
   private async checkTxtRecord(
     resolver: plugins.dns.promises.Resolver,
     name: string,
-    prefix: string,
+    expectedValue?: string,
   ): Promise<TDnsRecordStatus> {
     try {
       const records = await resolver.resolveTxt(name);
       const flat = records.map((r) => r.join(''));
-      const found = flat.some((r) => r.startsWith(prefix));
-      return found ? 'valid' : 'missing';
+      if (flat.length === 0) {
+        return 'missing';
+      }
+      if (!expectedValue) {
+        return 'valid';
+      }
+      const found = flat.some((record) => record.trim() === expectedValue.trim());
+      return found ? 'valid' : 'invalid';
     } catch {
       return 'missing';
     }
@@ -318,4 +364,63 @@ export class EmailDomainManager {
       updatedAt: doc.updatedAt,
     };
   }
+
+  private isDomainAlreadyConfigured(domainName: string): boolean {
+    const configuredDomains = ((this.dcRouter.options?.emailConfig?.domains || []) as IEmailDomainConfig[])
+      .map((domainConfig) => domainConfig.domain.toLowerCase());
+    return configuredDomains.includes(domainName.toLowerCase());
+  }
+
+  private async buildManagedDomainConfigs(): Promise<IEmailDomainConfig[]> {
+    const docs = await EmailDomainDoc.findAll();
+    const managedConfigs: IEmailDomainConfig[] = [];
+
+    for (const doc of docs) {
+      const linkedDomain = await DomainDoc.findById(doc.linkedDomainId);
+      if (!linkedDomain) {
+        logger.log('warn', `Skipping managed email domain ${doc.domain}: linked domain missing`);
+        continue;
+      }
+
+      managedConfigs.push({
+        domain: doc.domain,
+        dnsMode: linkedDomain.source === 'dcrouter' ? 'internal-dns' : 'external-dns',
+        dkim: {
+          selector: doc.dkim.selector,
+          keySize: doc.dkim.keySize,
+          rotateKeys: doc.dkim.rotateKeys,
+          rotationInterval: doc.dkim.rotationIntervalDays,
+        },
+        rateLimits: doc.rateLimits,
+      });
+    }
+
+    return managedConfigs;
+  }
+
+  private async syncManagedDomainsToRuntime(): Promise<void> {
+    if (!this.dcRouter.options?.emailConfig) {
+      return;
+    }
+
+    const mergedDomains = new Map<string, IEmailDomainConfig>();
+    for (const domainConfig of this.baseEmailDomains) {
+      mergedDomains.set(domainConfig.domain.toLowerCase(), JSON.parse(JSON.stringify(domainConfig)) as IEmailDomainConfig);
+    }
+
+    for (const managedConfig of await this.buildManagedDomainConfigs()) {
+      const key = managedConfig.domain.toLowerCase();
+      if (mergedDomains.has(key)) {
+        logger.log('warn', `Managed email domain ${managedConfig.domain} duplicates a configured domain; keeping the configured definition`);
+        continue;
+      }
+      mergedDomains.set(key, managedConfig);
+    }
+
+    const domains = Array.from(mergedDomains.values());
+    this.dcRouter.options.emailConfig.domains = domains;
+    if (this.dcRouter.emailServer) {
+      this.dcRouter.emailServer.updateOptions({ domains });
+    }
+  }
 }

ts/email/classes.smartmta-storage-manager.ts

@@ -0,0 +1,108 @@
+import * as plugins from '../plugins.js';
+import type { IStorageManagerLike } from '@push.rocks/smartmta';
+
+export class SmartMtaStorageManager implements IStorageManagerLike {
+  private readonly resolvedRootDir: string;
+
+  constructor(private rootDir: string) {
+    this.resolvedRootDir = plugins.path.resolve(rootDir);
+    plugins.fsUtils.ensureDirSync(this.resolvedRootDir);
+  }
+
+  private normalizeKey(key: string): string {
+    return key.replace(/^\/+/, '').replace(/\\/g, '/');
+  }
+
+  private resolvePathForKey(key: string): string {
+    const normalizedKey = this.normalizeKey(key);
+    const resolvedPath = plugins.path.resolve(this.resolvedRootDir, normalizedKey);
+    if (
+      resolvedPath !== this.resolvedRootDir
+      && !resolvedPath.startsWith(`${this.resolvedRootDir}${plugins.path.sep}`)
+    ) {
+      throw new Error(`Storage key escapes root directory: ${key}`);
+    }
+    return resolvedPath;
+  }
+
+  private toStorageKey(filePath: string): string {
+    const relativePath = plugins.path.relative(this.resolvedRootDir, filePath).split(plugins.path.sep).join('/');
+    return `/${relativePath}`;
+  }
+
+  public async get(key: string): Promise<string | null> {
+    const filePath = this.resolvePathForKey(key);
+    try {
+      return await plugins.fs.promises.readFile(filePath, 'utf8');
+    } catch (error: unknown) {
+      if ((error as NodeJS.ErrnoException).code === 'ENOENT') {
+        return null;
+      }
+      throw error;
+    }
+  }
+
+  public async set(key: string, value: string): Promise<void> {
+    const filePath = this.resolvePathForKey(key);
+    await plugins.fs.promises.mkdir(plugins.path.dirname(filePath), { recursive: true });
+    await plugins.fs.promises.writeFile(filePath, value, 'utf8');
+  }
+
+  public async list(prefix: string): Promise<string[]> {
+    const prefixPath = this.resolvePathForKey(prefix);
+    try {
+      const stat = await plugins.fs.promises.stat(prefixPath);
+      if (stat.isFile()) {
+        return [this.toStorageKey(prefixPath)];
+      }
+    } catch (error: unknown) {
+      if ((error as NodeJS.ErrnoException).code === 'ENOENT') {
+        return [];
+      }
+      throw error;
+    }
+
+    const results: string[] = [];
+    const walk = async (currentPath: string): Promise<void> => {
+      const entries = await plugins.fs.promises.readdir(currentPath, { withFileTypes: true });
+      for (const entry of entries) {
+        const entryPath = plugins.path.join(currentPath, entry.name);
+        if (entry.isDirectory()) {
+          await walk(entryPath);
+        } else if (entry.isFile()) {
+          results.push(this.toStorageKey(entryPath));
+        }
+      }
+    };
+
+    await walk(prefixPath);
+    return results.sort();
+  }
+
+  public async delete(key: string): Promise<void> {
+    const targetPath = this.resolvePathForKey(key);
+    try {
+      const stat = await plugins.fs.promises.stat(targetPath);
+      if (stat.isDirectory()) {
+        await plugins.fs.promises.rm(targetPath, { recursive: true, force: true });
+      } else {
+        await plugins.fs.promises.unlink(targetPath);
+      }
+    } catch (error: unknown) {
+      if ((error as NodeJS.ErrnoException).code === 'ENOENT') {
+        return;
+      }
+      throw error;
+    }
+
+    let currentDir = plugins.path.dirname(targetPath);
+    while (currentDir.startsWith(this.resolvedRootDir) && currentDir !== this.resolvedRootDir) {
+      const entries = await plugins.fs.promises.readdir(currentDir);
+      if (entries.length > 0) {
+        break;
+      }
+      await plugins.fs.promises.rmdir(currentDir);
+      currentDir = plugins.path.dirname(currentDir);
+    }
+  }
+}

