v13.17.6

AGENTS.md

@@ -0,0 +1,17 @@
+# Agent Instructions for dcrouter
+
+## Database & Migrations
+
+### Collection Names
+smartdata uses the **exact class name** as the MongoDB collection name. No lowercasing.
+- `StoredRouteDoc` → collection `StoredRouteDoc`
+- `TargetProfileDoc` → collection `TargetProfileDoc`
+- `RouteDoc` → collection `RouteDoc`
+
+When writing migrations in `ts_migrations/index.ts`, use the exact class name casing in `ctx.mongo!.collection('ClassName')` and `db.listCollections({ name: 'ClassName' })`.
+
+### Migration Rules
+- All DB schema migrations go EXCLUSIVELY in `ts_migrations/index.ts` as smartmigration steps.
+- NEVER put migration logic in application code (services, managers, startup hooks).
+- Migration step `.to()` version must match the release version so smartmigration can plan the step.
+- Steps must be idempotent — smartmigration may re-run them in skip-forward resume mode.

changelog.md

@@ -1,5 +1,129 @@
 # Changelog
 
+## 2026-04-14 - 13.17.6 - fix(dns,routes)
+keep DoH socket-handler routes runtime-only and prune stale persisted entries
+
+- stops persisting generated DNS-over-HTTPS routes that depend on live socket handlers
+- removes stale persisted runtime-only DoH routes from RouteDoc during startup
+- applies runtime DNS routes alongside DB-backed routes through RouteConfigManager
+- updates DnsManager warning to clarify that dnsNsDomains is still required for nameserver and DoH bootstrap
+- adds tests covering runtime DoH route application, stale route pruning, and updated DNS warning behavior
+
+## 2026-04-13 - 13.17.5 - fix(vpn,target-profiles)
+normalize target profile route references and stabilize VPN host-IP client routing behavior
+
+- Normalize legacy target profile route name references to route IDs, reject ambiguous names, and display labeled route references in the UI.
+- Skip wildcard VPN domains when generating WireGuard AllowedIPs and log a deduplicated warning instead of attempting DNS resolution.
+- Normalize persisted VPN client host-IP settings, include routing fields in runtime updates, and restart in hybrid mode when a host-IP client requires it.
+- Add a repair migration for previously missed TargetProfile target host-to-ip document updates.
+
+## 2026-04-13 - 13.17.3 - fix(ops-view-routes)
+sync route filter toggle selection via component changeSubject
+
+- Replaces the inline change handler on the route filter toggle with a subscription to the component's changeSubject in firstUpdated.
+- Ensures switching between user and system routes updates the view reliably and is cleaned up through existing rxSubscriptions management.
+
+## 2026-04-13 - 13.17.2 - fix(monitoring)
+exclude unconfigured routes from domain activity aggregation
+
+- Removes fallback aggregation that reported routes without domain configuration as synthetic domain entries based on route names
+- Keeps domain activity focused on configured domain mappings when splitting connection and throughput metrics
+
+## 2026-04-13 - 13.17.1 - fix(monitoring)
+stop allocating route metrics to domains when no request data exists
+
+- Removes the equal-split fallback for shared routes in MetricsManager.
+- Sets the proportional share to zero when a route has no recorded requests, avoiding inflated per-domain connection and throughput totals.
+
+## 2026-04-13 - 13.17.0 - feat(monitoring,network-ui,routes)
+add request-based domain activity metrics and split routes into user and system views
+
+- Domain activity now includes per-domain request counts and distributes route throughput and connections using request-level metrics instead of equal route sharing.
+- Network activity UI displays request counts and updates the domain activity description to reflect request-level aggregation.
+- Routes UI adds a toggle to filter between user-created and system-generated routes, updates summary card labels, and adjusts empty states accordingly.
+
+## 2026-04-13 - 13.16.2 - fix(deps)
+bump @push.rocks/smartproxy to ^27.6.0
+
+- updates @push.rocks/smartproxy from ^27.5.0 to ^27.6.0 in package.json
+
+## 2026-04-13 - 13.16.1 - fix(migrations)
+use exact smartdata collection names in route unification migration
+
+- Update the 13.16.0 migration to rename StoredRouteDoc to RouteDoc using case-sensitive collection names
+- Apply the origin backfill against the RouteDoc collection and drop RouteOverrideDoc with matching class-name casing
+- Clarify migration description and comments to reflect smartdata's exact class-name collection mapping
+
+## 2026-04-13 - 13.16.0 - feat(routes)
+unify route storage and management across config, email, dns, and API origins
+
+- Persist config-, email-, and dns-seeded routes in the database alongside API-created routes using a single RouteDoc model with origin tracking
+- Remove hardcoded-route override handling in favor of direct route CRUD and toggle operations by route id across the API client, handlers, and web UI
+- Add a migration that renames stored route storage, sets migrated routes to origin="api", and drops obsolete route override data
+
+## 2026-04-13 - 13.15.1 - fix(monitoring)
+improve domain activity aggregation for multi-domain and wildcard routes
+
+- map route metrics across all configured domains instead of only the first domain
+- resolve wildcard domain patterns against active protocol cache entries
+- distribute shared route traffic across matched domains and preserve fallback reporting for routes without domain configuration
+
+## 2026-04-13 - 13.15.0 - feat(stats)
+add typed network stats response fields for bandwidth, domain activity, and protocol distribution
+
+- extends the network stats request interface with top IP bandwidth, domain activity, and frontend/backend protocol distribution data
+- updates app state to use a typed getNetworkStats request instead of casting the response to any
+
+## 2026-04-13 - 13.14.0 - feat(network)
+add bandwidth-ranked IP and domain activity metrics to network monitoring
+
+- Expose top IPs by bandwidth and aggregated domain activity from route metrics.
+- Replace estimated per-connection values with real per-IP throughput data in ops handlers and stats responses.
+- Update the network UI to show bandwidth-ranked IPs and domain activity while removing the recent request table.
+
+## 2026-04-13 - 13.13.0 - feat(dns)
+add domain migration between dcrouter and provider-managed DNS with unified ACME managed-domain handling
+
+- adds domain migration support in DnsManager, API handlers, request interfaces, app state, and domains UI
+- routes ACME DNS-01 challenges through managed domains using createRecord/deleteRecord for both dcrouter-hosted and provider-managed zones
+- enables immediate unregister of deleted dcrouter-hosted DNS records from the embedded DNS server
+
+## 2026-04-12 - 13.12.0 - feat(email-domains)
+support creating email domains on optional subdomains
+
+- Add optional subdomain support to email domain creation, persistence, and API interfaces.
+- Update the ops UI to collect and submit a subdomain prefix when creating an email domain.
+- Bump @design.estate/dees-catalog from ^3.78.0 to ^3.78.2.
+
+## 2026-04-12 - 13.11.0 - feat(email-domains)
+add email domain management with DNS provisioning, validation, and ops dashboard support
+
+- Introduce EmailDomainManager with persisted email domain records, DKIM configuration, DNS record generation, provisioning, and validation.
+- Add opsserver typed request handlers and shared interfaces for listing, creating, updating, deleting, validating, and provisioning email domains.
+- Add ops dashboard email domains view and app state integration for managing domains and inspecting required DNS records.
+
+## 2026-04-12 - 13.10.0 - feat(web-ui)
+standardize settings views for ACME and email security panels
+
+- replace custom ACME settings layouts with the reusable dees-settings component for configured and empty states
+- update the email security view to present settings through dees-settings and open a modal-based read-only edit dialog
+- bump @design.estate/dees-catalog to ^3.78.0 to support the updated UI components
+
+## 2026-04-12 - 13.9.2 - fix(web-ui)
+improve form field descriptions and align certificate settings with tile components
+
+- Refines labels and adds descriptive helper text across API token, DNS, domain, route, edge, target profile, and VPN forms for clearer operator input
+- Updates the DNS provider form to surface provider and credential guidance through built-in input metadata instead of custom help blocks
+- Restyles the certificates ACME settings section to use tile-based layout and improves related form wording and file upload metadata
+- Refreshes the Cloudflare DNS provider description and bumps UI-related dependencies
+
+## 2026-04-08 - 13.9.1 - fix(network-ui)
+enable flashing table updates for network activity, remote ingress, and VPN views
+
+- adds stable row keys to dees-table instances so existing rows can be diffed correctly
+- enables flash highlighting for changed rows and cells across network activity, top IPs, backends, remote ingress edges, and VPN clients
+- updates network activity request data on every refresh so live metrics like duration and byte counts visibly refresh
+
 ## 2026-04-08 - 13.9.0 - feat(dns)
 add built-in dcrouter DNS provider support and rename manual domains to dcrouter-hosted/local
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@serve.zone/dcrouter",
   "private": false,
-  "version": "13.9.0",
+  "version": "13.17.6",
   "description": "A multifaceted routing service handling mail and SMS delivery functions.",
   "type": "module",
   "exports": {
@@ -27,7 +27,7 @@
     "@git.zone/tsrun": "^2.0.2",
     "@git.zone/tstest": "^3.6.3",
     "@git.zone/tswatch": "^3.3.2",
-    "@types/node": "^25.5.2"
+    "@types/node": "^25.6.0"
   },
   "dependencies": {
     "@api.global/typedrequest": "^3.3.0",
@@ -35,7 +35,7 @@
     "@api.global/typedserver": "^8.4.6",
     "@api.global/typedsocket": "^4.1.2",
     "@apiclient.xyz/cloudflare": "^7.1.0",
-    "@design.estate/dees-catalog": "^3.70.0",
+    "@design.estate/dees-catalog": "^3.78.2",
     "@design.estate/dees-element": "^2.2.4",
     "@push.rocks/lik": "^6.4.0",
     "@push.rocks/projectinfo": "^5.1.0",
@@ -51,10 +51,10 @@
     "@push.rocks/smartmetrics": "^3.0.3",
     "@push.rocks/smartmigration": "1.2.0",
     "@push.rocks/smartmta": "^5.3.1",
-    "@push.rocks/smartnetwork": "^4.5.2",
+    "@push.rocks/smartnetwork": "^4.6.0",
     "@push.rocks/smartpath": "^6.0.0",
     "@push.rocks/smartpromise": "^4.2.3",
-    "@push.rocks/smartproxy": "^27.5.0",
+    "@push.rocks/smartproxy": "^27.7.0",
     "@push.rocks/smartradius": "^1.1.1",
     "@push.rocks/smartrequest": "^5.0.1",
     "@push.rocks/smartrx": "^3.0.10",
@@ -62,12 +62,12 @@
     "@push.rocks/smartunique": "^3.0.9",
     "@push.rocks/smartvpn": "1.19.2",
     "@push.rocks/taskbuffer": "^8.0.2",
-    "@serve.zone/catalog": "^2.12.3",
+    "@serve.zone/catalog": "^2.12.4",
     "@serve.zone/interfaces": "^5.3.0",
     "@serve.zone/remoteingress": "^4.15.3",
     "@tsclass/tsclass": "^9.5.0",
     "@types/qrcode": "^1.5.6",
-    "lru-cache": "^11.3.2",
+    "lru-cache": "^11.3.5",
     "qrcode": "^1.5.4",
     "uuid": "^13.0.0"
   },

pnpm-lock.yaml

@@ -24,8 +24,8 @@ importers:
         specifier: ^7.1.0
         version: 7.1.0
       '@design.estate/dees-catalog':
-        specifier: ^3.70.0
-        version: 3.70.0(@tiptap/pm@2.27.2)
+        specifier: ^3.78.2
+        version: 3.78.2(@tiptap/pm@2.27.2)
       '@design.estate/dees-element':
         specifier: ^2.2.4
         version: 2.2.4
@@ -72,8 +72,8 @@ importers:
         specifier: ^5.3.1
         version: 5.3.1
       '@push.rocks/smartnetwork':
-        specifier: ^4.5.2
-        version: 4.5.2
+        specifier: ^4.6.0
+        version: 4.6.0
       '@push.rocks/smartpath':
         specifier: ^6.0.0
         version: 6.0.0
@@ -81,8 +81,8 @@ importers:
         specifier: ^4.2.3
         version: 4.2.3
       '@push.rocks/smartproxy':
-        specifier: ^27.5.0
-        version: 27.5.0
+        specifier: ^27.7.0
+        version: 27.7.0
       '@push.rocks/smartradius':
         specifier: ^1.1.1
         version: 1.1.1
@@ -105,8 +105,8 @@ importers:
         specifier: ^8.0.2
         version: 8.0.2
       '@serve.zone/catalog':
-        specifier: ^2.12.3
-        version: 2.12.3(@tiptap/pm@2.27.2)
+        specifier: ^2.12.4
+        version: 2.12.4(@tiptap/pm@2.27.2)
       '@serve.zone/interfaces':
         specifier: ^5.3.0
         version: 5.3.0
@@ -120,8 +120,8 @@ importers:
         specifier: ^1.5.6
         version: 1.5.6
       lru-cache:
-        specifier: ^11.3.2
-        version: 11.3.2
+        specifier: ^11.3.5
+        version: 11.3.5
       qrcode:
         specifier: ^1.5.4
         version: 1.5.4
@@ -145,8 +145,8 @@ importers:
         specifier: ^3.3.2
         version: 3.3.2(@emnapi/core@1.9.2)(@emnapi/runtime@1.9.2)(@tiptap/pm@2.27.2)
       '@types/node':
-        specifier: ^25.5.2
-        version: 25.5.2
+        specifier: ^25.6.0
+        version: 25.6.0
 
 packages:
 
@@ -353,8 +353,8 @@ packages:
   '@configvault.io/interfaces@1.0.17':
     resolution: {integrity: sha512-bEcCUR2VBDJsTin8HQh8Uw/mlYl2v8A3jMIaQ+MTB9Hrqd6CZL2dL7iJdWyFl/3EIX+LDxWFR+Oq7liIq7w+1Q==}
 
-  '@design.estate/dees-catalog@3.70.0':
-    resolution: {integrity: sha512-bNqOxxl83FNCCV+7QoUj6oeRC0VTExWOClrLrHNMoLIU0TCtzhcmQqiuJhdWrcCwZ5RBhXHGMSFsR62d2RcWpw==}
+  '@design.estate/dees-catalog@3.78.2':
+    resolution: {integrity: sha512-9MKKCvx+vxoIp6UpqVQklreokdg7ZSSODz4FlKyNFqjfZiDDme6pjwxWoMSA+Tn4bkboYyCBosUrVfc0nxa1HA==}
 
   '@design.estate/dees-comms@1.0.30':
     resolution: {integrity: sha512-KchMlklJfKAjQiJiR0xmofXtQ27VgZtBIxcMwPE9d+h3jJRv+lPZxzBQVOM0eyM0uS44S5vJMZ11IeV4uDXSHg==}
@@ -365,8 +365,8 @@ packages:
   '@design.estate/dees-element@2.2.4':
     resolution: {integrity: sha512-O9cA6flBMMd+pBwMQrZXwAWel9yVxgokolb+Em6gvkXxPJ0P/B5UDn4Vc2d4ts3ta55PTBm+l2dPeDVGx/bl7Q==}
 
-  '@design.estate/dees-wcctools@3.8.0':
-    resolution: {integrity: sha512-CC14iVKUrguzD9jIrdPBd9fZ4egVJEZMxl5y8iy0l7WLumeoYvGsoXj5INVkRPLRVLqziIdi4Je1hXqHt2NU+g==}
+  '@design.estate/dees-wcctools@3.9.0':
+    resolution: {integrity: sha512-0vZBaGBEGIbl8hx+8BezIIea3U5T7iSHHF9VqlJZGf+nOFIW4zBAxcCljH8YzZ1Yayp6BEjxp/pQXjHN2YB3Jg==}
 
   '@emnapi/core@1.9.2':
     resolution: {integrity: sha512-UC+ZhH3XtczQYfOlu3lNEkdW/p4dsJ1r/bP7H8+rhao3TTTMO1ATq/4DdIi23XuGoFY+Cz0JmCbdVl0hz9jZcA==}
@@ -1257,8 +1257,8 @@ packages:
   '@push.rocks/smartmustache@3.0.2':
     resolution: {integrity: sha512-G3LyRXoJhyM+iQhkvP/MR/2WYMvC9U7zc2J44JxUM5tPdkQ+o3++FbfRtnZj6rz5X/A7q03//vsxPitVQwoi2Q==}
 
-  '@push.rocks/smartnetwork@4.5.2':
-    resolution: {integrity: sha512-lbMMyc2f/WWd5+qzZyF1ynXndjCtasxPWmj/d8GUuis9rDrW7sLIT1PlAPC2F6Qsy4H/K32JrYU+01d/6sWObg==}
+  '@push.rocks/smartnetwork@4.6.0':
+    resolution: {integrity: sha512-ubaO/Qp8r30A+qwk33M/0+nQi+o8gNHEI9zq3jv1MwqiLxhiV1hnbr4CL9AUcvs4EhwUBiw0EswKjCJROwDqvQ==}
 
   '@push.rocks/smartnftables@1.1.0':
     resolution: {integrity: sha512-7JNzerlW20HEl2wKMBIHltwneCQRpXiD2lJkXZZc02ctnfjgFejXVDIeWomhPx6PZ0Z6zmqdF6rrFDtDHyqqfA==}
@@ -1284,8 +1284,8 @@ packages:
   '@push.rocks/smartpromise@4.2.3':
     resolution: {integrity: sha512-Ycg/TJR+tMt+S3wSFurOpEoW6nXv12QBtKXgBcjMZ4RsdO28geN46U09osPn9N9WuwQy1PkmTV5J/V4F9U8qEw==}
 
-  '@push.rocks/smartproxy@27.5.0':
-    resolution: {integrity: sha512-QIXrVQtAoqBCv+9ScLOdGcizN55svJuGCfMDsDaBVtwS3Tva30IxuEL3usNTHABveuI8slaWzSxTabmTULDOwA==}
+  '@push.rocks/smartproxy@27.7.0':
+    resolution: {integrity: sha512-0u8HF5ocQ2xmfCN1FWyulGTddZ4ZkWaip1j0alT8Bc/LdIYerjKtNJCU4N2wMk/Zz0Wl5UQOmBm4qIWmgRiEcg==}
 
   '@push.rocks/smartpuppeteer@2.0.5':
     resolution: {integrity: sha512-yK/qSeWVHIGWRp3c8S5tfdGP6WCKllZC4DR8d8CQlEjszOSBmHtlTdyyqOMBZ/BA4kd+eU5f3A1r4K2tGYty1g==}
@@ -1588,8 +1588,8 @@ packages:
   '@selderee/plugin-htmlparser2@0.11.0':
     resolution: {integrity: sha512-P33hHGdldxGabLFjPPpaTxVolMrzrcegejx+0GxjrIb9Zv48D8yAIA/QTDR2dFl7Uz7urX8aX6+5bCZslr+gWQ==}
 
-  '@serve.zone/catalog@2.12.3':
-    resolution: {integrity: sha512-/QLFjFcy/ig6cdr4517smSc/VCutW/qF/8lCM3v7tpQ5yLApjqiL314Dyvk9zzSwHpw69IeuM9EmPOeTuCY0iQ==}
+  '@serve.zone/catalog@2.12.4':
+    resolution: {integrity: sha512-GRfJZ0yQxChUy7Gp4mxhuN5y4GXZMOEk0W7rJiyZbezA938q+pFTplb9ahSaEHjiUht1MmTu/5WtoJFwgAP8SQ==}
 
   '@serve.zone/interfaces@5.3.0':
     resolution: {integrity: sha512-venO7wtDR9ixzD9NhdERBGjNKbFA5LL0yHw4eqGh0UpmvtXVc3SFG0uuHDilOKMZqZ8bttV88qVsFy1aSTJrtA==}
@@ -1994,6 +1994,12 @@ packages:
   '@types/debug@4.1.13':
     resolution: {integrity: sha512-KSVgmQmzMwPlmtljOomayoR89W4FynCAi3E8PPs7vmDVPe84hT+vGPKkJfThkmXs0x0jAaa9U8uW8bbfyS2fWw==}
 
