v13.9.0

changelog.md

@@ -1,5 +1,32 @@
 # Changelog
 
+## 2026-04-08 - 13.9.0 - feat(dns)
+add built-in dcrouter DNS provider support and rename manual domains to dcrouter-hosted/local
+
+- Expose a synthetic built-in "DcRouter" provider in provider listings and block create, edit, delete, test, and external domain listing operations for it
+- Rename domain and record source semantics from "manual" to "dcrouter" and "local" across backend, interfaces, and UI
+- Add database migrations to convert existing DomainDoc.source and DnsRecordDoc.source values to the new naming
+- Update domain creation flows and provider UI labels to reflect dcrouter-hosted authoritative domains
+
+## 2026-04-08 - 13.8.0 - feat(acme)
+add DB-backed ACME configuration management and OpsServer certificate settings UI
+
+- introduces a singleton AcmeConfig manager and document persisted in the database, with first-boot seeding from legacy tls.contactEmail and smartProxyConfig.acme options
+- updates SmartProxy startup to read live ACME settings from the database and only enable DNS-01 challenge wiring when ACME is configured and enabled
+- adds authenticated OpsServer typed request endpoints and API token scopes for reading and updating ACME configuration
+- adds web app state and a certificates view card/modal for viewing and editing ACME settings from the Domains certificate UI
+
+## 2026-04-08 - 13.7.1 - fix(repo)
+no changes to commit
+
+
+## 2026-04-08 - 13.7.0 - feat(dns-providers)
+add provider-agnostic DNS provider form metadata and reusable UI for create/edit flows
+
+- Introduce shared DNS provider type descriptors and credential field metadata to drive provider forms dynamically.
+- Add a reusable dns-provider-form component and update provider create/edit dialogs to use typed provider selection and credential handling.
+- Remove Cloudflare-specific ACME helper exposure and clarify provider-agnostic DNS manager and factory documentation for future provider implementations.
+
 ## 2026-04-08 - 13.6.0 - feat(dns)
 add db-backed DNS provider, domain, and record management with ops UI support
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@serve.zone/dcrouter",
   "private": false,
-  "version": "13.6.0",
+  "version": "13.9.0",
   "description": "A multifaceted routing service handling mail and SMS delivery functions.",
   "type": "module",
   "exports": {
@@ -35,7 +35,7 @@
     "@api.global/typedserver": "^8.4.6",
     "@api.global/typedsocket": "^4.1.2",
     "@apiclient.xyz/cloudflare": "^7.1.0",
-    "@design.estate/dees-catalog": "^3.69.1",
+    "@design.estate/dees-catalog": "^3.70.0",
     "@design.estate/dees-element": "^2.2.4",
     "@push.rocks/lik": "^6.4.0",
     "@push.rocks/projectinfo": "^5.1.0",
@@ -49,7 +49,7 @@
     "@push.rocks/smartjwt": "^2.2.1",
     "@push.rocks/smartlog": "^3.2.2",
     "@push.rocks/smartmetrics": "^3.0.3",
-    "@push.rocks/smartmigration": "1.1.1",
+    "@push.rocks/smartmigration": "1.2.0",
     "@push.rocks/smartmta": "^5.3.1",
     "@push.rocks/smartnetwork": "^4.5.2",
     "@push.rocks/smartpath": "^6.0.0",

pnpm-lock.yaml

@@ -24,8 +24,8 @@ importers:
         specifier: ^7.1.0
         version: 7.1.0
       '@design.estate/dees-catalog':
-        specifier: ^3.69.1
-        version: 3.69.1(@tiptap/pm@2.27.2)
+        specifier: ^3.70.0
+        version: 3.70.0(@tiptap/pm@2.27.2)
       '@design.estate/dees-element':
         specifier: ^2.2.4
         version: 2.2.4
@@ -66,8 +66,8 @@ importers:
         specifier: ^3.0.3
         version: 3.0.3
       '@push.rocks/smartmigration':
-        specifier: 1.1.1
-        version: 1.1.1(@push.rocks/smartbucket@4.6.0)(@push.rocks/smartdata@7.1.7(socks@2.8.7))
+        specifier: 1.2.0
+        version: 1.2.0(@push.rocks/smartbucket@4.6.0)(@push.rocks/smartdata@7.1.7(socks@2.8.7))
       '@push.rocks/smartmta':
         specifier: ^5.3.1
         version: 5.3.1
@@ -353,8 +353,8 @@ packages:
   '@configvault.io/interfaces@1.0.17':
     resolution: {integrity: sha512-bEcCUR2VBDJsTin8HQh8Uw/mlYl2v8A3jMIaQ+MTB9Hrqd6CZL2dL7iJdWyFl/3EIX+LDxWFR+Oq7liIq7w+1Q==}
 
-  '@design.estate/dees-catalog@3.69.1':
-    resolution: {integrity: sha512-OSpHB/hfOrL2mkAfF50TqTKJ2hvPd7Cj1WklAmFckyjloE4fd7DRDeXdI/Bziq9152gExipX5VoofTAOr4rF5w==}
+  '@design.estate/dees-catalog@3.70.0':
+    resolution: {integrity: sha512-bNqOxxl83FNCCV+7QoUj6oeRC0VTExWOClrLrHNMoLIU0TCtzhcmQqiuJhdWrcCwZ5RBhXHGMSFsR62d2RcWpw==}
 
   '@design.estate/dees-comms@1.0.30':
     resolution: {integrity: sha512-KchMlklJfKAjQiJiR0xmofXtQ27VgZtBIxcMwPE9d+h3jJRv+lPZxzBQVOM0eyM0uS44S5vJMZ11IeV4uDXSHg==}
@@ -1231,8 +1231,8 @@ packages:
   '@push.rocks/smartmetrics@3.0.3':
     resolution: {integrity: sha512-RYY4NOla3kraZYVF9TBHgIz4/hSkqVDVNP7tLwhLK5mGBPBy8I/9NWXX6txZKQw6QihP85YD8mWUuUu2xS4D6Q==}
 
-  '@push.rocks/smartmigration@1.1.1':
-    resolution: {integrity: sha512-K/eLN9cNy+CLOT73rhI93vOy/vGwpV46iJpjRUyPwHsMcQcV6po2idk5+XZQzeuq2x7KpKuUPtZ6gXMtf5Y/ig==}
+  '@push.rocks/smartmigration@1.2.0':
+    resolution: {integrity: sha512-H2diE1UbZm4cXjxgxkt2YQW3aUQ3QVVU/e8Ws30hzIep0xIqL1BH6//WawA5ZBQhnAOBssZpVOuWOd3GIeBq+Q==}
     peerDependencies:
       '@push.rocks/smartbucket': ^4.6.0
       '@push.rocks/smartdata': ^7.1.7
@@ -4315,7 +4315,7 @@ snapshots:
       '@api.global/typedrequest-interfaces': 3.0.19
       '@api.global/typedsocket': 4.1.2(@push.rocks/smartserve@2.0.3)
       '@cloudflare/workers-types': 4.20260405.1
-      '@design.estate/dees-catalog': 3.69.1(@tiptap/pm@2.27.2)
+      '@design.estate/dees-catalog': 3.70.0(@tiptap/pm@2.27.2)
       '@design.estate/dees-comms': 1.0.30
       '@push.rocks/lik': 6.4.0
       '@push.rocks/smartdelay': 3.0.5
@@ -4844,7 +4844,7 @@ snapshots:
     dependencies:
       '@api.global/typedrequest-interfaces': 3.0.19
 
-  '@design.estate/dees-catalog@3.69.1(@tiptap/pm@2.27.2)':
+  '@design.estate/dees-catalog@3.70.0(@tiptap/pm@2.27.2)':
     dependencies:
       '@design.estate/dees-domtools': 2.5.4
       '@design.estate/dees-element': 2.2.4
@@ -6354,7 +6354,7 @@ snapshots:
       '@push.rocks/smartdelay': 3.0.5
       '@push.rocks/smartlog': 3.2.2
 
-  '@push.rocks/smartmigration@1.1.1(@push.rocks/smartbucket@4.6.0)(@push.rocks/smartdata@7.1.7(socks@2.8.7))':
+  '@push.rocks/smartmigration@1.2.0(@push.rocks/smartbucket@4.6.0)(@push.rocks/smartdata@7.1.7(socks@2.8.7))':
     dependencies:
       '@push.rocks/smartlog': 3.2.2
       '@push.rocks/smartversion': 3.1.0
@@ -6900,7 +6900,7 @@ snapshots:
 
   '@serve.zone/catalog@2.12.3(@tiptap/pm@2.27.2)':
     dependencies:
-      '@design.estate/dees-catalog': 3.69.1(@tiptap/pm@2.27.2)
+      '@design.estate/dees-catalog': 3.70.0(@tiptap/pm@2.27.2)
       '@design.estate/dees-domtools': 2.5.4
       '@design.estate/dees-element': 2.2.4
       '@design.estate/dees-wcctools': 3.8.0

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.6.0',
+  version: '13.9.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts/acme/index.ts

@@ -0,0 +1 @@
+export * from './manager.acme-config.js';