ts/email/index.ts

@@ -1 +1,2 @@
 export * from './classes.email-domain.manager.js';
+export * from './classes.smartmta-storage-manager.js';

ts/monitoring/classes.metricsmanager.ts

@@ -733,16 +733,17 @@ export class MetricsManager {
         }
       }
 
-      // Map route name → domains from route config
+      // Map canonical route key → domains from route config
       const routeDomains = new Map<string, string[]>();
       if (this.dcRouter.smartProxy) {
         for (const route of this.dcRouter.smartProxy.routeManager.getRoutes()) {
-          if (!route.name || !route.match.domains) continue;
+          const routeKey = route.name || route.id;
+          if (!routeKey || !route.match.domains) continue;
           const domains = Array.isArray(route.match.domains)
             ? route.match.domains
             : [route.match.domains];
           if (domains.length > 0) {
-            routeDomains.set(route.name, domains);
+            routeDomains.set(routeKey, domains);
           }
         }
       }
@@ -753,23 +754,23 @@ export class MetricsManager {
         if (entry.domain) allKnownDomains.add(entry.domain);
       }
 
-      // Build reverse map: concrete domain → route name(s)
+      // Build reverse map: concrete domain → canonical route key(s)
       const domainToRoutes = new Map<string, string[]>();
-      for (const [routeName, domains] of routeDomains) {
+      for (const [routeKey, domains] of routeDomains) {
         for (const pattern of domains) {
           if (pattern.includes('*')) {
             const regex = new RegExp('^' + pattern.replace(/\./g, '\\.').replace(/\*/g, '[^.]+') + '$');
             for (const knownDomain of allKnownDomains) {
               if (regex.test(knownDomain)) {
                 const existing = domainToRoutes.get(knownDomain);
-                if (existing) { existing.push(routeName); }
-                else { domainToRoutes.set(knownDomain, [routeName]); }
+                if (existing) { existing.push(routeKey); }
+                else { domainToRoutes.set(knownDomain, [routeKey]); }
               }
             }
           } else {
             const existing = domainToRoutes.get(pattern);
-            if (existing) { existing.push(routeName); }
-            else { domainToRoutes.set(pattern, [routeName]); }
+            if (existing) { existing.push(routeKey); }
+            else { domainToRoutes.set(pattern, [routeKey]); }
           }
         }
       }
@@ -777,10 +778,10 @@ export class MetricsManager {
       // For each route, compute the total request count across all its resolved domains
       // so we can distribute throughput/connections proportionally
       const routeTotalRequests = new Map<string, number>();
-      for (const [domain, routeNames] of domainToRoutes) {
+      for (const [domain, routeKeys] of domainToRoutes) {
         const reqs = domainRequestTotals.get(domain) || 0;
-        for (const routeName of routeNames) {
-          routeTotalRequests.set(routeName, (routeTotalRequests.get(routeName) || 0) + reqs);
+        for (const routeKey of routeKeys) {
+          routeTotalRequests.set(routeKey, (routeTotalRequests.get(routeKey) || 0) + reqs);
         }
       }
 
@@ -793,16 +794,16 @@ export class MetricsManager {
         requestCount: number;
       }>();
 
-      for (const [domain, routeNames] of domainToRoutes) {
+      for (const [domain, routeKeys] of domainToRoutes) {
         const domainReqs = domainRequestTotals.get(domain) || 0;
         let totalConns = 0;
         let totalIn = 0;
         let totalOut = 0;
 
-        for (const routeName of routeNames) {
-          const conns = connectionsByRoute.get(routeName) || 0;
-          const tp = throughputByRoute.get(routeName) || { in: 0, out: 0 };
-          const routeTotal = routeTotalRequests.get(routeName) || 0;
+        for (const routeKey of routeKeys) {
+          const conns = connectionsByRoute.get(routeKey) || 0;
+          const tp = throughputByRoute.get(routeKey) || { in: 0, out: 0 };
+          const routeTotal = routeTotalRequests.get(routeKey) || 0;
 
           const share = routeTotal > 0 ? domainReqs / routeTotal : 0;
           totalConns += conns * share;
@@ -814,7 +815,7 @@ export class MetricsManager {
           activeConnections: Math.round(totalConns),
           bytesInPerSec: totalIn,
           bytesOutPerSec: totalOut,
-          routeCount: routeNames.length,
+          routeCount: routeKeys.length,
           requestCount: domainReqs,
         });
       }
@@ -990,4 +991,4 @@ export class MetricsManager {
 
