v13.31.0

feat(opsserver): add admin user create/delete management and default hosted idp.global auth support
v13.30.0
2026-05-19 17:06:52 +00:00 · 2026-05-19 17:06:50 +00:00 · 2026-05-18 16:09:40 +00:00 · 2026-05-18 16:09:26 +00:00 · 2026-05-14 00:43:14 +00:00 · 2026-05-14 00:42:58 +00:00
28 changed files with 1929 additions and 454 deletions
@@ -23,11 +23,14 @@
        "outputMode": "bundle",
        "bundler": "esbuild",
        "production": true,
-        "includeFiles": ["./html/**/*.html"]
+        "includeFiles": [
+          "./html/**/*.html"
+        ]
      }
    ]
  },
  "@git.zone/cli": {
+    "schemaVersion": 2,
    "projectType": "service",
    "module": {
      "githost": "code.foss.global",
@@ -60,18 +63,37 @@
      ]
    },
    "release": {
-      "registries": [
-        "https://verdaccio.lossless.digital",
-        "https://registry.npmjs.org"
-      ],
-      "accessLevel": "public"
+      "targets": {
+        "git": {
+          "enabled": true,
+          "remote": "origin"
+        },
+        "npm": {
+          "enabled": true,
+          "registries": [
+            "https://verdaccio.lossless.digital",
+            "https://registry.npmjs.org"
+          ],
+          "accessLevel": "public"
+        },
+        "docker": {
+          "enabled": true,
+          "engine": "tsdocker"
+        }
+      }
    }
  },
  "@git.zone/tsdocker": {
-    "registries": ["code.foss.global"],
+    "registries": [
+      "code.foss.global"
+    ],
    "registryRepoMap": {
      "code.foss.global": "serve.zone/dcrouter"
    },
-    "platforms": ["linux/amd64", "linux/arm64"]
-  }
-}
+    "platforms": [
+      "linux/amd64",
+      "linux/arm64"
+    ]
+  },
+  "@ship.zone/szci": {}
+}
@@ -1,5 +1,57 @@
 # Changelog

+## Pending
+
+
+
+
+
+## 2026-05-19 - 13.31.0
+
+### Features
+
+- add admin user create/delete management and default hosted idp.global auth support (opsserver)
+  - adds admin-only createUser and deleteUser typed requests with safeguards against deleting the current user or last active admin
+  - updates the ops users UI to create and delete users, show richer account details, and support optional idp.global login during account creation
+  - treats idp.global as available by default via the hosted https://idp.global endpoint while keeping URL settings as optional overrides
+  - adds VPN-only route controls and indicators in the ops routes UI
+
+## 2026-05-18 - 13.30.0
+
+### Features
+
+- document first-admin bootstrap flow and update authentication examples (docs)
+  - Add README guidance for explicit initial admin creation on DB-backed instances across the main package, API client, interfaces, and web dashboard docs.
+  - Update authentication examples to use persisted admin email/password credentials instead of the old default admin login.
+  - Refresh dependency versions in package.json to align documentation with current package releases.
+
+## 2026-05-14 - 13.29.1
+
+### Fixes
+
+- enable npm publishing in smartconfig (smartconfig)
+  - Sets the npm integration flag to true in .smartconfig.json
+  - Keeps the configured Verdaccio and npmjs registries unchanged
+
+## 2026-05-14 - 13.29.0
+
+### Fixes
+
+- harden VPN route access and wireguard client configuration handling (vpn)
+  - Fail closed for vpnOnly routes when no VPN client IPs are available by replacing allow lists and enforcing a block-all fallback
+  - Refresh route application and VPN client security after target profile creation so profile changes take effect immediately
+  - Validate vpnConfig.serverEndpoint, require persisted config managers for VPN startup, and normalize WireGuard AllowedIPs during client creation, export, and key rotation
+  - Switch smartvpn server setup to wireguard transport with a localhost-only listener and await async server stop operations consistently
+
+### Features
+
+- add persisted admin bootstrap flow with optional idp.global authentication (opsserver-admin)
+  - introduces bootstrap status and initial admin creation endpoints for OpsServer
+  - switches admin authentication from ephemeral-only users to database-backed accounts when a persistent admin exists
+  - adds optional idp.global login support for admin accounts and exposes auth source metadata in user listings
+  - updates the web dashboard to prompt creation of the first persisted admin account
+  - adds integration coverage for bootstrap, persisted login, identity invalidation, and user listing behavior
+
 ## 2026-05-09 - 13.28.0 - feat(gateway-clients)
 add managed gateway client administration and token-bound route ownership

@@ -2612,4 +2664,4 @@ Applied a core fix.
 - Fixed core functionality for version 1.0.1

 –––––––––––––––––––––––
-Note: Versions that only contained version bumps (for example, 1.0.11 and the plain "1.0.x" commits) have been omitted from individual entries and are implicitly included in the version ranges above.
+Note: Versions that only contained version bumps (for example, 1.0.11 and the plain "1.0.x" commits) have been omitted from individual entries and are implicitly included in the version ranges above.
@@ -1,7 +1,7 @@
 {
  "name": "@serve.zone/dcrouter",
  "private": false,
-  "version": "13.28.0",
+  "version": "13.31.0",
  "description": "A multifaceted routing service handling mail and SMS delivery functions.",
  "type": "module",
  "exports": {
@@ -22,22 +22,23 @@
    "watch": "tswatch"
  },
  "devDependencies": {
-    "@git.zone/tsbuild": "^4.4.0",
-    "@git.zone/tsbundle": "^2.10.1",
-    "@git.zone/tsdocker": "^2.2.5",
-    "@git.zone/tsrun": "^2.0.3",
-    "@git.zone/tstest": "^3.6.3",
-    "@git.zone/tswatch": "^3.3.3",
-    "@types/node": "^25.6.1"
+    "@git.zone/tsbuild": "^4.4.1",
+    "@git.zone/tsbundle": "^2.10.4",
+    "@git.zone/tsdocker": "^2.3.0",
+    "@git.zone/tsrun": "^2.0.4",
+    "@git.zone/tstest": "^3.6.6",
+    "@git.zone/tswatch": "^3.3.5",
+    "@types/node": "^25.9.0"
  },
  "dependencies": {
-    "@api.global/typedrequest": "^3.3.0",
+    "@api.global/typedrequest": "^3.3.1",
    "@api.global/typedrequest-interfaces": "^3.0.19",
    "@api.global/typedserver": "^8.4.6",
-    "@api.global/typedsocket": "^4.1.2",
+    "@api.global/typedsocket": "^4.1.3",
    "@apiclient.xyz/cloudflare": "^7.1.0",
    "@design.estate/dees-catalog": "^3.81.0",
    "@design.estate/dees-element": "^2.2.4",
+    "@idp.global/sdk": "^1.3.1",
    "@push.rocks/lik": "^6.4.1",
    "@push.rocks/projectinfo": "^5.1.0",
    "@push.rocks/qenv": "^6.1.4",
@@ -55,20 +56,20 @@
    "@push.rocks/smartnetwork": "^4.7.1",
    "@push.rocks/smartpath": "^6.0.0",
    "@push.rocks/smartpromise": "^4.2.4",
-    "@push.rocks/smartproxy": "^27.10.0",
+    "@push.rocks/smartproxy": "^27.10.2",
    "@push.rocks/smartradius": "^1.1.2",
    "@push.rocks/smartrequest": "^5.0.3",
    "@push.rocks/smartrx": "^3.0.10",
    "@push.rocks/smartstate": "^2.3.1",
    "@push.rocks/smartunique": "^3.0.9",
-    "@push.rocks/smartvpn": "1.19.2",
+    "@push.rocks/smartvpn": "1.19.4",
    "@push.rocks/taskbuffer": "^8.0.2",
    "@serve.zone/catalog": "^2.12.4",
-    "@serve.zone/interfaces": "^5.5.0",
+    "@serve.zone/interfaces": "^5.8.0",
    "@serve.zone/remoteingress": "^4.17.1",
    "@tsclass/tsclass": "^9.5.1",
    "@types/qrcode": "^1.5.6",
-    "lru-cache": "^11.3.6",
+    "lru-cache": "^11.4.0",
    "qrcode": "^1.5.4",
    "uuid": "^14.0.0"
  },
@@ -73,10 +73,22 @@ await router.start();
 After startup:

 - open the dashboard at `http://localhost:3000`
- log in with the current built-in development credentials `admin` / `admin`
+- complete the first-admin bootstrap flow if no persisted admin account exists yet
 - send proxied traffic to `http://localhost:18080`
 - stop gracefully with `await router.stop()`

+## Initial Admin Bootstrap
+
+When DB-backed persistence is enabled and no persisted admin exists, dcrouter does not auto-create an admin account. The Ops dashboard exposes a non-cancelable first-admin bootstrap flow that must be completed explicitly.
+
+Bootstrap behavior:
+
+- `getAdminBootstrapStatus` reports whether persistence is ready and whether a first admin is required.
+- The temporary env/config admin identity is only used to authorize bootstrap access while no persisted admin exists.
+- `createInitialAdminUser` creates the first persisted admin with normalized email and local password authentication.
+- Optional `idp.global` authentication can be enabled for that local account. The hosted `https://idp.global` endpoint is used by default, `adminAuth.idpGlobalUrl` or `DCROUTER_IDP_GLOBAL_URL` only override it, and the local dcrouter role remains authoritative.
+- After a persisted admin exists, temporary bootstrap admin login is rejected and normal persisted-account authentication is used.
+
 ## Configuration Model

 `DcRouter` is configured with `IDcRouterOptions` from `@serve.zone/dcrouter`.
@@ -199,7 +211,7 @@ const client = new DcRouterApiClient({
  baseUrl: 'https://dcrouter.example.com',
 });

-await client.login('admin', 'admin');
+await client.login('admin@example.com', 'strong-password');

 const route = await client.routes.build()
  .setName('api-gateway')
@@ -279,7 +291,7 @@ Use of these trademarks must comply with Task Venture Capital GmbH's Trademark G

 ### Company Information

-Task Venture Capital GmbH
+Task Venture Capital GmbH  
 Registered at District Court Bremen HRB 35230 HB, Germany