ts/acme/manager.acme-config.ts

@@ -0,0 +1,182 @@
+import { logger } from '../logger.js';
+import { AcmeConfigDoc } from '../db/documents/index.js';
+import type { IDcRouterOptions } from '../classes.dcrouter.js';
+import type { IAcmeConfig } from '../../ts_interfaces/data/acme-config.js';
+
+/**
+ * AcmeConfigManager — owns the singleton ACME configuration in the DB.
+ *
+ * Lifecycle:
+ *  - `start()` — loads from the DB; if empty, seeds from legacy constructor
+ *    fields (`tls.contactEmail`, `smartProxyConfig.acme.*`) on first boot.
+ *  - `getConfig()` — returns the in-memory cached `IAcmeConfig` (or null)
+ *  - `updateConfig(args, updatedBy)` — upserts and refreshes the cache
+ *
+ * Reload semantics: updates take effect on the next dcrouter restart because
+ * `SmartAcme` is instantiated once in `setupSmartProxy()`. `renewThresholdDays`
+ * applies immediately to the next renewal check. See
+ * `ts_web/elements/domains/ops-view-certificates.ts` for the UI warning.
+ */
+export class AcmeConfigManager {
+  private cached: IAcmeConfig | null = null;
+
+  constructor(private options: IDcRouterOptions) {}
+
+  public async start(): Promise<void> {
+    logger.log('info', 'AcmeConfigManager: starting');
+    let doc = await AcmeConfigDoc.load();
+
+    if (!doc) {
+      // First-boot path: seed from legacy constructor fields if present.
+      const seed = this.deriveSeedFromOptions();
+      if (seed) {
+        doc = await this.createSeedDoc(seed);
+        logger.log(
+          'info',
+          `AcmeConfigManager: seeded from constructor legacy fields (accountEmail=${seed.accountEmail}, useProduction=${seed.useProduction})`,
+        );
+      } else {
+        logger.log(
+          'info',
+          'AcmeConfigManager: no AcmeConfig in DB and no legacy constructor fields — ACME disabled until configured via Domains > Certificates > Settings.',
+        );
+      }
+    } else if (this.deriveSeedFromOptions()) {
+      logger.log(
+        'warn',
+        'AcmeConfigManager: ignoring constructor tls.contactEmail / smartProxyConfig.acme — DB already has AcmeConfigDoc. Manage via Domains > Certificates > Settings.',
+      );
+    }
+
+    this.cached = doc ? this.toPlain(doc) : null;
+    if (this.cached) {
+      logger.log(
+        'info',
+        `AcmeConfigManager: loaded ACME config (accountEmail=${this.cached.accountEmail}, enabled=${this.cached.enabled}, useProduction=${this.cached.useProduction})`,
+      );
+    }
+  }
+
+  public async stop(): Promise<void> {
+    this.cached = null;
+  }
+
+  /**
+   * Returns the current ACME config, or null if not configured.
+   * In-memory — does not hit the DB.
+   */
+  public getConfig(): IAcmeConfig | null {
+    return this.cached;
+  }
+
+  /**
+   * True if there is an enabled ACME config. Used by `setupSmartProxy()` to
+   * decide whether to instantiate SmartAcme.
+   */
+  public hasEnabledConfig(): boolean {
+    return this.cached !== null && this.cached.enabled;
+  }
+
+  /**
+   * Upsert the ACME config. All fields are optional; missing fields are
+   * preserved from the existing row (or defaulted if there is no row yet).
+   */
+  public async updateConfig(
+    args: Partial<Omit<IAcmeConfig, 'updatedAt' | 'updatedBy'>>,
+    updatedBy: string,
+  ): Promise<IAcmeConfig> {
+    let doc = await AcmeConfigDoc.load();
+    const now = Date.now();
+
+    if (!doc) {
+      doc = new AcmeConfigDoc();
+      doc.configId = 'acme-config';
+      doc.accountEmail = args.accountEmail ?? '';
+      doc.enabled = args.enabled ?? true;
+      doc.useProduction = args.useProduction ?? true;
+      doc.autoRenew = args.autoRenew ?? true;
+      doc.renewThresholdDays = args.renewThresholdDays ?? 30;
+    } else {
+      if (args.accountEmail !== undefined) doc.accountEmail = args.accountEmail;
+      if (args.enabled !== undefined) doc.enabled = args.enabled;
+      if (args.useProduction !== undefined) doc.useProduction = args.useProduction;
+      if (args.autoRenew !== undefined) doc.autoRenew = args.autoRenew;
+      if (args.renewThresholdDays !== undefined) doc.renewThresholdDays = args.renewThresholdDays;
+    }
+
+    doc.updatedAt = now;
+    doc.updatedBy = updatedBy;
+    await doc.save();
+
+    this.cached = this.toPlain(doc);
+    return this.cached;
+  }
+
+  // ==========================================================================
+  // Internal helpers
+  // ==========================================================================
+
+  /**
+   * Build a seed object from the legacy constructor fields. Returns null
+   * if the user has not provided any of them.
+   *
+   * Supports BOTH `tls.contactEmail` (short form) and `smartProxyConfig.acme`
+   * (full form). `smartProxyConfig.acme` wins when both are present.
+   */
+  private deriveSeedFromOptions(): Omit<IAcmeConfig, 'updatedAt' | 'updatedBy'> | null {
+    const acme = this.options.smartProxyConfig?.acme;
+    const tls = this.options.tls;
+
+    // Prefer the explicit smartProxyConfig.acme block if present.
+    if (acme?.accountEmail) {
+      return {
+        accountEmail: acme.accountEmail,
+        enabled: acme.enabled !== false,
+        useProduction: acme.useProduction !== false,
+        autoRenew: acme.autoRenew !== false,
+        renewThresholdDays: acme.renewThresholdDays ?? 30,
+      };
+    }
+
+    // Fall back to the short tls.contactEmail form.
+    if (tls?.contactEmail) {
+      return {
+        accountEmail: tls.contactEmail,
+        enabled: true,
+        useProduction: true,
+        autoRenew: true,
+        renewThresholdDays: 30,
+      };
+    }
+
+    return null;
+  }
+
+  private async createSeedDoc(
+    seed: Omit<IAcmeConfig, 'updatedAt' | 'updatedBy'>,
+  ): Promise<AcmeConfigDoc> {
+    const doc = new AcmeConfigDoc();
+    doc.configId = 'acme-config';
+    doc.accountEmail = seed.accountEmail;
+    doc.enabled = seed.enabled;
+    doc.useProduction = seed.useProduction;
+    doc.autoRenew = seed.autoRenew;
+    doc.renewThresholdDays = seed.renewThresholdDays;
+    doc.updatedAt = Date.now();
+    doc.updatedBy = 'seed';
+    await doc.save();
+    return doc;
+  }
+
+  private toPlain(doc: AcmeConfigDoc): IAcmeConfig {
+    return {
+      accountEmail: doc.accountEmail,
+      enabled: doc.enabled,
+      useProduction: doc.useProduction,
+      autoRenew: doc.autoRenew,
+      renewThresholdDays: doc.renewThresholdDays,
+      updatedAt: doc.updatedAt,
+      updatedBy: doc.updatedBy,
+    };
+  }
+}

ts/classes.dcrouter.ts

@@ -28,6 +28,7 @@ import { RouteConfigManager, ApiTokenManager, ReferenceResolver, DbSeeder, Targe
 import { SecurityLogger, ContentScanner, IPReputationChecker } from './security/index.js';
 import { type IHttp3Config, augmentRoutesWithHttp3 } from './http3/index.js';
 import { DnsManager } from './dns/manager.dns.js';
+import { AcmeConfigManager } from './acme/manager.acme-config.js';
 
 export interface IDcRouterOptions {
   /** Base directory for all dcrouter data. Defaults to ~/.serve.zone/dcrouter */
@@ -276,6 +277,9 @@ export class DcRouter {
   // Domain / DNS management (DB-backed providers, domains, records)
   public dnsManager?: DnsManager;
 
+  // ACME configuration (DB-backed singleton, replaces tls.contactEmail)
+  public acmeConfigManager?: AcmeConfigManager;
+
   // Auto-discovered public IP (populated by generateAuthoritativeRecords)
   public detectedPublicIp: string | null = null;
 
@@ -412,11 +416,35 @@ export class DcRouter {
       );
     }
 
-    // SmartProxy: critical, depends on DcRouterDb + DnsManager (if enabled)
+    // AcmeConfigManager: optional, depends on DcRouterDb — owns the singleton
+    // ACME configuration (accountEmail, useProduction, etc.). Must run before
+    // SmartProxy so setupSmartProxy() can read the ACME config from the DB.
+    // On first boot, seeds from legacy `tls.contactEmail` / `smartProxyConfig.acme`.
+    if (this.options.dbConfig?.enabled !== false) {
+      this.serviceManager.addService(
+        new plugins.taskbuffer.Service('AcmeConfigManager')
+          .optional()
+          .dependsOn('DcRouterDb')
+          .withStart(async () => {
+            this.acmeConfigManager = new AcmeConfigManager(this.options);
+            await this.acmeConfigManager.start();
+          })
+          .withStop(async () => {
+            if (this.acmeConfigManager) {
+              await this.acmeConfigManager.stop();
+              this.acmeConfigManager = undefined;
+            }
+          })
+          .withRetry({ maxRetries: 1, baseDelayMs: 500 }),
+      );
+    }
+
+    // SmartProxy: critical, depends on DcRouterDb + DnsManager + AcmeConfigManager (if enabled)
     const smartProxyDeps: string[] = [];
     if (this.options.dbConfig?.enabled !== false) {
       smartProxyDeps.push('DcRouterDb');
       smartProxyDeps.push('DnsManager');
+      smartProxyDeps.push('AcmeConfigManager');
     }
     this.serviceManager.addService(
       new plugins.taskbuffer.Service('SmartProxy')
@@ -837,45 +865,62 @@ export class DcRouter {
     }
 
     let routes: plugins.smartproxy.IRouteConfig[] = [];
-    let acmeConfig: plugins.smartproxy.IAcmeOptions | undefined;
-    
-    // If user provides full SmartProxy config, use it directly
+
+    // If user provides full SmartProxy config, use its routes.
+    // NOTE: `smartProxyConfig.acme` is now seed-only — consumed by
+    // AcmeConfigManager on first boot. The live ACME config always comes
+    // from the DB via `this.acmeConfigManager.getConfig()`.
     if (this.options.smartProxyConfig) {
       routes = this.options.smartProxyConfig.routes || [];
-      acmeConfig = this.options.smartProxyConfig.acme;
-      logger.log('info', `Found ${routes.length} routes in config, ACME config present: ${!!acmeConfig}`);
+      logger.log('info', `Found ${routes.length} routes in config`);
     }
-    
+
     // If email config exists, automatically add email routes
     if (this.options.emailConfig) {
       const emailRoutes = this.generateEmailRoutes(this.options.emailConfig);
       logger.log('debug', 'Email routes generated', { routes: JSON.stringify(emailRoutes) });
       routes = [...routes, ...emailRoutes]; // Enable email routing through SmartProxy
     }
-    
+
     // If DNS is configured, add DNS routes
     if (this.options.dnsNsDomains && this.options.dnsNsDomains.length > 0) {
       const dnsRoutes = this.generateDnsRoutes();
       logger.log('debug', `DNS routes for nameservers ${this.options.dnsNsDomains.join(', ')}`, { routes: JSON.stringify(dnsRoutes) });
       routes = [...routes, ...dnsRoutes];
     }
-    
-    // Merge TLS/ACME configuration if provided at root level
-    if (this.options.tls && !acmeConfig) {
-      acmeConfig = {
-        accountEmail: this.options.tls.contactEmail,
-        enabled: true,
-        useProduction: true,
-        autoRenew: true,
-        renewThresholdDays: 30
-      };
+
+    // Build the ACME options for SmartProxy from the DB-backed AcmeConfigManager.
+    // If no config exists or it's disabled, SmartProxy's own ACME is turned off
+    // and dcrouter's SmartAcme / certProvisionFunction are not wired.
+    const dbAcme = this.acmeConfigManager?.getConfig();
+    const acmeConfig: plugins.smartproxy.IAcmeOptions | undefined =
+      dbAcme && dbAcme.enabled
+        ? {
+            accountEmail: dbAcme.accountEmail,
+            enabled: true,
+            useProduction: dbAcme.useProduction,
+            autoRenew: dbAcme.autoRenew,
+            renewThresholdDays: dbAcme.renewThresholdDays,
+          }
+        : undefined;
+    if (acmeConfig) {
+      logger.log(
+        'info',
+        `ACME config: accountEmail=${acmeConfig.accountEmail}, useProduction=${acmeConfig.useProduction}, autoRenew=${acmeConfig.autoRenew}`,
+      );
+    } else {
+      logger.log('info', 'ACME config: disabled or not yet configured in DB');
     }
-    
-    // Configure DNS-01 challenge if any DnsProviderDoc exists in the DB.
-    // The DnsManager dispatches each challenge to the right provider client
-    // based on the FQDN being certificated.
+
+    // Configure DNS-01 challenge if any DnsProviderDoc exists in the DB AND
+    // ACME is enabled. The DnsManager dispatches each challenge to the right
+    // provider client based on the FQDN being certificated.
     let challengeHandlers: any[] = [];
-    if (this.dnsManager && (await this.dnsManager.hasAcmeCapableProvider())) {
+    if (
+      acmeConfig &&
+      this.dnsManager &&
+      (await this.dnsManager.hasAcmeCapableProvider())
+    ) {
       logger.log('info', 'Configuring DNS-01 challenge for ACME via DnsManager (DB providers)');
       const convenientDnsProvider = this.dnsManager.buildAcmeConvenientDnsProvider();
       const dns01Handler = new plugins.smartacme.handlers.Dns01Handler(convenientDnsProvider);
@@ -977,10 +1022,12 @@ export class DcRouter {
             logger.log('error', 'Error stopping old SmartAcme', { error: String(err) })
           );
         }
+        // Safe non-null: challengeHandlers.length > 0 implies both dnsManager
+        // and acmeConfig exist (enforced above).
         this.smartAcme = new plugins.smartacme.SmartAcme({
-          accountEmail: acmeConfig?.accountEmail || this.options.tls?.contactEmail || 'admin@example.com',
+          accountEmail: dbAcme!.accountEmail,
           certManager: new StorageBackedCertManager(),
-          environment: 'production',
+          environment: dbAcme!.useProduction ? 'production' : 'integration',
           challengeHandlers: challengeHandlers,
           challengePriority: ['dns-01'],
         });
@@ -1745,7 +1792,8 @@ export class DcRouter {
       logger.log('info', `Registered ${allRecords.length} DNS records (${authoritativeRecords.length} authoritative, ${emailDnsRecords.length} email, ${dkimRecords.length} DKIM, ${this.options.dnsRecords?.length || 0} user-defined)`);
     }
 