     return { queries };
   }
-}
+}

ts/opsserver/handlers/certificate.handler.ts

@@ -198,12 +198,11 @@ export class CertificateHandler {
         try {
           const rustStatus = await smartProxy.getCertificateStatus(info.routeNames[0]);
           if (rustStatus) {
-            if (rustStatus.expiryDate) expiryDate = rustStatus.expiryDate;
-            if (rustStatus.issuer) issuer = rustStatus.issuer;
-            if (rustStatus.issuedAt) issuedAt = rustStatus.issuedAt;
-            if (rustStatus.status === 'valid' || rustStatus.status === 'expired') {
-              status = rustStatus.status;
+            if (rustStatus.expiresAt > 0) {
+              expiryDate = new Date(rustStatus.expiresAt).toISOString();
             }
+            if (rustStatus.source) issuer = rustStatus.source;
+            status = rustStatus.isValid ? 'valid' : 'expired';
           }
         } catch {
           // Rust bridge may not support this command yet — ignore

ts/opsserver/handlers/email-ops.handler.ts

@@ -48,7 +48,7 @@ export class EmailOpsHandler {
           }
 
           const queue = emailServer.deliveryQueue;
-          const item = queue.getItem(dataArg.emailId);
+          const item = emailServer.getQueueItem(dataArg.emailId);
 
           if (!item) {
             return { success: false, error: 'Email not found in queue' };
@@ -82,22 +82,10 @@ export class EmailOpsHandler {
    */
   private getAllQueueEmails(): interfaces.requests.IEmail[] {
     const emailServer = this.opsServerRef.dcRouterRef.emailServer;
-    if (!emailServer?.deliveryQueue) {
+    if (!emailServer) {
       return [];
     }
-
-    const queue = emailServer.deliveryQueue;
-    const queueMap = (queue as any).queue as Map<string, any>;
-
-    if (!queueMap) {
-      return [];
-    }
-
-    const emails: interfaces.requests.IEmail[] = [];
-
-    for (const [id, item] of queueMap.entries()) {
-      emails.push(this.mapQueueItemToEmail(item));
-    }
+    const emails = emailServer.getQueueItems().map((item) => this.mapQueueItemToEmail(item));
 
     // Sort by createdAt descending (newest first)
     emails.sort((a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime());
@@ -110,12 +98,10 @@ export class EmailOpsHandler {
    */
   private getEmailDetail(emailId: string): interfaces.requests.IEmailDetail | null {
     const emailServer = this.opsServerRef.dcRouterRef.emailServer;
-    if (!emailServer?.deliveryQueue) {
+    if (!emailServer) {
       return null;
     }
-
-    const queue = emailServer.deliveryQueue;
-    const item = queue.getItem(emailId);
+    const item = emailServer.getQueueItem(emailId);
 
     if (!item) {
       return null;

ts/opsserver/handlers/stats.handler.ts

@@ -530,13 +530,49 @@ export class StatsHandler {
       nextRetry?: number;
     }>;
   }> {
-    // TODO: Implement actual queue status collection
+    const emailServer = this.opsServerRef.dcRouterRef.emailServer;
+    if (!emailServer) {
+      return {
+        pending: 0,
+        active: 0,
+        failed: 0,
+        retrying: 0,
+        items: [],
+      };
+    }
+
+    const queueStats = emailServer.getQueueStats();
+    const items = emailServer.getQueueItems()
+      .sort((a, b) => {
+        const left = a.createdAt instanceof Date ? a.createdAt.getTime() : new Date(a.createdAt).getTime();
+        const right = b.createdAt instanceof Date ? b.createdAt.getTime() : new Date(b.createdAt).getTime();
+        return right - left;
+      })
+      .slice(0, 50)
+      .map((item) => {
+        const emailLike = item.processingResult;
+        const recipients = Array.isArray(emailLike?.to)
+          ? emailLike.to
+          : Array.isArray(emailLike?.email?.to)
+            ? emailLike.email.to
+            : [];
+        const subject = emailLike?.subject || emailLike?.email?.subject || '';
+        return {
+          id: item.id,
+          recipient: recipients[0] || '',
+          subject,
+          status: item.status,
+          attempts: item.attempts,
+          nextRetry: item.nextAttempt instanceof Date ? item.nextAttempt.getTime() : undefined,
+        };
+      });
+
     return {
-      pending: 0,
-      active: 0,
-      failed: 0,
-      retrying: 0,
-      items: [],
+      pending: queueStats.status.pending,
+      active: queueStats.status.processing,
+      failed: queueStats.status.failed,
+      retrying: queueStats.status.deferred,
+      items,
     };
   }
   
@@ -600,4 +636,4 @@ export class StatsHandler {
       ],
     };
   }
-}
+}

ts/vpn/classes.vpn-manager.ts

@@ -55,6 +55,8 @@ export class VpnManager {
   private vpnServer?: plugins.smartvpn.VpnServer;
   private clients: Map<string, VpnClientDoc> = new Map();
   private serverKeys?: VpnServerKeysDoc;
+  private resolvedForwardingMode?: 'socket' | 'bridge' | 'hybrid';
+  private forwardingModeOverride?: 'socket' | 'bridge' | 'hybrid';
 
   constructor(config: IVpnManagerConfig) {
     this.config = config;
@@ -88,6 +90,7 @@ export class VpnManager {
       if (client.useHostIp) {
         anyClientUsesHostIp = true;
       }
+      this.normalizeClientRoutingSettings(client);
       const entry: plugins.smartvpn.IClientEntry = {
         clientId: client.clientId,
         publicKey: client.noisePublicKey,
@@ -97,13 +100,12 @@ export class VpnManager {
         assignedIp: client.assignedIp,
         expiresAt: client.expiresAt,
         security: this.buildClientSecurity(client),
+        useHostIp: client.useHostIp,
+        useDhcp: client.useDhcp,
+        staticIp: client.staticIp,
+        forceVlan: client.forceVlan,
+        vlanId: client.vlanId,
       };
-      // Pass per-client bridge fields if present (for hybrid/bridge mode)
-      if (client.useHostIp !== undefined) (entry as any).useHostIp = client.useHostIp;
-      if (client.useDhcp !== undefined) (entry as any).useDhcp = client.useDhcp;
-      if (client.staticIp !== undefined) (entry as any).staticIp = client.staticIp;
-      if (client.forceVlan !== undefined) (entry as any).forceVlan = client.forceVlan;
-      if (client.vlanId !== undefined) (entry as any).vlanId = client.vlanId;
       clientEntries.push(entry);
     }
 