+  '@types/dom-mediacapture-transform@0.1.11':
+    resolution: {integrity: sha512-Y2p+nGf1bF2XMttBnsVPHUWzRRZzqUoJAKmiP10b5umnO6DDrWI0BrGDJy1pOHoOULVmGSfFNkQrAlC5dcj6nQ==}
+
+  '@types/dom-webcodecs@0.1.13':
+    resolution: {integrity: sha512-O5hkiFIcjjszPIYyUSyvScyvrBoV3NOEEZx/pMlsu44TKzWNkLVBBxnxJz42in5n3QIolYOcBYFCPZZ0h8SkwQ==}
+
   '@types/fs-extra@11.0.4':
     resolution: {integrity: sha512-yTbItCNreRooED33qjunPthRcSjERP1r4MqCZc7wv0u2sUkzTFp45tgUfS5+r7FrZPdmCCNflLhVSP/o+SemsQ==}
 
@@ -2054,8 +2060,8 @@ packages:
   '@types/node@22.19.17':
     resolution: {integrity: sha512-wGdMcf+vPYM6jikpS/qhg6WiqSV/OhG+jeeHT/KlVqxYfD40iYJf9/AE1uQxVWFvU7MipKRkRv8NSHiCGgPr8Q==}
 
-  '@types/node@25.5.2':
-    resolution: {integrity: sha512-tO4ZIRKNC+MDWV4qKVZe3Ql/woTnmHDr5JD8UI5hn2pwBrHEwOEMZK7WlNb5RKB6EoJ02gwmQS9OrjuFnZYdpg==}
+  '@types/node@25.6.0':
+    resolution: {integrity: sha512-+qIYRKdNYJwY3vRCZMdJbPLJAtGjQBudzZzdzwQYkEPQd+PJGixUL5QfvCLDaULoLv+RhT3LDkwEfKaAkgSmNQ==}
 
   '@types/qrcode@1.5.6':
     resolution: {integrity: sha512-te7NQcV2BOvdj2b1hCAHzAoMNuj65kNBMz0KBaxM6c3VGBOhU0dURQKOtH8CFNI/dsKkwlv32p26qYQTWoB5bw==}
@@ -2858,8 +2864,8 @@ packages:
   humanize-ms@1.2.1:
     resolution: {integrity: sha1-xG4xWaKT9riW2ikxbYtv6Lt5u+0=}
 
-  ibantools@4.5.2:
-    resolution: {integrity: sha512-is+8TgZcKS/AMv/z9nW1zz0bhjhoyjpA1p0nc3A6GkW/InOdcQiUZpkufADzh/aO/LY/TOD/P3oPWncNRn5QMA==}
+  ibantools@4.5.4:
+    resolution: {integrity: sha512-6jX1gh4aH6XH+o0ey+wtkMTzkcvsEta7DakIOZSng9voZYpMw3U+gK1+tZChk3aRcPcloEt0NOzksjaRZiqXbw==}
 
   iconv-lite@0.4.24:
     resolution: {integrity: sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==}
@@ -3076,16 +3082,16 @@ packages:
     resolution: {integrity: sha512-ozCC6gdQ+glXOQsveKD0YsDy8DSQFjDTz4zyzEHNV5+JP5D62LmfDZ6o1cycFx9ouG940M5dE8C8CTewdj2YWQ==}
     engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
 
-  lru-cache@11.3.2:
-    resolution: {integrity: sha512-wgWa6FWQ3QRRJbIjbsldRJZxdxYngT/dO0I5Ynmlnin8qy7tC6xYzbcJjtN4wHLXtkbVwHzk0C+OejVw1XM+DQ==}
+  lru-cache@11.3.5:
+    resolution: {integrity: sha512-NxVFwLAnrd9i7KUBxC4DrUhmgjzOs+1Qm50D3oF1/oL+r1NpZ4gA7xvG0/zJ8evR7zIKn4vLf7qTNduWFtCrRw==}
     engines: {node: 20 || >=22}
 
   lru-cache@7.18.3:
     resolution: {integrity: sha512-jumlc0BIUrS3qJGgIkWZsyfAM7NCWiBcCDhnd+3NNM5KbBmLTgHVfWBcg6W+rLUsIpzpERPsvwUP7CckAQSOoA==}
     engines: {node: '>=12'}
 
-  lucide@0.577.0:
-    resolution: {integrity: sha512-PpC/m5eOItp/WU/GlQPFBXDOhq6HibL73KzYP37OX3LM7VmzWQF8voEj8QRWUFvy9FIKfeDQkWYoyS1D/MdWFA==}
+  lucide@1.8.0:
+    resolution: {integrity: sha512-JjV/QnadgFLj1Pyu9IKl0lknrolFEzo04B64QcYLLeRzZl/iEHpdbSrRRKbyXcv45SZNv+WGjIUCT33e7xHO6Q==}
 
   mailparser@3.9.6:
     resolution: {integrity: sha512-EJYTDWMrOS1kddK1mTsRkrx2Ngh2nYsg54SRMWVVWGVEGbHH4tod8tqqU9hIRPgGQVboSjFubDn9cboSitbM3Q==}
@@ -3163,6 +3169,9 @@ packages:
   mdurl@2.0.0:
     resolution: {integrity: sha512-Lf+9+2r+Tdp5wXDXC4PcIBjTDtq4UKjCPMQhKIuzpJNW0b96kVqSwW0bT7FhRSfmAiFYgP+SCRvdrDozfh0U5w==}
 
+  mediabunny@1.40.1:
+    resolution: {integrity: sha512-HU/stGzAkdWaJIly6ypbUVgAUvT9kt39DIg0IaErR7/1fwtTmgUYs4i8uEPYcgcjPjbB9gtBmUXOLnXi6J2LDw==}
+
   memory-pager@1.5.0:
     resolution: {integrity: sha512-ZS4Bp4r/Zoeq6+NLJpP+0Zzm0pR8whtGPf1XExKLJBAczGMnSi3It14OiNCStjQjM6NU1okjQGSxgEZN8eBYKg==}
 
@@ -4098,8 +4107,8 @@ packages:
   undici-types@6.21.0:
     resolution: {integrity: sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==}
 
-  undici-types@7.18.2:
-    resolution: {integrity: sha512-AsuCzffGHJybSaRrmr5eHr81mwJU3kjw6M+uprWvCXiNeN9SOGwQ3Jn8jb8m3Z6izVgknn1R0FTCEAP2QrLY/w==}
+  undici-types@7.19.2:
+    resolution: {integrity: sha512-qYVnV5OEm2AW8cJMCpdV20CDyaN3g0AjDlOGf1OW4iaDEx8MwdtChUp4zu4H0VP3nDRF/8RKWH+IPp9uW0YGZg==}
 
   unified@11.0.5:
     resolution: {integrity: sha512-xKvGhPWw3k84Qjh8bI3ZeJjqnyadK+GEFtazSfZv/rKeTkTjOJho6mFqh2SM96iIcZokxiOpg78GazTSg8+KHA==}
@@ -4315,7 +4324,7 @@ snapshots:
       '@api.global/typedrequest-interfaces': 3.0.19
       '@api.global/typedsocket': 4.1.2(@push.rocks/smartserve@2.0.3)
       '@cloudflare/workers-types': 4.20260405.1
-      '@design.estate/dees-catalog': 3.70.0(@tiptap/pm@2.27.2)
+      '@design.estate/dees-catalog': 3.78.2(@tiptap/pm@2.27.2)
       '@design.estate/dees-comms': 1.0.30
       '@push.rocks/lik': 6.4.0
       '@push.rocks/smartdelay': 3.0.5
@@ -4844,11 +4853,11 @@ snapshots:
     dependencies:
       '@api.global/typedrequest-interfaces': 3.0.19
 
-  '@design.estate/dees-catalog@3.70.0(@tiptap/pm@2.27.2)':
+  '@design.estate/dees-catalog@3.78.2(@tiptap/pm@2.27.2)':
     dependencies:
       '@design.estate/dees-domtools': 2.5.4
       '@design.estate/dees-element': 2.2.4
-      '@design.estate/dees-wcctools': 3.8.0
+      '@design.estate/dees-wcctools': 3.9.0
       '@fortawesome/fontawesome-svg-core': 7.2.0
       '@fortawesome/free-brands-svg-icons': 7.2.0
       '@fortawesome/free-regular-svg-icons': 7.2.0
@@ -4866,9 +4875,9 @@ snapshots:
       '@tsclass/tsclass': 9.5.0
       echarts: 5.6.0
       highlight.js: 11.11.1
-      ibantools: 4.5.2
+      ibantools: 4.5.4
       lightweight-charts: 5.1.0
-      lucide: 0.577.0
+      lucide: 1.8.0
       monaco-editor: 0.55.1
       pdfjs-dist: 4.10.38
       xterm: 5.3.0
@@ -4925,12 +4934,13 @@ snapshots:
       - supports-color
       - vue
 
-  '@design.estate/dees-wcctools@3.8.0':
+  '@design.estate/dees-wcctools@3.9.0':
     dependencies:
       '@design.estate/dees-domtools': 2.5.4
       '@design.estate/dees-element': 2.2.4
       '@push.rocks/smartdelay': 3.0.5
       lit: 3.3.2
+      mediabunny: 1.40.1
     transitivePeerDependencies:
       - '@nuxt/kit'
       - react
@@ -5144,7 +5154,7 @@ snapshots:
       '@push.rocks/smartjson': 6.0.0
       '@push.rocks/smartlog': 3.2.2
       '@push.rocks/smartmongo': 5.1.1(socks@2.8.7)
-      '@push.rocks/smartnetwork': 4.5.2
+      '@push.rocks/smartnetwork': 4.6.0
       '@push.rocks/smartpath': 6.0.0
       '@push.rocks/smartpromise': 4.2.3
       '@push.rocks/smartrequest': 5.0.1
@@ -5947,7 +5957,7 @@ snapshots:
       '@push.rocks/smartdelay': 3.0.5
       '@push.rocks/smartdns': 7.9.0
       '@push.rocks/smartlog': 3.2.2
-      '@push.rocks/smartnetwork': 4.5.2
+      '@push.rocks/smartnetwork': 4.6.0
       '@push.rocks/smartstring': 4.1.0
       '@push.rocks/smarttime': 4.2.3
       '@push.rocks/smartunique': 3.0.9
@@ -6404,7 +6414,7 @@ snapshots:
       '@push.rocks/smartpath': 6.0.0
       '@push.rocks/smartrust': 1.3.2
       '@tsclass/tsclass': 9.5.0
-      lru-cache: 11.3.2
+      lru-cache: 11.3.5
       mailparser: 3.9.6
       uuid: 13.0.0
     transitivePeerDependencies:
@@ -6414,7 +6424,7 @@ snapshots:
     dependencies:
       handlebars: 4.7.9
 
-  '@push.rocks/smartnetwork@4.5.2':
+  '@push.rocks/smartnetwork@4.6.0':
     dependencies:
       '@push.rocks/smartdns': 7.9.0
       '@push.rocks/smartrust': 1.3.2
@@ -6475,7 +6485,7 @@ snapshots:
       '@push.rocks/smartdelay': 3.0.5
       '@push.rocks/smartfs': 1.5.0
       '@push.rocks/smartjimp': 1.2.0
-      '@push.rocks/smartnetwork': 4.5.2
+      '@push.rocks/smartnetwork': 4.6.0
       '@push.rocks/smartpath': 6.0.0
       '@push.rocks/smartpromise': 4.2.3
       '@push.rocks/smartpuppeteer': 2.0.5(typescript@6.0.2)
@@ -6496,7 +6506,7 @@ snapshots:
 
   '@push.rocks/smartpromise@4.2.3': {}
 
-  '@push.rocks/smartproxy@27.5.0':
+  '@push.rocks/smartproxy@27.7.0':
     dependencies:
       '@push.rocks/smartcrypto': 2.0.4
       '@push.rocks/smartlog': 3.2.2
@@ -6898,12 +6908,12 @@ snapshots:
       domhandler: 5.0.3
       selderee: 0.11.0
 
-  '@serve.zone/catalog@2.12.3(@tiptap/pm@2.27.2)':
+  '@serve.zone/catalog@2.12.4(@tiptap/pm@2.27.2)':
     dependencies:
-      '@design.estate/dees-catalog': 3.70.0(@tiptap/pm@2.27.2)
+      '@design.estate/dees-catalog': 3.78.2(@tiptap/pm@2.27.2)
       '@design.estate/dees-domtools': 2.5.4
       '@design.estate/dees-element': 2.2.4
-      '@design.estate/dees-wcctools': 3.8.0
+      '@design.estate/dees-wcctools': 3.9.0
     transitivePeerDependencies:
       - '@nuxt/kit'
       - '@tiptap/pm'
@@ -7442,17 +7452,23 @@ snapshots:
 
   '@types/clean-css@4.2.11':
     dependencies:
-      '@types/node': 25.5.2
+      '@types/node': 25.6.0
       source-map: 0.6.1
 
   '@types/debug@4.1.13':
     dependencies:
       '@types/ms': 2.1.0
 
+  '@types/dom-mediacapture-transform@0.1.11':
+    dependencies:
+      '@types/dom-webcodecs': 0.1.13
+
+  '@types/dom-webcodecs@0.1.13': {}
+
   '@types/fs-extra@11.0.4':
     dependencies:
       '@types/jsonfile': 6.1.4
-      '@types/node': 25.5.2
+      '@types/node': 25.6.0
 
   '@types/hast@3.0.4':
     dependencies:
@@ -7472,12 +7488,12 @@ snapshots:
 
   '@types/jsonfile@6.1.4':
     dependencies:
-      '@types/node': 25.5.2
+      '@types/node': 25.6.0
 
   '@types/jsonwebtoken@9.0.10':
     dependencies:
       '@types/ms': 2.1.0
-      '@types/node': 25.5.2
+      '@types/node': 25.6.0
 
   '@types/linkify-it@5.0.0': {}
 
@@ -7498,16 +7514,16 @@ snapshots:
 
   '@types/mute-stream@0.0.4':
     dependencies:
-      '@types/node': 25.5.2
+      '@types/node': 25.6.0
 
   '@types/node-fetch@2.6.13':
     dependencies:
-      '@types/node': 25.5.2
+      '@types/node': 25.6.0
       form-data: 4.0.5
 
   '@types/node-forge@1.3.14':
     dependencies:
-      '@types/node': 25.5.2
+      '@types/node': 25.6.0
 
   '@types/node@16.9.1': {}
 
@@ -7519,13 +7535,13 @@ snapshots:
     dependencies:
       undici-types: 6.21.0
 
-  '@types/node@25.5.2':
+  '@types/node@25.6.0':
     dependencies:
-      undici-types: 7.18.2
+      undici-types: 7.19.2
 
   '@types/qrcode@1.5.6':
     dependencies:
-      '@types/node': 25.5.2
+      '@types/node': 25.6.0
 
   '@types/randomatic@3.1.5': {}
 
@@ -7535,11 +7551,11 @@ snapshots:
 
   '@types/tar-stream@3.1.4':
     dependencies:
-      '@types/node': 25.5.2
+      '@types/node': 25.6.0
 
   '@types/through2@2.0.41':
     dependencies:
-      '@types/node': 25.5.2
+      '@types/node': 25.6.0
 
   '@types/trusted-types@2.0.7': {}
 
@@ -7569,11 +7585,11 @@ snapshots:
 
   '@types/ws@8.18.1':
     dependencies:
-      '@types/node': 25.5.2
+      '@types/node': 25.6.0
 
   '@types/yauzl@2.10.3':
     dependencies:
-      '@types/node': 25.5.2
+      '@types/node': 25.6.0
     optional: true
 
   '@ungap/structured-clone@1.3.0': {}
@@ -8390,7 +8406,7 @@ snapshots:
     dependencies:
       ms: 2.1.3
 
-  ibantools@4.5.2: {}
+  ibantools@4.5.4: {}
 
   iconv-lite@0.4.24:
     dependencies:
@@ -8628,11 +8644,11 @@ snapshots:
 
   lowercase-keys@3.0.0: {}
 
-  lru-cache@11.3.2: {}
+  lru-cache@11.3.5: {}
 
   lru-cache@7.18.3: {}
 
-  lucide@0.577.0: {}
+  lucide@1.8.0: {}
 
   mailparser@3.9.6:
     dependencies:
@@ -8804,6 +8820,11 @@ snapshots:
 
   mdurl@2.0.0: {}
 
+  mediabunny@1.40.1:
+    dependencies:
+      '@types/dom-mediacapture-transform': 0.1.11
+      '@types/dom-webcodecs': 0.1.13
+
   memory-pager@1.5.0: {}
 
   micromark-core-commonmark@2.0.3:
@@ -9268,7 +9289,7 @@ snapshots:
 
   path-scurry@2.0.2:
     dependencies:
-      lru-cache: 11.3.2
+      lru-cache: 11.3.5
       minipass: 7.1.3
 
   path-to-regexp@8.4.2: {}
@@ -9942,7 +9963,7 @@ snapshots:
 
   undici-types@6.21.0: {}
 
-  undici-types@7.18.2: {}
+  undici-types@7.19.2: {}
 
   unified@11.0.5:
     dependencies:

test/test.apiclient.ts

@@ -174,62 +174,20 @@ tap.test('Route - should hydrate from IMergedRoute data', async () => {
       match: { ports: 443, domains: 'example.com' },
       action: { type: 'forward', targets: [{ host: 'backend', port: 8080 }] },
     },
-    source: 'programmatic',
+    id: 'route-123',
     enabled: true,
-    overridden: false,
-    storedRouteId: 'route-123',
+    origin: 'api',
     createdAt: 1000,
     updatedAt: 2000,
   });
 
   expect(route.name).toEqual('test-route');
-  expect(route.source).toEqual('programmatic');
+  expect(route.id).toEqual('route-123');
   expect(route.enabled).toEqual(true);
-  expect(route.overridden).toEqual(false);
-  expect(route.storedRouteId).toEqual('route-123');
+  expect(route.origin).toEqual('api');
   expect(route.routeConfig.match.ports).toEqual(443);
 });
 