-    // Hand the DnsServer to DnsManager so DB-backed manual records get registered too.
+    // Hand the DnsServer to DnsManager so DB-backed local records on
+    // dcrouter-hosted domains get registered too.
     if (this.dnsManager && this.dnsServer) {
       await this.dnsManager.attachDnsServer(this.dnsServer);
     }

ts/db/documents/classes.acme-config.doc.ts

@@ -0,0 +1,49 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+/**
+ * Singleton ACME configuration document. One row per dcrouter instance,
+ * keyed on the fixed `configId = 'acme-config'` following the
+ * `VpnServerKeysDoc` pattern.
+ *
+ * Replaces the legacy `tls.contactEmail` and `smartProxyConfig.acme.*`
+ * constructor fields. Managed via the OpsServer UI at
+ * **Domains > Certificates > Settings**.
+ */
+@plugins.smartdata.Collection(() => getDb())
+export class AcmeConfigDoc extends plugins.smartdata.SmartDataDbDoc<AcmeConfigDoc, AcmeConfigDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public configId: string = 'acme-config';
+
+  @plugins.smartdata.svDb()
+  public accountEmail: string = '';
+
+  @plugins.smartdata.svDb()
+  public enabled: boolean = true;
+
+  @plugins.smartdata.svDb()
+  public useProduction: boolean = true;
+
+  @plugins.smartdata.svDb()
+  public autoRenew: boolean = true;
+
+  @plugins.smartdata.svDb()
+  public renewThresholdDays: number = 30;
+
+  @plugins.smartdata.svDb()
+  public updatedAt: number = 0;
+
+  @plugins.smartdata.svDb()
+  public updatedBy: string = '';
+
+  constructor() {
+    super();
+  }
+
+  public static async load(): Promise<AcmeConfigDoc | null> {
+    return await AcmeConfigDoc.getInstance({ configId: 'acme-config' });
+  }
+}

ts/db/documents/index.ts

@@ -30,3 +30,6 @@ export * from './classes.accounting-session.doc.js';
 export * from './classes.dns-provider.doc.js';
 export * from './classes.domain.doc.js';
 export * from './classes.dns-record.doc.js';
+
+// ACME configuration (singleton)
+export * from './classes.acme-config.doc.js';

ts/dns/manager.dns.ts

@@ -25,9 +25,9 @@ import type {
  * Responsibilities:
  *  - Load Domain/DnsRecord docs from the DB on start
  *  - First-boot seeding from legacy constructor config (dnsScopes/dnsRecords/dnsNsDomains)
- *  - Register manual-domain records with smartdns.DnsServer at startup
- *  - Provide CRUD methods used by OpsServer handlers (manual domains hit smartdns,
- *    provider domains hit the provider API)
+ *  - Register dcrouter-hosted domain records with smartdns.DnsServer at startup
+ *  - Provide CRUD methods used by OpsServer handlers (dcrouter-hosted domains hit
+ *    smartdns, provider domains hit the provider API)
  *  - Expose a provider lookup used by the ACME DNS-01 wiring in setupSmartProxy()
  *
  * Provider-managed domains are NEVER served from the embedded DnsServer — the
@@ -69,12 +69,12 @@ export class DnsManager {
 
   /**
    * Wire the embedded DnsServer instance after it has been created by
-   * DcRouter.setupDnsWithSocketHandler(). After this, manual records loaded
-   * from the DB are registered with the server.
+   * DcRouter.setupDnsWithSocketHandler(). After this, local records on
+   * dcrouter-hosted domains loaded from the DB are registered with the server.
    */
   public async attachDnsServer(dnsServer: plugins.smartdns.dnsServerMod.DnsServer): Promise<void> {
     this.dnsServer = dnsServer;
-    await this.applyManualDomainsToDnsServer();
+    await this.applyDcrouterDomainsToDnsServer();
   }
 
   // ==========================================================================
@@ -83,7 +83,8 @@ export class DnsManager {
 
   /**
    * If no DomainDocs exist yet but the constructor has legacy DNS fields,
-   * seed them as `source: 'manual'` records. On subsequent boots (DB has
+   * seed them as dcrouter-hosted (`domain.source: 'dcrouter'`) zones with
+   * local (`record.source: 'local'`) records. On subsequent boots (DB has
    * entries), constructor config is ignored with a warning.
    */
   private async seedFromConstructorConfigIfEmpty(): Promise<void> {
@@ -117,7 +118,7 @@ export class DnsManager {
       const domain = new DomainDoc();
       domain.id = plugins.uuid.v4();
       domain.name = scope.toLowerCase();
-      domain.source = 'manual';
+      domain.source = 'dcrouter';
       domain.authoritative = true;
       domain.createdAt = now;
       domain.updatedAt = now;
@@ -144,7 +145,7 @@ export class DnsManager {
       record.type = rec.type as TDnsRecordType;
       record.value = rec.value;
       record.ttl = rec.ttl ?? 300;
-      record.source = 'manual';
+      record.source = 'local';
       record.createdAt = now;
       record.updatedAt = now;
       record.createdBy = 'seed';
@@ -174,28 +175,31 @@ export class DnsManager {
   }
 
   // ==========================================================================
-  // Manual-domain DnsServer wiring
+  // DcRouter-hosted domain DnsServer wiring
   // ==========================================================================
 
   /**
-   * Register all manual-domain records from the DB with the embedded DnsServer.
-   * Called once after attachDnsServer().
+   * Register all records from dcrouter-hosted domains in the DB with the
+   * embedded DnsServer. Called once after attachDnsServer().
    */
-  private async applyManualDomainsToDnsServer(): Promise<void> {
+  private async applyDcrouterDomainsToDnsServer(): Promise<void> {
     if (!this.dnsServer) {
       return;
     }
     const allDomains = await DomainDoc.findAll();
-    const manualDomains = allDomains.filter((d) => d.source === 'manual');
+    const dcrouterDomains = allDomains.filter((d) => d.source === 'dcrouter');
     let registered = 0;
-    for (const domain of manualDomains) {
+    for (const domain of dcrouterDomains) {
       const records = await DnsRecordDoc.findByDomainId(domain.id);
       for (const rec of records) {
         this.registerRecordWithDnsServer(rec);
         registered++;
       }
     }
-    logger.log('info', `DnsManager: registered ${registered} manual DNS record(s) from DB`);
+    logger.log(
+      'info',
+      `DnsManager: registered ${registered} dcrouter-hosted DNS record(s) from DB`,
+    );
   }
 
   /**
@@ -302,7 +306,9 @@ export class DnsManager {
 
   /**
    * Build an IConvenientDnsProvider that dispatches each ACME challenge to
-   * the right CloudflareDnsProvider based on the challenge's hostName.
+   * the right provider client (whichever provider type owns the parent zone),
+   * based on the challenge's hostName. Provider-agnostic — uses the IDnsProviderClient
+   * interface, so any registered provider implementation works.
    * Returned object plugs directly into smartacme's Dns01Handler.
    */
   public buildAcmeConvenientDnsProvider(): plugins.tsclass.network.IConvenientDnsProvider {
@@ -379,6 +385,12 @@ export class DnsManager {
     credentials: TDnsProviderCredentials;
     createdBy: string;
   }): Promise<string> {
+    if (args.type === 'dcrouter') {
+      throw new Error(
+        'createProvider: cannot create a DnsProviderDoc with type "dcrouter" — ' +
+          'that type is reserved for the built-in pseudo-provider surfaced at read time.',
+      );
+    }
     const now = Date.now();
     const doc = new DnsProviderDoc();
     doc.id = plugins.uuid.v4();
@@ -471,10 +483,10 @@ export class DnsManager {
   }
 
   /**
-   * Create a manual (authoritative) domain. dcrouter will serve DNS records
-   * for this domain via the embedded smartdns.DnsServer.
+   * Create a dcrouter-hosted (authoritative) domain. dcrouter will serve
+   * DNS records for this domain via the embedded smartdns.DnsServer.
    */
-  public async createManualDomain(args: {
+  public async createDcrouterDomain(args: {
     name: string;
     description?: string;
     createdBy: string;
@@ -483,7 +495,7 @@ export class DnsManager {
     const doc = new DomainDoc();
     doc.id = plugins.uuid.v4();
     doc.name = args.name.toLowerCase();
-    doc.source = 'manual';
+    doc.source = 'dcrouter';
     doc.authoritative = true;
     doc.description = args.description;
     doc.createdAt = now;
@@ -569,10 +581,11 @@ export class DnsManager {
   /**
    * Delete a domain and all of its DNS records. For provider domains, only
    * removes the local mirror — does NOT touch the provider.
-   * For manual domains, also unregisters records from the embedded DnsServer.
+   * For dcrouter-hosted domains, also unregisters records from the embedded
+   * DnsServer.
    *
    * Note: smartdns has no public unregister-by-name API in the version pinned
-   * here, so manual record deletes only take effect after a restart. The DB
+   * here, so local record deletes only take effect after a restart. The DB
    * is the source of truth and the next start will not register the deleted
    * record.
    */
@@ -650,7 +663,7 @@ export class DnsManager {
     doc.value = args.value;
     doc.ttl = args.ttl ?? 300;
     if (args.proxied !== undefined) doc.proxied = args.proxied;
-    doc.source = 'manual';
+    doc.source = 'local';
     doc.createdAt = now;
     doc.updatedAt = now;
     doc.createdBy = args.createdBy;
@@ -676,7 +689,7 @@ export class DnsManager {
         return { success: false, message: `Provider rejected record: ${(err as Error).message}` };
       }
     } else {
-      // Manual / authoritative — register with embedded DnsServer immediately
+      // dcrouter-hosted / authoritative — register with embedded DnsServer immediately
       this.registerRecordWithDnsServer(doc);
     }
 
@@ -720,7 +733,7 @@ export class DnsManager {
         return { success: false, message: `Provider rejected update: ${(err as Error).message}` };
       }
     } else {
-      // Re-register the manual record so the new closure picks up the updated fields
+      // Re-register the local record so the new closure picks up the updated fields
       this.registerRecordWithDnsServer(doc);
     }
 
@@ -746,7 +759,7 @@ export class DnsManager {
         }
       }
     }
-    // For manual records: smartdns has no unregister API in the pinned version,
+    // For local records: smartdns has no unregister API in the pinned version,
     // so the record stays served until the next restart. The DB delete still
     // takes effect — on restart, the record will not be re-registered.
 