@@ -112,13 +114,15 @@ export class VpnManager {
 
     // Auto-detect hybrid mode: if any persisted client uses host IP and mode is
     // 'socket' (or unset), upgrade to 'hybrid' so the daemon can handle both
-    let configuredMode = this.config.forwardingMode ?? 'socket';
+    let configuredMode = this.forwardingModeOverride ?? this.config.forwardingMode ?? 'socket';
     if (anyClientUsesHostIp && configuredMode === 'socket') {
       configuredMode = 'hybrid';
       logger.log('info', 'VPN: Auto-upgrading forwarding mode to hybrid (client with useHostIp detected)');
     }
     const forwardingMode = configuredMode === 'hybrid' ? 'hybrid' : configuredMode;
     const isBridge = forwardingMode === 'bridge';
+    this.resolvedForwardingMode = forwardingMode;
+    this.forwardingModeOverride = undefined;
 
     // Create and start VpnServer
     this.vpnServer = new plugins.smartvpn.VpnServer({
@@ -143,7 +147,7 @@ export class VpnManager {
       wgListenPort,
       clients: clientEntries,
       socketForwardProxyProtocol: !isBridge,
-      destinationPolicy: this.config.destinationPolicy ?? defaultDestinationPolicy,
+      destinationPolicy: this.getServerDestinationPolicy(forwardingMode, defaultDestinationPolicy),
       serverEndpoint: this.config.serverEndpoint
         ? `${this.config.serverEndpoint}:${wgListenPort}`
         : undefined,
@@ -189,6 +193,7 @@ export class VpnManager {
       this.vpnServer.stop();
       this.vpnServer = undefined;
     }
+    this.resolvedForwardingMode = undefined;
     logger.log('info', 'VPN server stopped');
   }
 
@@ -213,14 +218,38 @@ export class VpnManager {
       throw new Error('VPN server not running');
     }
 
+    await this.ensureForwardingModeForHostIpClient(opts.useHostIp === true);
+
+    const doc = new VpnClientDoc();
+    doc.clientId = opts.clientId;
+    doc.enabled = true;
+    doc.targetProfileIds = opts.targetProfileIds;
+    doc.description = opts.description;
+    doc.destinationAllowList = opts.destinationAllowList;
+    doc.destinationBlockList = opts.destinationBlockList;
+    doc.useHostIp = opts.useHostIp;
+    doc.useDhcp = opts.useDhcp;
+    doc.staticIp = opts.staticIp;
+    doc.forceVlan = opts.forceVlan;
+    doc.vlanId = opts.vlanId;
+    doc.createdAt = Date.now();
+    doc.updatedAt = Date.now();
+    this.normalizeClientRoutingSettings(doc);
+
     const bundle = await this.vpnServer.createClient({
-      clientId: opts.clientId,
-      description: opts.description,
+      clientId: doc.clientId,
+      description: doc.description,
+      security: this.buildClientSecurity(doc),
+      useHostIp: doc.useHostIp,
+      useDhcp: doc.useDhcp,
+      staticIp: doc.staticIp,
+      forceVlan: doc.forceVlan,
+      vlanId: doc.vlanId,
     });
 
     // Override AllowedIPs with per-client values based on target profiles
     if (this.config.getClientAllowedIPs && bundle.wireguardConfig) {
-      const allowedIPs = await this.config.getClientAllowedIPs(opts.targetProfileIds || []);
+      const allowedIPs = await this.config.getClientAllowedIPs(doc.targetProfileIds || []);
       bundle.wireguardConfig = bundle.wireguardConfig.replace(
         /AllowedIPs\s*=\s*.+/,
         `AllowedIPs = ${allowedIPs.join(', ')}`,
@@ -228,40 +257,16 @@ export class VpnManager {
     }
 
     // Persist client entry (including WG private key for export/QR)
-    const doc = new VpnClientDoc();
     doc.clientId = bundle.entry.clientId;
     doc.enabled = bundle.entry.enabled ?? true;
-    doc.targetProfileIds = opts.targetProfileIds;
     doc.description = bundle.entry.description;
     doc.assignedIp = bundle.entry.assignedIp;
     doc.noisePublicKey = bundle.entry.publicKey;
     doc.wgPublicKey = bundle.entry.wgPublicKey || '';
     doc.wgPrivateKey = bundle.secrets?.wgPrivateKey
       || bundle.wireguardConfig?.match(/PrivateKey\s*=\s*(.+)/)?.[1]?.trim();
-    doc.createdAt = Date.now();
     doc.updatedAt = Date.now();
     doc.expiresAt = bundle.entry.expiresAt;
-    if (opts.destinationAllowList !== undefined) {
-      doc.destinationAllowList = opts.destinationAllowList;
-    }
-    if (opts.destinationBlockList !== undefined) {
-      doc.destinationBlockList = opts.destinationBlockList;
-    }
-    if (opts.useHostIp !== undefined) {
-      doc.useHostIp = opts.useHostIp;
-    }
-    if (opts.useDhcp !== undefined) {
-      doc.useDhcp = opts.useDhcp;
-    }
-    if (opts.staticIp !== undefined) {
-      doc.staticIp = opts.staticIp;
-    }
-    if (opts.forceVlan !== undefined) {
-      doc.forceVlan = opts.forceVlan;
-    }
-    if (opts.vlanId !== undefined) {
-      doc.vlanId = opts.vlanId;
-    }
     this.clients.set(doc.clientId, doc);
     try {
       await this.persistClient(doc);
@@ -276,12 +281,6 @@ export class VpnManager {
       throw err;
     }
 
-    // Sync per-client security to the running daemon
-    const security = this.buildClientSecurity(doc);
-    if (security.destinationPolicy) {
-      await this.vpnServer!.updateClient(doc.clientId, { security });
-    }
-
     this.config.onClientChanged?.();
     return bundle;
   }
@@ -364,13 +363,13 @@ export class VpnManager {
     if (update.staticIp !== undefined) client.staticIp = update.staticIp;
     if (update.forceVlan !== undefined) client.forceVlan = update.forceVlan;
     if (update.vlanId !== undefined) client.vlanId = update.vlanId;
+    this.normalizeClientRoutingSettings(client);
     client.updatedAt = Date.now();
     await this.persistClient(client);
 