 For any legal inquiries or further information, please contact us via email at hello@task.vc.
@@ -0,0 +1,249 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { TypedRequest } from '@api.global/typedrequest';
+import { OpsServer } from '../ts/opsserver/index.js';
+import { DcRouterDb } from '../ts/db/index.js';
+import * as plugins from '../ts/plugins.js';
+import * as interfaces from '../ts_interfaces/index.js';
+
+const testPort = 3110;
+const baseUrl = `http://localhost:${testPort}/typedrequest`;
+const bootstrapPassword = 'temporary-bootstrap-password';
+const persistedPassword = 'persisted-admin-password';
+
+let previousAdminPassword: string | undefined;
+let opsServer: OpsServer;
+let testDb: DcRouterDb;
+let storagePath: string;
+let bootstrapIdentity: interfaces.data.IIdentity;
+let persistedIdentity: interfaces.data.IIdentity;
+let createdUserId: string;
+
+const createStatusRequest = () => new TypedRequest<interfaces.requests.IReq_GetAdminBootstrapStatus>(
+  baseUrl,
+  'getAdminBootstrapStatus',
+);
+
+const createLoginRequest = () => new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
+  baseUrl,
+  'adminLoginWithUsernameAndPassword',
+);
+
+tap.test('setup db-backed OpsServer admin bootstrap test', async () => {
+  previousAdminPassword = process.env.DCROUTER_ADMIN_PASSWORD;
+  process.env.DCROUTER_ADMIN_PASSWORD = bootstrapPassword;
+
+  storagePath = plugins.path.join(
+    plugins.os.tmpdir(),
+    `dcrouter-admin-bootstrap-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+  );
+
+  DcRouterDb.resetInstance();
+  testDb = DcRouterDb.getInstance({
+    storagePath,
+    dbName: `dcrouter-admin-bootstrap-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+  });
+  await testDb.start();
+  await testDb.getDb().mongoDb.createCollection('__test_init');
+
+  const fakeDcRouter = {
+    options: {
+      opsServerPort: testPort,
+      dbConfig: { enabled: true },
+      adminAuth: {
+        idpClient: {
+          loginWithEmailAndPassword: async () => ({
+            jwt: 'idp-jwt',
+            refreshToken: 'idp-refresh-token',
+            user: {
+              id: 'idp-user-1',
+              data: {
+                name: 'Wrong IdP User',
+                username: 'wrong@example.com',
+                email: 'wrong@example.com',
+                status: 'active',
+                connectedOrgs: [],
+              },
+            },
+          }),
+          stop: async () => {},
+        },
+      },
+    },
+    typedrouter: new plugins.typedrequest.TypedRouter(),
+    dcRouterDb: testDb,
+  };
+
+  opsServer = new OpsServer(fakeDcRouter as any);
+  await opsServer.start();
+});
+
+tap.test('reports bootstrap required without auto-persisting an admin', async () => {
+  const status = await createStatusRequest().fire({});
+
+  expect(status.dbEnabled).toEqual(true);
+  expect(status.dbReady).toEqual(true);
+  expect(status.hasPersistentAdmin).toEqual(false);
+  expect(status.needsBootstrap).toEqual(true);
+  expect(status.ephemeralAdminAvailable).toEqual(true);
+  expect(status.idpGlobalConfigured).toEqual(true);
+});
+
+tap.test('allows temporary bootstrap admin login before persisted admin exists', async () => {
+  const response = await createLoginRequest().fire({
+    username: 'admin',
+    password: bootstrapPassword,
+  });
+
+  if (!response.identity) {
+    throw new Error('Expected bootstrap login identity');
+  }
+  bootstrapIdentity = response.identity;
+  expect(bootstrapIdentity.role).toEqual('admin');
+});
+
+tap.test('creates the initial persisted admin explicitly', async () => {
+  const request = new TypedRequest<interfaces.requests.IReq_CreateInitialAdminUser>(
+    baseUrl,
+    'createInitialAdminUser',
+  );
+
+  const response = await request.fire({
+    identity: bootstrapIdentity,
+    email: 'Admin@Example.com',
+    name: 'Persisted Admin',
+    password: persistedPassword,
+    enableIdpGlobalAuth: true,
+  });
+
+  expect(response.success).toEqual(true);
+  expect(response.user?.role).toEqual('admin');
+  expect(response.user?.authSources).toContain('local');
+  expect(response.user?.authSources).toContain('idp.global');
+  if (!response.identity) {
+    throw new Error('Expected persisted admin identity');
+  }
+  persistedIdentity = response.identity;
+});
+
+tap.test('disables bootstrap mode after persisted admin exists', async () => {
+  const status = await createStatusRequest().fire({});
+
+  expect(status.hasPersistentAdmin).toEqual(true);
+  expect(status.needsBootstrap).toEqual(false);
+  expect(status.ephemeralAdminAvailable).toEqual(false);
+});
+
+tap.test('rejects the old temporary admin after persisted admin creation', async () => {
+  let rejected = false;
+  try {
+    await createLoginRequest().fire({
+      username: 'admin',
+      password: bootstrapPassword,
+    });
+  } catch {
+    rejected = true;
+  }
+
+  expect(rejected).toEqual(true);
+});
+
+tap.test('rejects the old temporary admin identity after persisted admin creation', async () => {
+  const request = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
+    baseUrl,
+    'verifyIdentity',
+  );
+  const response = await request.fire({ identity: bootstrapIdentity });
+
+  expect(response.valid).toEqual(false);
+});
+
+tap.test('authenticates the persisted admin locally by normalized email', async () => {
+  const response = await createLoginRequest().fire({
+    username: 'admin@example.com',
+    password: persistedPassword,
+    authSource: 'local',
+  });
+
+  if (!response.identity) {
+    throw new Error('Expected persisted admin login identity');
+  }
+  expect(response.identity.userId).toEqual(persistedIdentity.userId);
+});
+
+tap.test('rejects idp.global login when IdP email does not match local account', async () => {
+  let rejected = false;
+  try {
+    await createLoginRequest().fire({
+      username: 'admin@example.com',
+      password: 'idp-password',
+      authSource: 'idp.global',
+    });
+  } catch {
+    rejected = true;
+  }
+
+  expect(rejected).toEqual(true);
+});
+
+tap.test('creates a persisted non-admin user explicitly', async () => {
+  const request = new TypedRequest<interfaces.requests.IReq_CreateUser>(baseUrl, 'createUser');
+  const response = await request.fire({
+    identity: persistedIdentity,
+    email: 'operator@example.com',
+    name: 'Operator User',
+    role: 'user',
+    password: 'operator-password',
+  });
+
+  expect(response.success).toEqual(true);
+  expect(response.user?.role).toEqual('user');
+  expect(response.user?.email).toEqual('operator@example.com');
+  if (!response.user?.id) {
+    throw new Error('Expected created user id');
+  }
+  createdUserId = response.user.id;
+});
+
+tap.test('rejects deleting the current persisted admin user', async () => {
+  const request = new TypedRequest<interfaces.requests.IReq_DeleteUser>(baseUrl, 'deleteUser');
+  const response = await request.fire({
+    identity: persistedIdentity,
+    id: persistedIdentity.userId,
+  });
+
+  expect(response.success).toEqual(false);
+});
+
+tap.test('deletes a persisted non-current user', async () => {
+  const request = new TypedRequest<interfaces.requests.IReq_DeleteUser>(baseUrl, 'deleteUser');
+  const response = await request.fire({
+    identity: persistedIdentity,
+    id: createdUserId,
+  });
+
+  expect(response.success).toEqual(true);
+});
+
+tap.test('lists persisted users without password material', async () => {
+  const request = new TypedRequest<interfaces.requests.IReq_ListUsers>(baseUrl, 'listUsers');
+  const response = await request.fire({ identity: persistedIdentity });
+
+  expect(response.users.length).toEqual(1);
+  expect(response.users[0].email).toEqual('Admin@Example.com');
+  expect((response.users[0] as any).password).toBeUndefined();
+});
+
+tap.test('cleanup db-backed OpsServer admin bootstrap test', async () => {
+  await opsServer.stop();
+  await testDb.stop();
+  DcRouterDb.resetInstance();
+  await plugins.fs.promises.rm(storagePath, { recursive: true, force: true });
+
+  if (previousAdminPassword === undefined) {
+    delete process.env.DCROUTER_ADMIN_PASSWORD;
+  } else {
+    process.env.DCROUTER_ADMIN_PASSWORD = previousAdminPassword;
+  }
+});
+
+export default tap.start();
@@ -1,6 +1,7 @@
 import { expect, tap } from '@git.zone/tstest/tapbundle';
 import { DcRouter } from '../ts/classes.dcrouter.js';
 import { VpnManager } from '../ts/vpn/classes.vpn-manager.js';
+import { RouteConfigManager } from '../ts/config/classes.route-config-manager.js';

 tap.test('VpnManager downgrades back to socket mode when no host-IP clients remain', async () => {
  const manager = new VpnManager({ forwardingMode: 'socket' });
@@ -107,4 +108,70 @@ tap.test('DcRouter.updateVpnConfig swaps the runtime VPN resolver and restarts V
  expect(dcRouter.vpnManager).toBeUndefined();
 });