@@ -805,7 +818,7 @@ export class DnsManager {
   public toPublicDomain(doc: DomainDoc): {
     id: string;
     name: string;
-    source: 'manual' | 'provider';
+    source: 'dcrouter' | 'provider';
     providerId?: string;
     authoritative: boolean;
     nameservers?: string[];

ts/dns/providers/cloudflare.provider.ts

@@ -27,14 +27,6 @@ export class CloudflareDnsProvider implements IDnsProviderClient {
     this.cfAccount = new plugins.cloudflare.CloudflareAccount(apiToken);
   }
 
-  /**
-   * Returns the underlying CloudflareAccount — used by ACME DNS-01
-   * to wrap into a smartacme Dns01Handler.
-   */
-  public getCloudflareAccount(): plugins.cloudflare.CloudflareAccount {
-    return this.cfAccount;
-  }
-
   public async testConnection(): Promise<IConnectionTestResult> {
     try {
       // Listing zones is the lightest-weight call that proves the token works.

ts/dns/providers/factory.ts

@@ -9,6 +9,21 @@ import { CloudflareDnsProvider } from './cloudflare.provider.js';
  * Instantiate a runtime DNS provider client from a stored DnsProviderDoc.
  *
  * @throws if the provider type is not supported.
+ *
+ * ## Adding a new provider (e.g. Route53)
+ *
+ * 1. **Type union** — extend `TDnsProviderType` in
+ *    `ts_interfaces/data/dns-provider.ts` (e.g. `'cloudflare' | 'route53'`).
+ * 2. **Credentials interface** — add `IRoute53Credentials` and append it to
+ *    the `TDnsProviderCredentials` discriminated union.
+ * 3. **Descriptor** — append a new entry to `dnsProviderTypeDescriptors` so
+ *    the OpsServer UI picks up the new type and renders the right credential
+ *    form fields automatically.
+ * 4. **Provider class** — create `ts/dns/providers/route53.provider.ts`
+ *    implementing `IDnsProviderClient`.
+ * 5. **Factory case** — add a new `case 'route53':` below. The
+ *    `_exhaustive: never` line will fail to compile until you do.
+ * 6. **Index** — re-export the new class from `ts/dns/providers/index.ts`.
  */
 export function createDnsProvider(
   type: TDnsProviderType,
@@ -23,7 +38,20 @@ export function createDnsProvider(
       }
       return new CloudflareDnsProvider(credentials.apiToken);
     }
+    case 'dcrouter': {
+      // The built-in DcRouter pseudo-provider has no runtime client — dcrouter
+      // itself serves the records via the embedded smartdns.DnsServer. This
+      // case exists only to satisfy the exhaustive switch; it should never
+      // actually run because the handler layer rejects any CRUD that would
+      // result in a DnsProviderDoc with type: 'dcrouter'.
+      throw new Error(
+        `createDnsProvider: 'dcrouter' is a built-in pseudo-provider — no runtime client exists. ` +
+          `This call indicates a DnsProviderDoc with type: 'dcrouter' was persisted, which should never happen.`,
+      );
+    }
     default: {
+      // If you see a TypeScript error here after extending TDnsProviderType,
+      // add a `case` for the new type above. The `never` enforces exhaustiveness.
       const _exhaustive: never = type;
       throw new Error(`createDnsProvider: unsupported provider type: ${_exhaustive}`);
     }

ts/opsserver/classes.opsserver.ts

@@ -36,6 +36,7 @@ export class OpsServer {
   private dnsProviderHandler!: handlers.DnsProviderHandler;
   private domainHandler!: handlers.DomainHandler;
   private dnsRecordHandler!: handlers.DnsRecordHandler;
+  private acmeConfigHandler!: handlers.AcmeConfigHandler;
 
   constructor(dcRouterRefArg: DcRouter) {
     this.dcRouterRef = dcRouterRefArg;
@@ -102,6 +103,7 @@ export class OpsServer {
     this.dnsProviderHandler = new handlers.DnsProviderHandler(this);
     this.domainHandler = new handlers.DomainHandler(this);
     this.dnsRecordHandler = new handlers.DnsRecordHandler(this);
+    this.acmeConfigHandler = new handlers.AcmeConfigHandler(this);
 
     console.log('✅ OpsServer TypedRequest handlers initialized');
   }

ts/opsserver/handlers/acme-config.handler.ts

@@ -0,0 +1,94 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+
+/**
+ * CRUD handler for the singleton `AcmeConfigDoc`.
+ *
+ * Auth: same dual-mode pattern as other handlers — admin JWT or API token
+ * with `acme-config:read` / `acme-config:write` scope.
+ */
+export class AcmeConfigHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private async requireAuth(
+    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
+    requiredScope?: interfaces.data.TApiTokenScope,
+  ): Promise<string> {
+    if (request.identity?.jwt) {
+      try {
+        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
+          identity: request.identity,
+        });
+        if (isAdmin) return request.identity.userId;
+      } catch { /* fall through */ }
+    }
+
+    if (request.apiToken) {
+      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
+      if (tokenManager) {
+        const token = await tokenManager.validateToken(request.apiToken);
+        if (token) {
+          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
+            return token.createdBy;
+          }
+          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
+        }
+      }
+    }
+
+    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+  }
+
+  private registerHandlers(): void {
+    // Get current ACME config
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetAcmeConfig>(
+        'getAcmeConfig',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'acme-config:read');
+          const mgr = this.opsServerRef.dcRouterRef.acmeConfigManager;
+          if (!mgr) return { config: null };
+          return { config: mgr.getConfig() };
+        },
+      ),
+    );
+
+    // Update (upsert) the ACME config
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateAcmeConfig>(
+        'updateAcmeConfig',
+        async (dataArg) => {
+          const userId = await this.requireAuth(dataArg, 'acme-config:write');
+          const mgr = this.opsServerRef.dcRouterRef.acmeConfigManager;
+          if (!mgr) {
+            return {
+              success: false,
+              message: 'AcmeConfigManager not initialized (DB disabled?)',
+            };
+          }
+          try {
+            const updated = await mgr.updateConfig(
+              {
+                accountEmail: dataArg.accountEmail,
+                enabled: dataArg.enabled,
+                useProduction: dataArg.useProduction,
+                autoRenew: dataArg.autoRenew,
+                renewThresholdDays: dataArg.renewThresholdDays,
+              },
+              userId,
+            );
+            return { success: true, config: updated };
+          } catch (err: unknown) {
+            return { success: false, message: (err as Error).message };
+          }
+        },
+      ),
+    );
+  }
+}

ts/opsserver/handlers/dns-provider.handler.ts

@@ -46,15 +46,28 @@ export class DnsProviderHandler {
   }
 
   private registerHandlers(): void {
-    // Get all providers
+    // Get all providers — prepends the built-in DcRouter pseudo-provider
+    // so operators see a uniform "who serves this?" list that includes the
+    // authoritative dcrouter alongside external accounts.
     this.typedrouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetDnsProviders>(
         'getDnsProviders',
         async (dataArg) => {
           await this.requireAuth(dataArg, 'dns-providers:read');
           const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
-          if (!dnsManager) return { providers: [] };
-          return { providers: await dnsManager.listProviders() };
+          const synthetic: interfaces.data.IDnsProviderPublic = {
+            id: interfaces.data.DCROUTER_BUILTIN_PROVIDER_ID,
+            name: 'DcRouter',
+            type: 'dcrouter',
+            status: 'ok',
+            createdAt: 0,
+            updatedAt: 0,
+            createdBy: 'system',
+            hasCredentials: false,
+            builtIn: true,
+          };
+          const real = dnsManager ? await dnsManager.listProviders() : [];
+          return { providers: [synthetic, ...real] };
         },
       ),
     );
@@ -78,6 +91,12 @@ export class DnsProviderHandler {
         'createDnsProvider',
         async (dataArg) => {
           const userId = await this.requireAuth(dataArg, 'dns-providers:write');
+          if (dataArg.type === 'dcrouter') {
+            return {
+              success: false,
+              message: 'cannot create built-in provider',
+            };
+          }
           const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
           if (!dnsManager) {
             return { success: false, message: 'DnsManager not initialized (DB disabled?)' };
@@ -99,6 +118,9 @@ export class DnsProviderHandler {
         'updateDnsProvider',
         async (dataArg) => {
           await this.requireAuth(dataArg, 'dns-providers:write');
+          if (dataArg.id === interfaces.data.DCROUTER_BUILTIN_PROVIDER_ID) {
+            return { success: false, message: 'cannot edit built-in provider' };
+          }
           const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
           if (!dnsManager) return { success: false, message: 'DnsManager not initialized' };
           const ok = await dnsManager.updateProvider(dataArg.id, {
@@ -116,6 +138,9 @@ export class DnsProviderHandler {
         'deleteDnsProvider',
         async (dataArg) => {
           await this.requireAuth(dataArg, 'dns-providers:write');
+          if (dataArg.id === interfaces.data.DCROUTER_BUILTIN_PROVIDER_ID) {
+            return { success: false, message: 'cannot delete built-in provider' };
+          }
           const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
           if (!dnsManager) return { success: false, message: 'DnsManager not initialized' };
           return await dnsManager.deleteProvider(dataArg.id, dataArg.force ?? false);
@@ -129,6 +154,13 @@ export class DnsProviderHandler {
         'testDnsProvider',
         async (dataArg) => {
           await this.requireAuth(dataArg, 'dns-providers:read');
+          if (dataArg.id === interfaces.data.DCROUTER_BUILTIN_PROVIDER_ID) {
+            return {
+              ok: false,
+              error: 'built-in provider has no external connection to test',
+              testedAt: Date.now(),
+            };
+          }
           const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
           if (!dnsManager) {
             return { ok: false, error: 'DnsManager not initialized', testedAt: Date.now() };
@@ -144,6 +176,12 @@ export class DnsProviderHandler {
         'listProviderDomains',
         async (dataArg) => {
           await this.requireAuth(dataArg, 'dns-providers:read');
+          if (dataArg.providerId === interfaces.data.DCROUTER_BUILTIN_PROVIDER_ID) {
+            return {
+              success: false,
+              message: 'built-in provider has no external domain listing — use "Add DcRouter Domain" instead',
+            };
+          }
           const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
           if (!dnsManager) return { success: false, message: 'DnsManager not initialized' };
           try {

ts/opsserver/handlers/domain.handler.ts

@@ -71,7 +71,7 @@ export class DomainHandler {
       ),
     );
 