-tap.test('Route - should throw on update/delete/toggle for hardcoded routes', async () => {
-  const client = new DcRouterApiClient({ baseUrl: 'https://localhost:3000' });
-  const route = new Route(client, {
-    route: {
-      name: 'hardcoded-route',
-      match: { ports: 80 },
-      action: { type: 'forward', targets: [{ host: 'localhost', port: 8080 }] },
-    },
-    source: 'hardcoded',
-    enabled: true,
-    overridden: false,
-    // No storedRouteId for hardcoded routes
-  });
-
-  let updateError: Error | undefined;
-  try {
-    await route.update({ name: 'new-name' });
-  } catch (e) {
-    updateError = e as Error;
-  }
-  expect(updateError).toBeTruthy();
-  expect(updateError!.message).toInclude('hardcoded');
-
-  let deleteError: Error | undefined;
-  try {
-    await route.delete();
-  } catch (e) {
-    deleteError = e as Error;
-  }
-  expect(deleteError).toBeTruthy();
-
-  let toggleError: Error | undefined;
-  try {
-    await route.toggle(false);
-  } catch (e) {
-    toggleError = e as Error;
-  }
-  expect(toggleError).toBeTruthy();
-});
-
 // =============================================================================
 // Certificate resource class
 // =============================================================================

test/test.dns-runtime-routes.node.ts

@@ -0,0 +1,230 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { DcRouter } from '../ts/classes.dcrouter.js';
+import { RouteConfigManager } from '../ts/config/index.js';
+import { DcRouterDb, DomainDoc, RouteDoc } from '../ts/db/index.js';
+import { DnsManager } from '../ts/dns/manager.dns.js';
+import { logger } from '../ts/logger.js';
+import * as plugins from '../ts/plugins.js';
+
+const createTestDb = async () => {
+  const storagePath = plugins.path.join(
+    plugins.os.tmpdir(),
+    `dcrouter-dns-runtime-routes-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+  );
+
+  DcRouterDb.resetInstance();
+  const db = DcRouterDb.getInstance({
+    storagePath,
+    dbName: `dcrouter-test-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+  });
+  await db.start();
+  await db.getDb().mongoDb.createCollection('__test_init');
+
+  return {
+    async cleanup() {
+      await db.stop();
+      DcRouterDb.resetInstance();
+      await plugins.fs.promises.rm(storagePath, { recursive: true, force: true });
+    },
+  };
+};
+
+const testDbPromise = createTestDb();
+
+const clearTestState = async () => {
+  for (const route of await RouteDoc.findAll()) {
+    await route.delete();
+  }
+  for (const domain of await DomainDoc.findAll()) {
+    await domain.delete();
+  }
+};
+
+tap.test('RouteConfigManager applies runtime DoH routes without persisting them', async () => {
+  await testDbPromise;
+  await clearTestState();
+
+  const dcRouter = new DcRouter({
+    dnsNsDomains: ['ns1.example.com', 'ns2.example.com'],
+    dnsScopes: ['example.com'],
+    smartProxyConfig: { routes: [] },
+    dbConfig: { enabled: false },
+  });
+
+  const appliedRoutes: any[][] = [];
+  const smartProxy = {
+    updateRoutes: async (routes: any[]) => {
+      appliedRoutes.push(routes);
+    },
+  };
+
+  const routeManager = new RouteConfigManager(
+    () => smartProxy as any,
+    undefined,
+    undefined,
+    undefined,
+    undefined,
+    () => (dcRouter as any).generateDnsRoutes(),
+  );
+
+  await routeManager.initialize([], [], []);
+  await routeManager.applyRoutes();
+
+  const persistedRoutes = await RouteDoc.findAll();
+  expect(persistedRoutes.length).toEqual(0);
+  expect(appliedRoutes.length).toEqual(2);
+
+  for (const routeSet of appliedRoutes) {
+    const dnsQueryRoute = routeSet.find((route) => route.name === 'dns-over-https-dns-query');
+    const resolveRoute = routeSet.find((route) => route.name === 'dns-over-https-resolve');
+
+    expect(dnsQueryRoute).toBeDefined();
+    expect(resolveRoute).toBeDefined();
+    expect(typeof dnsQueryRoute.action.socketHandler).toEqual('function');
+    expect(typeof resolveRoute.action.socketHandler).toEqual('function');
+  }
+});
+
+tap.test('RouteConfigManager removes stale persisted DoH socket-handler routes on startup', async () => {
+  await testDbPromise;
+  await clearTestState();
+
+  const staleDnsQueryRoute = new RouteDoc();
+  staleDnsQueryRoute.id = 'stale-doh-query';
+  staleDnsQueryRoute.route = {
+    name: 'dns-over-https-dns-query',
+    match: {
+      ports: [443],
+      domains: ['ns1.example.com'],
+      path: '/dns-query',
+    },
+    action: {
+      type: 'socket-handler' as any,
+    } as any,
+  };
+  staleDnsQueryRoute.enabled = true;
+  staleDnsQueryRoute.createdAt = Date.now();
+  staleDnsQueryRoute.updatedAt = Date.now();
+  staleDnsQueryRoute.createdBy = 'test';
+  staleDnsQueryRoute.origin = 'dns';
+  await staleDnsQueryRoute.save();
+
+  const staleResolveRoute = new RouteDoc();
+  staleResolveRoute.id = 'stale-doh-resolve';
+  staleResolveRoute.route = {
+    name: 'dns-over-https-resolve',
+    match: {
+      ports: [443],
+      domains: ['ns1.example.com'],
+      path: '/resolve',
+    },
+    action: {
+      type: 'socket-handler' as any,
+    } as any,
+  };
+  staleResolveRoute.enabled = true;
+  staleResolveRoute.createdAt = Date.now();
+  staleResolveRoute.updatedAt = Date.now();
+  staleResolveRoute.createdBy = 'test';
+  staleResolveRoute.origin = 'dns';
+  await staleResolveRoute.save();
+
+  const validRoute = new RouteDoc();
+  validRoute.id = 'valid-forward-route';
+  validRoute.route = {
+    name: 'valid-forward-route',
+    match: {
+      ports: [443],
+      domains: ['app.example.com'],
+    },
+    action: {
+      type: 'forward',
+      targets: [{ host: '127.0.0.1', port: 8443 }],
+      tls: { mode: 'terminate' as const },
+    },
+  } as any;
+  validRoute.enabled = true;
+  validRoute.createdAt = Date.now();
+  validRoute.updatedAt = Date.now();
+  validRoute.createdBy = 'test';
+  validRoute.origin = 'api';
+  await validRoute.save();
+
+  const appliedRoutes: any[][] = [];
+  const smartProxy = {
+    updateRoutes: async (routes: any[]) => {
+      appliedRoutes.push(routes);
+    },
+  };
+
+  const routeManager = new RouteConfigManager(() => smartProxy as any);
+  await routeManager.initialize([], [], []);
+
+  expect((await RouteDoc.findByName('dns-over-https-dns-query'))).toEqual(null);
+  expect((await RouteDoc.findByName('dns-over-https-resolve'))).toEqual(null);
+
+  const remainingRoutes = await RouteDoc.findAll();
+  expect(remainingRoutes.length).toEqual(1);
+  expect(remainingRoutes[0].route.name).toEqual('valid-forward-route');
+
+  expect(appliedRoutes.length).toEqual(1);
+  expect(appliedRoutes[0].length).toEqual(1);
+  expect(appliedRoutes[0][0].name).toEqual('valid-forward-route');
+});
+
+tap.test('DnsManager warning keeps dnsNsDomains in scope', async () => {
+  await testDbPromise;
+  await clearTestState();
+  const originalLog = logger.log.bind(logger);
+  const warningMessages: string[] = [];
+
+  (logger as any).log = (level: 'error' | 'warn' | 'info' | 'success' | 'debug', message: string, context?: Record<string, any>) => {
+    if (level === 'warn') {
+      warningMessages.push(message);
+    }
+    return originalLog(level, message, context || {});
+  };
+
+  try {
+    const existingDomain = new DomainDoc();
+    existingDomain.id = 'existing-domain';
+    existingDomain.name = 'example.com';
+    existingDomain.source = 'dcrouter';
+    existingDomain.authoritative = true;
+    existingDomain.createdAt = Date.now();
+    existingDomain.updatedAt = Date.now();
+    existingDomain.createdBy = 'test';
+    await existingDomain.save();
+
+    const dnsManager = new DnsManager({
+      dnsNsDomains: ['ns1.example.com'],
+      dnsScopes: ['example.com'],
+      dnsRecords: [{ name: 'www.example.com', type: 'A', value: '127.0.0.1' }],
+      smartProxyConfig: { routes: [] },
+    });
+
+    await dnsManager.start();
+
+    expect(
+      warningMessages.some((message) =>
+        message.includes('ignoring legacy dnsScopes/dnsRecords constructor config')
+        && message.includes('dnsNsDomains is still required for nameserver and DoH bootstrap'),
+      ),
+    ).toEqual(true);
+    expect(
+      warningMessages.some((message) =>
+        message.includes('ignoring legacy dnsScopes/dnsRecords/dnsNsDomains constructor config'),
+      ),
+    ).toEqual(false);
+  } finally {
+    (logger as any).log = originalLog;
+  }
+});
+
+tap.test('cleanup test db', async () => {
+  await clearTestState();
+  const testDb = await testDbPromise;
+  await testDb.cleanup();
+});
+
+export default tap.start();

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.9.0',
+  version: '13.17.6',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts/classes.dcrouter.ts

@@ -29,6 +29,7 @@ import { SecurityLogger, ContentScanner, IPReputationChecker } from './security/
 import { type IHttp3Config, augmentRoutesWithHttp3 } from './http3/index.js';
 import { DnsManager } from './dns/manager.dns.js';
 import { AcmeConfigManager } from './acme/manager.acme-config.js';
+import { EmailDomainManager } from './email/classes.email-domain.manager.js';
 
 export interface IDcRouterOptions {
   /** Base directory for all dcrouter data. Defaults to ~/.serve.zone/dcrouter */
@@ -279,6 +280,7 @@ export class DcRouter {
 
   // ACME configuration (DB-backed singleton, replaces tls.contactEmail)
   public acmeConfigManager?: AcmeConfigManager;
+  public emailDomainManager?: EmailDomainManager;
 
   // Auto-discovered public IP (populated by generateAuthoritativeRecords)
   public detectedPublicIp: string | null = null;
@@ -310,8 +312,11 @@ export class DcRouter {
   // TypedRouter for API endpoints
   public typedrouter = new plugins.typedrequest.TypedRouter();
 
-  // Cached constructor routes (computed once during setupSmartProxy, used by RouteConfigManager)
-  private constructorRoutes: plugins.smartproxy.IRouteConfig[] = [];
+  // Seed routes assembled during setupSmartProxy, passed to RouteConfigManager for DB seeding
+  private seedConfigRoutes: plugins.smartproxy.IRouteConfig[] = [];
+  private seedEmailRoutes: plugins.smartproxy.IRouteConfig[] = [];
+  // Runtime-only DoH routes. These carry live socket handlers and must never be persisted.
+  private runtimeDnsRoutes: plugins.smartproxy.IRouteConfig[] = [];
 
   // Environment access
   private qenv = new plugins.qenv.Qenv('./', '.nogit/');
@@ -439,6 +444,21 @@ export class DcRouter {
       );
     }
 
+    // Email Domain Manager: optional, depends on DcRouterDb
+    if (this.options.dbConfig?.enabled !== false) {
+      this.serviceManager.addService(
+        new plugins.taskbuffer.Service('EmailDomainManager')
+          .optional()
+          .dependsOn('DcRouterDb')
+          .withStart(async () => {
+            this.emailDomainManager = new EmailDomainManager(this);
+          })
+          .withStop(async () => {
+            this.emailDomainManager = undefined;
+          }),
+      );
+    }
+
     // SmartProxy: critical, depends on DcRouterDb + DnsManager + AcmeConfigManager (if enabled)
     const smartProxyDeps: string[] = [];
     if (this.options.dbConfig?.enabled !== false) {
@@ -528,11 +548,12 @@ export class DcRouter {
             await this.referenceResolver.initialize();
 
             // Initialize target profile manager
-            this.targetProfileManager = new TargetProfileManager();
+            this.targetProfileManager = new TargetProfileManager(
+              () => this.routeConfigManager?.getRoutes() || new Map(),
+            );
             await this.targetProfileManager.initialize();
 
             this.routeConfigManager = new RouteConfigManager(
-              () => this.getConstructorRoutes(),
               () => this.smartProxy,
               () => this.options.http3,
               this.options.vpnConfig?.enabled
@@ -542,12 +563,15 @@ export class DcRouter {
                       return [];
                     }
                     return this.targetProfileManager.getMatchingClientIps(
-                      route, routeId, this.vpnManager.listClients(),
+                      route,
+                      routeId,
+                      this.vpnManager.listClients(),
+                      this.routeConfigManager?.getRoutes() || new Map(),
                     );
                   }
                 : undefined,
               this.referenceResolver,
-              // Sync merged routes to RemoteIngressManager whenever routes change,
+              // Sync routes to RemoteIngressManager whenever routes change,
               // then push updated derived ports to the Rust hub binary
               (routes) => {
                 if (this.remoteIngressManager) {
@@ -557,10 +581,15 @@ export class DcRouter {
                   this.tunnelManager.syncAllowedEdges();
                 }
               },
+              () => this.runtimeDnsRoutes,
             );
             this.apiTokenManager = new ApiTokenManager();
             await this.apiTokenManager.initialize();
-            await this.routeConfigManager.initialize();
+            await this.routeConfigManager.initialize(
+              this.seedConfigRoutes as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig[],
+              this.seedEmailRoutes as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig[],
+            );
+            await this.targetProfileManager.normalizeAllRouteRefs();
 
             // Seed default profiles/targets if DB is empty and seeding is enabled
             const seeder = new DbSeeder(this.referenceResolver);
@@ -864,31 +893,30 @@ export class DcRouter {
       this.smartProxy = undefined;
     }
 
-    let routes: plugins.smartproxy.IRouteConfig[] = [];
+    // Assemble serializable seed routes from constructor config — these will be seeded into DB
+    // by RouteConfigManager.initialize() when the ConfigManagers service starts.
+    this.seedConfigRoutes = (this.options.smartProxyConfig?.routes || []) as plugins.smartproxy.IRouteConfig[];
+    logger.log('info', `Found ${this.seedConfigRoutes.length} routes in config`);
 
-    // If user provides full SmartProxy config, use its routes.
-    // NOTE: `smartProxyConfig.acme` is now seed-only — consumed by
-    // AcmeConfigManager on first boot. The live ACME config always comes
-    // from the DB via `this.acmeConfigManager.getConfig()`.
-    if (this.options.smartProxyConfig) {
-      routes = this.options.smartProxyConfig.routes || [];
-      logger.log('info', `Found ${routes.length} routes in config`);
-    }
-
-    // If email config exists, automatically add email routes
+    this.seedEmailRoutes = [];
     if (this.options.emailConfig) {
-      const emailRoutes = this.generateEmailRoutes(this.options.emailConfig);
-      logger.log('debug', 'Email routes generated', { routes: JSON.stringify(emailRoutes) });
-      routes = [...routes, ...emailRoutes]; // Enable email routing through SmartProxy
+      this.seedEmailRoutes = this.generateEmailRoutes(this.options.emailConfig);
+      logger.log('debug', 'Email routes generated', { routes: JSON.stringify(this.seedEmailRoutes) });
     }
 
-    // If DNS is configured, add DNS routes
+    this.runtimeDnsRoutes = [];
     if (this.options.dnsNsDomains && this.options.dnsNsDomains.length > 0) {
-      const dnsRoutes = this.generateDnsRoutes();
-      logger.log('debug', `DNS routes for nameservers ${this.options.dnsNsDomains.join(', ')}`, { routes: JSON.stringify(dnsRoutes) });
-      routes = [...routes, ...dnsRoutes];
+      this.runtimeDnsRoutes = this.generateDnsRoutes();
+      logger.log('debug', `DNS routes for nameservers ${this.options.dnsNsDomains.join(', ')}`, { routes: JSON.stringify(this.runtimeDnsRoutes) });
     }
 
+    // Combined routes for SmartProxy bootstrap (before DB routes are loaded)
+    let routes: plugins.smartproxy.IRouteConfig[] = [
+      ...this.seedConfigRoutes,
+      ...this.seedEmailRoutes,
+      ...this.runtimeDnsRoutes,
+    ];
+
     // Build the ACME options for SmartProxy from the DB-backed AcmeConfigManager.
     // If no config exists or it's disabled, SmartProxy's own ACME is turned off
     // and dcrouter's SmartAcme / certProvisionFunction are not wired.
@@ -913,15 +941,16 @@ export class DcRouter {
     }
 
     // Configure DNS-01 challenge if any DnsProviderDoc exists in the DB AND
-    // ACME is enabled. The DnsManager dispatches each challenge to the right
-    // provider client based on the FQDN being certificated.
+    // ACME is enabled. The DnsManager dispatches each challenge through the
+    // unified createRecord()/deleteRecord() path — works for both dcrouter-hosted
+    // zones and provider-managed zones. Only domains under management get certs.
     let challengeHandlers: any[] = [];
     if (
       acmeConfig &&
       this.dnsManager &&
-      (await this.dnsManager.hasAcmeCapableProvider())
+      (await this.dnsManager.hasAnyManagedDomain())
     ) {
-      logger.log('info', 'Configuring DNS-01 challenge for ACME via DnsManager (DB providers)');
+      logger.log('info', 'Configuring DNS-01 challenge for ACME via DnsManager (managed domains)');
       const convenientDnsProvider = this.dnsManager.buildAcmeConvenientDnsProvider();
       const dns01Handler = new plugins.smartacme.handlers.Dns01Handler(convenientDnsProvider);
       challengeHandlers.push(dns01Handler);
@@ -934,10 +963,6 @@ export class DcRouter {
       logger.log('info', 'HTTP/3: Augmented qualifying HTTPS routes with QUIC/H3 configuration');
     }
 
-    // Cache constructor routes for RouteConfigManager (without VPN security baked in —
-    // applyRoutes() injects VPN security dynamically so it stays current with client changes)
-    this.constructorRoutes = [...routes];
-
     // If we have routes or need a basic SmartProxy instance, create it
     if (routes.length > 0 || this.options.smartProxyConfig) {
       logger.log('info', 'Setting up SmartProxy with combined configuration');
@@ -1388,14 +1413,6 @@ export class DcRouter {
     return names;
   }
 
-  /**
-   * Get the routes derived from constructor config (smartProxy + email + DNS).
-   * Used by RouteConfigManager as the "hardcoded" base.
-   */
-  public getConstructorRoutes(): plugins.smartproxy.IRouteConfig[] {
-    return this.constructorRoutes;
-  }
-
   public async stop() {
     logger.log('info', 'Stopping DcRouter services...');
 
@@ -1439,17 +1456,15 @@ export class DcRouter {
     // Update configuration
     this.options.smartProxyConfig = config;
 
-    // Update routes on RemoteIngressManager so derived ports stay in sync
-    if (this.remoteIngressManager && config.routes) {
-      this.remoteIngressManager.setRoutes(config.routes as any[]);
-    }
-
-    // Start new SmartProxy with updated configuration (will include email routes if configured)
+    // Start new SmartProxy with updated configuration (rebuilds seed routes)
     await this.setupSmartProxy();
 
-    // Re-apply programmatic routes and overrides after SmartProxy restart
+    // Re-seed and re-apply all routes after SmartProxy restart
     if (this.routeConfigManager) {
-      await this.routeConfigManager.initialize();
+      await this.routeConfigManager.initialize(
+        this.seedConfigRoutes as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig[],
+        this.seedEmailRoutes as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig[],
+      );
     }
 
     logger.log('info', 'SmartProxy configuration updated');
@@ -2167,13 +2182,14 @@ export class DcRouter {
     this.remoteIngressManager = new RemoteIngressManager();
     await this.remoteIngressManager.initialize();
 
-    // Pass current routes so the manager can derive edge ports from remoteIngress-tagged routes
-    const currentRoutes = this.constructorRoutes;
-    this.remoteIngressManager.setRoutes(currentRoutes as any[]);
+    // Pass current bootstrap routes so the manager can derive edge ports initially.
+    // Once RouteConfigManager applies the full DB set, the onRoutesApplied callback
+    // will push the complete merged routes here.
+    const bootstrapRoutes = [...this.seedConfigRoutes, ...this.seedEmailRoutes, ...this.runtimeDnsRoutes];
+    this.remoteIngressManager.setRoutes(bootstrapRoutes as any[]);
 
-    // Race-condition fix: if ConfigManagers finished before us, re-apply routes
-    // so the callback delivers the full merged set (including DB-stored routes)
-    // to our newly-created remoteIngressManager.
+    // If ConfigManagers finished before us, re-apply routes
+    // so the callback delivers the full DB set to our newly-created remoteIngressManager.
     if (this.routeConfigManager) {
       await this.routeConfigManager.applyRoutes();
     }
@@ -2260,11 +2276,10 @@ export class DcRouter {
 
         if (!this.targetProfileManager) return [...ips];
 
-        const routes = (this.options.smartProxyConfig?.routes || []) as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig[];
-        const storedRoutes = this.routeConfigManager?.getStoredRoutes() || new Map();
+        const allRoutes = this.routeConfigManager?.getRoutes() || new Map();
 
         const { domains, targetIps } = this.targetProfileManager.getClientAccessSpec(
-          targetProfileIds, routes, storedRoutes,
+          targetProfileIds, allRoutes,
         );
 