+tap.test('RouteConfigManager makes vpnOnly routes fail closed without VPN clients', async () => {
+  const manager = new RouteConfigManager(() => undefined);
+  const route = {
+    name: 'private-route',
+    vpnOnly: true,
+    match: { domains: ['private.example.com'] },
+    action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 8080 }] },
+    security: { ipAllowList: ['*'] },
+  } as any;
+
+  const prepared = (manager as any).injectVpnSecurity(route);
+
+  expect(prepared.security.ipAllowList).toEqual([]);
+  expect(prepared.security.ipBlockList).toContain('*');
+});
+
+tap.test('RouteConfigManager replaces public allow lists for vpnOnly routes', async () => {
+  const manager = new RouteConfigManager(
+    () => undefined,
+    undefined,
+    () => ['10.8.0.2'],
+  );
+  const route = {
+    name: 'private-route',
+    vpnOnly: true,
+    match: { domains: ['private.example.com'] },
+    action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 8080 }] },
+    security: {
+      ipAllowList: ['*', '203.0.113.10'],
+      ipBlockList: ['198.51.100.5'],
+    },
+  } as any;
+
+  const prepared = (manager as any).injectVpnSecurity(route);
+
+  expect(prepared.security.ipAllowList).toEqual(['10.8.0.2']);
+  expect(prepared.security.ipBlockList).toEqual(['198.51.100.5']);
+});
+
+tap.test('VpnManager rewrites WireGuard AllowedIPs after key rotation', async () => {
+  const manager = new VpnManager({
+    serverEndpoint: 'vpn.example.com',
+    getClientAllowedIPs: async () => ['10.8.0.0/24', '203.0.113.10/32'],
+  });
+
+  (manager as any).vpnServer = {
+    rotateClientKey: async () => ({
+      entry: {
+        clientId: 'client-1',
+        publicKey: 'noise-public-key',
+        wgPublicKey: 'wg-public-key',
+      },
+      wireguardConfig: '[Interface]\nPrivateKey = old\nAddress = 10.8.0.2/24\n[Peer]\nAllowedIPs = 0.0.0.0/0\nEndpoint = vpn.example.com:51820\n',
+      secrets: { noisePrivateKey: 'noise-private-key', wgPrivateKey: 'wg-private-key' },
+    }),
+  };
+  (manager as any).clients = new Map([
+    ['client-1', { clientId: 'client-1', targetProfileIds: ['profile-1'] }],
+  ]);
+  (manager as any).persistClient = async () => {};
+
+  const bundle = await manager.rotateClientKey('client-1');
+
+  expect(bundle.wireguardConfig).toContain('AllowedIPs = 10.8.0.0/24, 203.0.113.10/32');
+});
+
 export default tap.start()
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@serve.zone/dcrouter',
-  version: '13.28.0',
+  version: '13.31.0',
  description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }
@@ -167,6 +167,14 @@ export interface IDcRouterOptions {
  /** Port for the OpsServer web UI (default: 3000) */
  opsServerPort?: number;

+  /** Optional OpsServer account authentication settings. */
+  adminAuth?: {
+    /** Optional idp.global password-authentication URL override. Defaults to the SDK's hosted https://idp.global endpoint. Can also be set through DCROUTER_IDP_GLOBAL_URL. */
+    idpGlobalUrl?: string;
+    /** Test/integration hook for injecting an idp.global-compatible password client. */
+    idpClient?: Pick<plugins.idpSdkServer.IdpGlobalServerClient, 'loginWithEmailAndPassword' | 'stop'>;
+  };
+
  remoteIngressConfig?: {
    /** Enable remote ingress hub (default: false) */
    enabled?: boolean;
@@ -740,10 +748,14 @@ export class DcRouter {

    // VPN Server: optional, depends on SmartProxy
    if (this.options.vpnConfig?.enabled) {
+      const vpnServiceDeps = ['SmartProxy'];
+      if (this.options.dbConfig?.enabled !== false) {
+        vpnServiceDeps.push('ConfigManagers');
+      }
      this.serviceManager.addService(
        new plugins.taskbuffer.Service('VpnServer')
          .optional()
-          .dependsOn('SmartProxy')
+          .dependsOn(...vpnServiceDeps)
          .withStart(async () => {
            await this.setupVpnServer();
          })
@@ -2418,6 +2430,13 @@ export class DcRouter {
      return;
    }

+    if (this.options.dbConfig?.enabled === false) {
+      throw new Error('VPN requires dbConfig.enabled because clients, keys, routes, and target profiles are persisted in DcRouterDb');
+    }
+    if (!this.routeConfigManager || !this.targetProfileManager) {
+      throw new Error('VPN requires initialized route and target profile managers');
+    }
+
    logger.log('info', 'Setting up VPN server...');

    this.vpnManager = new VpnManager({
@@ -607,19 +607,21 @@ export class RouteConfigManager {
    route: plugins.smartproxy.IRouteConfig,
    routeId?: string,
  ): plugins.smartproxy.IRouteConfig {
-    const vpnCallback = this.getVpnClientIpsForRoute;
-    if (!vpnCallback) return route;
-
    const dcRoute = route as IDcRouterRouteConfig;
    if (!dcRoute.vpnOnly) return route;

-    const vpnEntries = vpnCallback(dcRoute, routeId);
-    const existingEntries = route.security?.ipAllowList || [];
+    const vpnEntries = this.getVpnClientIpsForRoute?.(dcRoute, routeId) || [];
+    const existingBlockList = route.security?.ipBlockList || [];
+    const ipBlockList = vpnEntries.length
+      ? existingBlockList
+      : [...new Set([...existingBlockList, '*'])];
+
    return {
      ...route,
      security: {
        ...route.security,
-        ipAllowList: [...existingEntries, ...vpnEntries],
+        ipAllowList: vpnEntries,
+        ipBlockList,
      },
    };
  }
@@ -113,6 +113,9 @@ export class OpsServer {
  }

  public async stop() {
+    if (this.adminHandler) {
+      await this.adminHandler.stop();
+    }
    // Clean up log handler streams and push destination before stopping the server
    if (this.logsHandler) {
      this.logsHandler.cleanup();
@@ -8,19 +8,33 @@ export interface IJwtData {
  expiresAt: number;
 }

+type TAdminUser = {
+  id: string;
+  username: string;
+  email?: string;
+  name?: string;
+  role: string;
+  status?: 'active' | 'disabled';
+  authSources?: Array<'local' | 'idp.global'>;
+};
+
 export class AdminHandler {
  public typedrouter = new plugins.typedrequest.TypedRouter();
  
  // JWT instance
  public smartjwtInstance!: plugins.smartjwt.SmartJwt<IJwtData>;
  
-  // Simple in-memory user storage (in production, use proper database)
+  // Ephemeral bootstrap users. Persisted accounts take over once an active admin exists.
  private users = new Map<string, {
    id: string;
    username: string;
    password: string;
    role: string;
  }>();
+
+  private accountStore?: plugins.idpSdkServer.SmartdataAccountStore;
+  private idpClient?: plugins.idpSdkServer.IdpGlobalServerClient;
+  private ownsIdpClient = false;
  
  constructor(private opsServerRef: OpsServer) {
    // Add this handler's router to the parent
@@ -32,6 +46,14 @@ export class AdminHandler {
    this.initializeDefaultUsers();
    this.registerHandlers();
  }
+
+  public async stop(): Promise<void> {
+    if (this.ownsIdpClient) {
+      await this.idpClient?.stop();
+    }
+    this.idpClient = undefined;
+    this.ownsIdpClient = false;
+  }
  
  private async initializeJwt(): Promise<void> {
    this.smartjwtInstance = new plugins.smartjwt.SmartJwt();
@@ -61,54 +83,207 @@ export class AdminHandler {
  }

  /**
-   * Return a safe projection of the users Map — excludes password fields.
+   * Return a safe projection of the active user source — excludes password fields.
   * Used by UsersHandler to serve the admin-only listUsers endpoint.
   */
-  public listUsers(): Array<{ id: string; username: string; role: string }> {
+  public async listUsers(): Promise<interfaces.requests.IAdminUserProjection[]> {
+    if (await this.hasPersistentAdminAccount()) {
+      const store = this.getAccountStore();
+      const accounts = await store!.listAccounts();
+      return accounts.map((accountArg) => this.accountToUser(accountArg));
+    }
+
    return Array.from(this.users.values()).map((user) => ({
      id: user.id,
      username: user.username,
      role: user.role,
    }));
  }
+
+  public async getBootstrapStatus(): Promise<interfaces.requests.IReq_GetAdminBootstrapStatus['response']> {
+    const dbEnabled = this.opsServerRef.dcRouterRef.options.dbConfig?.enabled !== false;
+    const store = this.getAccountStore();
+    const dbReady = !!store;
+    const hasPersistentAdmin = dbReady ? await store.hasActiveAdminAccount() : false;
+    return {
+      dbEnabled,
+      dbReady,
+      hasPersistentAdmin,
+      needsBootstrap: dbEnabled && dbReady && !hasPersistentAdmin,
+      ephemeralAdminAvailable: !hasPersistentAdmin,
+      idpGlobalConfigured: this.isIdpGlobalConfigured(),
+    };
+  }
+
+  public async createInitialAdminUser(optionsArg: {
+    email: string;
+    name?: string;
+    password: string;
+    enableIdpGlobalAuth?: boolean;
+  }): Promise<interfaces.requests.IReq_CreateInitialAdminUser['response']> {
+    const store = this.getAccountStore();
+    if (!store) {
+      throw new plugins.typedrequest.TypedResponseError('database is not ready');
+    }
+
+    if (await store.hasActiveAdminAccount()) {
+      throw new plugins.typedrequest.TypedResponseError('initial admin already exists');
+    }
+
+    const password = String(optionsArg.password || '');
+    if (!password) {
+      throw new plugins.typedrequest.TypedResponseError('password is required');
+    }
+
+    const email = String(optionsArg.email || '').trim();
+    const authSources: Array<'local' | 'idp.global'> = ['local'];
+    if (optionsArg.enableIdpGlobalAuth) {
+      authSources.push('idp.global');
+    }
+
+    try {
+      const account = await store.createAccount({
+        email,
+        name: String(optionsArg.name || '').trim() || email,
+        role: 'admin',
+        authSources,
+        password,
+      });
+      const user = this.accountToUser(account);
+      return {
+        success: true,
+        identity: await this.createIdentityForUser(user),
+        user,
+      };
+    } catch (error) {
+      throw new plugins.typedrequest.TypedResponseError((error as Error).message || 'failed to create initial admin');
+    }
+  }
+
+  public async createUser(optionsArg: {
+    email: string;
+    name?: string;
+    role: interfaces.requests.TUserManagementRole;
+    password: string;
+    enableIdpGlobalAuth?: boolean;
+  }): Promise<interfaces.requests.IReq_CreateUser['response']> {
+    const store = this.getAccountStore();
+    if (!store) {
+      return { success: false, message: 'database is not ready' };
+    }
+    if (!(await store.hasActiveAdminAccount())) {
+      return { success: false, message: 'initial admin bootstrap is required before creating users' };
+    }
+
+    const role = optionsArg.role;
+    if (role !== 'admin' && role !== 'user') {
+      return { success: false, message: 'role must be admin or user' };
+    }
+
+    const password = String(optionsArg.password || '');
+    if (!password) {
+      return { success: false, message: 'password is required' };
+    }
+
+    const authSources: Array<'local' | 'idp.global'> = ['local'];
+    if (optionsArg.enableIdpGlobalAuth) {
+      authSources.push('idp.global');
+    }
+
+    try {
+      const email = String(optionsArg.email || '').trim();
+      const account = await store.createAccount({
+        email,
+        name: String(optionsArg.name || '').trim() || email,
+        role,
+        authSources,
+        password,
+      });
+      return { success: true, user: this.accountToUser(account) };
+    } catch (error) {
+      return { success: false, message: (error as Error).message || 'failed to create user' };
+    }
+  }
+
+  public async deleteUser(optionsArg: {
+    id: string;
+    requestingUserId: string;
+  }): Promise<interfaces.requests.IReq_DeleteUser['response']> {
+    const store = this.getAccountStore();
+    if (!store) {
+      return { success: false, message: 'database is not ready' };
+    }
+    if (!(await store.hasActiveAdminAccount())) {
+      return { success: false, message: 'initial admin bootstrap is required before deleting users' };
+    }
+
+    const id = String(optionsArg.id || '').trim();
+    if (!id) {
+      return { success: false, message: 'user id is required' };
+    }
+    if (id === optionsArg.requestingUserId) {
+      return { success: false, message: 'cannot delete the current user' };
+    }
+
+    const account = await store.getAccountById(id);
+    if (!account) {
+      return { success: false, message: 'user not found' };
+    }
+
+    if (account.role === 'admin' && account.status === 'active') {
+      const activeAdmins = (await store.listAccounts()).filter(
+        (accountArg) => accountArg.role === 'admin' && accountArg.status === 'active',
+      );
+      if (activeAdmins.length <= 1) {
+        return { success: false, message: 'cannot delete the last active admin' };
+      }
+    }
+
+    const doc = await plugins.idpSdkServer.IdpSdkAccountDoc.findById(id);
+    if (!doc) {
+      return { success: false, message: 'user not found' };
+    }
+    await doc.delete();
+    return { success: true };
+  }
  