-    // Create manual domain
+    // Create dcrouter-hosted domain
     this.typedrouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateDomain>(
         'createDomain',
@@ -80,7 +80,7 @@ export class DomainHandler {
           const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
           if (!dnsManager) return { success: false, message: 'DnsManager not initialized' };
           try {
-            const id = await dnsManager.createManualDomain({
+            const id = await dnsManager.createDcrouterDomain({
               name: dataArg.name,
               description: dataArg.description,
               createdBy: userId,

ts/opsserver/handlers/index.ts

@@ -16,4 +16,5 @@ export * from './network-target.handler.js';
 export * from './users.handler.js';
 export * from './dns-provider.handler.js';
 export * from './domain.handler.js';
-export * from './dns-record.handler.js';
+export * from './dns-record.handler.js';
+export * from './acme-config.handler.js';

ts_interfaces/data/acme-config.ts

@@ -0,0 +1,25 @@
+/**
+ * ACME configuration for automated TLS certificate issuance via Let's Encrypt.
+ *
+ * Persisted as a singleton `AcmeConfigDoc` in the DcRouterDb. Replaces the
+ * legacy constructor fields `tls.contactEmail` / `smartProxyConfig.acme.*`
+ * which are now seed-only (used once on first boot if the DB is empty).
+ *
+ * Managed via the OpsServer UI at **Domains > Certificates > Settings**.
+ */
+export interface IAcmeConfig {
+  /** Contact email used for Let's Encrypt account registration. */
+  accountEmail: string;
+  /** Whether ACME is enabled. If false, no certs are issued via ACME. */
+  enabled: boolean;
+  /** True = Let's Encrypt production, false = staging. */
+  useProduction: boolean;
+  /** Whether to automatically renew certs before expiry. */
+  autoRenew: boolean;
+  /** Renew when a cert has fewer than this many days of validity left. */
+  renewThresholdDays: number;
+  /** Unix ms timestamp of last config change. */
+  updatedAt: number;
+  /** Who last updated the config (userId or 'seed' / 'system'). */
+  updatedBy: string;
+}

ts_interfaces/data/dns-provider.ts

@@ -1,9 +1,28 @@
 /**
- * Supported DNS provider types. Initially Cloudflare; the abstraction is
- * designed so additional providers (Route53, Gandi, DigitalOcean…) can be
- * added by implementing the IDnsProvider class interface in ts/dns/providers/.
+ * Stable ID for the built-in DcRouter pseudo-provider. The Providers list
+ * surfaces this as the first, non-deletable row so operators see a uniform
+ * "who serves this?" answer for every domain. The ID is magic — it never
+ * exists in the DnsProviderDoc collection; handlers inject it at read time
+ * and reject any mutation that targets it.
  */
-export type TDnsProviderType = 'cloudflare';
+export const DCROUTER_BUILTIN_PROVIDER_ID = '__dcrouter__';
+
+/**
+ * Supported DNS provider types.
+ *
+ * - 'cloudflare' → Cloudflare account (API token-based). Provider stays
+ *                  authoritative; dcrouter pushes record changes via API.
+ * - 'dcrouter'   → Built-in pseudo-provider for dcrouter-hosted zones.
+ *                  dcrouter itself is the authoritative DNS server. No
+ *                  credentials, cannot be created/edited/deleted through
+ *                  the provider CRUD — the Providers view renders it from
+ *                  a handler-level synthetic row.
+ *
+ * The abstraction is designed so additional providers (Route53, Gandi,
+ * DigitalOcean, foreign dcrouters…) can be added by implementing the
+ * IDnsProvider class interface in ts/dns/providers/.
+ */
+export type TDnsProviderType = 'cloudflare' | 'dcrouter';
 
 /**
  * Status of the last connection test against a provider.
@@ -58,6 +77,12 @@ export interface IDnsProviderPublic {
   createdBy: string;
   /** Whether credentials are configured (true after creation). Never the secret itself. */
   hasCredentials: boolean;
+  /**
+   * True for the built-in DcRouter pseudo-provider — read-only, cannot be
+   * created / edited / deleted. Injected by the handler layer, never
+   * persisted in the DnsProviderDoc collection.
+   */
+  builtIn?: boolean;
 }
 
 /**
@@ -71,3 +96,79 @@ export interface IProviderDomainListing {
   /** Authoritative nameservers reported by the provider. */
   nameservers: string[];
 }
+
+/**
+ * Schema entry for a single credential field, used by the OpsServer UI to
+ * render a provider's credential form dynamically.
+ */
+export interface IDnsProviderCredentialField {
+  /** Key under which the value is stored in the credentials object. */
+  key: string;
+  /** Label shown to the user. */
+  label: string;
+  /** Optional inline help text. */
+  helpText?: string;
+  /** Whether the field must be filled. */
+  required: boolean;
+  /** True for secret fields (rendered as password input, never echoed back). */
+  secret: boolean;
+}
+
+/**
+ * Metadata describing a DNS provider type. Drives:
+ *  - the OpsServer UI's provider type picker + credential form,
+ *  - documentation of which credentials each provider needs,
+ *  - end-to-end consistency between the type union, the discriminated
+ *    credentials union, the runtime factory, and the form rendering.
+ *
+ * To add a new provider, append a new entry to `dnsProviderTypeDescriptors`
+ * below — and follow the checklist in `ts/dns/providers/factory.ts`.
+ */
+export interface IDnsProviderTypeDescriptor {
+  type: TDnsProviderType;
+  /** Human-readable name for the UI. */
+  displayName: string;
+  /** One-line description shown next to the type picker. */
+  description: string;
+  /** Schema for the credentials form. */
+  credentialFields: IDnsProviderCredentialField[];
+}
+
+/**
+ * Single source of truth for which DNS provider types exist and what
+ * credentials each one needs. Used by both backend and frontend.
+ */
+export const dnsProviderTypeDescriptors: ReadonlyArray<IDnsProviderTypeDescriptor> = [
+  {
+    type: 'dcrouter',
+    displayName: 'DcRouter (built-in)',
+    description:
+      'Built-in authoritative DNS. Records are served directly by dcrouter — delegate the domain\'s NS records to make this effective.',
+    credentialFields: [],
+  },
+  {
+    type: 'cloudflare',
+    displayName: 'Cloudflare',
+    description:
+      'Manages records via the Cloudflare API. Provider stays authoritative; dcrouter pushes record changes.',
+    credentialFields: [
+      {
+        key: 'apiToken',
+        label: 'API Token',
+        helpText:
+          'A Cloudflare API token with Zone:Read and DNS:Edit permissions for the target zones.',
+        required: true,
+        secret: true,
+      },
+    ],
+  },
+];
+
+/**
+ * Look up the descriptor for a given provider type.
+ */
+export function getDnsProviderTypeDescriptor(
+  type: TDnsProviderType,
+): IDnsProviderTypeDescriptor | undefined {
+  return dnsProviderTypeDescriptors.find((d) => d.type === type);
+}

ts_interfaces/data/dns-record.ts

@@ -6,16 +6,18 @@ export type TDnsRecordType = 'A' | 'AAAA' | 'CNAME' | 'MX' | 'TXT' | 'NS' | 'SOA
 /**
  * Where a DNS record came from.
  *
- * - 'manual' → created in the dcrouter UI / API
- * - 'synced' → pulled from a provider during a sync operation
+ * - 'local'  → originated in this dcrouter (created via UI / API)
+ * - 'synced' → pulled from an upstream provider (Cloudflare, foreign
+ *              dcrouter, …) during a sync operation
  */
-export type TDnsRecordSource = 'manual' | 'synced';
+export type TDnsRecordSource = 'local' | 'synced';
 
 /**
- * A DNS record. For manual (authoritative) domains, the record is registered
- * with the embedded smartdns.DnsServer. For provider-managed domains, the
- * record is mirrored from / pushed to the provider API and `providerRecordId`
- * holds the provider's internal record id (for updates and deletes).
+ * A DNS record. For dcrouter-hosted (authoritative) domains, the record is
+ * registered with the embedded smartdns.DnsServer. For provider-managed
+ * domains, the record is mirrored from / pushed to the provider API and
+ * `providerRecordId` holds the provider's internal record id (for updates
+ * and deletes).
  */
 export interface IDnsRecord {
   id: string;

ts_interfaces/data/domain.ts

@@ -1,14 +1,15 @@
 /**
  * Where a domain came from / how it is managed.
  *
- * - 'manual'   → operator added the domain manually. dcrouter is the
- *               authoritative DNS server for it; records are served by
- *               the embedded smartdns.DnsServer.
+ * - 'dcrouter' → dcrouter is the authoritative DNS server for this domain;
+ *                records are served by the embedded smartdns.DnsServer.
+ *                Operators delegate the domain's NS records to make this
+ *                effective.
  * - 'provider' → domain was imported from an external DNS provider
- *               (e.g. Cloudflare). The provider stays authoritative;
- *               dcrouter only reads/writes records via the provider API.
+ *                (e.g. Cloudflare). The provider stays authoritative;
+ *                dcrouter only reads/writes records via the provider API.
  */
-export type TDomainSource = 'manual' | 'provider';
+export type TDomainSource = 'dcrouter' | 'provider';
 
 /**
  * A domain under management by dcrouter.
@@ -20,7 +21,7 @@ export interface IDomain {
   source: TDomainSource;
   /** ID of the DnsProvider that owns this domain — only set when source === 'provider'. */
   providerId?: string;
-  /** True when dcrouter is the authoritative DNS server for this domain (source === 'manual'). */
+  /** True when dcrouter is the authoritative DNS server for this domain (source === 'dcrouter'). */
   authoritative: boolean;
   /** Authoritative nameservers (display only — populated from provider for imported domains). */
   nameservers?: string[];

ts_interfaces/data/index.ts

@@ -6,4 +6,5 @@ export * from './target-profile.js';
 export * from './vpn.js';
 export * from './dns-provider.js';
 export * from './domain.js';
-export * from './dns-record.js';
+export * from './dns-record.js';
+export * from './acme-config.js';

ts_interfaces/data/route-management.ts

@@ -17,7 +17,8 @@ export type TApiTokenScope =
   | 'targets:read' | 'targets:write'
   | 'dns-providers:read' | 'dns-providers:write'
   | 'domains:read' | 'domains:write'
-  | 'dns-records:read' | 'dns-records:write';
+  | 'dns-records:read' | 'dns-records:write'
+  | 'acme-config:read' | 'acme-config:write';
 
 // ============================================================================
 // Source Profile Types (source-side: who can access)

ts_interfaces/requests/acme-config.ts

@@ -0,0 +1,54 @@
+import * as plugins from '../plugins.js';
+import type * as authInterfaces from '../data/auth.js';
+import type { IAcmeConfig } from '../data/acme-config.js';
+
+// ============================================================================
+// ACME Config Endpoints
+// ============================================================================
+
+/**
+ * Get the current ACME configuration. Returns null if no config has been
+ * set yet (neither from DB nor seeded from the constructor).
+ */
+export interface IReq_GetAcmeConfig extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetAcmeConfig
+> {
+  method: 'getAcmeConfig';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+  };
+  response: {
+    config: IAcmeConfig | null;
+  };
+}
+
+/**
+ * Update the ACME configuration (upsert). All fields are required on first
+ * create, optional on subsequent updates (partial update).
+ *
+ * NOTE: Most fields take effect on the next dcrouter restart — SmartAcme is
+ * instantiated once at startup. `renewThresholdDays` applies immediately to
+ * the next renewal check.
+ */
+export interface IReq_UpdateAcmeConfig extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_UpdateAcmeConfig
+> {
+  method: 'updateAcmeConfig';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    accountEmail?: string;
+    enabled?: boolean;
+    useProduction?: boolean;
+    autoRenew?: boolean;
+    renewThresholdDays?: number;
+  };
+  response: {
+    success: boolean;
+    config?: IAcmeConfig;
+    message?: string;
+  };
+}

ts_interfaces/requests/dns-records.ts

@@ -45,7 +45,7 @@ export interface IReq_GetDnsRecord extends plugins.typedrequestInterfaces.implem
 /**
  * Create a new DNS record.
  *
- * For manual domains: registers the record with the embedded DnsServer.
+ * For dcrouter-hosted domains: registers the record with the embedded DnsServer.
  * For provider domains: pushes the record to the provider API.
  */
 export interface IReq_CreateDnsRecord extends plugins.typedrequestInterfaces.implementsTR<

ts_interfaces/requests/domains.ts

@@ -42,8 +42,8 @@ export interface IReq_GetDomain extends plugins.typedrequestInterfaces.implement
 }
 