-    // Sync per-client security to the running daemon
     if (this.vpnServer) {
-      const security = this.buildClientSecurity(client);
-      await this.vpnServer.updateClient(clientId, { security });
+      await this.ensureForwardingModeForHostIpClient(client.useHostIp === true);
+      await this.vpnServer.updateClient(clientId, this.buildClientRuntimeUpdate(client));
     }
 
     this.config.onClientChanged?.();
@@ -478,26 +477,28 @@ export class VpnManager {
 
   /**
    * Build per-client security settings for the smartvpn daemon.
-   * All VPN traffic is forced through SmartProxy (forceTarget to 127.0.0.1).
-   * TargetProfile direct IP:port targets bypass SmartProxy via allowList.
+   * TargetProfile direct IP:port targets extend the effective allow-list.
    */
   private buildClientSecurity(client: VpnClientDoc): plugins.smartvpn.IClientSecurity {
     const security: plugins.smartvpn.IClientSecurity = {};
+    const basePolicy = this.getBaseDestinationPolicy(client);
 
-    // Collect direct targets from assigned TargetProfiles (bypass forceTarget for these IPs)
     const profileDirectTargets = this.config.getClientDirectTargets?.(client.targetProfileIds || []) || [];
-
-    // Merge with per-client explicit allow list
-    const mergedAllowList = [
-      ...(client.destinationAllowList || []),
-      ...profileDirectTargets,
-    ];
+    const mergedAllowList = this.mergeDestinationLists(
+      basePolicy.allowList,
+      client.destinationAllowList,
+      profileDirectTargets,
+    );
+    const mergedBlockList = this.mergeDestinationLists(
+      basePolicy.blockList,
+      client.destinationBlockList,
+    );
 
     security.destinationPolicy = {
-      default: 'forceTarget' as const,
-      target: '127.0.0.1',
+      default: basePolicy.default,
+      target: basePolicy.default === 'forceTarget' ? basePolicy.target : undefined,
       allowList: mergedAllowList.length ? mergedAllowList : undefined,
-      blockList: client.destinationBlockList,
+      blockList: mergedBlockList.length ? mergedBlockList : undefined,
     };
 
     return security;
@@ -510,10 +511,7 @@ export class VpnManager {
   public async refreshAllClientSecurity(): Promise<void> {
     if (!this.vpnServer) return;
     for (const client of this.clients.values()) {
-      const security = this.buildClientSecurity(client);
-      if (security.destinationPolicy) {
-        await this.vpnServer.updateClient(client.clientId, { security });
-      }
+      await this.vpnServer.updateClient(client.clientId, this.buildClientRuntimeUpdate(client));
     }
   }
 
@@ -550,6 +548,7 @@ export class VpnManager {
   private async loadPersistedClients(): Promise<void> {
     const docs = await VpnClientDoc.findAll();
     for (const doc of docs) {
+      this.normalizeClientRoutingSettings(doc);
       this.clients.set(doc.clientId, doc);
     }
     if (this.clients.size > 0) {
@@ -557,6 +556,93 @@ export class VpnManager {
     }
   }
 
+  private getResolvedForwardingMode(): 'socket' | 'bridge' | 'hybrid' {
+    return this.resolvedForwardingMode
+      ?? this.forwardingModeOverride
+      ?? this.config.forwardingMode
+      ?? 'socket';
+  }
+
+  private getDefaultDestinationPolicy(
+    forwardingMode: 'socket' | 'bridge' | 'hybrid',
+    useHostIp = false,
+  ): plugins.smartvpn.IDestinationPolicy {
+    if (forwardingMode === 'bridge' || (forwardingMode === 'hybrid' && useHostIp)) {
+      return { default: 'allow' };
+    }
+    return { default: 'forceTarget', target: '127.0.0.1' };
+  }
+
+  private getServerDestinationPolicy(
+    forwardingMode: 'socket' | 'bridge' | 'hybrid',
+    fallbackPolicy = this.getDefaultDestinationPolicy(forwardingMode),
+  ): plugins.smartvpn.IDestinationPolicy {
+    return this.config.destinationPolicy ?? fallbackPolicy;
+  }
+
+  private getBaseDestinationPolicy(client: Pick<VpnClientDoc, 'useHostIp'>): plugins.smartvpn.IDestinationPolicy {
+    if (this.config.destinationPolicy) {
+      return { ...this.config.destinationPolicy };
+    }
+    return this.getDefaultDestinationPolicy(this.getResolvedForwardingMode(), client.useHostIp === true);
+  }
+
+  private mergeDestinationLists(...lists: Array<string[] | undefined>): string[] {
+    const merged = new Set<string>();
+    for (const list of lists) {
+      for (const entry of list || []) {
+        merged.add(entry);
+      }
+    }
+    return [...merged];
+  }
+
+  private normalizeClientRoutingSettings(
+    client: Pick<VpnClientDoc, 'useHostIp' | 'useDhcp' | 'staticIp' | 'forceVlan' | 'vlanId'>,
+  ): void {
+    client.useHostIp = client.useHostIp === true;
+
+    if (!client.useHostIp) {
+      client.useDhcp = false;
+      client.staticIp = undefined;
+      client.forceVlan = false;
+      client.vlanId = undefined;
+      return;
+    }
+
+    client.useDhcp = client.useDhcp === true;
+    if (client.useDhcp) {
+      client.staticIp = undefined;
+    }
+
+    client.forceVlan = client.forceVlan === true;
+    if (!client.forceVlan) {
+      client.vlanId = undefined;
+    }
+  }
+
+  private buildClientRuntimeUpdate(client: VpnClientDoc): Partial<plugins.smartvpn.IClientEntry> {
+    return {
+      description: client.description,
+      security: this.buildClientSecurity(client),
+      useHostIp: client.useHostIp,
+      useDhcp: client.useDhcp,
+      staticIp: client.staticIp,
+      forceVlan: client.forceVlan,
+      vlanId: client.vlanId,
+    };
+  }
+
+  private async ensureForwardingModeForHostIpClient(useHostIp: boolean): Promise<void> {
+    if (!useHostIp || !this.vpnServer) return;
+    if (this.getResolvedForwardingMode() !== 'socket') return;
+
+    logger.log('info', 'VPN: Restarting server in hybrid mode to support a host-IP client');
+    this.forwardingModeOverride = 'hybrid';
+    await this.stop();
+    await this.start();
+  }
+
   private async persistClient(client: VpnClientDoc): Promise<void> {
     await client.save();
   }