         // Add target IPs directly
@@ -2274,8 +2289,11 @@ export class DcRouter {
 
         // Resolve DNS A records for matched domains (with caching)
         for (const domain of domains) {
-          const stripped = domain.replace(/^\*\./, '');
-          const resolvedIps = await this.resolveVpnDomainIPs(stripped);
+          if (this.isWildcardVpnDomain(domain)) {
+            this.logSkippedWildcardAllowedIp(domain);
+            continue;
+          }
+          const resolvedIps = await this.resolveVpnDomainIPs(domain);
           for (const ip of resolvedIps) {
             ips.add(`${ip}/32`);
           }
@@ -2287,14 +2305,15 @@ export class DcRouter {
 
     await this.vpnManager.start();
 
-    // Re-apply routes now that VPN clients are loaded — ensures hardcoded routes
-    // get correct profile-based ipAllowLists (not possible during setupSmartProxy since
-    // VPN server wasn't ready yet)
+    // Re-apply routes now that VPN clients are loaded — ensures vpnOnly routes
+    // get correct profile-based ipAllowLists
     await this.routeConfigManager?.applyRoutes();
   }
 
   /** Cache for DNS-resolved IPs of VPN-gated domains. TTL: 5 minutes. */
   private vpnDomainIpCache = new Map<string, { ips: string[]; expiresAt: number }>();
+  /** Deduplicate wildcard-resolution warnings for WireGuard AllowedIPs generation. */
+  private warnedWildcardVpnDomains = new Set<string>();
 
   /**
    * Resolve a domain's A record(s) for VPN AllowedIPs, with a 5-minute cache.
@@ -2320,6 +2339,19 @@ export class DcRouter {
     }
   }
 
+  private isWildcardVpnDomain(domain: string): boolean {
+    return domain.includes('*');
+  }
+
+  private logSkippedWildcardAllowedIp(domain: string): void {
+    if (this.warnedWildcardVpnDomains.has(domain)) return;
+    this.warnedWildcardVpnDomains.add(domain);
+    logger.log(
+      'warn',
+      `VPN: Skipping wildcard domain '${domain}' for WireGuard AllowedIPs; wildcard patterns must be resolved to concrete hostnames by matching routes.`,
+    );
+  }
+
   // VPN security injection is now handled dynamically by RouteConfigManager.applyRoutes()
   // via the getVpnAllowList callback — no longer a separate method here.
 

ts/config/classes.reference-resolver.ts

@@ -1,11 +1,11 @@
 import * as plugins from '../plugins.js';
 import { logger } from '../logger.js';
-import { SourceProfileDoc, NetworkTargetDoc, StoredRouteDoc } from '../db/index.js';
+import { SourceProfileDoc, NetworkTargetDoc, RouteDoc } from '../db/index.js';
 import type {
   ISourceProfile,
   INetworkTarget,
   IRouteMetadata,
-  IStoredRoute,
+  IRoute,
   IRouteSecurity,
 } from '../../ts_interfaces/data/route-management.js';
 
@@ -81,7 +81,7 @@ export class ReferenceResolver {
   public async deleteProfile(
     id: string,
     force: boolean,
-    storedRoutes?: Map<string, IStoredRoute>,
+    storedRoutes?: Map<string, IRoute>,
   ): Promise<{ success: boolean; message?: string }> {
     const profile = this.profiles.get(id);
     if (!profile) {
@@ -131,7 +131,7 @@ export class ReferenceResolver {
     return [...this.profiles.values()];
   }
 
-  public getProfileUsage(storedRoutes: Map<string, IStoredRoute>): Map<string, Array<{ id: string; routeName: string }>> {
+  public getProfileUsage(storedRoutes: Map<string, IRoute>): Map<string, Array<{ id: string; routeName: string }>> {
     const usage = new Map<string, Array<{ id: string; routeName: string }>>();
     for (const profile of this.profiles.values()) {
       usage.set(profile.id, []);
@@ -147,7 +147,7 @@ export class ReferenceResolver {
 
   public getProfileUsageForId(
     profileId: string,
-    storedRoutes: Map<string, IStoredRoute>,
+    storedRoutes: Map<string, IRoute>,
   ): Array<{ id: string; routeName: string }> {
     const routes: Array<{ id: string; routeName: string }> = [];
     for (const [routeId, stored] of storedRoutes) {
@@ -214,7 +214,7 @@ export class ReferenceResolver {
   public async deleteTarget(
     id: string,
     force: boolean,
-    storedRoutes?: Map<string, IStoredRoute>,
+    storedRoutes?: Map<string, IRoute>,
   ): Promise<{ success: boolean; message?: string }> {
     const target = this.targets.get(id);
     if (!target) {
@@ -263,7 +263,7 @@ export class ReferenceResolver {
 
   public getTargetUsageForId(
     targetId: string,
-    storedRoutes: Map<string, IStoredRoute>,
+    storedRoutes: Map<string, IRoute>,
   ): Array<{ id: string; routeName: string }> {
     const routes: Array<{ id: string; routeName: string }> = [];
     for (const [routeId, stored] of storedRoutes) {
@@ -334,20 +334,20 @@ export class ReferenceResolver {
   // =========================================================================
 
   public async findRoutesByProfileRef(profileId: string): Promise<string[]> {
-    const docs = await StoredRouteDoc.findAll();
+    const docs = await RouteDoc.findAll();
     return docs
       .filter((doc) => doc.metadata?.sourceProfileRef === profileId)
       .map((doc) => doc.id);
   }
 
   public async findRoutesByTargetRef(targetId: string): Promise<string[]> {
-    const docs = await StoredRouteDoc.findAll();
+    const docs = await RouteDoc.findAll();
     return docs
       .filter((doc) => doc.metadata?.networkTargetRef === targetId)
       .map((doc) => doc.id);
   }
 
-  public findRoutesByProfileRefSync(profileId: string, storedRoutes: Map<string, IStoredRoute>): string[] {
+  public findRoutesByProfileRefSync(profileId: string, storedRoutes: Map<string, IRoute>): string[] {
     const ids: string[] = [];
     for (const [routeId, stored] of storedRoutes) {
       if (stored.metadata?.sourceProfileRef === profileId) {
@@ -357,7 +357,7 @@ export class ReferenceResolver {
     return ids;
   }
 
-  public findRoutesByTargetRefSync(targetId: string, storedRoutes: Map<string, IStoredRoute>): string[] {
+  public findRoutesByTargetRefSync(targetId: string, storedRoutes: Map<string, IRoute>): string[] {
     const ids: string[] = [];
     for (const [routeId, stored] of storedRoutes) {
       if (stored.metadata?.networkTargetRef === targetId) {
@@ -547,7 +547,7 @@ export class ReferenceResolver {
 
   private async clearProfileRefsOnRoutes(routeIds: string[]): Promise<void> {
     for (const routeId of routeIds) {
-      const doc = await StoredRouteDoc.findById(routeId);
+      const doc = await RouteDoc.findById(routeId);
       if (doc?.metadata) {
         doc.metadata = {
           ...doc.metadata,
@@ -562,7 +562,7 @@ export class ReferenceResolver {
 
   private async clearTargetRefsOnRoutes(routeIds: string[]): Promise<void> {
     for (const routeId of routeIds) {
-      const doc = await StoredRouteDoc.findById(routeId);
+      const doc = await RouteDoc.findById(routeId);
       if (doc?.metadata) {
         doc.metadata = {
           ...doc.metadata,

ts/config/classes.route-config-manager.ts

@@ -1,9 +1,8 @@
 import * as plugins from '../plugins.js';
 import { logger } from '../logger.js';
-import { StoredRouteDoc, RouteOverrideDoc } from '../db/index.js';
+import { RouteDoc } from '../db/index.js';
 import type {
-  IStoredRoute,
-  IRouteOverride,
+  IRoute,
   IMergedRoute,
   IRouteWarning,
   IRouteMetadata,
@@ -46,66 +45,58 @@ class RouteUpdateMutex {
 }
 
 export class RouteConfigManager {
-  private storedRoutes = new Map<string, IStoredRoute>();
-  private overrides = new Map<string, IRouteOverride>();
+  private routes = new Map<string, IRoute>();
   private warnings: IRouteWarning[] = [];
   private routeUpdateMutex = new RouteUpdateMutex();
 
   constructor(
-    private getHardcodedRoutes: () => plugins.smartproxy.IRouteConfig[],
     private getSmartProxy: () => plugins.smartproxy.SmartProxy | undefined,
     private getHttp3Config?: () => IHttp3Config | undefined,
     private getVpnClientIpsForRoute?: (route: IDcRouterRouteConfig, routeId?: string) => TIpAllowEntry[],
     private referenceResolver?: ReferenceResolver,
     private onRoutesApplied?: (routes: plugins.smartproxy.IRouteConfig[]) => void,
+    private getRuntimeRoutes?: () => plugins.smartproxy.IRouteConfig[],
   ) {}
 
-  /** Expose stored routes map for reference resolution lookups. */
-  public getStoredRoutes(): Map<string, IStoredRoute> {
-    return this.storedRoutes;
+  /** Expose routes map for reference resolution lookups. */
+  public getRoutes(): Map<string, IRoute> {
+    return this.routes;
   }
 
   /**
-   * Load persisted routes and overrides, compute warnings, apply to SmartProxy.
+   * Load persisted routes, seed serializable config/email/dns routes,
+   * compute warnings, and apply the combined DB-backed + runtime route set to SmartProxy.
    */
-  public async initialize(): Promise<void> {
-    await this.loadStoredRoutes();
-    await this.loadOverrides();
+  public async initialize(
+    configRoutes: IDcRouterRouteConfig[] = [],
+    emailRoutes: IDcRouterRouteConfig[] = [],
+    dnsRoutes: IDcRouterRouteConfig[] = [],
+  ): Promise<void> {
+    await this.loadRoutes();
+    await this.seedRoutes(configRoutes, 'config');
+    await this.seedRoutes(emailRoutes, 'email');
+    await this.seedRoutes(dnsRoutes, 'dns');
     this.computeWarnings();
     this.logWarnings();
     await this.applyRoutes();
   }
 
   // =========================================================================
-  // Merged view
+  // Route listing
   // =========================================================================
 
   public getMergedRoutes(): { routes: IMergedRoute[]; warnings: IRouteWarning[] } {
     const merged: IMergedRoute[] = [];
 
-    // Hardcoded routes
-    for (const route of this.getHardcodedRoutes()) {
-      const name = route.name || '';
-      const override = this.overrides.get(name);
+    for (const route of this.routes.values()) {
       merged.push({
-        route,
-        source: 'hardcoded',
-        enabled: override ? override.enabled : true,
-        overridden: !!override,
-      });
-    }
-
-    // Programmatic routes
-    for (const stored of this.storedRoutes.values()) {
-      merged.push({
-        route: stored.route,
-        source: 'programmatic',
-        enabled: stored.enabled,
-        overridden: false,
-        storedRouteId: stored.id,
-        createdAt: stored.createdAt,
-        updatedAt: stored.updatedAt,
-        metadata: stored.metadata,
+        route: route.route,
+        id: route.id,
+        enabled: route.enabled,
+        origin: route.origin,
+        createdAt: route.createdAt,
+        updatedAt: route.updatedAt,
+        metadata: route.metadata,
       });
     }
 
@@ -113,7 +104,7 @@ export class RouteConfigManager {
   }
 
   // =========================================================================
-  // Programmatic route CRUD
+  // Route CRUD
   // =========================================================================
 
   public async createRoute(
@@ -127,7 +118,7 @@ export class RouteConfigManager {
 
     // Ensure route has a name
     if (!route.name) {
-      route.name = `programmatic-${id.slice(0, 8)}`;
+      route.name = `route-${id.slice(0, 8)}`;
     }
 
     // Resolve references if metadata has refs and resolver is available
@@ -138,17 +129,18 @@ export class RouteConfigManager {
       resolvedMetadata = resolved.metadata;
     }
 
-    const stored: IStoredRoute = {
+    const stored: IRoute = {
       id,
       route,
       enabled,
       createdAt: now,
       updatedAt: now,
       createdBy,
+      origin: 'api',
       metadata: resolvedMetadata,
     };
 
-    this.storedRoutes.set(id, stored);
+    this.routes.set(id, stored);
     await this.persistRoute(stored);
     await this.applyRoutes();
     return id;
@@ -162,7 +154,7 @@ export class RouteConfigManager {
       metadata?: Partial<IRouteMetadata>;
     },
   ): Promise<boolean> {
-    const stored = this.storedRoutes.get(id);
+    const stored = this.routes.get(id);
     if (!stored) return false;
 
     if (patch.route) {
@@ -201,9 +193,9 @@ export class RouteConfigManager {
   }
 
   public async deleteRoute(id: string): Promise<boolean> {
-    if (!this.storedRoutes.has(id)) return false;
-    this.storedRoutes.delete(id);
-    const doc = await StoredRouteDoc.findById(id);
+    if (!this.routes.has(id)) return false;
+    this.routes.delete(id);
+    const doc = await RouteDoc.findById(id);
     if (doc) await doc.delete();
     await this.applyRoutes();
     return true;
@@ -214,103 +206,141 @@ export class RouteConfigManager {
   }
 
   // =========================================================================
-  // Hardcoded route overrides
+  // Private: seed routes from constructor config
   // =========================================================================
 
-  public async setOverride(routeName: string, enabled: boolean, updatedBy: string): Promise<void> {
-    const override: IRouteOverride = {
-      routeName,
-      enabled,
-      updatedAt: Date.now(),
-      updatedBy,
-    };
-    this.overrides.set(routeName, override);
-    const existingDoc = await RouteOverrideDoc.findByRouteName(routeName);
-    if (existingDoc) {
-      existingDoc.enabled = override.enabled;
-      existingDoc.updatedAt = override.updatedAt;
-      existingDoc.updatedBy = override.updatedBy;
-      await existingDoc.save();
-    } else {
-      const doc = new RouteOverrideDoc();
-      doc.routeName = override.routeName;
-      doc.enabled = override.enabled;
-      doc.updatedAt = override.updatedAt;
-      doc.updatedBy = override.updatedBy;
-      await doc.save();
-    }
-    this.computeWarnings();
-    await this.applyRoutes();
-  }
+  /**
+   * Upsert seed routes by name+origin. Preserves user's `enabled` state.
+   * Deletes stale DB routes whose origin matches but name is not in the seed set.
+   */
+  private async seedRoutes(
+    seedRoutes: IDcRouterRouteConfig[],
+    origin: 'config' | 'email' | 'dns',
+  ): Promise<void> {
+    if (seedRoutes.length === 0) return;
 
-  public async removeOverride(routeName: string): Promise<boolean> {
-    if (!this.overrides.has(routeName)) return false;
-    this.overrides.delete(routeName);
-    const doc = await RouteOverrideDoc.findByRouteName(routeName);
-    if (doc) await doc.delete();
-    this.computeWarnings();
-    await this.applyRoutes();
-    return true;
+    const seedNames = new Set<string>();
+    let seeded = 0;
+    let updated = 0;
+
+    for (const route of seedRoutes) {
+      const name = route.name || '';
+      seedNames.add(name);
+
+      // Check if a route with this name+origin already exists in memory
+      let existingId: string | undefined;
+      for (const [id, r] of this.routes) {
+        if (r.origin === origin && r.route.name === name) {
+          existingId = id;
+          break;
+        }
+      }
+
+      if (existingId) {
+        // Update route config but preserve enabled state
+        const existing = this.routes.get(existingId)!;
+        existing.route = route;
+        existing.updatedAt = Date.now();
+        await this.persistRoute(existing);
+        updated++;
+      } else {
+        // Insert new seed route
+        const id = plugins.uuid.v4();
+        const now = Date.now();
+        const newRoute: IRoute = {
+          id,
+          route,
+          enabled: true,
+          createdAt: now,
+          updatedAt: now,
+          createdBy: 'system',
+          origin,
+        };
+        this.routes.set(id, newRoute);
+        await this.persistRoute(newRoute);
+        seeded++;
+      }
+    }
+
+    // Delete stale routes: same origin but name not in current seed set
+    const staleIds: string[] = [];
+    for (const [id, r] of this.routes) {
+      if (r.origin === origin && !seedNames.has(r.route.name || '')) {
+        staleIds.push(id);
+      }
+    }
+    for (const id of staleIds) {
+      this.routes.delete(id);
+      const doc = await RouteDoc.findById(id);
+      if (doc) await doc.delete();
+    }
+
+    if (seeded > 0 || updated > 0 || staleIds.length > 0) {
+      logger.log('info', `Seed routes (${origin}): ${seeded} new, ${updated} updated, ${staleIds.length} stale removed`);
+    }
   }
 
   // =========================================================================
   // Private: persistence
   // =========================================================================
 
-  private async loadStoredRoutes(): Promise<void> {
-    const docs = await StoredRouteDoc.findAll();
+  private async loadRoutes(): Promise<void> {
+    const docs = await RouteDoc.findAll();
+    let prunedRuntimeRoutes = 0;
+
     for (const doc of docs) {
-      if (doc.id) {
-        this.storedRoutes.set(doc.id, {
-          id: doc.id,
-          route: doc.route,
-          enabled: doc.enabled,
-          createdAt: doc.createdAt,
-          updatedAt: doc.updatedAt,
-          createdBy: doc.createdBy,
-          metadata: doc.metadata,
-        });
+      if (!doc.id) continue;
+
+      const storedRoute: IRoute = {
+        id: doc.id,
+        route: doc.route,
+        enabled: doc.enabled,
+        createdAt: doc.createdAt,
+        updatedAt: doc.updatedAt,
+        createdBy: doc.createdBy,
+        origin: doc.origin || 'api',
+        metadata: doc.metadata,
+      };
+
+      if (this.isPersistedRuntimeRoute(storedRoute)) {
+        await doc.delete();
+        prunedRuntimeRoutes++;
+        logger.log(
+          'warn',
+          `Removed persisted runtime-only route '${storedRoute.route.name || storedRoute.id}' (${storedRoute.id}) from RouteDoc`,
+        );
+        continue;
       }
+
+      this.routes.set(doc.id, storedRoute);
     }
-    if (this.storedRoutes.size > 0) {
-      logger.log('info', `Loaded ${this.storedRoutes.size} programmatic route(s) from storage`);
+    if (this.routes.size > 0) {
+      logger.log('info', `Loaded ${this.routes.size} route(s) from database`);
+    }
+    if (prunedRuntimeRoutes > 0) {
+      logger.log('info', `Pruned ${prunedRuntimeRoutes} persisted runtime-only route(s) from RouteDoc`);
     }
   }
 
-  private async loadOverrides(): Promise<void> {
-    const docs = await RouteOverrideDoc.findAll();
-    for (const doc of docs) {
-      if (doc.routeName) {
-        this.overrides.set(doc.routeName, {
-          routeName: doc.routeName,
-          enabled: doc.enabled,
-          updatedAt: doc.updatedAt,
-          updatedBy: doc.updatedBy,
-        });
-      }
-    }
-    if (this.overrides.size > 0) {
-      logger.log('info', `Loaded ${this.overrides.size} route override(s) from storage`);
-    }
-  }
-
-  private async persistRoute(stored: IStoredRoute): Promise<void> {
-    const existingDoc = await StoredRouteDoc.findById(stored.id);
+  private async persistRoute(stored: IRoute): Promise<void> {
+    const existingDoc = await RouteDoc.findById(stored.id);
     if (existingDoc) {
       existingDoc.route = stored.route;
       existingDoc.enabled = stored.enabled;
       existingDoc.updatedAt = stored.updatedAt;
       existingDoc.createdBy = stored.createdBy;
+      existingDoc.origin = stored.origin;
       existingDoc.metadata = stored.metadata;
       await existingDoc.save();
     } else {
-      const doc = new StoredRouteDoc();
+      const doc = new RouteDoc();
       doc.id = stored.id;
       doc.route = stored.route;
       doc.enabled = stored.enabled;
       doc.createdAt = stored.createdAt;
       doc.updatedAt = stored.updatedAt;
       doc.createdBy = stored.createdBy;
+      doc.origin = stored.origin;
       doc.metadata = stored.metadata;
       await doc.save();
     }
@@ -322,33 +352,14 @@ export class RouteConfigManager {
 
   private computeWarnings(): void {
     this.warnings = [];
-    const hardcodedNames = new Set(this.getHardcodedRoutes().map((r) => r.name || ''));
 