  private registerHandlers(): void {
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetAdminBootstrapStatus>(
+        'getAdminBootstrapStatus',
+        async (_dataArg) => this.getBootstrapStatus()
+      )
+    );
+
+    this.opsServerRef.adminRouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateInitialAdminUser>(
+        'createInitialAdminUser',
+        async (dataArg) => this.createInitialAdminUser({
+          email: dataArg.email,
+          name: dataArg.name,
+          password: dataArg.password,
+          enableIdpGlobalAuth: dataArg.enableIdpGlobalAuth,
+        })
+      )
+    );
+
    // Admin Login Handler
    this.typedrouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
        'adminLoginWithUsernameAndPassword',
        async (dataArg) => {
          try {
-            // Find user by username and password
-            let user: { id: string; username: string; password: string; role: string } | null = null;
-            for (const [_, userData] of this.users) {
-              if (userData.username === dataArg.username && userData.password === dataArg.password) {
-                user = userData;
-                break;
-              }
-            }
-            
+            const user = await this.authenticateUser({
+              username: dataArg.username,
+              password: dataArg.password,
+              authSource: dataArg.authSource,
+            });
            if (!user) {
              throw new plugins.typedrequest.TypedResponseError('login failed');
            }
-            
-            const expiresAtTimestamp = Date.now() + 3600 * 1000 * 24; // 24 hours
-            
-            const jwt = await this.smartjwtInstance.createJWT({
-              userId: user.id,
-              status: 'loggedIn',
-              expiresAt: expiresAtTimestamp,
-            });
-            
+
            return {
-              identity: {
-                jwt,
-                userId: user.id,
-                name: user.username,
-                expiresAt: expiresAtTimestamp,
-                role: user.role,
-                type: 'user',
-              },
+              identity: await this.createIdentityForUser(user),
            };
          } catch (error) {
            if (error instanceof plugins.typedrequest.TypedResponseError) {
@@ -162,8 +337,7 @@ export class AdminHandler {
              };
            }
            
-            // Find user
-            const user = this.users.get(jwtData.userId);
+            const user = await this.resolveUser(jwtData.userId);
            if (!user) {
              return {
                valid: false,
@@ -175,7 +349,7 @@ export class AdminHandler {
              identity: {
                jwt: dataArg.identity.jwt,
                userId: user.id,
-                name: user.username,
+                name: user.name || user.username,
                expiresAt: jwtData.expiresAt,
                role: user.role,
                type: 'user',
@@ -224,6 +398,15 @@ export class AdminHandler {
          return false;
        }
        
+        const user = await this.resolveUser(jwtData.userId);
+        if (!user) {
+          return false;
+        }
+
+        if (dataArg.identity.role && dataArg.identity.role !== user.role) {
+          return false;
+        }
+
        return true;
      } catch (error) {
        return false;
@@ -256,4 +439,114 @@ export class AdminHandler {
      name: 'adminIdentityGuard',
    }
  );
+
+  private async authenticateUser(optionsArg: {
+    username: string;
+    password: string;
+    authSource?: interfaces.requests.TAdminLoginAuthSource;
+  }): Promise<TAdminUser | null> {
+    if (await this.hasPersistentAdminAccount()) {
+      const store = this.getAccountStore();
+      const authService = new plugins.idpSdkServer.AccountAuthService({
+        store: store!,
+        idpClient: this.getIdpClient() as plugins.idpSdkServer.IdpGlobalServerClient | undefined,
+      });
+      const result = await authService.authenticate({
+        email: optionsArg.username,
+        password: optionsArg.password,
+        authSource: optionsArg.authSource || 'auto',
+      });
+      return result ? this.accountToUser(result.account) : null;
+    }
+
+    for (const [_, userData] of this.users) {
+      if (userData.username === optionsArg.username && userData.password === optionsArg.password) {
+        return userData;
+      }
+    }
+    return null;
+  }
+
+  private async resolveUser(userIdArg: string): Promise<TAdminUser | null> {
+    if (await this.hasPersistentAdminAccount()) {
+      const account = await this.getAccountStore()!.getAccountById(userIdArg);
+      if (!account || account.status !== 'active') {
+        return null;
+      }
+      return this.accountToUser(account);
+    }
+
+    return this.users.get(userIdArg) || null;
+  }
+
+  private async hasPersistentAdminAccount(): Promise<boolean> {
+    const store = this.getAccountStore();
+    return store ? store.hasActiveAdminAccount() : false;
+  }
+
+  private getAccountStore(): plugins.idpSdkServer.SmartdataAccountStore | null {
+    if (this.opsServerRef.dcRouterRef.options.dbConfig?.enabled === false) {
+      return null;
+    }
+    const dcRouterDb = this.opsServerRef.dcRouterRef.dcRouterDb;
+    if (!dcRouterDb?.isReady()) {
+      return null;
+    }
+    if (!this.accountStore) {
+      this.accountStore = new plugins.idpSdkServer.SmartdataAccountStore({
+        smartdataDb: dcRouterDb.getDb(),
+      });
+    }
+    return this.accountStore;
+  }
+
+  private getIdpClient(): Pick<plugins.idpSdkServer.IdpGlobalServerClient, 'loginWithEmailAndPassword' | 'stop'> | undefined {
+    const configuredClient = this.opsServerRef.dcRouterRef.options.adminAuth?.idpClient;
+    if (configuredClient) {
+      return configuredClient;
+    }
+
+    const baseUrl = this.opsServerRef.dcRouterRef.options.adminAuth?.idpGlobalUrl || process.env.DCROUTER_IDP_GLOBAL_URL;
+    if (!this.idpClient) {
+      this.idpClient = baseUrl
+        ? new plugins.idpSdkServer.IdpGlobalServerClient({ baseUrl })
+        : new plugins.idpSdkServer.IdpGlobalServerClient({} as plugins.idpSdkServer.IIdpGlobalServerClientOptions);
+      this.ownsIdpClient = true;
+    }
+    return this.idpClient;
+  }
+
+  private isIdpGlobalConfigured(): boolean {
+    return true;
+  }
+
+  private accountToUser(accountArg: plugins.idpSdkServer.IIdpSdkAccount): TAdminUser {
+    return {
+      id: accountArg.id,
+      username: accountArg.email,
+      email: accountArg.email,
+      name: accountArg.name,
+      role: accountArg.role,
+      status: accountArg.status,
+      authSources: accountArg.authSources,
+    };
+  }
+
+  private async createIdentityForUser(userArg: TAdminUser): Promise<interfaces.data.IIdentity> {
+    const expiresAtTimestamp = Date.now() + 3600 * 1000 * 24; // 24 hours
+    const jwt = await this.smartjwtInstance.createJWT({
+      userId: userArg.id,
+      status: 'loggedIn',
+      expiresAt: expiresAtTimestamp,
+    });
+
+    return {
+      jwt,
+      userId: userArg.id,
+      name: userArg.name || userArg.username,
+      expiresAt: expiresAtTimestamp,
+      role: userArg.role,
+      type: 'user',
+    };
+  }
 }
@@ -88,6 +88,8 @@ export class TargetProfileHandler {
            routeRefs: dataArg.routeRefs,
            createdBy: userId,
          });
+          await this.opsServerRef.dcRouterRef.routeConfigManager?.applyRoutes();
+          await this.opsServerRef.dcRouterRef.vpnManager?.refreshAllClientSecurity();
          return { success: true, id };
        },
      ),
@@ -3,7 +3,7 @@ import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';