 /**
- * Create a manual (authoritative) domain. dcrouter will serve DNS
- * records for this domain via the embedded smartdns.DnsServer.
+ * Create a dcrouter-hosted (authoritative) domain. dcrouter will serve
+ * DNS records for this domain via the embedded smartdns.DnsServer.
  */
 export interface IReq_CreateDomain extends plugins.typedrequestInterfaces.implementsTR<
   plugins.typedrequestInterfaces.ITypedRequest,
@@ -130,7 +130,7 @@ export interface IReq_DeleteDomain extends plugins.typedrequestInterfaces.implem
 /**
  * Force-resync a provider-managed domain: re-pulls all records from the
  * provider API, replacing the cached DnsRecordDocs.
- * No-op for manual domains.
+ * No-op for dcrouter-hosted domains.
  */
 export interface IReq_SyncDomain extends plugins.typedrequestInterfaces.implementsTR<
   plugins.typedrequestInterfaces.ITypedRequest,

ts_interfaces/requests/index.ts

@@ -16,4 +16,5 @@ export * from './network-targets.js';
 export * from './users.js';
 export * from './dns-providers.js';
 export * from './domains.js';
-export * from './dns-records.js';
+export * from './dns-records.js';
+export * from './acme-config.js';

ts_migrations/index.ts

@@ -64,6 +64,34 @@ export async function createMigrationRunner(
         migrated++;
       }
       ctx.log.log('info', `rename-target-profile-host-to-ip: migrated ${migrated} profile(s)`);
+    })
+    .step('rename-domain-source-manual-to-dcrouter')
+    .from('13.1.0').to('13.8.1')
+    .description('Rename DomainDoc.source value from "manual" to "dcrouter"')
+    .up(async (ctx) => {
+      const collection = ctx.mongo!.collection('domaindoc');
+      const result = await collection.updateMany(
+        { source: 'manual' },
+        { $set: { source: 'dcrouter' } },
+      );
+      ctx.log.log(
+        'info',
+        `rename-domain-source-manual-to-dcrouter: migrated ${result.modifiedCount} domain(s)`,
+      );
+    })
+    .step('rename-record-source-manual-to-local')
+    .from('13.8.1').to('13.8.2')
+    .description('Rename DnsRecordDoc.source value from "manual" to "local"')
+    .up(async (ctx) => {
+      const collection = ctx.mongo!.collection('dnsrecorddoc');
+      const result = await collection.updateMany(
+        { source: 'manual' },
+        { $set: { source: 'local' } },
+      );
+      ctx.log.log(
+        'info',
+        `rename-record-source-manual-to-local: migrated ${result.modifiedCount} record(s)`,
+      );
     });
 
   return migration;

ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.6.0',
+  version: '13.9.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts_web/appstate.ts

@@ -197,6 +197,28 @@ export const certificateStatePart = await appState.getStatePart<ICertificateStat
   'soft'
 );
 
+// ============================================================================
+// ACME Config State (DB-backed singleton, managed via Domains > Certificates)
+// ============================================================================
+
+export interface IAcmeConfigState {
+  config: interfaces.data.IAcmeConfig | null;
+  isLoading: boolean;
+  error: string | null;
+  lastUpdated: number;
+}
+
+export const acmeConfigStatePart = await appState.getStatePart<IAcmeConfigState>(
+  'acmeConfig',
+  {
+    config: null,
+    isLoading: false,
+    error: null,
+    lastUpdated: 0,
+  },
+  'soft',
+);
+
 // ============================================================================
 // Remote Ingress State
 // ============================================================================
@@ -1771,7 +1793,7 @@ export async function fetchProviderDomains(
   return await request.fire({ identity: context.identity, providerId });
 }
 
-export const createManualDomainAction = domainsStatePart.createAction<{
+export const createDcrouterDomainAction = domainsStatePart.createAction<{
   name: string;
   description?: string;
 }>(async (statePartArg, dataArg, actionContext): Promise<IDomainsState> => {
@@ -1953,6 +1975,72 @@ export const deleteDnsRecordAction = domainsStatePart.createAction<{ id: string;
   },
 );
 
+// ============================================================================
+// ACME Config Actions
+// ============================================================================
+
+export const fetchAcmeConfigAction = acmeConfigStatePart.createAction(
+  async (statePartArg): Promise<IAcmeConfigState> => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState()!;
+    if (!context.identity) return currentState;
+
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_GetAcmeConfig
+      >('/typedrequest', 'getAcmeConfig');
+      const response = await request.fire({ identity: context.identity });
+      return {
+        config: response.config,
+        isLoading: false,
+        error: null,
+        lastUpdated: Date.now(),
+      };
+    } catch (error: unknown) {
+      return {
+        ...currentState,
+        isLoading: false,
+        error: error instanceof Error ? error.message : 'Failed to fetch ACME config',
+      };
+    }
+  },
+);
+
+export const updateAcmeConfigAction = acmeConfigStatePart.createAction<{
+  accountEmail?: string;
+  enabled?: boolean;
+  useProduction?: boolean;
+  autoRenew?: boolean;
+  renewThresholdDays?: number;
+}>(async (statePartArg, dataArg, actionContext): Promise<IAcmeConfigState> => {
+  const context = getActionContext();
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_UpdateAcmeConfig
+    >('/typedrequest', 'updateAcmeConfig');
+    const response = await request.fire({
+      identity: context.identity!,
+      accountEmail: dataArg.accountEmail,
+      enabled: dataArg.enabled,
+      useProduction: dataArg.useProduction,
+      autoRenew: dataArg.autoRenew,
+      renewThresholdDays: dataArg.renewThresholdDays,
+    });
+    if (!response.success) {
+      return {
+        ...statePartArg.getState()!,
+        error: response.message || 'Failed to update ACME config',
+      };
+    }
+    return await actionContext!.dispatch(fetchAcmeConfigAction, null);
+  } catch (error: unknown) {
+    return {
+      ...statePartArg.getState()!,
+      error: error instanceof Error ? error.message : 'Failed to update ACME config',
+    };
+  }
+});
+
 // ============================================================================
 // Route Management Actions
 // ============================================================================

ts_web/elements/domains/dns-provider-form.ts

@@ -0,0 +1,224 @@
+import {
+  DeesElement,
+  html,
+  customElement,
+  type TemplateResult,
+  css,
+  state,
+  property,
+  cssManager,
+} from '@design.estate/dees-element';
+import * as interfaces from '../../../dist_ts_interfaces/index.js';
+
+declare global {
+  interface HTMLElementTagNameMap {
+    'dns-provider-form': DnsProviderForm;
+  }
+}
+
+/**
+ * Reactive credential form for a DNS provider. Renders the type picker
+ * and the credential fields for the currently-selected type.
+ *
+ * Provider-agnostic — driven entirely by `dnsProviderTypeDescriptors` from
+ * `ts_interfaces/data/dns-provider.ts`. Adding a new provider type means
+ * appending one entry to the descriptors array; this form picks it up
+ * automatically.
+ *
+ * Usage:
+ *
+ *     const formEl = document.createElement('dns-provider-form');
+ *     formEl.providerName = 'My provider';
+ *     // ... pass element into a DeesModal as content ...
+ *     // on submit:
+ *     const data = formEl.collectData();
+ *     // → { name, type, credentials }
+ *
+ * In edit mode, set `lockType = true` so the user cannot change provider
+ * type after creation (credentials shapes don't transfer between types).
+ */
+@customElement('dns-provider-form')
+export class DnsProviderForm extends DeesElement {
+  /** Pre-populated provider name. */
+  @property({ type: String })
+  accessor providerName: string = '';
+
+  /**
+   * Currently selected provider type. Initialized to the first user-creatable
+   * descriptor; caller can override before mounting (e.g. for edit dialogs).
+   * The built-in 'dcrouter' pseudo-provider is excluded from the picker —
+   * operators cannot create another one.
+   */
+  @state()
+  accessor selectedType: interfaces.data.TDnsProviderType =
+    interfaces.data.dnsProviderTypeDescriptors.find((d) => d.type !== 'dcrouter')?.type ??
+    'cloudflare';
+
+  /** When true, hide the type picker — used in edit dialogs. */
+  @property({ type: Boolean })
+  accessor lockType: boolean = false;
+
+  /**
+   * Help text shown above credentials. Useful for edit dialogs to indicate
+   * that fields can be left blank to keep current values.
+   */
+  @property({ type: String })
+  accessor credentialsHint: string = '';
+
+  /** Internal map of credential field values, keyed by the descriptor's `key`. */
+  @state()
+  accessor credentialValues: Record<string, string> = {};
+
+  public static styles = [
+    cssManager.defaultStyles,
+    css`
+      :host {
+        display: block;
+      }
+
+      .field {
+        margin-bottom: 12px;
+      }
+
+      .helpText {
+        font-size: 12px;
+        opacity: 0.7;
+        margin-top: -6px;
+        margin-bottom: 8px;
+      }
+
+      .typeDescription {
+        font-size: 12px;
+        opacity: 0.8;
+        margin: 4px 0 16px;
+        padding: 8px 12px;
+        background: ${cssManager.bdTheme('#f3f4f6', '#1f2937')};
+        border-radius: 6px;
+      }
+
+      .credentialsHint {
+        font-size: 12px;
+        opacity: 0.7;
+        margin-bottom: 12px;
+      }
+    `,
+  ];
+
+  public render(): TemplateResult {
+    // Exclude the built-in 'dcrouter' pseudo-provider from the type picker —
+    // operators cannot create another one, it's surfaced at read time by the
+    // backend handler instead.
+    const descriptors = interfaces.data.dnsProviderTypeDescriptors.filter(
+      (d) => d.type !== 'dcrouter',
+    );
+    const descriptor = interfaces.data.getDnsProviderTypeDescriptor(this.selectedType);
+
+    return html`
+      <dees-form>
+        <div class="field">
+          <dees-input-text
+            .key=${'name'}
+            .label=${'Provider name'}
+            .value=${this.providerName}
+            .required=${true}
+          ></dees-input-text>
+        </div>
+
+        ${this.lockType
+          ? html`
+              <div class="field">
+                <dees-input-text
+                  .key=${'__type_display'}
+                  .label=${'Type'}
+                  .value=${descriptor?.displayName ?? this.selectedType}
+                  .disabled=${true}
+                ></dees-input-text>
+              </div>
+            `
+          : html`
+              <div class="field">
+                <dees-input-dropdown
+                  .key=${'__type'}
+                  .label=${'Provider type'}
+                  .options=${descriptors.map((d) => ({ option: d.displayName, key: d.type }))}
+                  .selectedOption=${descriptor
+                    ? { option: descriptor.displayName, key: descriptor.type }
+                    : undefined}
+                  @selectedOption=${(e: CustomEvent) => {
+                    const newType = (e.detail as any)?.key as
+                      | interfaces.data.TDnsProviderType
+                      | undefined;
+                    if (newType && newType !== this.selectedType) {
+                      this.selectedType = newType;
+                      this.credentialValues = {};
+                    }
+                  }}
+                ></dees-input-dropdown>
+              </div>
+            `}
+        ${descriptor
+          ? html`
+              <div class="typeDescription">${descriptor.description}</div>
+              ${this.credentialsHint
+                ? html`<div class="credentialsHint">${this.credentialsHint}</div>`
+                : ''}
+              ${descriptor.credentialFields.map(
+                (f) => html`
+                  <div class="field">
+                    <dees-input-text
+                      .key=${f.key}
+                      .label=${f.label}
+                      .required=${f.required && !this.lockType}
+                    ></dees-input-text>
+                    ${f.helpText ? html`<div class="helpText">${f.helpText}</div>` : ''}
+                  </div>
+                `,
+              )}
+            `
+          : html`<p>No provider types registered.</p>`}
+      </dees-form>
+    `;
+  }
+
+  /**
+   * Read the form values and assemble the create/update payload.
+   * Returns the typed credentials object built from the descriptor's keys.
+   */
+  public async collectData(): Promise<{
+    name: string;
+    type: interfaces.data.TDnsProviderType;
+    credentials: interfaces.data.TDnsProviderCredentials;
+    credentialsTouched: boolean;
+  } | null> {
+    const form = this.shadowRoot?.querySelector('dees-form') as any;
+    if (!form) return null;
+    const data = await form.collectFormData();
+    const descriptor = interfaces.data.getDnsProviderTypeDescriptor(this.selectedType);
+    if (!descriptor) return null;
+
+    // Build the credentials object from the descriptor's field keys.
+    const credsBody: Record<string, string> = {};
+    let credentialsTouched = false;
+    for (const f of descriptor.credentialFields) {
+      const value = data[f.key];
+      if (value !== undefined && value !== null && String(value).length > 0) {
+        credsBody[f.key] = String(value);
+        credentialsTouched = true;
+      }
+    }
+
+    // The discriminator goes on the credentials object so the backend
+    // factory and the discriminated union both stay happy.
+    const credentials = {
+      type: this.selectedType,
+      ...credsBody,
+    } as unknown as interfaces.data.TDnsProviderCredentials;
+
+    return {
+      name: String(data.name ?? ''),
+      type: this.selectedType,
+      credentials,
+      credentialsTouched,
+    };
+  }
+}