-    // Check overrides
-    for (const [routeName, override] of this.overrides) {
-      if (!hardcodedNames.has(routeName)) {
+    for (const route of this.routes.values()) {
+      if (!route.enabled) {
+        const name = route.route.name || route.id;
         this.warnings.push({
-          type: 'orphaned-override',
-          routeName,
-          message: `Orphaned override for route '${routeName}' — hardcoded route no longer exists`,
-        });
-      } else if (!override.enabled) {
-        this.warnings.push({
-          type: 'disabled-hardcoded',
-          routeName,
-          message: `Route '${routeName}' is disabled via API override`,
-        });
-      }
-    }
-
-    // Check disabled programmatic routes
-    for (const stored of this.storedRoutes.values()) {
-      if (!stored.enabled) {
-        const name = stored.route.name || stored.id;
-        this.warnings.push({
-          type: 'disabled-programmatic',
+          type: 'disabled-route',
           routeName: name,
-          message: `Programmatic route '${name}' (id: ${stored.id}) is disabled`,
+          message: `Route '${name}' (id: ${route.id}) is disabled`,
         });
       }
     }
@@ -372,7 +383,7 @@ export class RouteConfigManager {
     if (!this.referenceResolver || routeIds.length === 0) return;
 
     for (const routeId of routeIds) {
-      const stored = this.storedRoutes.get(routeId);
+      const stored = this.routes.get(routeId);
       if (!stored?.metadata) continue;
 
       const resolved = this.referenceResolver.resolveRoute(stored.route, stored.metadata);
@@ -387,7 +398,7 @@ export class RouteConfigManager {
   }
 
   // =========================================================================
-  // Private: apply merged routes to SmartProxy
+  // Apply routes to SmartProxy
   // =========================================================================
 
   public async applyRoutes(): Promise<void> {
@@ -397,54 +408,69 @@ export class RouteConfigManager {
 
       const enabledRoutes: plugins.smartproxy.IRouteConfig[] = [];
 
-      const http3Config = this.getHttp3Config?.();
-      const vpnCallback = this.getVpnClientIpsForRoute;
-
-      // Helper: inject VPN security into a vpnOnly route
-      const injectVpn = (route: plugins.smartproxy.IRouteConfig, routeId?: string): plugins.smartproxy.IRouteConfig => {
-        if (!vpnCallback) return route;
-        const dcRoute = route as IDcRouterRouteConfig;
-        if (!dcRoute.vpnOnly) return route;
-        const vpnEntries = vpnCallback(dcRoute, routeId);
-        const existingEntries = route.security?.ipAllowList || [];
-        return {
-          ...route,
-          security: {
-            ...route.security,
-            ipAllowList: [...existingEntries, ...vpnEntries],
-          },
-        };
-      };
-
-      // Add enabled hardcoded routes (respecting overrides, with fresh VPN injection)
-      for (const route of this.getHardcodedRoutes()) {
-        const name = route.name || '';
-        const override = this.overrides.get(name);
-        if (override && !override.enabled) {
-          continue; // Skip disabled hardcoded route
+      // Add all enabled routes with HTTP/3 and VPN augmentation
+      for (const route of this.routes.values()) {
+        if (route.enabled) {
+          enabledRoutes.push(this.prepareRouteForApply(route.route, route.id));
         }
-        enabledRoutes.push(injectVpn(route));
       }
 
-      // Add enabled programmatic routes (with HTTP/3 and VPN augmentation)
-      for (const stored of this.storedRoutes.values()) {
-        if (stored.enabled) {
-          let route = stored.route;
-          if (http3Config?.enabled !== false) {
-            route = augmentRouteWithHttp3(route, { enabled: true, ...http3Config });
-          }
-          enabledRoutes.push(injectVpn(route, stored.id));
-        }
+      const runtimeRoutes = this.getRuntimeRoutes?.() || [];
+      for (const route of runtimeRoutes) {
+        enabledRoutes.push(this.prepareRouteForApply(route));
       }
 
       await smartProxy.updateRoutes(enabledRoutes);
 
-      // Notify listeners (e.g. RemoteIngressManager) of the merged route set
+      // Notify listeners (e.g. RemoteIngressManager) of the route set
       if (this.onRoutesApplied) {
         this.onRoutesApplied(enabledRoutes);
       }
 
-      logger.log('info', `Applied ${enabledRoutes.length} routes to SmartProxy (${this.storedRoutes.size} programmatic, ${this.overrides.size} overrides)`);
+      logger.log('info', `Applied ${enabledRoutes.length} routes to SmartProxy (${this.routes.size} total)`);
     });
   }
+
+  private prepareRouteForApply(
+    route: plugins.smartproxy.IRouteConfig,
+    routeId?: string,
+  ): plugins.smartproxy.IRouteConfig {
+    let preparedRoute = route;
+    const http3Config = this.getHttp3Config?.();
+
+    if (http3Config?.enabled !== false) {
+      preparedRoute = augmentRouteWithHttp3(preparedRoute, { enabled: true, ...http3Config });
+    }
+
+    return this.injectVpnSecurity(preparedRoute, routeId);
+  }
+
+  private injectVpnSecurity(
+    route: plugins.smartproxy.IRouteConfig,
+    routeId?: string,
+  ): plugins.smartproxy.IRouteConfig {
+    const vpnCallback = this.getVpnClientIpsForRoute;
+    if (!vpnCallback) return route;
+
+    const dcRoute = route as IDcRouterRouteConfig;
+    if (!dcRoute.vpnOnly) return route;
+
+    const vpnEntries = vpnCallback(dcRoute, routeId);
+    const existingEntries = route.security?.ipAllowList || [];
+    return {
+      ...route,
+      security: {
+        ...route.security,
+        ipAllowList: [...existingEntries, ...vpnEntries],
+      },
+    };
+  }
+
+  private isPersistedRuntimeRoute(storedRoute: IRoute): boolean {
+    const routeName = storedRoute.route.name || '';
+    const actionType = storedRoute.route.action?.type;
+
+    return (routeName.startsWith('dns-over-https-') && actionType === 'socket-handler')
+      || (storedRoute.origin === 'dns' && actionType === 'socket-handler');
+  }
 }

ts/config/classes.target-profile-manager.ts

@@ -3,7 +3,7 @@ import { logger } from '../logger.js';
 import { TargetProfileDoc, VpnClientDoc } from '../db/index.js';
 import type { ITargetProfile, ITargetProfileTarget } from '../../ts_interfaces/data/target-profile.js';
 import type { IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
-import type { IStoredRoute } from '../../ts_interfaces/data/route-management.js';
+import type { IRoute } from '../../ts_interfaces/data/route-management.js';
 
 /**
  * Manages TargetProfiles (target-side: what can be accessed).
@@ -13,6 +13,10 @@ import type { IStoredRoute } from '../../ts_interfaces/data/route-management.js'
 export class TargetProfileManager {
   private profiles = new Map<string, ITargetProfile>();
 
+  constructor(
+    private getAllRoutes?: () => Map<string, IRoute>,
+  ) {}
+
   // =========================================================================
   // Lifecycle
   // =========================================================================
@@ -43,13 +47,14 @@ export class TargetProfileManager {
     const id = plugins.uuid.v4();
     const now = Date.now();
 
+    const routeRefs = this.normalizeRouteRefs(data.routeRefs);
     const profile: ITargetProfile = {
       id,
       name: data.name,
       description: data.description,
       domains: data.domains,
       targets: data.targets,
-      routeRefs: data.routeRefs,
+      routeRefs,
       createdAt: now,
       updatedAt: now,
       createdBy: data.createdBy,
@@ -70,11 +75,19 @@ export class TargetProfileManager {
       throw new Error(`Target profile '${id}' not found`);
     }
 
+    if (patch.name !== undefined && patch.name !== profile.name) {
+      for (const existing of this.profiles.values()) {
+        if (existing.id !== id && existing.name === patch.name) {
+          throw new Error(`Target profile with name '${patch.name}' already exists (id: ${existing.id})`);
+        }
+      }
+    }
+
     if (patch.name !== undefined) profile.name = patch.name;
     if (patch.description !== undefined) profile.description = patch.description;
     if (patch.domains !== undefined) profile.domains = patch.domains;
     if (patch.targets !== undefined) profile.targets = patch.targets;
-    if (patch.routeRefs !== undefined) profile.routeRefs = patch.routeRefs;
+    if (patch.routeRefs !== undefined) profile.routeRefs = this.normalizeRouteRefs(patch.routeRefs);
     profile.updatedAt = Date.now();
 
     await this.persistProfile(profile);
@@ -127,6 +140,29 @@ export class TargetProfileManager {
     return this.profiles.get(id);
   }
 
+  /**
+   * Normalize stored route references to route IDs when they can be resolved
+   * uniquely against the current route registry.
+   */
+  public async normalizeAllRouteRefs(): Promise<void> {
+    const allRoutes = this.getAllRoutes?.();
+    if (!allRoutes?.size) return;
+
+    for (const profile of this.profiles.values()) {
+      const normalizedRouteRefs = this.normalizeRouteRefsAgainstRoutes(
+        profile.routeRefs,
+        allRoutes,
+        'bestEffort',
+      );
+      if (this.sameStringArray(profile.routeRefs, normalizedRouteRefs)) continue;
+
+      profile.routeRefs = normalizedRouteRefs;
+      profile.updatedAt = Date.now();
+      await this.persistProfile(profile);
+      logger.log('info', `Normalized route refs for target profile '${profile.name}' (${profile.id})`);
+    }
+  }
+
   public listProfiles(): ITargetProfile[] {
     return [...this.profiles.values()];
   }
@@ -178,9 +214,11 @@ export class TargetProfileManager {
     route: IDcRouterRouteConfig,
     routeId: string | undefined,
     clients: VpnClientDoc[],
+    allRoutes: Map<string, IRoute> = new Map(),
   ): Array<string | { ip: string; domains: string[] }> {
     const entries: Array<string | { ip: string; domains: string[] }> = [];
     const routeDomains: string[] = (route.match as any)?.domains || [];
+    const routeNameIndex = this.buildRouteNameIndex(allRoutes);
 
     for (const client of clients) {
       if (!client.enabled || !client.assignedIp) continue;
@@ -194,7 +232,13 @@ export class TargetProfileManager {
         const profile = this.profiles.get(profileId);
         if (!profile) continue;
 
-        const matchResult = this.routeMatchesProfileDetailed(route, routeId, profile, routeDomains);
+        const matchResult = this.routeMatchesProfileDetailed(
+          route,
+          routeId,
+          profile,
+          routeDomains,
+          routeNameIndex,
+        );
         if (matchResult === 'full') {
           fullAccess = true;
           break; // No need to check more profiles
@@ -220,11 +264,11 @@ export class TargetProfileManager {
    */
   public getClientAccessSpec(
     targetProfileIds: string[],
-    allRoutes: IDcRouterRouteConfig[],
-    storedRoutes: Map<string, IStoredRoute>,
+    allRoutes: Map<string, IRoute>,
   ): { domains: string[]; targetIps: string[] } {
     const domains = new Set<string>();
     const targetIps = new Set<string>();
+    const routeNameIndex = this.buildRouteNameIndex(allRoutes);
 
     // Collect all access specifiers from assigned profiles
     for (const profileId of targetProfileIds) {
@@ -245,23 +289,16 @@ export class TargetProfileManager {
         }
       }
 
-      // Route references: scan constructor routes
-      for (const route of allRoutes) {
-        if (this.routeMatchesProfile(route as IDcRouterRouteConfig, undefined, profile)) {
-          const routeDomains = (route.match as any)?.domains;
-          if (Array.isArray(routeDomains)) {
-            for (const d of routeDomains) {
-              domains.add(d);
-            }
-          }
-        }
-      }
-
-      // Route references: scan stored routes
-      for (const [storedId, stored] of storedRoutes) {
-        if (!stored.enabled) continue;
-        if (this.routeMatchesProfile(stored.route as IDcRouterRouteConfig, storedId, profile)) {
-          const routeDomains = (stored.route.match as any)?.domains;
+      // Route references: scan all routes
+      for (const [routeId, route] of allRoutes) {
+        if (!route.enabled) continue;
+        if (this.routeMatchesProfile(
+          route.route as IDcRouterRouteConfig,
+          routeId,
+          profile,
+          routeNameIndex,
+        )) {
+          const routeDomains = (route.route.match as any)?.domains;
           if (Array.isArray(routeDomains)) {
             for (const d of routeDomains) {
               domains.add(d);
@@ -288,9 +325,16 @@ export class TargetProfileManager {
     route: IDcRouterRouteConfig,
     routeId: string | undefined,
     profile: ITargetProfile,
+    routeNameIndex: Map<string, string[]>,
   ): boolean {
     const routeDomains: string[] = (route.match as any)?.domains || [];
-    const result = this.routeMatchesProfileDetailed(route, routeId, profile, routeDomains);
+    const result = this.routeMatchesProfileDetailed(
+      route,
+      routeId,
+      profile,
+      routeDomains,
+      routeNameIndex,
+    );
     return result !== 'none';
   }
 
@@ -307,11 +351,17 @@ export class TargetProfileManager {
     routeId: string | undefined,
     profile: ITargetProfile,
     routeDomains: string[],
+    routeNameIndex: Map<string, string[]>,
   ): 'full' | { type: 'scoped'; domains: string[] } | 'none' {
     // 1. Route reference match → full access
     if (profile.routeRefs?.length) {
       if (routeId && profile.routeRefs.includes(routeId)) return 'full';
-      if (route.name && profile.routeRefs.includes(route.name)) return 'full';
+      if (routeId && route.name && profile.routeRefs.includes(route.name)) {
+        const matchingRouteIds = routeNameIndex.get(route.name) || [];
+        if (matchingRouteIds.length === 1 && matchingRouteIds[0] === routeId) {
+          return 'full';
+        }
+      }
     }
 
     // 2. Domain match
@@ -375,6 +425,66 @@ export class TargetProfileManager {
     return false;
   }
 
+  private normalizeRouteRefs(routeRefs?: string[]): string[] | undefined {
+    const allRoutes = this.getAllRoutes?.() || new Map<string, IRoute>();
+    return this.normalizeRouteRefsAgainstRoutes(routeRefs, allRoutes, 'strict');
+  }
+
+  private normalizeRouteRefsAgainstRoutes(
+    routeRefs: string[] | undefined,
+    allRoutes: Map<string, IRoute>,
+    mode: 'strict' | 'bestEffort',
+  ): string[] | undefined {
+    if (!routeRefs?.length) return undefined;
+    if (!allRoutes.size) return [...new Set(routeRefs)];
+
+    const routeNameIndex = this.buildRouteNameIndex(allRoutes);
+    const normalizedRefs = new Set<string>();
+
+    for (const routeRef of routeRefs) {
+      if (allRoutes.has(routeRef)) {
+        normalizedRefs.add(routeRef);
+        continue;
+      }
+
+      const matchingRouteIds = routeNameIndex.get(routeRef) || [];
+      if (matchingRouteIds.length === 1) {
+        normalizedRefs.add(matchingRouteIds[0]);
+        continue;
+      }
+
+      if (mode === 'bestEffort') {
+        normalizedRefs.add(routeRef);
+        continue;
+      }
+
+      if (matchingRouteIds.length > 1) {
+        throw new Error(`Route reference '${routeRef}' is ambiguous; use a route ID instead`);
+      }
+      throw new Error(`Route reference '${routeRef}' not found`);
+    }
+
+    return [...normalizedRefs];
+  }
+
+  private buildRouteNameIndex(allRoutes: Map<string, IRoute>): Map<string, string[]> {
+    const routeNameIndex = new Map<string, string[]>();
+    for (const [routeId, route] of allRoutes) {
+      const routeName = route.route.name;
+      if (!routeName) continue;
+      const matchingRouteIds = routeNameIndex.get(routeName) || [];
+      matchingRouteIds.push(routeId);
+      routeNameIndex.set(routeName, matchingRouteIds);
+    }
+    return routeNameIndex;
+  }
+
+  private sameStringArray(left?: string[], right?: string[]): boolean {
+    if (!left?.length && !right?.length) return true;
+    if (!left || !right || left.length !== right.length) return false;
+    return left.every((value, index) => value === right[index]);
+  }
+
   // =========================================================================
   // Private: persistence
   // =========================================================================

ts/db/documents/classes.email-domain.doc.ts

@@ -0,0 +1,56 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+import type {
+  IEmailDomainDkim,
+  IEmailDomainRateLimits,
+  IEmailDomainDnsStatus,
+} from '../../../ts_interfaces/data/email-domain.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class EmailDomainDoc extends plugins.smartdata.SmartDataDbDoc<EmailDomainDoc, EmailDomainDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public id!: string;
+
+  @plugins.smartdata.svDb()
+  public domain: string = '';
+
+  @plugins.smartdata.svDb()
+  public linkedDomainId: string = '';
+
+  @plugins.smartdata.svDb()
+  public subdomain?: string;
+
+  @plugins.smartdata.svDb()
+  public dkim!: IEmailDomainDkim;
+
+  @plugins.smartdata.svDb()
+  public rateLimits?: IEmailDomainRateLimits;
+
+  @plugins.smartdata.svDb()
+  public dnsStatus!: IEmailDomainDnsStatus;
+
+  @plugins.smartdata.svDb()
+  public createdAt!: string;
+
+  @plugins.smartdata.svDb()
+  public updatedAt!: string;
+
+  constructor() {
+    super();
+  }
+
+  public static async findById(id: string): Promise<EmailDomainDoc | null> {
+    return await EmailDomainDoc.getInstance({ id });
+  }
+
+  public static async findByDomain(domain: string): Promise<EmailDomainDoc | null> {
+    return await EmailDomainDoc.getInstance({ domain: domain.toLowerCase() });
+  }
+
+  public static async findAll(): Promise<EmailDomainDoc[]> {
+    return await EmailDomainDoc.getInstances({});
+  }
+}

ts/db/documents/classes.route-override.doc.ts

@@ -1,32 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { DcRouterDb } from '../classes.dcrouter-db.js';
-
-const getDb = () => DcRouterDb.getInstance().getDb();
-
-@plugins.smartdata.Collection(() => getDb())
-export class RouteOverrideDoc extends plugins.smartdata.SmartDataDbDoc<RouteOverrideDoc, RouteOverrideDoc> {
-  @plugins.smartdata.unI()
-  @plugins.smartdata.svDb()
-  public routeName!: string;
-
-  @plugins.smartdata.svDb()
-  public enabled!: boolean;
-
-  @plugins.smartdata.svDb()
-  public updatedAt!: number;
-
-  @plugins.smartdata.svDb()
-  public updatedBy!: string;
-
-  constructor() {
-    super();
-  }
-
-  public static async findByRouteName(routeName: string): Promise<RouteOverrideDoc | null> {
-    return await RouteOverrideDoc.getInstance({ routeName });
-  }
-
-  public static async findAll(): Promise<RouteOverrideDoc[]> {
-    return await RouteOverrideDoc.getInstances({});
-  }
-}

ts/db/documents/classes.route.doc.ts

@@ -6,7 +6,7 @@ import type { IDcRouterRouteConfig } from '../../../ts_interfaces/data/remoteing
 const getDb = () => DcRouterDb.getInstance().getDb();
 
 @plugins.smartdata.Collection(() => getDb())
-export class StoredRouteDoc extends plugins.smartdata.SmartDataDbDoc<StoredRouteDoc, StoredRouteDoc> {
+export class RouteDoc extends plugins.smartdata.SmartDataDbDoc<RouteDoc, RouteDoc> {
   @plugins.smartdata.unI()
   @plugins.smartdata.svDb()
   public id!: string;
@@ -26,6 +26,9 @@ export class StoredRouteDoc extends plugins.smartdata.SmartDataDbDoc<StoredRoute
   @plugins.smartdata.svDb()
   public createdBy!: string;
 
+  @plugins.smartdata.svDb()
+  public origin!: 'config' | 'email' | 'dns' | 'api';
+
   @plugins.smartdata.svDb()
   public metadata?: IRouteMetadata;
 