 /**
- * Read-only handler for OpsServer user accounts. Registers on adminRouter,
+ * Handler for OpsServer user accounts. Registers on adminRouter,
 * so admin middleware enforces auth + role check before the handler runs.
 * User data is owned by AdminHandler; this handler just exposes a safe
 * projection of it via TypedRequest.
@@ -16,15 +16,38 @@ export class UsersHandler {
  private registerHandlers(): void {
    const router = this.opsServerRef.adminRouter;

-    // List users (admin-only, read-only)
+    // List users (admin-only)
    router.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListUsers>(
        'listUsers',
        async (_dataArg) => {
-          const users = this.opsServerRef.adminHandler.listUsers();
+          const users = await this.opsServerRef.adminHandler.listUsers();
          return { users };
        },
      ),
    );
+
+    router.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateUser>(
+        'createUser',
+        async (dataArg) => this.opsServerRef.adminHandler.createUser({
+          email: dataArg.email,
+          name: dataArg.name,
+          role: dataArg.role,
+          password: dataArg.password,
+          enableIdpGlobalAuth: dataArg.enableIdpGlobalAuth,
+        }),
+      ),
+    );
+
+    router.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteUser>(
+        'deleteUser',
+        async (dataArg) => this.opsServerRef.adminHandler.deleteUser({
+          id: dataArg.id,
+          requestingUserId: dataArg.identity.userId,
+        }),
+      ),
+    );
  }
 }
@@ -41,6 +41,13 @@ export {
  typedsocket,
 }

+// @idp.global scope
+import * as idpSdkServer from '@idp.global/sdk/server';
+
+export {
+  idpSdkServer,
+}
+
 // @push.rocks scope
 import * as projectinfo from '@push.rocks/projectinfo';
 import * as qenv from '@push.rocks/qenv';
@@ -91,7 +91,7 @@ Use of these trademarks must comply with Task Venture Capital GmbH's Trademark G

 ### Company Information

-Task Venture Capital GmbH
+Task Venture Capital GmbH  
 Registered at District Court Bremen HRB 35230 HB, Germany

 For any legal inquiries or further information, please contact us via email at hello@task.vc.
@@ -111,6 +111,7 @@ export class VpnManager {

    const subnet = this.getSubnet();
    const wgListenPort = this.config.wgListenPort ?? 51820;
+    const serverEndpoint = this.getWireGuardServerEndpoint();

    const desiredForwardingMode = this.getDesiredForwardingMode(anyClientUsesHostIp);
    if (anyClientUsesHostIp && desiredForwardingMode === 'hybrid') {
@@ -133,21 +134,19 @@ export class VpnManager {
      : { default: 'forceTarget' as const, target: '127.0.0.1' };

    const serverConfig: plugins.smartvpn.IVpnServerConfig = {
-      listenAddr: '0.0.0.0:0', // WS listener not strictly needed but required field
+      listenAddr: '127.0.0.1:0', // Required by smartvpn, unused in wireguard-only mode
      privateKey: this.serverKeys.noisePrivateKey,
      publicKey: this.serverKeys.noisePublicKey,
      subnet,
      dns: this.config.dns,
      forwardingMode: forwardingMode as any,
-      transportMode: 'all',
+      transportMode: 'wireguard',
      wgPrivateKey: this.serverKeys.wgPrivateKey,
      wgListenPort,
      clients: clientEntries,
      socketForwardProxyProtocol: !isBridge,
      destinationPolicy: this.getServerDestinationPolicy(forwardingMode, defaultDestinationPolicy),
-      serverEndpoint: this.config.serverEndpoint
-        ? `${this.config.serverEndpoint}:${wgListenPort}`
-        : undefined,
+      serverEndpoint,
      clientAllowedIPs: [subnet],
      // Bridge-specific config
      ...(isBridge ? {
@@ -187,7 +186,7 @@ export class VpnManager {
      } catch {
        // Ignore stop errors
      }
-      this.vpnServer.stop();
+      await this.vpnServer.stop();
      this.vpnServer = undefined;
    }
    this.resolvedForwardingMode = undefined;
@@ -244,14 +243,10 @@ export class VpnManager {
      vlanId: doc.vlanId,
    });

-    // Override AllowedIPs with per-client values based on target profiles
-    if (this.config.getClientAllowedIPs && bundle.wireguardConfig) {
-      const allowedIPs = await this.config.getClientAllowedIPs(doc.targetProfileIds || []);
-      bundle.wireguardConfig = bundle.wireguardConfig.replace(
-        /AllowedIPs\s*=\s*.+/,
-        `AllowedIPs = ${allowedIPs.join(', ')}`,
-      );
-    }
+    bundle.wireguardConfig = await this.rewriteWireGuardAllowedIPs(
+      bundle.wireguardConfig,
+      doc.targetProfileIds || [],
+    );

    // Persist client entry (including WG private key for export/QR)
    doc.clientId = bundle.entry.clientId;
@@ -381,9 +376,13 @@ export class VpnManager {
  public async rotateClientKey(clientId: string): Promise<plugins.smartvpn.IClientConfigBundle> {
    if (!this.vpnServer) throw new Error('VPN server not running');
    const bundle = await this.vpnServer.rotateClientKey(clientId);
+    const client = this.clients.get(clientId);
+    bundle.wireguardConfig = await this.rewriteWireGuardAllowedIPs(
+      bundle.wireguardConfig,
+      client?.targetProfileIds || [],
+    );

    // Update persisted entry with new keys (including private key for export/QR)
-    const client = this.clients.get(clientId);
    if (client) {
      client.noisePublicKey = bundle.entry.publicKey;
      client.wgPublicKey = bundle.entry.wgPublicKey || '';
@@ -414,15 +413,7 @@ export class VpnManager {
        );
      }

-      // Override AllowedIPs with per-client values based on target profiles
-      if (this.config.getClientAllowedIPs) {
-        const profileIds = persisted?.targetProfileIds || [];
-        const allowedIPs = await this.config.getClientAllowedIPs(profileIds);
-        config = config.replace(
-          /AllowedIPs\s*=\s*.+/,
-          `AllowedIPs = ${allowedIPs.join(', ')}`,
-        );
-      }
+      config = await this.rewriteWireGuardAllowedIPs(config, persisted?.targetProfileIds || []);
    }

    return config;
@@ -515,6 +506,46 @@ export class VpnManager {
    }
  }

+  private getWireGuardServerEndpoint(): string {
+    const endpoint = this.config.serverEndpoint?.trim();
+    if (!endpoint) {
+      throw new Error('vpnConfig.serverEndpoint is required when VPN is enabled');
+    }
+    if (endpoint.includes('://') || endpoint.includes('/')) {
+      throw new Error('vpnConfig.serverEndpoint must be a host or host:port, not a URL');
+    }
+
+    const host = endpoint.includes(':') ? endpoint.split(':')[0] : endpoint;
+    const lowerHost = host.toLowerCase();
+    if (
+      lowerHost === 'localhost'
+      || lowerHost === '0.0.0.0'
+      || lowerHost.startsWith('127.')
+    ) {
+      throw new Error('vpnConfig.serverEndpoint must be reachable by VPN clients');
+    }
+
+    return endpoint.includes(':')
+      ? endpoint
+      : `${endpoint}:${this.config.wgListenPort ?? 51820}`;
+  }
+
+  private async rewriteWireGuardAllowedIPs(
+    wireguardConfig: string,
+    targetProfileIds: string[],
+  ): Promise<string> {
+    if (!this.config.getClientAllowedIPs) return wireguardConfig;
+
+    const allowedIPs = await this.config.getClientAllowedIPs(targetProfileIds);
+    const effectiveAllowedIPs = allowedIPs.length ? allowedIPs : [this.getSubnet()];
+    const allowedLine = `AllowedIPs = ${effectiveAllowedIPs.join(', ')}`;
+
+    if (/^AllowedIPs\s*=.*$/m.test(wireguardConfig)) {
+      return wireguardConfig.replace(/^AllowedIPs\s*=.*$/m, allowedLine);
+    }
+    return `${wireguardConfig.trimEnd()}\n${allowedLine}\n`;
+  }
+
  // ── Private helpers ────────────────────────────────────────────────────

  private async loadOrGenerateServerKeys(): Promise<VpnServerKeysDoc> {
@@ -532,7 +563,7 @@ export class VpnManager {

    const noiseKeys = await tempServer.generateKeypair();
    const wgKeys = await tempServer.generateWgKeypair();
-    tempServer.stop();
+    await tempServer.stop();

    const doc = stored || new VpnServerKeysDoc();
    doc.noisePrivateKey = noiseKeys.privateKey;
@@ -27,7 +27,7 @@ const client = new DcRouterApiClient({
  baseUrl: 'https://dcrouter.example.com',
 });

-await client.login('admin', 'admin');
+await client.login('admin@example.com', 'strong-password');

 const { routes, warnings } = await client.routes.list();
 console.log(routes.length, warnings.length);
@@ -43,13 +43,13 @@ await route.toggle(true);

 ## Authentication

-The client supports session login and API-token authentication.
+The client supports persisted-admin session login and API-token authentication. Initial admin creation is a bootstrap flow exposed by the Ops dashboard and raw TypedRequest contracts; after a persisted admin exists, use that account with `login()`.

 ```typescript
 const sessionClient = new DcRouterApiClient({
  baseUrl: 'https://dcrouter.example.com',
 });
-await sessionClient.login('admin', 'admin');
+await sessionClient.login('admin@example.com', 'strong-password');

 const tokenClient = new DcRouterApiClient({
  baseUrl: 'https://dcrouter.example.com',
@@ -153,7 +153,7 @@ Use of these trademarks must comply with Task Venture Capital GmbH's Trademark G

 ### Company Information

-Task Venture Capital GmbH
+Task Venture Capital GmbH  
 Registered at District Court Bremen HRB 35230 HB, Germany

 For any legal inquiries or further information, please contact us via email at hello@task.vc.
@@ -30,7 +30,7 @@ import { data, requests } from '@serve.zone/dcrouter/interfaces';

 | Area | Examples |
 | --- | --- |
-| Auth | admin login, logout, identity verification, users |
+| Auth | admin login, first-admin bootstrap status/creation, logout, identity verification, users |
 | Routes | merged route listing, API route CRUD, toggles, warnings, ownership metadata |
 | Access | API tokens, source profiles, target profiles, network targets |
 | DNS and domains | DNS providers, domains, DNS records, ACME config |
@@ -66,6 +66,10 @@ for (const route of response.routes) {
 }
 ```