ts_web/elements/domains/index.ts

@@ -1,3 +1,4 @@
+export * from './dns-provider-form.js';
 export * from './ops-view-providers.js';
 export * from './ops-view-domains.js';
 export * from './ops-view-dns.js';

ts_web/elements/domains/ops-view-certificates.ts

@@ -23,17 +23,25 @@ export class OpsViewCertificates extends DeesElement {
   @state()
   accessor certState: appstate.ICertificateState = appstate.certificateStatePart.getState()!;
 
+  @state()
+  accessor acmeState: appstate.IAcmeConfigState = appstate.acmeConfigStatePart.getState()!;
+
   constructor() {
     super();
-    const sub = appstate.certificateStatePart.select().subscribe((newState) => {
+    const certSub = appstate.certificateStatePart.select().subscribe((newState) => {
       this.certState = newState;
     });
-    this.rxSubscriptions.push(sub);
+    this.rxSubscriptions.push(certSub);
+    const acmeSub = appstate.acmeConfigStatePart.select().subscribe((newState) => {
+      this.acmeState = newState;
+    });
+    this.rxSubscriptions.push(acmeSub);
   }
 
   async connectedCallback() {
     await super.connectedCallback();
     await appstate.certificateStatePart.dispatchAction(appstate.fetchCertificateOverviewAction, null);
+    await appstate.acmeConfigStatePart.dispatchAction(appstate.fetchAcmeConfigAction, null);
   }
 
   public static styles = [
@@ -46,6 +54,62 @@ export class OpsViewCertificates extends DeesElement {
         gap: 24px;
       }
 
+      .acmeCard {
+        padding: 16px 20px;
+        background: ${cssManager.bdTheme('#f9fafb', '#111827')};
+        border: 1px solid ${cssManager.bdTheme('#e5e7eb', '#374151')};
+        border-radius: 8px;
+      }
+
+      .acmeCard.acmeCardEmpty {
+        background: ${cssManager.bdTheme('#fffbeb', '#1c1917')};
+        border-color: ${cssManager.bdTheme('#fde68a', '#78350f')};
+      }
+
+      .acmeCardHeader {
+        display: flex;
+        justify-content: space-between;
+        align-items: center;
+        margin-bottom: 12px;
+      }
+
+      .acmeCardTitle {
+        font-size: 14px;
+        font-weight: 600;
+        color: ${cssManager.bdTheme('#111827', '#f3f4f6')};
+      }
+
+      .acmeGrid {
+        display: grid;
+        grid-template-columns: repeat(auto-fit, minmax(180px, 1fr));
+        gap: 12px 24px;
+      }
+
+      .acmeField {
+        display: flex;
+        flex-direction: column;
+        gap: 2px;
+      }
+
+      .acmeLabel {
+        font-size: 11px;
+        text-transform: uppercase;
+        letter-spacing: 0.03em;
+        color: ${cssManager.bdTheme('#6b7280', '#9ca3af')};
+      }
+
+      .acmeValue {
+        font-size: 13px;
+        color: ${cssManager.bdTheme('#111827', '#f3f4f6')};
+      }
+
+      .acmeEmptyHint {
+        margin: 0;
+        font-size: 13px;
+        line-height: 1.5;
+        color: ${cssManager.bdTheme('#78350f', '#fde68a')};
+      }
+
       .statusBadge {
         display: inline-flex;
         align-items: center;
@@ -162,12 +226,151 @@ export class OpsViewCertificates extends DeesElement {
       <dees-heading level="3">Certificates</dees-heading>
 
       <div class="certificatesContainer">
+        ${this.renderAcmeSettingsCard()}
         ${this.renderStatsTiles(summary)}
         ${this.renderCertificateTable()}
       </div>
     `;
   }
 
+  private renderAcmeSettingsCard(): TemplateResult {
+    const config = this.acmeState.config;
+
+    if (!config) {
+      return html`
+        <div class="acmeCard acmeCardEmpty">
+          <div class="acmeCardHeader">
+            <span class="acmeCardTitle">ACME Settings</span>
+            <dees-button
+              eventName="edit-acme"
+              @click=${() => this.showEditAcmeDialog()}
+              .type=${'highlighted'}
+            >Configure</dees-button>
+          </div>
+          <p class="acmeEmptyHint">
+            No ACME configuration yet. Click <strong>Configure</strong> to set up automated TLS
+            certificate issuance via Let's Encrypt. You'll also need at least one DNS provider
+            under <strong>Domains &gt; Providers</strong>.
+          </p>
+        </div>
+      `;
+    }
+
+    return html`
+      <div class="acmeCard">
+        <div class="acmeCardHeader">
+          <span class="acmeCardTitle">ACME Settings</span>
+          <dees-button eventName="edit-acme" @click=${() => this.showEditAcmeDialog()}>Edit</dees-button>
+        </div>
+        <div class="acmeGrid">
+          <div class="acmeField">
+            <span class="acmeLabel">Account email</span>
+            <span class="acmeValue">${config.accountEmail || '(not set)'}</span>
+          </div>
+          <div class="acmeField">
+            <span class="acmeLabel">Status</span>
+            <span class="acmeValue">
+              <span class="statusBadge ${config.enabled ? 'valid' : 'unknown'}">
+                ${config.enabled ? 'enabled' : 'disabled'}
+              </span>
+            </span>
+          </div>
+          <div class="acmeField">
+            <span class="acmeLabel">Mode</span>
+            <span class="acmeValue">
+              <span class="statusBadge ${config.useProduction ? 'valid' : 'provisioning'}">
+                ${config.useProduction ? 'production' : 'staging'}
+              </span>
+            </span>
+          </div>
+          <div class="acmeField">
+            <span class="acmeLabel">Auto-renew</span>
+            <span class="acmeValue">${config.autoRenew ? 'on' : 'off'}</span>
+          </div>
+          <div class="acmeField">
+            <span class="acmeLabel">Renewal threshold</span>
+            <span class="acmeValue">${config.renewThresholdDays} days</span>
+          </div>
+        </div>
+      </div>
+    `;
+  }
+
+  private async showEditAcmeDialog() {
+    const { DeesModal, DeesToast } = await import('@design.estate/dees-catalog');
+    const current = this.acmeState.config;
+
+    DeesModal.createAndShow({
+      heading: current ? 'Edit ACME Settings' : 'Configure ACME',
+      content: html`
+        <dees-form>
+          <dees-input-text
+            .key=${'accountEmail'}
+            .label=${'Account email'}
+            .value=${current?.accountEmail ?? ''}
+            .required=${true}
+          ></dees-input-text>
+          <dees-input-checkbox
+            .key=${'enabled'}
+            .label=${'Enabled'}
+            .value=${current?.enabled ?? true}
+          ></dees-input-checkbox>
+          <dees-input-checkbox
+            .key=${'useProduction'}
+            .label=${"Use Let's Encrypt production (uncheck for staging)"}
+            .value=${current?.useProduction ?? true}
+          ></dees-input-checkbox>
+          <dees-input-checkbox
+            .key=${'autoRenew'}
+            .label=${'Auto-renew certificates'}
+            .value=${current?.autoRenew ?? true}
+          ></dees-input-checkbox>
+          <dees-input-text
+            .key=${'renewThresholdDays'}
+            .label=${'Renewal threshold (days)'}
+            .value=${String(current?.renewThresholdDays ?? 30)}
+          ></dees-input-text>
+        </dees-form>
+        <p style="margin-top: 12px; font-size: 12px; opacity: 0.7;">
+          Most fields take effect on the next dcrouter restart (SmartAcme is instantiated once at
+          startup). Changing the account email creates a new Let's Encrypt account — only do this
+          if you know what you're doing.
+        </p>
+      `,
+      menuOptions: [
+        { name: 'Cancel', action: async (modalArg: any) => modalArg.destroy() },
+        {
+          name: 'Save',
+          action: async (modalArg: any) => {
+            const form = modalArg.shadowRoot
+              ?.querySelector('.content')
+              ?.querySelector('dees-form');
+            if (!form) return;
+            const data = await form.collectFormData();
+            const email = String(data.accountEmail ?? '').trim();
+            if (!email) {
+              DeesToast.show({
+                message: 'Account email is required',
+                type: 'warning',
+                duration: 2500,
+              });
+              return;
+            }
+            const threshold = parseInt(String(data.renewThresholdDays ?? '30'), 10);
+            await appstate.acmeConfigStatePart.dispatchAction(appstate.updateAcmeConfigAction, {
+              accountEmail: email,
+              enabled: Boolean(data.enabled),
+              useProduction: Boolean(data.useProduction),
+              autoRenew: Boolean(data.autoRenew),
+              renewThresholdDays: Number.isFinite(threshold) ? threshold : 30,
+            });
+            modalArg.destroy();
+          },
+        },
+      ],
+    });
+  }
+
   private renderStatsTiles(summary: appstate.ICertificateState['summary']): TemplateResult {
     const tiles: IStatsTile[] = [
       {

ts_web/elements/domains/ops-view-dns.ts

@@ -80,7 +80,7 @@ export class OpsViewDns extends DeesElement {
         font-weight: 500;
       }
 