@@ -33,11 +36,19 @@ export class StoredRouteDoc extends plugins.smartdata.SmartDataDbDoc<StoredRoute
     super();
   }
 
-  public static async findById(id: string): Promise<StoredRouteDoc | null> {
-    return await StoredRouteDoc.getInstance({ id });
+  public static async findById(id: string): Promise<RouteDoc | null> {
+    return await RouteDoc.getInstance({ id });
   }
 
-  public static async findAll(): Promise<StoredRouteDoc[]> {
-    return await StoredRouteDoc.getInstances({});
+  public static async findAll(): Promise<RouteDoc[]> {
+    return await RouteDoc.getInstances({});
+  }
+
+  public static async findByName(name: string): Promise<RouteDoc | null> {
+    return await RouteDoc.getInstance({ 'route.name': name });
+  }
+
+  public static async findByOrigin(origin: 'config' | 'email' | 'dns' | 'api'): Promise<RouteDoc[]> {
+    return await RouteDoc.getInstances({ origin });
   }
 }

ts/db/documents/index.ts

@@ -3,8 +3,7 @@ export * from './classes.cached.email.js';
 export * from './classes.cached.ip.reputation.js';
 
 // Config document classes
-export * from './classes.stored-route.doc.js';
-export * from './classes.route-override.doc.js';
+export * from './classes.route.doc.js';
 export * from './classes.api-token.doc.js';
 export * from './classes.source-profile.doc.js';
 export * from './classes.target-profile.doc.js';
@@ -33,3 +32,6 @@ export * from './classes.dns-record.doc.js';
 
 // ACME configuration (singleton)
 export * from './classes.acme-config.doc.js';
+
+// Email domain management
+export * from './classes.email-domain.doc.js';

ts/dns/manager.dns.ts

@@ -97,8 +97,8 @@ export class DnsManager {
       if (hasLegacyConfig) {
         logger.log(
           'warn',
-          'DnsManager: DB has DomainDoc entries — ignoring legacy dnsScopes/dnsRecords/dnsNsDomains constructor config. ' +
-            'Manage DNS via the Domains UI instead.',
+          'DnsManager: DB has DomainDoc entries — ignoring legacy dnsScopes/dnsRecords constructor config. ' +
+            'dnsNsDomains is still required for nameserver and DoH bootstrap unless that moves into DB-backed config.',
         );
       }
       return;
@@ -296,70 +296,99 @@ export class DnsManager {
   }
 
   /**
-   * True if any cloudflare provider exists in the DB. Used by setupSmartProxy()
-   * to decide whether to wire SmartAcme with a DNS-01 handler.
+   * Find the DomainDoc that covers a given FQDN, regardless of source
+   * (dcrouter-hosted or provider-managed). Uses longest-suffix match.
    */
-  public async hasAcmeCapableProvider(): Promise<boolean> {
-    const providers = await DnsProviderDoc.findAll();
-    return providers.length > 0;
+  public async findDomainForFqdn(fqdn: string): Promise<DomainDoc | null> {
+    const lower = fqdn.toLowerCase().replace(/^\*\./, '').replace(/\.$/, '');
+    const allDomains = await DomainDoc.findAll();
+    // Sort by name length descending for longest-match-wins
+    allDomains.sort((a, b) => b.name.length - a.name.length);
+    for (const domain of allDomains) {
+      if (lower === domain.name || lower.endsWith(`.${domain.name}`)) {
+        return domain;
+      }
+    }
+    return null;
   }
 
   /**
-   * Build an IConvenientDnsProvider that dispatches each ACME challenge to
-   * the right provider client (whichever provider type owns the parent zone),
-   * based on the challenge's hostName. Provider-agnostic — uses the IDnsProviderClient
-   * interface, so any registered provider implementation works.
-   * Returned object plugs directly into smartacme's Dns01Handler.
+   * Delete all DNS records matching a name and type under a domain.
+   * Used for ACME challenge cleanup (may have multiple TXT records at the same name).
+   */
+  public async deleteRecordsByNameAndType(
+    domainId: string,
+    name: string,
+    type: TDnsRecordType,
+  ): Promise<void> {
+    const records = await DnsRecordDoc.findByDomainId(domainId);
+    for (const rec of records) {
+      if (rec.name.toLowerCase() === name.toLowerCase() && rec.type === type) {
+        await this.deleteRecord(rec.id);
+      }
+    }
+  }
+
+  /**
+   * True if any domain is under management (dcrouter-hosted or provider-managed).
+   * Used by setupSmartProxy() to decide whether to wire SmartAcme with a DNS-01 handler.
+   */
+  public async hasAnyManagedDomain(): Promise<boolean> {
+    const domains = await DomainDoc.findAll();
+    return domains.length > 0;
+  }
+
+  /**
+   * Build an IConvenientDnsProvider that routes ACME DNS-01 challenges through
+   * the DnsManager abstraction. Challenges are dispatched via createRecord() /
+   * deleteRecord(), which transparently handle both dcrouter-hosted zones
+   * (embedded DnsServer) and provider-managed zones (e.g. Cloudflare API).
+   *
+   * Only domains under management (with a DomainDoc in DB) are supported —
+   * this acts as the management gate for certificate issuance.
    */
   public buildAcmeConvenientDnsProvider(): plugins.tsclass.network.IConvenientDnsProvider {
     const self = this;
     const adapter = {
       async acmeSetDnsChallenge(dnsChallenge: { hostName: string; challenge: string }) {
-        const client = await self.getProviderClientForDomain(dnsChallenge.hostName);
-        if (!client) {
+        const domainDoc = await self.findDomainForFqdn(dnsChallenge.hostName);
+        if (!domainDoc) {
           throw new Error(
-            `DnsManager: no DNS provider configured for ${dnsChallenge.hostName}. ` +
-              'Add one in the Domains > Providers UI before issuing certificates.',
+            `DnsManager: no managed domain found for ${dnsChallenge.hostName}. ` +
+              'Add the domain in Domains before issuing certificates.',
           );
         }
-        // Clean any leftover challenge records first to avoid duplicates.
+        // Clean leftover challenge records first to avoid duplicates.
         try {
-          const existing = await client.listRecords(dnsChallenge.hostName);
-          for (const r of existing) {
-            if (r.type === 'TXT' && r.name === dnsChallenge.hostName) {
-              await client.deleteRecord(dnsChallenge.hostName, r.providerRecordId).catch(() => {});
-            }
-          }
+          await self.deleteRecordsByNameAndType(domainDoc.id, dnsChallenge.hostName, 'TXT');
         } catch (err: unknown) {
           logger.log('warn', `DnsManager: failed to clean existing TXT for ${dnsChallenge.hostName}: ${(err as Error).message}`);
         }
-        await client.createRecord(dnsChallenge.hostName, {
+        // Create the challenge TXT record via the unified path
+        await self.createRecord({
+          domainId: domainDoc.id,
           name: dnsChallenge.hostName,
           type: 'TXT',
           value: dnsChallenge.challenge,
           ttl: 120,
+          createdBy: 'acme-dns01',
         });
       },
       async acmeRemoveDnsChallenge(dnsChallenge: { hostName: string; challenge: string }) {
-        const client = await self.getProviderClientForDomain(dnsChallenge.hostName);
-        if (!client) {
+        const domainDoc = await self.findDomainForFqdn(dnsChallenge.hostName);
+        if (!domainDoc) {
           // The domain may have been removed; nothing to clean up.
           return;
         }
         try {
-          const existing = await client.listRecords(dnsChallenge.hostName);
-          for (const r of existing) {
-            if (r.type === 'TXT' && r.name === dnsChallenge.hostName) {
-              await client.deleteRecord(dnsChallenge.hostName, r.providerRecordId);
-            }
-          }
+          await self.deleteRecordsByNameAndType(domainDoc.id, dnsChallenge.hostName, 'TXT');
         } catch (err: unknown) {
           logger.log('warn', `DnsManager: failed to remove TXT for ${dnsChallenge.hostName}: ${(err as Error).message}`);
         }
       },
       async isDomainSupported(domain: string): Promise<boolean> {
-        const client = await self.getProviderClientForDomain(domain);
-        return !!client;
+        const domainDoc = await self.findDomainForFqdn(domain);
+        return !!domainDoc;
       },
     };
     return { convenience: adapter } as plugins.tsclass.network.IConvenientDnsProvider;
@@ -642,6 +671,151 @@ export class DnsManager {
     return await DnsRecordDoc.findById(id);
   }
 
+  // ==========================================================================
+  // Domain migration
+  // ==========================================================================
+
+  /**
+   * Migrate a domain between dcrouter-hosted and provider-managed.
+   * Transfers all records to the target and updates domain metadata.
+   */
+  public async migrateDomain(args: {
+    id: string;
+    targetSource: 'dcrouter' | 'provider';
+    targetProviderId?: string;
+    deleteExistingProviderRecords?: boolean;
+  }): Promise<{ success: boolean; recordsMigrated?: number; message?: string }> {
+    const domain = await DomainDoc.findById(args.id);
+    if (!domain) return { success: false, message: 'Domain not found' };
+
+    if (domain.source === args.targetSource && domain.providerId === args.targetProviderId) {
+      return { success: false, message: 'Domain is already in the target configuration' };
+    }
+
+    const records = await DnsRecordDoc.findByDomainId(domain.id);
+
+    if (args.targetSource === 'provider') {
+      return this.migrateToDnsProvider(domain, records, args.targetProviderId!, args.deleteExistingProviderRecords ?? false);
+    } else {
+      return this.migrateToDcrouter(domain, records);
+    }
+  }
+
+  /**
+   * Migrate domain from dcrouter-hosted (or another provider) to an external DNS provider.
+   */
+  private async migrateToDnsProvider(
+    domain: DomainDoc,
+    records: DnsRecordDoc[],
+    targetProviderId: string,
+    deleteExistingProviderRecords: boolean,
+  ): Promise<{ success: boolean; recordsMigrated?: number; message?: string }> {
+    // Validate the target provider exists
+    const client = await this.getProviderClientById(targetProviderId);
+    if (!client) {
+      return { success: false, message: 'Target DNS provider not found' };
+    }
+
+    // Find the zone at the provider
+    const providerDomains = await client.listDomains();
+    const zone = providerDomains.find(
+      (z) => z.name.toLowerCase() === domain.name.toLowerCase(),
+    );
+    if (!zone) {
+      return { success: false, message: `Zone "${domain.name}" not found at the target provider` };
+    }
+
+    // Optionally delete existing records at the provider
+    if (deleteExistingProviderRecords) {
+      try {
+        const existingProviderRecords = await client.listRecords(domain.name);
+        for (const pr of existingProviderRecords) {
+          await client.deleteRecord(domain.name, pr.providerRecordId).catch(() => {});
+        }
+        logger.log('info', `Deleted ${existingProviderRecords.length} existing records at provider for ${domain.name}`);
+      } catch (err: unknown) {
+        logger.log('warn', `Failed to clean existing provider records for ${domain.name}: ${(err as Error).message}`);
+      }
+    }
+
+    // Push each local record to the provider
+    let migrated = 0;
+    for (const rec of records) {
+      try {
+        const providerRecord = await client.createRecord(domain.name, {
+          name: rec.name,
+          type: rec.type as any,
+          value: rec.value,
+          ttl: rec.ttl,
+        });
+        // Unregister from embedded DnsServer if it was dcrouter-hosted
+        if (domain.source === 'dcrouter') {
+          this.unregisterRecordFromDnsServer(rec);
+        }
+        // Update the record doc to synced
+        rec.source = 'synced' as TDnsRecordSource;
+        rec.providerRecordId = providerRecord.providerRecordId;
+        await rec.save();
+        migrated++;
+      } catch (err: unknown) {
+        logger.log('warn', `Failed to migrate record ${rec.name} ${rec.type} to provider: ${(err as Error).message}`);
+      }
+    }
+
+    // Update domain metadata
+    domain.source = 'provider';
+    domain.authoritative = false;
+    domain.providerId = targetProviderId;
+    domain.externalZoneId = zone.externalId;
+    domain.nameservers = zone.nameservers;
+    domain.lastSyncedAt = Date.now();
+    domain.updatedAt = Date.now();
+    await domain.save();
+
+    logger.log('info', `Domain ${domain.name} migrated to provider (${migrated} records)`);
+    return { success: true, recordsMigrated: migrated };
+  }
+
+  /**
+   * Migrate domain from provider-managed to dcrouter-hosted (authoritative).
+   */
+  private async migrateToDcrouter(
+    domain: DomainDoc,
+    records: DnsRecordDoc[],
+  ): Promise<{ success: boolean; recordsMigrated?: number; message?: string }> {
+    // Register each record with the embedded DnsServer
+    let migrated = 0;
+    for (const rec of records) {
+      try {
+        this.registerRecordWithDnsServer(rec);
+        // Update the record doc to local
+        rec.source = 'local' as TDnsRecordSource;
+        rec.providerRecordId = undefined;
+        await rec.save();
+        migrated++;
+      } catch (err: unknown) {
+        logger.log('warn', `Failed to register record ${rec.name} ${rec.type} with DnsServer: ${(err as Error).message}`);
+      }
+    }
+
+    // Update domain metadata
+    domain.source = 'dcrouter';
+    domain.authoritative = true;
+    domain.providerId = undefined;
+    domain.externalZoneId = undefined;
+    domain.nameservers = undefined;
+    domain.lastSyncedAt = undefined;
+    domain.updatedAt = Date.now();
+    await domain.save();
+
+    logger.log('info', `Domain ${domain.name} migrated to dcrouter (${migrated} records)`);
+    return { success: true, recordsMigrated: migrated };
+  }
+
+  // ==========================================================================
+  // Record CRUD
+  // ==========================================================================
+
   public async createRecord(args: {
     domainId: string;
     name: string;
@@ -759,14 +933,24 @@ export class DnsManager {
         }
       }
     }
-    // For local records: smartdns has no unregister API in the pinned version,
-    // so the record stays served until the next restart. The DB delete still
-    // takes effect — on restart, the record will not be re-registered.
+    // For dcrouter-hosted records: unregister the handler from the embedded DnsServer
+    // so the record stops being served immediately (not just after restart).
+    if (domain.source === 'dcrouter' && this.dnsServer) {
+      this.unregisterRecordFromDnsServer(doc);
+    }
 
     await doc.delete();
     return { success: true };
   }
 
+  /**
+   * Unregister a record's handler from the embedded DnsServer.
+   */
+  public unregisterRecordFromDnsServer(rec: DnsRecordDoc): void {
+    if (!this.dnsServer) return;
+    this.dnsServer.unregisterHandler(rec.name, [rec.type]);
+  }
+
   // ==========================================================================
   // Internal helpers
   // ==========================================================================