+## Bootstrap Contracts
+
+The auth request group includes `getAdminBootstrapStatus` and `createInitialAdminUser`. These exist so a fresh DB-backed dcrouter can require explicit first-admin creation instead of auto-persisting a default account. `createInitialAdminUser` requires the temporary bootstrap identity and can optionally enable `idp.global` authentication for the same normalized local email. The SDK defaults to hosted `https://idp.global`; dcrouter URL settings are overrides only.
+
 ## When To Use It

 - Use it in custom CLIs that call dcrouter's TypedRequest API directly.
@@ -98,7 +102,7 @@ Use of these trademarks must comply with Task Venture Capital GmbH's Trademark G

 ### Company Information

-Task Venture Capital GmbH
+Task Venture Capital GmbH  
 Registered at District Court Bremen HRB 35230 HB, Germany

 For any legal inquiries or further information, please contact us via email at hello@task.vc.
@@ -1,6 +1,18 @@
 import * as plugins from '../plugins.js';
 import * as authInterfaces from '../data/auth.js';

+export type TAdminLoginAuthSource = 'auto' | 'local' | 'idp.global';
+
+export interface IAdminUserProjection {
+  id: string;
+  username: string;
+  email?: string;
+  name?: string;
+  role: string;
+  status?: 'active' | 'disabled';
+  authSources?: Array<'local' | 'idp.global'>;
+}
+
 // Admin Login
 export interface IReq_AdminLoginWithUsernameAndPassword extends plugins.typedrequestInterfaces.implementsTR<
  plugins.typedrequestInterfaces.ITypedRequest,
@@ -10,12 +22,50 @@ export interface IReq_AdminLoginWithUsernameAndPassword extends plugins.typedreq
  request: {
    username: string;
    password: string;
+    authSource?: TAdminLoginAuthSource;
  };
  response: {
    identity?: authInterfaces.IIdentity;
  };
 }

+// Admin bootstrap status
+export interface IReq_GetAdminBootstrapStatus extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetAdminBootstrapStatus
+> {
+  method: 'getAdminBootstrapStatus';
+  request: {};
+  response: {
+    dbEnabled: boolean;
+    dbReady: boolean;
+    hasPersistentAdmin: boolean;
+    needsBootstrap: boolean;
+    ephemeralAdminAvailable: boolean;
+    idpGlobalConfigured: boolean;
+  };
+}
+
+// Create the first persisted admin account. Requires the bootstrap/ephemeral admin identity.
+export interface IReq_CreateInitialAdminUser extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_CreateInitialAdminUser
+> {
+  method: 'createInitialAdminUser';
+  request: {
+    identity: authInterfaces.IIdentity;
+    email: string;
+    name?: string;
+    password: string;
+    enableIdpGlobalAuth?: boolean;
+  };
+  response: {
+    success: boolean;
+    identity?: authInterfaces.IIdentity;
+    user?: IAdminUserProjection;
+  };
+}
+
 // Admin Logout
 export interface IReq_AdminLogout extends plugins.typedrequestInterfaces.implementsTR<
  plugins.typedrequestInterfaces.ITypedRequest,
@@ -43,4 +93,4 @@ export interface IReq_VerifyIdentity extends plugins.typedrequestInterfaces.impl
    valid: boolean;
    identity?: authInterfaces.IIdentity;
  };
-}
+}
@@ -1,8 +1,11 @@
 import * as plugins from '../plugins.js';
 import * as authInterfaces from '../data/auth.js';
+import type { IAdminUserProjection } from './admin.js';
+
+export type TUserManagementRole = 'admin' | 'user';

 /**
- * List all OpsServer users (admin-only, read-only).
+ * List all OpsServer users (admin-only).
 * Deliberately omits password/secret fields from the response.
 */
 export interface IReq_ListUsers extends plugins.typedrequestInterfaces.implementsTR<
@@ -14,10 +17,47 @@ export interface IReq_ListUsers extends plugins.typedrequestInterfaces.implement
    identity: authInterfaces.IIdentity;
  };
  response: {
-    users: Array<{
-      id: string;
-      username: string;
-      role: string;
-    }>;
+    users: IAdminUserProjection[];
+  };
+}
+
+/**
+ * Create a persisted OpsServer user account (admin-only).
+ */
+export interface IReq_CreateUser extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_CreateUser
+> {
+  method: 'createUser';
+  request: {
+    identity: authInterfaces.IIdentity;
+    email: string;
+    name?: string;
+    role: TUserManagementRole;
+    password: string;
+    enableIdpGlobalAuth?: boolean;
+  };
+  response: {
+    success: boolean;
+    user?: IAdminUserProjection;
+    message?: string;
+  };
+}
+
+/**
+ * Delete a persisted OpsServer user account (admin-only).
+ */
+export interface IReq_DeleteUser extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_DeleteUser
+> {
+  method: 'deleteUser';
+  request: {
+    identity: authInterfaces.IIdentity;
+    id: string;
+  };
+  response: {
+    success: boolean;
+    message?: string;
  };
 }
@@ -95,7 +95,7 @@ Use of these trademarks must comply with Task Venture Capital GmbH's Trademark G

 ### Company Information

-Task Venture Capital GmbH
+Task Venture Capital GmbH  
 Registered at District Court Bremen HRB 35230 HB, Germany

 For any legal inquiries or further information, please contact us via email at hello@task.vc.
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@serve.zone/dcrouter',
-  version: '13.28.0',
+  version: '13.31.0',
  description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }
@@ -10,6 +10,8 @@ export interface ILoginState {
  isLoggedIn: boolean;
 }

+export type IAdminBootstrapStatus = interfaces.requests.IReq_GetAdminBootstrapStatus['response'];
+
 export interface IStatsState {
  serverStats: interfaces.data.IServerStats | null;
  emailStats: interfaces.data.IEmailStats | null;
@@ -312,7 +314,11 @@ export const routeManagementStatePart = await appState.getStatePart<IRouteManage
 export interface IUser {
  id: string;
  username: string;
+  email?: string;
+  name?: string;
  role: string;
+  status?: 'active' | 'disabled';
+  authSources?: Array<'local' | 'idp.global'>;
 }

 export interface IUsersState {
@@ -351,6 +357,7 @@ const getActionContext = (): IActionContext => {
 export const loginAction = loginStatePart.createAction<{
  username: string;
  password: string;
+  authSource?: interfaces.requests.TAdminLoginAuthSource;
 }>(async (statePartArg, dataArg): Promise<ILoginState> => {
  const typedRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
    interfaces.requests.IReq_AdminLoginWithUsernameAndPassword
@@ -360,6 +367,7 @@ export const loginAction = loginStatePart.createAction<{
    const response = await typedRequest.fire({
      username: dataArg.username,
      password: dataArg.password,
+      authSource: dataArg.authSource,
    });

    if (response.identity) {
@@ -375,6 +383,47 @@ export const loginAction = loginStatePart.createAction<{
  }
 });

+export async function getAdminBootstrapStatus(): Promise<IAdminBootstrapStatus> {
+  const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+    interfaces.requests.IReq_GetAdminBootstrapStatus
+  >('/typedrequest', 'getAdminBootstrapStatus');
+
+  return request.fire({});
+}
+
+export async function createInitialAdminUser(optionsArg: {
+  email: string;
+  name?: string;
+  password: string;
+  enableIdpGlobalAuth?: boolean;
+}) {
+  const context = getActionContext();
+  if (!context.identity) {
+    throw new Error('No identity available for admin bootstrap');
+  }
+
+  const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+    interfaces.requests.IReq_CreateInitialAdminUser
+  >('/typedrequest', 'createInitialAdminUser');
+
+  const response = await request.fire({
+    identity: context.identity,
+    email: optionsArg.email,
+    name: optionsArg.name,
+    password: optionsArg.password,
+    enableIdpGlobalAuth: optionsArg.enableIdpGlobalAuth,
+  });
+
+  if (response.identity) {
+    loginStatePart.setState({
+      identity: response.identity,
+      isLoggedIn: true,
+    });
+  }
+
+  return response;
+}
+
 // Logout Action — always clears state, even if identity is expired/missing
 export const logoutAction = loginStatePart.createAction(async (statePartArg) => {
  const context = getActionContext();
@@ -2588,7 +2637,7 @@ export async function createGatewayClientToken(
  });
 }

-// Users (read-only list)
+// Users
 export const fetchUsersAction = usersStatePart.createAction(async (statePartArg): Promise<IUsersState> => {
  const context = getActionContext();
  const currentState = statePartArg.getState()!;
@@ -2617,6 +2666,74 @@ export const fetchUsersAction = usersStatePart.createAction(async (statePartArg)
  }
 });