-      .sourceBadge.manual {
+      .sourceBadge.local {
         background: ${cssManager.bdTheme('#e0e7ff', '#1e1b4b')};
         color: ${cssManager.bdTheme('#3730a3', '#a5b4fc')};
       }
@@ -184,7 +184,7 @@ export class OpsViewDns extends DeesElement {
   private domainHint(domainId: string): string {
     const domain = this.domainsState.domains.find((d) => d.id === domainId);
     if (!domain) return '';
-    if (domain.source === 'manual') {
+    if (domain.source === 'dcrouter') {
       return 'Records are served by dcrouter (authoritative).';
     }
     return 'Records are stored at the provider — changes here are pushed via the provider API.';

ts_web/elements/domains/ops-view-domains.ts

@@ -55,7 +55,7 @@ export class OpsViewDomains extends DeesElement {
         font-weight: 500;
       }
 
-      .sourceBadge.manual {
+      .sourceBadge.dcrouter {
         background: ${cssManager.bdTheme('#e0e7ff', '#1e1b4b')};
         color: ${cssManager.bdTheme('#3730a3', '#a5b4fc')};
       }
@@ -76,7 +76,7 @@ export class OpsViewDomains extends DeesElement {
       <div class="domainsContainer">
         <dees-table
           .heading1=${'Domains'}
-          .heading2=${'Domains under management — manual (authoritative) or imported from a provider'}
+          .heading2=${'Domains under management — served by dcrouter (authoritative) or imported from a provider'}
           .data=${domains}
           .showColumnFilters=${true}
           .displayFunction=${(d: interfaces.data.IDomain) => ({
@@ -90,11 +90,11 @@ export class OpsViewDomains extends DeesElement {
           })}
           .dataActions=${[
             {
-              name: 'Add Manual Domain',
+              name: 'Add DcRouter Domain',
               iconName: 'lucide:plus',
               type: ['header' as const],
               actionFunc: async () => {
-                await this.showCreateManualDialog();
+                await this.showCreateDcrouterDialog();
               },
             },
             {
@@ -168,17 +168,17 @@ export class OpsViewDomains extends DeesElement {
     d: interfaces.data.IDomain,
     providersById: Map<string, interfaces.data.IDnsProviderPublic>,
   ): TemplateResult {
-    if (d.source === 'manual') {
-      return html`<span class="sourceBadge manual">Manual</span>`;
+    if (d.source === 'dcrouter') {
+      return html`<span class="sourceBadge dcrouter">DcRouter</span>`;
     }
     const provider = d.providerId ? providersById.get(d.providerId) : undefined;
     return html`<span class="sourceBadge provider">${provider?.name || 'Provider'}</span>`;
   }
 
-  private async showCreateManualDialog() {
+  private async showCreateDcrouterDialog() {
     const { DeesModal } = await import('@design.estate/dees-catalog');
     DeesModal.createAndShow({
-      heading: 'Add Manual Domain',
+      heading: 'Add DcRouter Domain',
       content: html`
         <dees-form>
           <dees-input-text .key=${'name'} .label=${'FQDN (e.g. example.com)'} .required=${true}></dees-input-text>
@@ -199,7 +199,7 @@ export class OpsViewDomains extends DeesElement {
               ?.querySelector('dees-form');
             if (!form) return;
             const data = await form.collectFormData();
-            await appstate.domainsStatePart.dispatchAction(appstate.createManualDomainAction, {
+            await appstate.domainsStatePart.dispatchAction(appstate.createDcrouterDomainAction, {
               name: String(data.name),
               description: data.description ? String(data.description) : undefined,
             });

ts_web/elements/domains/ops-view-providers.ts

@@ -10,6 +10,8 @@ import {
 import * as appstate from '../../appstate.js';
 import * as interfaces from '../../../dist_ts_interfaces/index.js';
 import { viewHostCss } from '../shared/css.js';
+import './dns-provider-form.js';
+import type { DnsProviderForm } from './dns-provider-form.js';
 
 declare global {
   interface HTMLElementTagNameMap {
@@ -69,6 +71,11 @@ export class OpsViewProviders extends DeesElement {
         background: ${cssManager.bdTheme('#f3f4f6', '#1f2937')};
         color: ${cssManager.bdTheme('#4b5563', '#9ca3af')};
       }
+
+      .statusBadge.builtin {
+        background: ${cssManager.bdTheme('#e0e7ff', '#1e1b4b')};
+        color: ${cssManager.bdTheme('#3730a3', '#a5b4fc')};
+      }
     `,
   ];
 
@@ -80,15 +87,21 @@ export class OpsViewProviders extends DeesElement {
       <div class="providersContainer">
         <dees-table
           .heading1=${'Providers'}
-          .heading2=${'External DNS provider accounts (Cloudflare, etc.)'}
+          .heading2=${'Built-in dcrouter + external DNS provider accounts'}
           .data=${providers}
           .showColumnFilters=${true}
           .displayFunction=${(p: interfaces.data.IDnsProviderPublic) => ({
             Name: p.name,
-            Type: p.type,
-            Status: this.renderStatusBadge(p.status),
-            'Last Tested': p.lastTestedAt ? new Date(p.lastTestedAt).toLocaleString() : 'never',
-            Error: p.lastError || '-',
+            Type: this.providerTypeLabel(p.type),
+            Status: p.builtIn
+              ? html`<span class="statusBadge builtin">built-in</span>`
+              : this.renderStatusBadge(p.status),
+            'Last Tested': p.builtIn
+              ? '—'
+              : p.lastTestedAt
+                ? new Date(p.lastTestedAt).toLocaleString()
+                : 'never',
+            Error: p.builtIn ? '—' : p.lastError || '-',
           })}
           .dataActions=${[
             {
@@ -114,6 +127,7 @@ export class OpsViewProviders extends DeesElement {
               name: 'Test Connection',
               iconName: 'lucide:plug',
               type: ['inRow', 'contextmenu'] as any,
+              actionRelevancyCheckFunc: (p: interfaces.data.IDnsProviderPublic) => !p.builtIn,
               actionFunc: async (actionData: any) => {
                 const provider = actionData.item as interfaces.data.IDnsProviderPublic;
                 await this.testProvider(provider);
@@ -123,6 +137,7 @@ export class OpsViewProviders extends DeesElement {
               name: 'Edit',
               iconName: 'lucide:pencil',
               type: ['inRow', 'contextmenu'] as any,
+              actionRelevancyCheckFunc: (p: interfaces.data.IDnsProviderPublic) => !p.builtIn,
               actionFunc: async (actionData: any) => {
                 const provider = actionData.item as interfaces.data.IDnsProviderPublic;
                 await this.showEditDialog(provider);
@@ -132,6 +147,7 @@ export class OpsViewProviders extends DeesElement {
               name: 'Delete',
               iconName: 'lucide:trash2',
               type: ['inRow', 'contextmenu'] as any,
+              actionRelevancyCheckFunc: (p: interfaces.data.IDnsProviderPublic) => !p.builtIn,
               actionFunc: async (actionData: any) => {
                 const provider = actionData.item as interfaces.data.IDnsProviderPublic;
                 await this.deleteProvider(provider);
@@ -147,34 +163,39 @@ export class OpsViewProviders extends DeesElement {
     return html`<span class="statusBadge ${status}">${status}</span>`;
   }
 
+  private providerTypeLabel(type: interfaces.data.TDnsProviderType): string {
+    return interfaces.data.getDnsProviderTypeDescriptor(type)?.displayName ?? type;
+  }
+
   private async showCreateDialog() {
-    const { DeesModal } = await import('@design.estate/dees-catalog');
+    const { DeesModal, DeesToast } = await import('@design.estate/dees-catalog');
+    const formEl = document.createElement('dns-provider-form') as DnsProviderForm;
     DeesModal.createAndShow({
       heading: 'Add DNS Provider',
-      content: html`
-        <dees-form>
-          <dees-input-text .key=${'name'} .label=${'Provider name'} .required=${true}></dees-input-text>
-          <dees-input-text
-            .key=${'apiToken'}
-            .label=${'Cloudflare API token'}
-            .required=${true}
-          ></dees-input-text>
-        </dees-form>
-      `,
+      content: html`${formEl}`,
       menuOptions: [
         { name: 'Cancel', action: async (modalArg: any) => modalArg.destroy() },
         {
           name: 'Create',
           action: async (modalArg: any) => {
-            const form = modalArg.shadowRoot
-              ?.querySelector('.content')
-              ?.querySelector('dees-form');
-            if (!form) return;
-            const data = await form.collectFormData();
+            const data = await formEl.collectData();
+            if (!data) return;
+            if (!data.name) {
+              DeesToast.show({ message: 'Name is required', type: 'warning', duration: 2500 });
+              return;
+            }
+            if (!data.credentialsTouched) {
+              DeesToast.show({
+                message: 'Fill in the provider credentials',
+                type: 'warning',
+                duration: 2500,
+              });
+              return;
+            }
             await appstate.domainsStatePart.dispatchAction(appstate.createDnsProviderAction, {
-              name: String(data.name),
-              type: 'cloudflare',
-              credentials: { type: 'cloudflare', apiToken: String(data.apiToken) },
+              name: data.name,
+              type: data.type,
+              credentials: data.credentials,
             });
             modalArg.destroy();
           },
@@ -185,34 +206,28 @@ export class OpsViewProviders extends DeesElement {
 
   private async showEditDialog(provider: interfaces.data.IDnsProviderPublic) {
     const { DeesModal } = await import('@design.estate/dees-catalog');
+    const formEl = document.createElement('dns-provider-form') as DnsProviderForm;
+    formEl.providerName = provider.name;
+    formEl.selectedType = provider.type;
+    formEl.lockType = true;
+    formEl.credentialsHint =
+      'Leave credential fields blank to keep the current values. Fill them to rotate.';
     DeesModal.createAndShow({
       heading: `Edit Provider: ${provider.name}`,
-      content: html`
-        <dees-form>
-          <dees-input-text .key=${'name'} .label=${'Provider name'} .value=${provider.name}></dees-input-text>
-          <dees-input-text
-            .key=${'apiToken'}
-            .label=${'New API token (leave blank to keep current)'}
-          ></dees-input-text>
-        </dees-form>
-      `,
+      content: html`${formEl}`,
       menuOptions: [
         { name: 'Cancel', action: async (modalArg: any) => modalArg.destroy() },
         {
           name: 'Save',
           action: async (modalArg: any) => {
-            const form = modalArg.shadowRoot
-              ?.querySelector('.content')
-              ?.querySelector('dees-form');
-            if (!form) return;
-            const data = await form.collectFormData();
-            const apiToken = data.apiToken ? String(data.apiToken) : '';
+            const data = await formEl.collectData();
+            if (!data) return;
             await appstate.domainsStatePart.dispatchAction(appstate.updateDnsProviderAction, {
               id: provider.id,
-              name: String(data.name),
-              credentials: apiToken
-                ? { type: 'cloudflare', apiToken }
-                : undefined,
+              name: data.name || provider.name,
+              // Only send credentials if the user actually entered something —
+              // otherwise we keep the current secret untouched.
+              credentials: data.credentialsTouched ? data.credentials : undefined,
             });
             modalArg.destroy();
           },