ts_interfaces/data/target-profile.ts

@@ -21,7 +21,7 @@ export interface ITargetProfile {
   domains?: string[];
   /** Specific IP:port targets this profile grants access to */
   targets?: ITargetProfileTarget[];
-  /** Route references by stored route ID or route name */
+  /** Route references by stored route ID. Legacy route names are normalized when unique. */
   routeRefs?: string[];
   createdAt: number;
   updatedAt: number;

ts_migrations/index.ts

@@ -21,6 +21,30 @@ export interface IMigrationRunner {
   run(): Promise<IMigrationRunResult>;
 }
 
+async function migrateTargetProfileTargetHosts(ctx: {
+  mongo?: { collection: (name: string) => any };
+  log: { log: (level: 'info', message: string) => void };
+}): Promise<void> {
+  const collection = ctx.mongo!.collection('TargetProfileDoc');
+  const cursor = collection.find({ 'targets.host': { $exists: true } });
+  let migrated = 0;
+
+  for await (const doc of cursor) {
+    const targets = ((doc as any).targets || []).map((target: any) => {
+      if (target && typeof target === 'object' && 'host' in target && !('ip' in target)) {
+        const { host, ...rest } = target;
+        return { ...rest, ip: host };
+      }
+      return target;
+    });
+
+    await collection.updateOne({ _id: (doc as any)._id }, { $set: { targets } });
+    migrated++;
+  }
+
+  ctx.log.log('info', `rename-target-profile-host-to-ip: migrated ${migrated} profile(s)`);
+}
+
 /**
  * Create a configured SmartMigration runner with all dcrouter migration steps registered.
  *
@@ -48,23 +72,7 @@ export async function createMigrationRunner(
     .step('rename-target-profile-host-to-ip')
     .from('13.0.11').to('13.1.0')
     .description('Rename ITargetProfileTarget.host → ip on all target profiles')
-    .up(async (ctx) => {
-      const collection = ctx.mongo!.collection('targetprofiledoc');
-      const cursor = collection.find({ 'targets.host': { $exists: true } });
-      let migrated = 0;
-      for await (const doc of cursor) {
-        const targets = ((doc as any).targets || []).map((t: any) => {
-          if (t && typeof t === 'object' && 'host' in t && !('ip' in t)) {
-            const { host, ...rest } = t;
-            return { ...rest, ip: host };
-          }
-          return t;
-        });
-        await collection.updateOne({ _id: (doc as any)._id }, { $set: { targets } });
-        migrated++;
-      }
-      ctx.log.log('info', `rename-target-profile-host-to-ip: migrated ${migrated} profile(s)`);
-    })
+    .up(async (ctx) => migrateTargetProfileTargetHosts(ctx))
     .step('rename-domain-source-manual-to-dcrouter')
     .from('13.1.0').to('13.8.1')
     .description('Rename DomainDoc.source value from "manual" to "dcrouter"')
@@ -120,6 +128,12 @@ export async function createMigrationRunner(
         await db.collection('RouteOverrideDoc').drop();
         ctx.log.log('info', 'Dropped RouteOverrideDoc collection');
       }
+    })
+    .step('repair-target-profile-ip-migration')
+    .from('13.16.0').to('13.17.4')
+    .description('Repair TargetProfileDoc.targets host→ip migration for already-upgraded installs')
+    .up(async (ctx) => {
+      await migrateTargetProfileTargetHosts(ctx);
     });
 
   return migration;

ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.17.2',
+  version: '13.18.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts_web/elements/network/ops-view-network-activity.ts

@@ -374,7 +374,7 @@ export class OpsViewNetworkActivity extends DeesElement {
         type: 'number',
         icon: 'lucide:Plug',
         color: activeConnections > 100 ? '#f59e0b' : '#22c55e',
-        description: `Total: ${this.networkState.requestsTotal || this.statsState.serverStats?.totalConnections || 0}`,
+        description: `Total: ${this.formatNumber(this.statsState.serverStats?.totalConnections || 0)} connections`,
         actions: [
           {
             name: 'View Details',

ts_web/elements/network/ops-view-routes.ts

@@ -227,10 +227,10 @@ export class OpsViewRoutes extends DeesElement {
         ></dees-statsgrid>
 
         <dees-input-multitoggle
+          class="routeFilterToggle"
           .type=${'single'}
           .options=${['User Routes', 'System Routes']}
           .selectedOption=${this.routeFilter}
-          @change=${(e: any) => { this.routeFilter = e.target.value || e.target.selectedOption; }}
         ></dees-input-multitoggle>
 
         ${warnings.length > 0
@@ -677,5 +677,13 @@ export class OpsViewRoutes extends DeesElement {
 
   async firstUpdated() {
     await appstate.routeManagementStatePart.dispatchAction(appstate.fetchMergedRoutesAction, null);
+
+    const toggle = this.shadowRoot!.querySelector('.routeFilterToggle') as any;
+    if (toggle) {
+      const sub = toggle.changeSubject.subscribe(() => {
+        this.routeFilter = toggle.selectedOption;
+      });
+      this.rxSubscriptions.push(sub);
+    }
   }
 }

ts_web/elements/network/ops-view-targetprofiles.ts

@@ -95,7 +95,7 @@ export class OpsViewTargetProfiles extends DeesElement {
               ? html`${profile.targets.map(t => html`<span class="tagBadge">${t.ip}:${t.port}</span>`)}`
               : '-',
             'Route Refs': profile.routeRefs?.length
-              ? html`${profile.routeRefs.map(r => html`<span class="tagBadge">${r}</span>`)}`
+              ? html`${profile.routeRefs.map(r => html`<span class="tagBadge">${this.formatRouteRef(r)}</span>`)}`
               : '-',
             Created: new Date(profile.createdAt).toLocaleDateString(),
           })}
@@ -149,12 +149,57 @@ export class OpsViewTargetProfiles extends DeesElement {
     `;
   }
 