ts/email/classes.email-domain.manager.ts

@@ -0,0 +1,321 @@
+import * as plugins from '../plugins.js';
+import { logger } from '../logger.js';
+import { EmailDomainDoc } from '../db/documents/classes.email-domain.doc.js';
+import { DomainDoc } from '../db/documents/classes.domain.doc.js';
+import { DnsRecordDoc } from '../db/documents/classes.dns-record.doc.js';
+import type { DnsManager } from '../dns/manager.dns.js';
+import type { IEmailDomain, IEmailDnsRecord, TDnsRecordStatus } from '../../ts_interfaces/data/email-domain.js';
+
+/**
+ * EmailDomainManager — orchestrates email domain setup.
+ *
+ * Wires smartmta's DKIMCreator (key generation) with dcrouter's DnsManager
+ * (record creation for dcrouter-hosted and provider-managed zones) to provide
+ * a single entry point for setting up an email domain from A to Z.
+ */
+export class EmailDomainManager {
+  private dcRouter: any; // DcRouter — avoids circular import
+
+  constructor(dcRouterRef: any) {
+    this.dcRouter = dcRouterRef;
+  }
+
+  private get dnsManager(): DnsManager | undefined {
+    return this.dcRouter.dnsManager;
+  }
+
+  private get dkimCreator(): any | undefined {
+    return this.dcRouter.emailServer?.dkimCreator;
+  }
+
+  private get emailHostname(): string {
+    return this.dcRouter.options?.emailConfig?.hostname || this.dcRouter.options?.tls?.domain || 'localhost';
+  }
+
+  // ---------------------------------------------------------------------------
+  // CRUD
+  // ---------------------------------------------------------------------------
+
+  public async getAll(): Promise<IEmailDomain[]> {
+    const docs = await EmailDomainDoc.findAll();
+    return docs.map((d) => this.docToInterface(d));
+  }
+
+  public async getById(id: string): Promise<IEmailDomain | null> {
+    const doc = await EmailDomainDoc.findById(id);
+    return doc ? this.docToInterface(doc) : null;
+  }
+
+  public async createEmailDomain(opts: {
+    linkedDomainId: string;
+    subdomain?: string;
+    dkimSelector?: string;
+    dkimKeySize?: number;
+    rotateKeys?: boolean;
+    rotationIntervalDays?: number;
+  }): Promise<IEmailDomain> {
+    // Resolve the linked DNS domain
+    const domainDoc = await DomainDoc.findById(opts.linkedDomainId);
+    if (!domainDoc) {
+      throw new Error(`DNS domain not found: ${opts.linkedDomainId}`);
+    }
+    const baseDomain = domainDoc.name;
+    const subdomain = opts.subdomain?.trim() || undefined;
+    const domainName = subdomain ? `${subdomain}.${baseDomain}` : baseDomain;
+
+    // Check for duplicates
+    const existing = await EmailDomainDoc.findByDomain(domainName);
+    if (existing) {
+      throw new Error(`Email domain already exists for ${domainName}`);
+    }
+
+    const selector = opts.dkimSelector || 'default';
+    const keySize = opts.dkimKeySize || 2048;
+    const now = new Date().toISOString();
+
+    // Generate DKIM keys
+    let publicKey: string | undefined;
+    if (this.dkimCreator) {
+      try {
+        await this.dkimCreator.handleDKIMKeysForDomain(domainName);
+        const dnsRecord = await this.dkimCreator.getDNSRecordForSelector(domainName, selector);
+        // Extract public key from the DNS record value
+        const match = dnsRecord?.value?.match(/p=([A-Za-z0-9+/=]+)/);
+        publicKey = match ? match[1] : undefined;
+        logger.log('info', `DKIM keys generated for ${domainName} (selector: ${selector})`);
+      } catch (err: unknown) {
+        logger.log('warn', `DKIM key generation failed for ${domainName}: ${(err as Error).message}`);
+      }
+    }
+
+    // Create the document
+    const doc = new EmailDomainDoc();
+    doc.id = plugins.smartunique.shortId();
+    doc.domain = domainName.toLowerCase();
+    doc.linkedDomainId = opts.linkedDomainId;
+    doc.subdomain = subdomain;
+    doc.dkim = {
+      selector,
+      keySize,
+      publicKey,
+      rotateKeys: opts.rotateKeys ?? false,
+      rotationIntervalDays: opts.rotationIntervalDays ?? 90,
+    };
+    doc.dnsStatus = {
+      mx: 'unchecked',
+      spf: 'unchecked',
+      dkim: 'unchecked',
+      dmarc: 'unchecked',
+    };
+    doc.createdAt = now;
+    doc.updatedAt = now;
+    await doc.save();
+
+    logger.log('info', `Email domain created: ${domainName}`);
+    return this.docToInterface(doc);
+  }
+
+  public async updateEmailDomain(
+    id: string,
+    changes: {
+      rotateKeys?: boolean;
+      rotationIntervalDays?: number;
+      rateLimits?: IEmailDomain['rateLimits'];
+    },
+  ): Promise<void> {
+    const doc = await EmailDomainDoc.findById(id);
+    if (!doc) throw new Error(`Email domain not found: ${id}`);
+
+    if (changes.rotateKeys !== undefined) doc.dkim.rotateKeys = changes.rotateKeys;
+    if (changes.rotationIntervalDays !== undefined) doc.dkim.rotationIntervalDays = changes.rotationIntervalDays;
+    if (changes.rateLimits !== undefined) doc.rateLimits = changes.rateLimits;
+    doc.updatedAt = new Date().toISOString();
+    await doc.save();
+  }
+
+  public async deleteEmailDomain(id: string): Promise<void> {
+    const doc = await EmailDomainDoc.findById(id);
+    if (!doc) throw new Error(`Email domain not found: ${id}`);
+    await doc.delete();
+    logger.log('info', `Email domain deleted: ${doc.domain}`);
+  }
+
+  // ---------------------------------------------------------------------------
+  // DNS record computation
+  // ---------------------------------------------------------------------------
+
+  /**
+   * Compute the 4 required DNS records for an email domain.
+   */
+  public async getRequiredDnsRecords(id: string): Promise<IEmailDnsRecord[]> {
+    const doc = await EmailDomainDoc.findById(id);
+    if (!doc) throw new Error(`Email domain not found: ${id}`);
+
+    const domain = doc.domain;
+    const selector = doc.dkim.selector;
+    const publicKey = doc.dkim.publicKey || '';
+    const hostname = this.emailHostname;
+
+    const records: IEmailDnsRecord[] = [
+      {
+        type: 'MX',
+        name: domain,
+        value: `10 ${hostname}`,
+        status: doc.dnsStatus.mx,
+      },
+      {
+        type: 'TXT',
+        name: domain,
+        value: 'v=spf1 a mx ~all',
+        status: doc.dnsStatus.spf,
+      },
+      {
+        type: 'TXT',
+        name: `${selector}._domainkey.${domain}`,
+        value: `v=DKIM1; h=sha256; k=rsa; p=${publicKey}`,
+        status: doc.dnsStatus.dkim,
+      },
+      {
+        type: 'TXT',
+        name: `_dmarc.${domain}`,
+        value: `v=DMARC1; p=none; rua=mailto:dmarc@${domain}`,
+        status: doc.dnsStatus.dmarc,
+      },
+    ];
+
+    return records;
+  }
+
+  // ---------------------------------------------------------------------------
+  // DNS provisioning
+  // ---------------------------------------------------------------------------
+
+  /**
+   * Auto-create missing DNS records via the linked domain's DNS path.
+   */
+  public async provisionDnsRecords(id: string): Promise<number> {
+    const doc = await EmailDomainDoc.findById(id);
+    if (!doc) throw new Error(`Email domain not found: ${id}`);
+    if (!this.dnsManager) throw new Error('DnsManager not available');
+
+    const requiredRecords = await this.getRequiredDnsRecords(id);
+    const domainId = doc.linkedDomainId;
+
+    // Get existing DNS records for the linked domain
+    const existingRecords = await DnsRecordDoc.findByDomainId(domainId);
+    let provisioned = 0;
+
+    for (const required of requiredRecords) {
+      // Check if a matching record already exists
+      const exists = existingRecords.some((r) => {
+        if (required.type === 'MX') {
+          return r.type === 'MX' && r.name.toLowerCase() === required.name.toLowerCase();
+        }
+        // For TXT records, match by name AND check value prefix (v=spf1, v=DKIM1, v=DMARC1)
+        if (r.type !== 'TXT' || r.name.toLowerCase() !== required.name.toLowerCase()) return false;
+        if (required.value.startsWith('v=spf1')) return r.value.includes('v=spf1');
+        if (required.value.startsWith('v=DKIM1')) return r.value.includes('v=DKIM1');
+        if (required.value.startsWith('v=DMARC1')) return r.value.includes('v=DMARC1');
+        return false;
+      });
+
+      if (!exists) {
+        try {
+          await this.dnsManager.createRecord({
+            domainId,
+            name: required.name,
+            type: required.type as any,
+            value: required.value,
+            ttl: 3600,
+            createdBy: 'email-domain-manager',
+          });
+          provisioned++;
+          logger.log('info', `Provisioned ${required.type} record for ${required.name}`);
+        } catch (err: unknown) {
+          logger.log('warn', `Failed to provision ${required.type} for ${required.name}: ${(err as Error).message}`);
+        }
+      }
+    }
+
+    // Re-validate after provisioning
+    await this.validateDns(id);
+
+    return provisioned;
+  }
+
+  // ---------------------------------------------------------------------------
+  // DNS validation
+  // ---------------------------------------------------------------------------
+
+  /**
+   * Validate DNS records via live lookups.
+   */
+  public async validateDns(id: string): Promise<IEmailDnsRecord[]> {
+    const doc = await EmailDomainDoc.findById(id);
+    if (!doc) throw new Error(`Email domain not found: ${id}`);
+
+    const domain = doc.domain;
+    const selector = doc.dkim.selector;
+    const resolver = new plugins.dns.promises.Resolver();
+
+    // MX check
+    doc.dnsStatus.mx = await this.checkMx(resolver, domain);
+
+    // SPF check
+    doc.dnsStatus.spf = await this.checkTxtRecord(resolver, domain, 'v=spf1');
+
+    // DKIM check
+    doc.dnsStatus.dkim = await this.checkTxtRecord(resolver, `${selector}._domainkey.${domain}`, 'v=DKIM1');
+
+    // DMARC check
+    doc.dnsStatus.dmarc = await this.checkTxtRecord(resolver, `_dmarc.${domain}`, 'v=DMARC1');
+
+    doc.dnsStatus.lastCheckedAt = new Date().toISOString();
+    doc.updatedAt = new Date().toISOString();
+    await doc.save();
+
+    return this.getRequiredDnsRecords(id);
+  }
+
+  private async checkMx(resolver: plugins.dns.promises.Resolver, domain: string): Promise<TDnsRecordStatus> {
+    try {
+      const records = await resolver.resolveMx(domain);
+      return records && records.length > 0 ? 'valid' : 'missing';
+    } catch {
+      return 'missing';
+    }
+  }
+
+  private async checkTxtRecord(
+    resolver: plugins.dns.promises.Resolver,
+    name: string,
+    prefix: string,
+  ): Promise<TDnsRecordStatus> {
+    try {
+      const records = await resolver.resolveTxt(name);
+      const flat = records.map((r) => r.join(''));
+      const found = flat.some((r) => r.startsWith(prefix));
+      return found ? 'valid' : 'missing';
+    } catch {
+      return 'missing';
+    }
+  }
+
+  // ---------------------------------------------------------------------------
+  // Helpers
+  // ---------------------------------------------------------------------------
+
+  private docToInterface(doc: EmailDomainDoc): IEmailDomain {
+    return {
+      id: doc.id,
+      domain: doc.domain,
+      linkedDomainId: doc.linkedDomainId,
+      subdomain: doc.subdomain,
+      dkim: doc.dkim,
+      rateLimits: doc.rateLimits,
+      dnsStatus: doc.dnsStatus,
+      createdAt: doc.createdAt,
+      updatedAt: doc.updatedAt,
+    };
+  }
+}

ts/email/index.ts

@@ -0,0 +1 @@
+export * from './classes.email-domain.manager.js';

ts/monitoring/classes.metricsmanager.ts

@@ -553,12 +553,14 @@ export class MetricsManager {
           connectionsByIP: new Map<string, number>(),
           throughputRate: { bytesInPerSecond: 0, bytesOutPerSecond: 0 },
           topIPs: [] as Array<{ ip: string; count: number }>,
+          topIPsByBandwidth: [] as Array<{ ip: string; count: number; bwIn: number; bwOut: number }>,
           totalDataTransferred: { bytesIn: 0, bytesOut: 0 },
           throughputHistory: [] as Array<{ timestamp: number; in: number; out: number }>,
           throughputByIP: new Map<string, { in: number; out: number }>(),
           requestsPerSecond: 0,
           requestsTotal: 0,
           backends: [] as Array<any>,
+          domainActivity: [] as Array<{ domain: string; bytesInPerSecond: number; bytesOutPerSecond: number; activeConnections: number; routeCount: number; requestCount: number }>,
         };
       }
 
@@ -572,7 +574,7 @@ export class MetricsManager {
         bytesOutPerSecond: instantThroughput.out
       };
 
-      // Get top IPs
+      // Get top IPs by connection count
       const topIPs = proxyMetrics.connections.topIPs(10);
 
       // Get total data transferred
@@ -699,10 +701,140 @@ export class MetricsManager {
         }
       }
 
+      // Build top 10 IPs by bandwidth (sorted by total throughput desc)
+      const allIPData = new Map<string, { count: number; bwIn: number; bwOut: number }>();
+      for (const [ip, count] of connectionsByIP) {
+        allIPData.set(ip, { count, bwIn: 0, bwOut: 0 });
+      }
+      for (const [ip, tp] of throughputByIP) {
+        const existing = allIPData.get(ip);
+        if (existing) {
+          existing.bwIn = tp.in;
+          existing.bwOut = tp.out;
+        } else {
+          allIPData.set(ip, { count: 0, bwIn: tp.in, bwOut: tp.out });
+        }
+      }
+      const topIPsByBandwidth = Array.from(allIPData.entries())
+        .sort((a, b) => (b[1].bwIn + b[1].bwOut) - (a[1].bwIn + a[1].bwOut))
+        .slice(0, 10)
+        .map(([ip, data]) => ({ ip, count: data.count, bwIn: data.bwIn, bwOut: data.bwOut }));
+
+      // Build domain activity using per-IP domain request counts from Rust engine
+      const connectionsByRoute = proxyMetrics.connections.byRoute();
+      const throughputByRoute = proxyMetrics.throughput.byRoute();
+
+      // Aggregate per-IP domain request counts into per-domain totals
+      const domainRequestTotals = new Map<string, number>();
+      const domainRequestsByIP = proxyMetrics.connections.domainRequestsByIP();
+      for (const [, domainMap] of domainRequestsByIP) {
+        for (const [domain, count] of domainMap) {
+          domainRequestTotals.set(domain, (domainRequestTotals.get(domain) || 0) + count);
+        }
+      }
+
+      // Map route name → domains from route config
+      const routeDomains = new Map<string, string[]>();
+      if (this.dcRouter.smartProxy) {
+        for (const route of this.dcRouter.smartProxy.routeManager.getRoutes()) {
+          if (!route.name || !route.match.domains) continue;
+          const domains = Array.isArray(route.match.domains)
+            ? route.match.domains
+            : [route.match.domains];
+          if (domains.length > 0) {
+            routeDomains.set(route.name, domains);
+          }
+        }
+      }
+
+      // Resolve wildcards using domains seen in request metrics
+      const allKnownDomains = new Set<string>(domainRequestTotals.keys());
+      for (const entry of protocolCache) {
+        if (entry.domain) allKnownDomains.add(entry.domain);
+      }
+
+      // Build reverse map: concrete domain → route name(s)
+      const domainToRoutes = new Map<string, string[]>();
+      for (const [routeName, domains] of routeDomains) {
+        for (const pattern of domains) {
+          if (pattern.includes('*')) {
+            const regex = new RegExp('^' + pattern.replace(/\./g, '\\.').replace(/\*/g, '[^.]+') + '$');
+            for (const knownDomain of allKnownDomains) {
+              if (regex.test(knownDomain)) {
+                const existing = domainToRoutes.get(knownDomain);
+                if (existing) { existing.push(routeName); }
+                else { domainToRoutes.set(knownDomain, [routeName]); }
+              }
+            }
+          } else {
+            const existing = domainToRoutes.get(pattern);
+            if (existing) { existing.push(routeName); }
+            else { domainToRoutes.set(pattern, [routeName]); }
+          }
+        }
+      }
+
+      // For each route, compute the total request count across all its resolved domains
+      // so we can distribute throughput/connections proportionally
+      const routeTotalRequests = new Map<string, number>();
+      for (const [domain, routeNames] of domainToRoutes) {
+        const reqs = domainRequestTotals.get(domain) || 0;
+        for (const routeName of routeNames) {
+          routeTotalRequests.set(routeName, (routeTotalRequests.get(routeName) || 0) + reqs);
+        }
+      }
+
+      // Aggregate metrics per domain using request-count-proportional splitting
+      const domainAgg = new Map<string, {
+        activeConnections: number;
+        bytesInPerSec: number;
+        bytesOutPerSec: number;
+        routeCount: number;
+        requestCount: number;
+      }>();
+
+      for (const [domain, routeNames] of domainToRoutes) {
+        const domainReqs = domainRequestTotals.get(domain) || 0;
+        let totalConns = 0;
+        let totalIn = 0;
+        let totalOut = 0;
+
+        for (const routeName of routeNames) {
+          const conns = connectionsByRoute.get(routeName) || 0;
+          const tp = throughputByRoute.get(routeName) || { in: 0, out: 0 };
+          const routeTotal = routeTotalRequests.get(routeName) || 0;
+
+          const share = routeTotal > 0 ? domainReqs / routeTotal : 0;
+          totalConns += conns * share;
+          totalIn += tp.in * share;
+          totalOut += tp.out * share;
+        }
+
+        domainAgg.set(domain, {
+          activeConnections: Math.round(totalConns),
+          bytesInPerSec: totalIn,
+          bytesOutPerSec: totalOut,
+          routeCount: routeNames.length,
+          requestCount: domainReqs,
+        });
+      }
+
+      const domainActivity = Array.from(domainAgg.entries())
+        .map(([domain, data]) => ({
+          domain,
+          bytesInPerSecond: data.bytesInPerSec,
+          bytesOutPerSecond: data.bytesOutPerSec,
+          activeConnections: data.activeConnections,
+          routeCount: data.routeCount,
+          requestCount: data.requestCount,
+        }))
+        .sort((a, b) => (b.bytesInPerSecond + b.bytesOutPerSecond) - (a.bytesInPerSecond + a.bytesOutPerSecond));
+
       return {
         connectionsByIP,
         throughputRate,
         topIPs,
+        topIPsByBandwidth,
         totalDataTransferred,
         throughputHistory,
         throughputByIP,
@@ -711,6 +843,7 @@ export class MetricsManager {
         backends,
         frontendProtocols,
         backendProtocols,
+        domainActivity,
       };
     }, 1000); // 1s cache — matches typical dashboard poll interval
   }

ts/opsserver/classes.opsserver.ts

@@ -37,6 +37,7 @@ export class OpsServer {
   private domainHandler!: handlers.DomainHandler;
   private dnsRecordHandler!: handlers.DnsRecordHandler;
   private acmeConfigHandler!: handlers.AcmeConfigHandler;
+  private emailDomainHandler!: handlers.EmailDomainHandler;
 
   constructor(dcRouterRefArg: DcRouter) {
     this.dcRouterRef = dcRouterRefArg;
@@ -104,6 +105,7 @@ export class OpsServer {
     this.domainHandler = new handlers.DomainHandler(this);
     this.dnsRecordHandler = new handlers.DnsRecordHandler(this);
     this.acmeConfigHandler = new handlers.AcmeConfigHandler(this);
+    this.emailDomainHandler = new handlers.EmailDomainHandler(this);
 
     console.log('✅ OpsServer TypedRequest handlers initialized');
   }

ts/opsserver/handlers/config.handler.ts

@@ -127,7 +127,7 @@ export class ConfigHandler {
     // (replaces the legacy `dnsChallenge.cloudflareApiKey` constructor field).
     let dnsChallengeEnabled = false;
     try {
-      dnsChallengeEnabled = (await dcRouter.dnsManager?.hasAcmeCapableProvider()) ?? false;
+      dnsChallengeEnabled = (await dcRouter.dnsManager?.hasAnyManagedDomain()) ?? false;
     } catch {
       dnsChallengeEnabled = false;
     }

ts/opsserver/handlers/domain.handler.ts

@@ -157,5 +157,23 @@ export class DomainHandler {
         },
       ),
     );
+
+    // Migrate domain between dcrouter-hosted and provider-managed
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_MigrateDomain>(
+        'migrateDomain',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'domains:write');
+          const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+          if (!dnsManager) return { success: false, message: 'DnsManager not initialized' };
+          return await dnsManager.migrateDomain({
+            id: dataArg.id,
+            targetSource: dataArg.targetSource,
+            targetProviderId: dataArg.targetProviderId,
+            deleteExistingProviderRecords: dataArg.deleteExistingProviderRecords,
+          });
+        },
+      ),
+    );
   }
 }

ts/opsserver/handlers/email-domain.handler.ts

@@ -0,0 +1,195 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+
+/**
+ * CRUD + DNS provisioning handler for email domains.
+ *
+ * Auth: admin JWT or API token with `email-domains:read` / `email-domains:write` scope.
+ */
+export class EmailDomainHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private async requireAuth(
+    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
+    requiredScope?: interfaces.data.TApiTokenScope,
+  ): Promise<string> {
+    if (request.identity?.jwt) {
+      try {
+        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
+          identity: request.identity,
+        });
+        if (isAdmin) return request.identity.userId;
+      } catch { /* fall through */ }
+    }
+
+    if (request.apiToken) {
+      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
+      if (tokenManager) {
+        const token = await tokenManager.validateToken(request.apiToken);
+        if (token) {
+          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
+            return token.createdBy;
+          }
+          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
+        }
+      }
+    }
+
+    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+  }
+
+  private get manager() {
+    return this.opsServerRef.dcRouterRef.emailDomainManager;
+  }
+
+  private registerHandlers(): void {
+    // List all email domains
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetEmailDomains>(
+        'getEmailDomains',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'email-domains:read' as any);
+          if (!this.manager) return { domains: [] };
+          return { domains: await this.manager.getAll() };
+        },
+      ),
+    );
+
+    // Get single email domain
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetEmailDomain>(
+        'getEmailDomain',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'email-domains:read' as any);
+          if (!this.manager) return { domain: null };
+          return { domain: await this.manager.getById(dataArg.id) };
+        },
+      ),
+    );
+
+    // Create email domain
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateEmailDomain>(
+        'createEmailDomain',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'email-domains:write' as any);
+          if (!this.manager) {
+            return { success: false, message: 'EmailDomainManager not initialized' };
+          }
+          try {
+            const domain = await this.manager.createEmailDomain({
+              linkedDomainId: dataArg.linkedDomainId,
+              subdomain: dataArg.subdomain,
+              dkimSelector: dataArg.dkimSelector,
+              dkimKeySize: dataArg.dkimKeySize,
+              rotateKeys: dataArg.rotateKeys,
+              rotationIntervalDays: dataArg.rotationIntervalDays,
+            });
+            return { success: true, domain };
+          } catch (err: unknown) {
+            return { success: false, message: (err as Error).message };
+          }
+        },
+      ),
+    );
+
+    // Update email domain
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateEmailDomain>(
+        'updateEmailDomain',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'email-domains:write' as any);
+          if (!this.manager) {
+            return { success: false, message: 'EmailDomainManager not initialized' };
+          }
+          try {
+            await this.manager.updateEmailDomain(dataArg.id, {
+              rotateKeys: dataArg.rotateKeys,
+              rotationIntervalDays: dataArg.rotationIntervalDays,
+              rateLimits: dataArg.rateLimits,
+            });
+            return { success: true };
+          } catch (err: unknown) {
+            return { success: false, message: (err as Error).message };
+          }
+        },
+      ),
+    );
+
+    // Delete email domain
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteEmailDomain>(
+        'deleteEmailDomain',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'email-domains:write' as any);
+          if (!this.manager) {
+            return { success: false, message: 'EmailDomainManager not initialized' };
+          }
+          try {
+            await this.manager.deleteEmailDomain(dataArg.id);
+            return { success: true };
+          } catch (err: unknown) {
+            return { success: false, message: (err as Error).message };
+          }
+        },
+      ),
+    );
+
+    // Validate DNS records
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ValidateEmailDomain>(
+        'validateEmailDomain',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'email-domains:read' as any);
+          if (!this.manager) {
+            return { success: false, message: 'EmailDomainManager not initialized' };
+          }
+          try {
+            const records = await this.manager.validateDns(dataArg.id);
+            const domain = await this.manager.getById(dataArg.id);
+            return { success: true, domain: domain ?? undefined, records };
+          } catch (err: unknown) {
+            return { success: false, message: (err as Error).message };
+          }
+        },
+      ),
+    );
+
+    // Get required DNS records
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetEmailDomainDnsRecords>(
+        'getEmailDomainDnsRecords',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'email-domains:read' as any);
+          if (!this.manager) return { records: [] };
+          return { records: await this.manager.getRequiredDnsRecords(dataArg.id) };
+        },
+      ),
+    );
+
+    // Auto-provision DNS records
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ProvisionEmailDomainDns>(
+        'provisionEmailDomainDns',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'email-domains:write' as any);
+          if (!this.manager) {
+            return { success: false, message: 'EmailDomainManager not initialized' };
+          }
+          try {
+            const provisioned = await this.manager.provisionDnsRecords(dataArg.id);
+            return { success: true, provisioned };
+          } catch (err: unknown) {
+            return { success: false, message: (err as Error).message };
+          }
+        },
+      ),
+    );
+  }
+}

ts/opsserver/handlers/index.ts

@@ -17,4 +17,5 @@ export * from './users.handler.js';
 export * from './dns-provider.handler.js';
 export * from './domain.handler.js';
 export * from './dns-record.handler.js';
-export * from './acme-config.handler.js';
+export * from './acme-config.handler.js';
+export * from './email-domain.handler.js';

ts/opsserver/handlers/network-target.handler.ts

@@ -135,7 +135,7 @@ export class NetworkTargetHandler {
           const result = await resolver.deleteTarget(
             dataArg.id,
             dataArg.force ?? false,
-            manager.getStoredRoutes(),
+            manager.getRoutes(),
           );
 
           if (result.success && dataArg.force) {
@@ -158,7 +158,7 @@ export class NetworkTargetHandler {
           if (!resolver || !manager) {
             return { routes: [] };
           }
-          const usage = resolver.getTargetUsageForId(dataArg.id, manager.getStoredRoutes());
+          const usage = resolver.getTargetUsageForId(dataArg.id, manager.getRoutes());
           return { routes: usage.map((u) => ({ id: u.id, name: u.routeName })) };
         },
       ),

ts/opsserver/handlers/route-management.handler.ts

@@ -72,7 +72,7 @@ export class RouteManagementHandler {
             return { success: false, message: 'Route management not initialized' };
           }
           const id = await manager.createRoute(dataArg.route, userId, dataArg.enabled ?? true, dataArg.metadata);
-          return { success: true, storedRouteId: id };
+          return { success: true, routeId: id };
         },
       ),
     );
@@ -113,39 +113,7 @@ export class RouteManagementHandler {
       ),
     );
 