+export const createUserAction = usersStatePart.createAction<{
+  email: string;
+  name?: string;
+  role: interfaces.requests.TUserManagementRole;
+  password: string;
+  enableIdpGlobalAuth?: boolean;
+}>(async (statePartArg, dataArg, actionContext): Promise<IUsersState> => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState()!;
+  if (!context.identity) return currentState;
+
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_CreateUser
+    >('/typedrequest', 'createUser');
+
+    const response = await request.fire({
+      identity: context.identity,
+      email: dataArg.email,
+      name: dataArg.name,
+      role: dataArg.role,
+      password: dataArg.password,
+      enableIdpGlobalAuth: dataArg.enableIdpGlobalAuth,
+    });
+
+    if (!response.success) {
+      throw new Error(response.message || 'Failed to create user');
+    }
+
+    return await actionContext!.dispatch(fetchUsersAction, null);
+  } catch (error) {
+    return {
+      ...currentState,
+      error: error instanceof Error ? error.message : 'Failed to create user',
+    };
+  }
+});
+
+export const deleteUserAction = usersStatePart.createAction<string>(
+  async (statePartArg, userIdArg, actionContext): Promise<IUsersState> => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState()!;
+    if (!context.identity) return currentState;
+
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_DeleteUser
+      >('/typedrequest', 'deleteUser');
+
+      const response = await request.fire({
+        identity: context.identity,
+        id: userIdArg,
+      });
+
+      if (!response.success) {
+        throw new Error(response.message || 'Failed to delete user');
+      }
+
+      return await actionContext!.dispatch(fetchUsersAction, null);
+    } catch (error) {
+      return {
+        ...currentState,
+        error: error instanceof Error ? error.message : 'Failed to delete user',
+      };
+    }
+  },
+);
+
 export async function createApiToken(
  name: string,
  scopes: interfaces.data.TApiTokenScope[],
@@ -116,12 +116,31 @@ export class OpsViewUsers extends DeesElement {
          .showColumnFilters=${true}
          .displayFunction=${(user: appstate.IUser) => ({
            ID: html`<span class="userIdCell">${user.id}</span>`,
-            Username: user.username,
+            Email: user.email || user.username,
+            Name: user.name || '',
            Role: this.renderRoleBadge(user.role),
+            Status: user.status || 'active',
+            Auth: (user.authSources || []).join(', ') || 'bootstrap',
            Session: user.id === currentUserId
              ? html`<span class="sessionBadge">current</span>`
              : '',
          })}
+          .dataActions=${[
+            {
+              name: 'Create User',
+              iconName: 'lucide:userPlus',
+              type: ['header'],
+              actionFunc: async () => await this.showCreateUserDialog(),
+            },
+            {
+              name: 'Delete',
+              iconName: 'lucide:trash2',
+              type: ['inRow', 'contextmenu'] as any,
+              actionFunc: async (actionData: any) => {
+                await this.showDeleteUserDialog(actionData.item as appstate.IUser);
+              },
+            },
+          ]}
        ></dees-table>
      </div>
    `;
@@ -132,6 +151,125 @@ export class OpsViewUsers extends DeesElement {
    return html`<span class="roleBadge ${cls}">${role}</span>`;
  }

+  private async showCreateUserDialog(): Promise<void> {
+    const { DeesModal, DeesToast } = await import('@design.estate/dees-catalog');
+
+    await DeesModal.createAndShow({
+      heading: 'Create User',
+      content: html`
+        <dees-form>
+          <dees-input-text .key=${'email'} .label=${'Email'} .required=${true}></dees-input-text>
+          <dees-input-text .key=${'name'} .label=${'Display name'}></dees-input-text>
+          <dees-input-dropdown
+            .key=${'role'}
+            .label=${'Role'}
+            .options=${[
+              { option: 'User', key: 'user' },
+              { option: 'Admin', key: 'admin' },
+            ]}
+            .selectedOption=${{ option: 'User', key: 'user' }}
+            .required=${true}
+          ></dees-input-dropdown>
+          <dees-input-text .key=${'password'} .label=${'Password'} .required=${true} .isPasswordBool=${true}></dees-input-text>
+          <dees-input-text .key=${'passwordConfirm'} .label=${'Confirm password'} .required=${true} .isPasswordBool=${true}></dees-input-text>
+          <dees-input-checkbox
+            .key=${'enableIdpGlobalAuth'}
+            .label=${'Allow idp.global login for this email'}
+            .description=${'Uses https://idp.global by default; the local dcrouter account and role remain authoritative.'}
+          ></dees-input-checkbox>
+        </dees-form>
+      `,
+      menuOptions: [
+        {
+          name: 'Cancel',
+          iconName: 'lucide:x',
+          action: async (modalArg: any) => await modalArg.destroy(),
+        },
+        {
+          name: 'Create',
+          iconName: 'lucide:userPlus',
+          action: async (modalArg: any) => {
+            const form = modalArg.shadowRoot?.querySelector('.content')?.querySelector('dees-form') as any;
+            if (!form) return;
+            const data = await form.collectFormData();
+            const email = String(data.email || '').trim();
+            const name = String(data.name || '').trim();
+            const password = String(data.password || '');
+            const passwordConfirm = String(data.passwordConfirm || '');
+            const roleValue = String(data.role?.key ?? data.role ?? 'user');
+
+            if (!email || !password) {
+              form.setStatus?.('error', 'Email and password are required.');
+              return;
+            }
+            if (password !== passwordConfirm) {
+              form.setStatus?.('error', 'Passwords do not match.');
+              return;
+            }
+
+            form.setStatus?.('pending', 'Creating user...');
+            await appstate.usersStatePart.dispatchAction(appstate.createUserAction, {
+              email,
+              name,
+              role: roleValue === 'admin' ? 'admin' : 'user',
+              password,
+              enableIdpGlobalAuth: Boolean(data.enableIdpGlobalAuth),
+            });
+
+            const state = appstate.usersStatePart.getState();
+            if (state?.error) {
+              form.setStatus?.('error', state.error);
+              return;
+            }
+
+            DeesToast.show({ message: `User created for ${email}`, type: 'success', duration: 3000 });
+            await modalArg.destroy();
+          },
+        },
+      ],
+    });
+  }
+
+  private async showDeleteUserDialog(userArg: appstate.IUser): Promise<void> {
+    const { DeesModal, DeesToast } = await import('@design.estate/dees-catalog');
+    const currentUserId = this.loginState.identity?.userId;
+    if (userArg.id === currentUserId) {
+      DeesToast.show({ message: 'You cannot delete the current user.', type: 'error', duration: 4000 });
+      return;
+    }
+
+    await DeesModal.createAndShow({
+      heading: 'Delete User',
+      content: html`
+        <div style="padding: 8px 0; font-size: 14px; line-height: 1.5;">
+          <p>Delete <strong>${userArg.email || userArg.username}</strong>?</p>
+          <p style="color: #f59e0b; margin-top: 12px;">This removes the local dcrouter account and cannot be undone.</p>
+        </div>
+      `,
+      menuOptions: [
+        {
+          name: 'Cancel',
+          iconName: 'lucide:x',
+          action: async (modalArg: any) => await modalArg.destroy(),
+        },
+        {
+          name: 'Delete',
+          iconName: 'lucide:trash2',
+          action: async (modalArg: any) => {
+            await appstate.usersStatePart.dispatchAction(appstate.deleteUserAction, userArg.id);
+            const state = appstate.usersStatePart.getState();
+            if (state?.error) {
+              DeesToast.show({ message: state.error, type: 'error', duration: 4000 });
+              return;
+            }
+            DeesToast.show({ message: 'User deleted.', type: 'success', duration: 3000 });
+            await modalArg.destroy();
+          },
+        },
+      ],
+    });
+  }
+
  async firstUpdated() {
    if (this.loginState.isLoggedIn) {
      await appstate.usersStatePart.dispatchAction(appstate.fetchUsersAction, null);
@@ -271,6 +271,7 @@ export class OpsViewRoutes extends DeesElement {
      const tags = [...(mr.route.tags || [])];
      tags.push(mr.origin);
      if (!mr.enabled) tags.push('disabled');
+      if (mr.route.vpnOnly) tags.push('vpn-only');

      return {
        ...mr.route,
@@ -360,6 +361,7 @@ export class OpsViewRoutes extends DeesElement {
        <div style="color: #ccc; padding: 8px 0;">
          <p>Origin: <strong style="color: #0af;">${merged.origin}</strong></p>
          <p>Status: <strong>${merged.enabled ? 'Enabled' : 'Disabled'}</strong></p>
+          ${merged.route.vpnOnly ? html`<p>Access: <strong style="color: #22c55e;">VPN only</strong></p>` : ''}
          <p>ID: <code style="color: #888;">${merged.id}</code></p>
          ${isSystemManaged ? html`<p>This route is system-managed. Change its source config to modify it directly.</p>` : ''}
          ${meta?.sourceProfileName ? html`<p>Source Profile: <strong style="color: #a78bfa;">${meta.sourceProfileName}</strong></p>` : ''}
@@ -491,6 +493,7 @@ export class OpsViewRoutes extends DeesElement {
      ? (Array.isArray(firstTarget.host) ? firstTarget.host[0] : firstTarget.host)
      : '';
    const currentTargetPort = typeof firstTarget?.port === 'number' ? String(firstTarget.port) : '';
+    const currentVpnOnly = route.vpnOnly === true;
    const currentRemoteIngressEnabled = route.remoteIngress?.enabled === true;
    const currentEdgeFilter = route.remoteIngress?.edgeFilter || [];

@@ -518,6 +521,7 @@ export class OpsViewRoutes extends DeesElement {
          <dees-input-text .key=${'targetHost'} .label=${'Target Host'} .description=${'Used when no network target is selected'} .value=${currentTargetHost}></dees-input-text>
          <dees-input-text .key=${'targetPort'} .label=${'Target Port'} .description=${'Used when no network target is selected'} .value=${currentTargetPort}></dees-input-text>
          <dees-input-checkbox .key=${'preserveMatchPort'} .label=${'Preserve incoming port'} .value=${currentPreserveMatchPort}></dees-input-checkbox>
+          <dees-input-checkbox .key=${'vpnOnly'} .label=${'VPN only'} .description=${'Only VPN clients with matching target profiles can access this route'} .value=${currentVpnOnly}></dees-input-checkbox>
          <dees-input-checkbox .key=${'remoteIngressEnabled'} .label=${'Enable Remote Ingress'} .value=${currentRemoteIngressEnabled}></dees-input-checkbox>
          <div class="remoteIngressGroup" style="display: ${currentRemoteIngressEnabled ? 'flex' : 'none'}; flex-direction: column; gap: 16px;">
            <dees-input-list .key=${'remoteIngressEdgeFilter'} .label=${'Edge Filter'} .description=${'Optional edge IDs or tags. Leave empty to allow all edges.'} .placeholder=${'Add edge ID or tag...'} .value=${currentEdgeFilter}></dees-input-list>
@@ -570,6 +574,7 @@ export class OpsViewRoutes extends DeesElement {
            const remoteIngressEdgeFilter: string[] = Array.isArray(formData.remoteIngressEdgeFilter)
              ? formData.remoteIngressEdgeFilter.filter(Boolean)
              : [];
+            const vpnOnly = Boolean(formData.vpnOnly);