-  private getRouteCandidates() {
+  private getRouteChoices() {
     const routeState = appstate.routeManagementStatePart.getState();
     const routes = routeState?.mergedRoutes || [];
     return routes
-      .filter((mr) => mr.route.name)
-      .map((mr) => ({ viewKey: mr.route.name! }));
+      .filter((mr) => mr.route.name && mr.id)
+      .map((mr) => ({
+        routeId: mr.id!,
+        routeName: mr.route.name!,
+        label: `${mr.route.name} (${mr.id})`,
+      }));
+  }
+
+  private getRouteCandidates() {
+    return this.getRouteChoices().map((route) => ({ viewKey: route.label }));
+  }
+
+  private resolveRouteRefsToLabels(routeRefs?: string[]): string[] | undefined {
+    if (!routeRefs?.length) return undefined;
+
+    const routeChoices = this.getRouteChoices();
+    const routeById = new Map(routeChoices.map((route) => [route.routeId, route.label]));
+    const routeByName = new Map<string, string[]>();
+
+    for (const route of routeChoices) {
+      const labels = routeByName.get(route.routeName) || [];
+      labels.push(route.label);
+      routeByName.set(route.routeName, labels);
+    }
+
+    return routeRefs.map((routeRef) => {
+      const routeLabel = routeById.get(routeRef);
+      if (routeLabel) return routeLabel;
+
+      const labelsForName = routeByName.get(routeRef) || [];
+      if (labelsForName.length === 1) return labelsForName[0];
+
+      return routeRef;
+    });
+  }
+
+  private resolveRouteLabelsToRefs(routeRefs: string[]): string[] {
+    if (!routeRefs.length) return [];
+
+    const labelToId = new Map(
+      this.getRouteChoices().map((route) => [route.label, route.routeId]),
+    );
+    return routeRefs.map((routeRef) => labelToId.get(routeRef) || routeRef);
+  }
+
+  private formatRouteRef(routeRef: string): string {
+    return this.resolveRouteRefsToLabels([routeRef])?.[0] || routeRef;
   }
 
   private async ensureRoutesLoaded() {
@@ -203,7 +248,9 @@ export class OpsViewTargetProfiles extends DeesElement {
                 };
               })
               .filter((t): t is { ip: string; port: number } => t !== null && !isNaN(t.port));
-            const routeRefs: string[] = Array.isArray(data.routeRefs) ? data.routeRefs : [];
+            const routeRefs = this.resolveRouteLabelsToRefs(
+              Array.isArray(data.routeRefs) ? data.routeRefs : [],
+            );
 
             await appstate.targetProfilesStatePart.dispatchAction(appstate.createTargetProfileAction, {
               name: String(data.name),
@@ -222,7 +269,7 @@ export class OpsViewTargetProfiles extends DeesElement {
   private async showEditProfileDialog(profile: interfaces.data.ITargetProfile) {
     const currentDomains = profile.domains || [];
     const currentTargets = profile.targets?.map(t => `${t.ip}:${t.port}`) || [];
-    const currentRouteRefs = profile.routeRefs || [];
+    const currentRouteRefs = this.resolveRouteRefsToLabels(profile.routeRefs) || [];
 
     const { DeesModal } = await import('@design.estate/dees-catalog');
     await this.ensureRoutesLoaded();
@@ -261,7 +308,9 @@ export class OpsViewTargetProfiles extends DeesElement {
                 };
               })
               .filter((t): t is { ip: string; port: number } => t !== null && !isNaN(t.port));
-            const routeRefs: string[] = Array.isArray(data.routeRefs) ? data.routeRefs : [];
+            const routeRefs = this.resolveRouteLabelsToRefs(
+              Array.isArray(data.routeRefs) ? data.routeRefs : [],
+            );
 
             await appstate.targetProfilesStatePart.dispatchAction(appstate.updateTargetProfileAction, {
               id: profile.id,
@@ -336,7 +385,7 @@ export class OpsViewTargetProfiles extends DeesElement {
             <div style="font-size: 11px; font-weight: 600; text-transform: uppercase; letter-spacing: 0.05em; color: ${cssManager.bdTheme('#6b7280', '#9ca3af')};">Route Refs</div>
             <div style="font-size: 14px; margin-top: 4px;">
               ${profile.routeRefs?.length
-                ? profile.routeRefs.map(r => html`<span class="tagBadge">${r}</span>`)
+                ? profile.routeRefs.map(r => html`<span class="tagBadge">${this.formatRouteRef(r)}</span>`)
                 : '-'}
             </div>
           </div>

ts_web/elements/network/ops-view-vpn.ts

@@ -28,7 +28,7 @@ function setupFormVisibility(formEl: any) {
     const staticIpGroup = contentEl.querySelector('.staticIpGroup') as HTMLElement;
     const vlanIdGroup = contentEl.querySelector('.vlanIdGroup') as HTMLElement;
     const aclGroup = contentEl.querySelector('.aclGroup') as HTMLElement;
-    if (hostIpGroup) hostIpGroup.style.display = show; // always show (forceTarget is always on)
+    if (hostIpGroup) hostIpGroup.style.display = show;
     if (hostIpDetails) hostIpDetails.style.display = data.useHostIp ? show : 'none';
     if (staticIpGroup) staticIpGroup.style.display = data.useDhcp ? 'none' : show;
     if (vlanIdGroup) vlanIdGroup.style.display = data.forceVlan ? show : 'none';
@@ -390,7 +390,7 @@ export class OpsViewVpn extends DeesElement {
                       if (!form) return;
                       const data = await form.collectFormData();
                       if (!data.clientId) return;
-                      const targetProfileIds = this.resolveProfileNamesToIds(
+                      const targetProfileIds = this.resolveProfileLabelsToIds(
                         Array.isArray(data.targetProfileNames) ? data.targetProfileNames : [],
                       );
 
@@ -414,10 +414,10 @@ export class OpsViewVpn extends DeesElement {
                         description: data.description || undefined,
                         targetProfileIds,
 
-                        useHostIp: useHostIp || undefined,
-                        useDhcp: useDhcp || undefined,
+                        useHostIp,
+                        useDhcp,
                         staticIp,
-                        forceVlan: forceVlan || undefined,
+                        forceVlan,
                         vlanId,
                         destinationAllowList,
                         destinationBlockList,
@@ -485,7 +485,7 @@ export class OpsViewVpn extends DeesElement {
                       <div class="infoItem"><span class="infoLabel">Transport</span><span class="infoValue">${conn.transport}</span></div>
                     ` : ''}
                     <div class="infoItem"><span class="infoLabel">Description</span><span class="infoValue">${client.description || '-'}</span></div>
-                    <div class="infoItem"><span class="infoLabel">Target Profiles</span><span class="infoValue">${this.resolveProfileIdsToNames(client.targetProfileIds)?.join(', ') || '-'}</span></div>
+                    <div class="infoItem"><span class="infoLabel">Target Profiles</span><span class="infoValue">${this.resolveProfileIdsToLabels(client.targetProfileIds)?.join(', ') || '-'}</span></div>
                     <div class="infoItem"><span class="infoLabel">Routing</span><span class="infoValue">${client.useHostIp ? 'Host IP' : 'SmartProxy'}</span></div>
                     ${client.useHostIp ? html`
                       <div class="infoItem"><span class="infoLabel">Host IP</span><span class="infoValue">${client.useDhcp ? 'DHCP' : client.staticIp ? `Static: ${client.staticIp}` : 'Not configured'}</span></div>
@@ -649,7 +649,7 @@ export class OpsViewVpn extends DeesElement {
               const client = actionData.item as interfaces.data.IVpnClient;
               const { DeesModal } = await import('@design.estate/dees-catalog');
               const currentDescription = client.description ?? '';
-              const currentTargetProfileNames = this.resolveProfileIdsToNames(client.targetProfileIds) || [];
+              const currentTargetProfileNames = this.resolveProfileIdsToLabels(client.targetProfileIds) || [];
               const profileCandidates = this.getTargetProfileCandidates();
               const currentUseHostIp = client.useHostIp ?? false;
               const currentUseDhcp = client.useDhcp ?? false;
@@ -695,7 +695,7 @@ export class OpsViewVpn extends DeesElement {
                       const form = modalArg.shadowRoot?.querySelector('.content')?.querySelector('dees-form');
                       if (!form) return;
                       const data = await form.collectFormData();
-                      const targetProfileIds = this.resolveProfileNamesToIds(
+                      const targetProfileIds = this.resolveProfileLabelsToIds(
                         Array.isArray(data.targetProfileNames) ? data.targetProfileNames : [],
                       );
 
@@ -719,10 +719,10 @@ export class OpsViewVpn extends DeesElement {
                         description: data.description || undefined,
                         targetProfileIds,
 
-                        useHostIp: useHostIp || undefined,
-                        useDhcp: useDhcp || undefined,
+                        useHostIp,
+                        useDhcp,
                         staticIp,
-                        forceVlan: forceVlan || undefined,
+                        forceVlan,
                         vlanId,
                         destinationAllowList,
                         destinationBlockList,
@@ -811,41 +811,52 @@ export class OpsViewVpn extends DeesElement {
   }
 
   /**
-   * Build autocomplete candidates from loaded target profiles.
-   * viewKey = profile name (displayed), payload = { id } (carried for resolution).
+   * Build stable profile labels for list inputs.
    */
-  private getTargetProfileCandidates() {
+  private getTargetProfileChoices() {
     const profileState = appstate.targetProfilesStatePart.getState();
     const profiles = profileState?.profiles || [];
-    return profiles.map((p) => ({ viewKey: p.name, payload: { id: p.id } }));
+    const nameCounts = new Map<string, number>();
+
+    for (const profile of profiles) {
+      nameCounts.set(profile.name, (nameCounts.get(profile.name) || 0) + 1);
+    }
+
+    return profiles.map((profile) => ({
+      id: profile.id,
+      label: (nameCounts.get(profile.name) || 0) > 1
+        ? `${profile.name} (${profile.id})`
+        : profile.name,
+    }));
+  }
+
+  private getTargetProfileCandidates() {
+    return this.getTargetProfileChoices().map((profile) => ({ viewKey: profile.label }));
   }
 
   /**
-   * Convert profile IDs to profile names (for populating edit form values).
+   * Convert profile IDs to form labels (for populating edit form values).
    */
-  private resolveProfileIdsToNames(ids?: string[]): string[] | undefined {
+  private resolveProfileIdsToLabels(ids?: string[]): string[] | undefined {
     if (!ids?.length) return undefined;
-    const profileState = appstate.targetProfilesStatePart.getState();
-    const profiles = profileState?.profiles || [];
+    const choices = this.getTargetProfileChoices();
+    const labelsById = new Map(choices.map((profile) => [profile.id, profile.label]));
     return ids.map((id) => {
-      const profile = profiles.find((p) => p.id === id);
-      return profile?.name || id;
+      return labelsById.get(id) || id;
     });
   }
 
   /**
-   * Convert profile names back to IDs (for saving form data).
-   * Uses the dees-input-list candidates' payload when available.
+   * Convert profile form labels back to IDs.
    */
-  private resolveProfileNamesToIds(names: string[]): string[] | undefined {
-    if (!names.length) return undefined;
-    const profileState = appstate.targetProfilesStatePart.getState();
-    const profiles = profileState?.profiles || [];
-    return names
-      .map((name) => {
-        const profile = profiles.find((p) => p.name === name);
-        return profile?.id;
-      })
+  private resolveProfileLabelsToIds(labels: string[]): string[] {
+    if (!labels.length) return [];
+
+    const labelsToIds = new Map(
+      this.getTargetProfileChoices().map((profile) => [profile.label, profile.id]),
+    );
+    return labels
+      .map((label) => labelsToIds.get(label))
       .filter((id): id is string => !!id);
   }
 }