            const updatedRoute: any = {
              name: formData.name,
@@ -586,6 +591,7 @@ export class OpsViewRoutes extends DeesElement {
                  },
                ],
              },
+              vpnOnly: vpnOnly ? true : null,
              remoteIngress: remoteIngressEnabled
                ? {
                    enabled: true,
@@ -684,6 +690,7 @@ export class OpsViewRoutes extends DeesElement {
          <dees-input-text .key=${'targetHost'} .label=${'Target Host'} .description=${'Used when no network target is selected'} .value=${'localhost'}></dees-input-text>
          <dees-input-text .key=${'targetPort'} .label=${'Target Port'} .description=${'Used when no network target is selected'}></dees-input-text>
          <dees-input-checkbox .key=${'preserveMatchPort'} .label=${'Preserve incoming port'} .value=${false}></dees-input-checkbox>
+          <dees-input-checkbox .key=${'vpnOnly'} .label=${'VPN only'} .description=${'Only VPN clients with matching target profiles can access this route'} .value=${false}></dees-input-checkbox>
          <dees-input-checkbox .key=${'remoteIngressEnabled'} .label=${'Enable Remote Ingress'} .value=${false}></dees-input-checkbox>
          <div class="remoteIngressGroup" style="display: none; flex-direction: column; gap: 16px;">
            <dees-input-list .key=${'remoteIngressEdgeFilter'} .label=${'Edge Filter'} .description=${'Optional edge IDs or tags. Leave empty to allow all edges.'} .placeholder=${'Add edge ID or tag...'}></dees-input-list>
@@ -736,6 +743,7 @@ export class OpsViewRoutes extends DeesElement {
            const remoteIngressEdgeFilter: string[] = Array.isArray(formData.remoteIngressEdgeFilter)
              ? formData.remoteIngressEdgeFilter.filter(Boolean)
              : [];
+            const vpnOnly = Boolean(formData.vpnOnly);

            const route: any = {
              name: formData.name,
@@ -752,6 +760,7 @@ export class OpsViewRoutes extends DeesElement {
                  },
                ],
              },
+              ...(vpnOnly ? { vpnOnly: true } : {}),
              ...(remoteIngressEnabled
                ? {
                    remoteIngress: {
@@ -66,6 +66,9 @@ export class OpsDashboard extends DeesElement {
    isLoggedIn: false,
  };

+  private bootstrapStepper?: any;
+  private bootstrapCheckPromise?: Promise<void>;
+
  @state() accessor uiState: appstate.IUiState = {
    activeView: 'overview',
    activeSubview: null,
@@ -336,6 +339,7 @@ export class OpsDashboard extends DeesElement {
            await (simpleLogin as any).switchToSlottedContent();
            await appstate.statsStatePart.dispatchAction(appstate.fetchAllStatsAction, null);
            await appstate.configStatePart.dispatchAction(appstate.fetchConfigurationAction, null);
+            await this.ensureAdminBootstrap();
          } else {
            // Server rejected the JWT — clear state, show login
            await appstate.loginStatePart.dispatchAction(appstate.logoutAction, null);
@@ -370,10 +374,104 @@ export class OpsDashboard extends DeesElement {
      await simpleLogin!.switchToSlottedContent();
      await appstate.statsStatePart.dispatchAction(appstate.fetchAllStatsAction, null);
      await appstate.configStatePart.dispatchAction(appstate.fetchConfigurationAction, null);
+      await this.ensureAdminBootstrap();
    } else {
      form!.setStatus('error', 'Login failed!');
      await domtools.convenience.smartdelay.delayFor(2000);
      form!.reset();
    }
  }
+
+  private async ensureAdminBootstrap(): Promise<void> {
+    if (!this.loginState.identity || this.bootstrapStepper?.isConnected) {
+      return;
+    }
+    if (this.bootstrapCheckPromise) {
+      return this.bootstrapCheckPromise;
+    }
+
+    this.bootstrapCheckPromise = (async () => {
+      try {
+        const status = await appstate.getAdminBootstrapStatus();
+        if (status.needsBootstrap) {
+          await this.showAdminBootstrapStepper(status);
+        }
+      } catch (error) {
+        console.error('Admin bootstrap status check failed:', error);
+      } finally {
+        this.bootstrapCheckPromise = undefined;
+      }
+    })();
+
+    return this.bootstrapCheckPromise;
+  }
+
+  private async showAdminBootstrapStepper(statusArg: appstate.IAdminBootstrapStatus): Promise<void> {
+    const { DeesStepper } = await import('@design.estate/dees-catalog');
+    this.bootstrapStepper = await DeesStepper.createAndShow({
+      cancelable: false,
+      steps: [
+        {
+          title: 'Create Persisted Admin',
+          content: html`
+            <div style="display: grid; gap: 16px; color: var(--dees-color-text-secondary); font-size: 14px; line-height: 1.5;">
+              <p style="margin: 0;">
+                This router is currently using the temporary bootstrap admin. Create the first persisted admin account to continue.
+              </p>
+              <dees-form>
+                <dees-input-text .key=${'email'} .label=${'Admin email'} .required=${true}></dees-input-text>
+                <dees-input-text .key=${'name'} .label=${'Display name'}></dees-input-text>
+                <dees-input-text .key=${'password'} .label=${'Password'} .required=${true} .isPasswordBool=${true}></dees-input-text>
+                <dees-input-text .key=${'passwordConfirm'} .label=${'Confirm password'} .required=${true} .isPasswordBool=${true}></dees-input-text>
+                <dees-input-checkbox
+                  .key=${'enableIdpGlobalAuth'}
+                  .label=${'Allow idp.global login for this email'}
+                  .description=${'Uses https://idp.global by default; the local dcrouter account and role remain authoritative.'}
+                ></dees-input-checkbox>
+              </dees-form>
+            </div>
+          `,
+          menuOptions: [
+            {
+              name: 'Create admin',
+              action: async (stepperArg: any) => {
+                const form = stepperArg.shadowRoot?.querySelector('.selected dees-form') as any;
+                if (!form) return;
+                const formData = await form.collectFormData();
+                const email = String(formData.email || '').trim();
+                const name = String(formData.name || '').trim();
+                const password = String(formData.password || '');
+                const passwordConfirm = String(formData.passwordConfirm || '');
+
+                if (!email || !password) {
+                  form.setStatus?.('error', 'Email and password are required.');
+                  return;
+                }
+                if (password !== passwordConfirm) {
+                  form.setStatus?.('error', 'Passwords do not match.');
+                  return;
+                }
+
+                try {
+                  form.setStatus?.('pending', 'Creating persisted admin...');
+                  await appstate.createInitialAdminUser({
+                    email,
+                    name,
+                    password,
+                    enableIdpGlobalAuth: Boolean(formData.enableIdpGlobalAuth),
+                  });
+                  form.setStatus?.('success', 'Persisted admin created.');
+                  await stepperArg.destroy();
+                  this.bootstrapStepper = undefined;
+                  await appstate.usersStatePart.dispatchAction(appstate.fetchUsersAction, null);
+                } catch (error) {
+                  form.setStatus?.('error', error instanceof Error ? error.message : 'Failed to create admin.');
+                }
+              },
+            },
+          ],
+        },
+      ],
+    });
+  }
 }
@@ -12,8 +12,8 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 | --- | --- |
 | `index.ts` | Initializes the app router and renders `<ops-dashboard>` into `document.body`. |
 | `router.ts` | Defines top-level dashboard routes, subviews, redirects, and URL/state synchronization. |
-| `appstate.ts` | Holds reactive login, UI, config, stats, route, DNS, email, remote ingress, VPN, and log state. |
-| `elements/` | Contains the dashboard shell and feature-specific Dees web components. |
+| `appstate.ts` | Holds reactive login, bootstrap, UI, config, stats, route, DNS, email, remote ingress, VPN, and log state. |
+| `elements/` | Contains the dashboard shell, first-admin bootstrap stepper, and feature-specific Dees web components. |

 ## View Map

@@ -37,6 +37,8 @@ The dashboard talks to the dcrouter OpsServer through:
 - Dees web components and app-state subscriptions for UI updates
 - QR code rendering for VPN client UX

+On a fresh DB-backed instance, the dashboard checks `getAdminBootstrapStatus` and shows a non-cancelable first-admin stepper before normal dashboard access.
+
 ## Usage

 This package is primarily consumed by the main dcrouter build and served by OpsServer. Install it directly only when you intentionally need the dashboard module boundary.
@@ -79,7 +81,7 @@ Use of these trademarks must comply with Task Venture Capital GmbH's Trademark G

 ### Company Information

-Task Venture Capital GmbH
+Task Venture Capital GmbH  
 Registered at District Court Bremen HRB 35230 HB, Germany

 For any legal inquiries or further information, please contact us via email at hello@task.vc.
Author	SHA1	Message	Date
jkunz	53d7c5350e	v13.31.0 Docker (tags) / release (push) Failing after 1s Details	2026-05-19 17:06:52 +00:00
jkunz	7986d01245	feat(opsserver): add admin user create/delete management and default hosted idp.global auth support	2026-05-19 17:06:50 +00:00
jkunz	0b01a4c26b	v13.30.0 Docker (tags) / release (push) Failing after 1s Details	2026-05-18 16:09:40 +00:00
jkunz	407c8eef8a	feat(docs): document first-admin bootstrap flow and update authentication examples	2026-05-18 16:09:26 +00:00
jkunz	aa0ef2f033	v13.29.1 Docker (tags) / release (push) Failing after 1s Details	2026-05-14 00:43:14 +00:00
jkunz	7819f09625	fix(smartconfig): enable npm publishing in smartconfig	2026-05-14 00:42:58 +00:00
jkunz	3f8c0c4219	v13.29.0 Docker (tags) / release (push) Failing after 1s Details	2026-05-14 00:37:15 +00:00
jkunz	70fcd46d52	feat(opsserver-admin): add persisted admin bootstrap flow with optional idp.global authentication	2026-05-14 00:30:09 +00:00
jkunz	47a1f5d7db	fix(vpn): harden VPN route access and wireguard client configuration handling	2026-05-13 13:42:12 +00:00