-    // Set override on a hardcoded route
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SetRouteOverride>(
-        'setRouteOverride',
-        async (dataArg) => {
-          const userId = await this.requireAuth(dataArg, 'routes:write');
-          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
-          if (!manager) {
-            return { success: false, message: 'Route management not initialized' };
-          }
-          await manager.setOverride(dataArg.routeName, dataArg.enabled, userId);
-          return { success: true };
-        },
-      ),
-    );
-
-    // Remove override from a hardcoded route
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RemoveRouteOverride>(
-        'removeRouteOverride',
-        async (dataArg) => {
-          await this.requireAuth(dataArg, 'routes:write');
-          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
-          if (!manager) {
-            return { success: false, message: 'Route management not initialized' };
-          }
-          const ok = await manager.removeOverride(dataArg.routeName);
-          return { success: ok, message: ok ? undefined : 'Override not found' };
-        },
-      ),
-    );
-
-    // Toggle programmatic route
+    // Toggle route
     this.typedrouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ToggleRoute>(
         'toggleRoute',

ts/opsserver/handlers/security.handler.ts

@@ -51,8 +51,8 @@ export class SecurityHandler {
             startTime: conn.startTime,
             protocol: conn.type === 'http' ? 'https' : conn.type as any,
             state: conn.status as any,
-            bytesReceived: Math.floor(conn.bytesTransferred / 2),
-            bytesSent: Math.floor(conn.bytesTransferred / 2),
+            bytesReceived: (conn as any)._throughputIn || 0,
+            bytesSent: (conn as any)._throughputOut || 0,
           }));
           
           const summary = {
@@ -96,9 +96,11 @@ export class SecurityHandler {
               connectionsByIP: Array.from(networkStats.connectionsByIP.entries()).map(([ip, count]) => ({ ip, count })),
               throughputRate: networkStats.throughputRate,
               topIPs: networkStats.topIPs,
+              topIPsByBandwidth: networkStats.topIPsByBandwidth,
               totalDataTransferred: networkStats.totalDataTransferred,
               throughputHistory: networkStats.throughputHistory || [],
               throughputByIP,
+              domainActivity: networkStats.domainActivity || [],
               requestsPerSecond: networkStats.requestsPerSecond || 0,
               requestsTotal: networkStats.requestsTotal || 0,
               backends: networkStats.backends || [],
@@ -110,9 +112,11 @@ export class SecurityHandler {
             connectionsByIP: [],
             throughputRate: { bytesInPerSecond: 0, bytesOutPerSecond: 0 },
             topIPs: [],
+            topIPsByBandwidth: [],
             totalDataTransferred: { bytesIn: 0, bytesOut: 0 },
             throughputHistory: [],
             throughputByIP: [],
+            domainActivity: [],
             requestsPerSecond: 0,
             requestsTotal: 0,
             backends: [],
@@ -251,31 +255,31 @@ export class SecurityHandler {
       const connectionInfo = await this.opsServerRef.dcRouterRef.metricsManager.getConnectionInfo();
       const networkStats = await this.opsServerRef.dcRouterRef.metricsManager.getNetworkStats();
       
-      // Use IP-based connection data from the new metrics API
+      // One aggregate row per IP with real throughput data
       if (networkStats.connectionsByIP && networkStats.connectionsByIP.size > 0) {
         let connIndex = 0;
         const publicIp = this.opsServerRef.dcRouterRef.options.publicIp || 'server';
-        
+
         for (const [ip, count] of networkStats.connectionsByIP) {
-          // Create a connection entry for each active IP connection
-          for (let i = 0; i < Math.min(count, 5); i++) { // Limit to 5 connections per IP for UI performance
-            connections.push({
-              id: `conn-${connIndex++}`,
-              type: 'http',
-              source: {
-                ip: ip,
-                port: Math.floor(Math.random() * 50000) + 10000, // High port range
-              },
-              destination: {
-                ip: publicIp,
-                port: 443,
-                service: 'proxy',
-              },
-              startTime: Date.now() - Math.floor(Math.random() * 3600000), // Within last hour
-              bytesTransferred: Math.floor(networkStats.totalDataTransferred.bytesIn / networkStats.connectionsByIP.size),
-              status: 'active',
-            });
-          }
+          const tp = networkStats.throughputByIP?.get(ip);
+          connections.push({
+            id: `ip-${connIndex++}`,
+            type: 'http',
+            source: {
+              ip: ip,
+              port: 0,
+            },
+            destination: {
+              ip: publicIp,
+              port: 443,
+              service: 'proxy',
+            },
+            startTime: 0,
+            bytesTransferred: count, // Store connection count here
+            status: 'active',
+            // Attach real throughput for the handler mapping
+            ...(tp ? { _throughputIn: tp.in, _throughputOut: tp.out } : {}),
+          } as any);
         }
       } else if (connectionInfo.length > 0) {
         // Fallback to route-based connection info if no IP data available

ts/opsserver/handlers/source-profile.handler.ts

@@ -136,7 +136,7 @@ export class SourceProfileHandler {
           const result = await resolver.deleteProfile(
             dataArg.id,
             dataArg.force ?? false,
-            manager.getStoredRoutes(),
+            manager.getRoutes(),
           );
 
           // If force-deleted with affected routes, re-apply
@@ -160,7 +160,7 @@ export class SourceProfileHandler {
           if (!resolver || !manager) {
             return { routes: [] };
           }
-          const usage = resolver.getProfileUsageForId(dataArg.id, manager.getStoredRoutes());
+          const usage = resolver.getProfileUsageForId(dataArg.id, manager.getRoutes());
           return { routes: usage.map((u) => ({ id: u.id, name: u.routeName })) };
         },
       ),

ts/opsserver/handlers/stats.handler.ts

@@ -291,6 +291,20 @@ export class StatsHandler {
                   }
                 }
 
+                // Build connectionDetails from real per-IP data
+                const connectionDetails: interfaces.data.IConnectionDetails[] = [];
+                for (const [ip, count] of stats.connectionsByIP) {
+                  const tp = stats.throughputByIP?.get(ip);
+                  connectionDetails.push({
+                    remoteAddress: ip,
+                    protocol: 'https',
+                    state: 'connected',
+                    startTime: 0,
+                    bytesIn: tp?.in || 0,
+                    bytesOut: tp?.out || 0,
+                  });
+                }
+
                 metrics.network = {
                   totalBandwidth: {
                     in: stats.throughputRate.bytesInPerSecond,
@@ -301,12 +315,18 @@ export class StatsHandler {
                     out: stats.totalDataTransferred.bytesOut,
                   },
                   activeConnections: serverStats.activeConnections,
-                  connectionDetails: [],
+                  connectionDetails,
                   topEndpoints: stats.topIPs.map(ip => ({
                     endpoint: ip.ip,
-                    requests: ip.count,
+                    connections: ip.count,
                     bandwidth: ipBandwidth.get(ip.ip) || { in: 0, out: 0 },
                   })),
+                  topEndpointsByBandwidth: stats.topIPsByBandwidth.map(ip => ({
+                    endpoint: ip.ip,
+                    connections: ip.count,
+                    bandwidth: { in: ip.bwIn, out: ip.bwOut },
+                  })),
+                  domainActivity: stats.domainActivity || [],
                   throughputHistory: stats.throughputHistory || [],
                   requestsPerSecond: stats.requestsPerSecond || 0,
                   requestsTotal: stats.requestsTotal || 0,

ts/vpn/classes.vpn-manager.ts

@@ -55,6 +55,8 @@ export class VpnManager {
   private vpnServer?: plugins.smartvpn.VpnServer;
   private clients: Map<string, VpnClientDoc> = new Map();
   private serverKeys?: VpnServerKeysDoc;
+  private resolvedForwardingMode?: 'socket' | 'bridge' | 'hybrid';
+  private forwardingModeOverride?: 'socket' | 'bridge' | 'hybrid';
 
   constructor(config: IVpnManagerConfig) {
     this.config = config;
@@ -88,6 +90,7 @@ export class VpnManager {
       if (client.useHostIp) {
         anyClientUsesHostIp = true;
       }
+      this.normalizeClientRoutingSettings(client);
       const entry: plugins.smartvpn.IClientEntry = {
         clientId: client.clientId,
         publicKey: client.noisePublicKey,
@@ -97,13 +100,12 @@ export class VpnManager {
         assignedIp: client.assignedIp,
         expiresAt: client.expiresAt,
         security: this.buildClientSecurity(client),
+        useHostIp: client.useHostIp,
+        useDhcp: client.useDhcp,
+        staticIp: client.staticIp,
+        forceVlan: client.forceVlan,
+        vlanId: client.vlanId,
       };
-      // Pass per-client bridge fields if present (for hybrid/bridge mode)
-      if (client.useHostIp !== undefined) (entry as any).useHostIp = client.useHostIp;
-      if (client.useDhcp !== undefined) (entry as any).useDhcp = client.useDhcp;
-      if (client.staticIp !== undefined) (entry as any).staticIp = client.staticIp;
-      if (client.forceVlan !== undefined) (entry as any).forceVlan = client.forceVlan;
-      if (client.vlanId !== undefined) (entry as any).vlanId = client.vlanId;
       clientEntries.push(entry);
     }
 
@@ -112,13 +114,15 @@ export class VpnManager {
 
     // Auto-detect hybrid mode: if any persisted client uses host IP and mode is
     // 'socket' (or unset), upgrade to 'hybrid' so the daemon can handle both
-    let configuredMode = this.config.forwardingMode ?? 'socket';
+    let configuredMode = this.forwardingModeOverride ?? this.config.forwardingMode ?? 'socket';
     if (anyClientUsesHostIp && configuredMode === 'socket') {
       configuredMode = 'hybrid';
       logger.log('info', 'VPN: Auto-upgrading forwarding mode to hybrid (client with useHostIp detected)');
     }
     const forwardingMode = configuredMode === 'hybrid' ? 'hybrid' : configuredMode;
     const isBridge = forwardingMode === 'bridge';
+    this.resolvedForwardingMode = forwardingMode;
+    this.forwardingModeOverride = undefined;
 
     // Create and start VpnServer
     this.vpnServer = new plugins.smartvpn.VpnServer({
@@ -143,7 +147,7 @@ export class VpnManager {
       wgListenPort,
       clients: clientEntries,
       socketForwardProxyProtocol: !isBridge,
-      destinationPolicy: this.config.destinationPolicy ?? defaultDestinationPolicy,
+      destinationPolicy: this.getServerDestinationPolicy(forwardingMode, defaultDestinationPolicy),
       serverEndpoint: this.config.serverEndpoint
         ? `${this.config.serverEndpoint}:${wgListenPort}`
         : undefined,
@@ -189,6 +193,7 @@ export class VpnManager {
       this.vpnServer.stop();
       this.vpnServer = undefined;
     }
+    this.resolvedForwardingMode = undefined;
     logger.log('info', 'VPN server stopped');
   }
 
@@ -213,14 +218,38 @@ export class VpnManager {
       throw new Error('VPN server not running');
     }
 
+    await this.ensureForwardingModeForHostIpClient(opts.useHostIp === true);
+
+    const doc = new VpnClientDoc();
+    doc.clientId = opts.clientId;
+    doc.enabled = true;
+    doc.targetProfileIds = opts.targetProfileIds;
+    doc.description = opts.description;
+    doc.destinationAllowList = opts.destinationAllowList;
+    doc.destinationBlockList = opts.destinationBlockList;
+    doc.useHostIp = opts.useHostIp;
+    doc.useDhcp = opts.useDhcp;
+    doc.staticIp = opts.staticIp;
+    doc.forceVlan = opts.forceVlan;
+    doc.vlanId = opts.vlanId;
+    doc.createdAt = Date.now();
+    doc.updatedAt = Date.now();
+    this.normalizeClientRoutingSettings(doc);
+
     const bundle = await this.vpnServer.createClient({
-      clientId: opts.clientId,
-      description: opts.description,
+      clientId: doc.clientId,
+      description: doc.description,
+      security: this.buildClientSecurity(doc),
+      useHostIp: doc.useHostIp,
+      useDhcp: doc.useDhcp,
+      staticIp: doc.staticIp,
+      forceVlan: doc.forceVlan,
+      vlanId: doc.vlanId,
     });
 
     // Override AllowedIPs with per-client values based on target profiles
     if (this.config.getClientAllowedIPs && bundle.wireguardConfig) {
-      const allowedIPs = await this.config.getClientAllowedIPs(opts.targetProfileIds || []);
+      const allowedIPs = await this.config.getClientAllowedIPs(doc.targetProfileIds || []);
       bundle.wireguardConfig = bundle.wireguardConfig.replace(
         /AllowedIPs\s*=\s*.+/,
         `AllowedIPs = ${allowedIPs.join(', ')}`,
@@ -228,40 +257,16 @@ export class VpnManager {
     }
 
     // Persist client entry (including WG private key for export/QR)
-    const doc = new VpnClientDoc();
     doc.clientId = bundle.entry.clientId;
     doc.enabled = bundle.entry.enabled ?? true;
-    doc.targetProfileIds = opts.targetProfileIds;
     doc.description = bundle.entry.description;
     doc.assignedIp = bundle.entry.assignedIp;
     doc.noisePublicKey = bundle.entry.publicKey;
     doc.wgPublicKey = bundle.entry.wgPublicKey || '';
     doc.wgPrivateKey = bundle.secrets?.wgPrivateKey
       || bundle.wireguardConfig?.match(/PrivateKey\s*=\s*(.+)/)?.[1]?.trim();
-    doc.createdAt = Date.now();
     doc.updatedAt = Date.now();
     doc.expiresAt = bundle.entry.expiresAt;
-    if (opts.destinationAllowList !== undefined) {
-      doc.destinationAllowList = opts.destinationAllowList;
-    }
-    if (opts.destinationBlockList !== undefined) {
-      doc.destinationBlockList = opts.destinationBlockList;
-    }
-    if (opts.useHostIp !== undefined) {
-      doc.useHostIp = opts.useHostIp;
-    }
-    if (opts.useDhcp !== undefined) {
-      doc.useDhcp = opts.useDhcp;
-    }
-    if (opts.staticIp !== undefined) {
-      doc.staticIp = opts.staticIp;
-    }
-    if (opts.forceVlan !== undefined) {
-      doc.forceVlan = opts.forceVlan;
-    }
-    if (opts.vlanId !== undefined) {
-      doc.vlanId = opts.vlanId;
-    }
     this.clients.set(doc.clientId, doc);
     try {
       await this.persistClient(doc);
@@ -276,12 +281,6 @@ export class VpnManager {
       throw err;
     }
 
-    // Sync per-client security to the running daemon
-    const security = this.buildClientSecurity(doc);
-    if (security.destinationPolicy) {
-      await this.vpnServer!.updateClient(doc.clientId, { security });
-    }
-
     this.config.onClientChanged?.();
     return bundle;
   }
@@ -364,13 +363,13 @@ export class VpnManager {
     if (update.staticIp !== undefined) client.staticIp = update.staticIp;
     if (update.forceVlan !== undefined) client.forceVlan = update.forceVlan;
     if (update.vlanId !== undefined) client.vlanId = update.vlanId;
+    this.normalizeClientRoutingSettings(client);
     client.updatedAt = Date.now();
     await this.persistClient(client);
 
-    // Sync per-client security to the running daemon
     if (this.vpnServer) {
-      const security = this.buildClientSecurity(client);
-      await this.vpnServer.updateClient(clientId, { security });
+      await this.ensureForwardingModeForHostIpClient(client.useHostIp === true);
+      await this.vpnServer.updateClient(clientId, this.buildClientRuntimeUpdate(client));
     }
 
     this.config.onClientChanged?.();
@@ -478,26 +477,28 @@ export class VpnManager {
 
   /**
    * Build per-client security settings for the smartvpn daemon.
-   * All VPN traffic is forced through SmartProxy (forceTarget to 127.0.0.1).
-   * TargetProfile direct IP:port targets bypass SmartProxy via allowList.
+   * TargetProfile direct IP:port targets extend the effective allow-list.
    */
   private buildClientSecurity(client: VpnClientDoc): plugins.smartvpn.IClientSecurity {
     const security: plugins.smartvpn.IClientSecurity = {};
+    const basePolicy = this.getBaseDestinationPolicy(client);
 
-    // Collect direct targets from assigned TargetProfiles (bypass forceTarget for these IPs)
     const profileDirectTargets = this.config.getClientDirectTargets?.(client.targetProfileIds || []) || [];
-
-    // Merge with per-client explicit allow list
-    const mergedAllowList = [
-      ...(client.destinationAllowList || []),
-      ...profileDirectTargets,
-    ];
+    const mergedAllowList = this.mergeDestinationLists(
+      basePolicy.allowList,
+      client.destinationAllowList,
+      profileDirectTargets,
+    );
+    const mergedBlockList = this.mergeDestinationLists(
+      basePolicy.blockList,
+      client.destinationBlockList,
+    );
 
     security.destinationPolicy = {
-      default: 'forceTarget' as const,
-      target: '127.0.0.1',
+      default: basePolicy.default,
+      target: basePolicy.default === 'forceTarget' ? basePolicy.target : undefined,
       allowList: mergedAllowList.length ? mergedAllowList : undefined,
-      blockList: client.destinationBlockList,
+      blockList: mergedBlockList.length ? mergedBlockList : undefined,
     };
 
     return security;
@@ -510,10 +511,7 @@ export class VpnManager {
   public async refreshAllClientSecurity(): Promise<void> {
     if (!this.vpnServer) return;
     for (const client of this.clients.values()) {
-      const security = this.buildClientSecurity(client);
-      if (security.destinationPolicy) {
-        await this.vpnServer.updateClient(client.clientId, { security });
-      }
+      await this.vpnServer.updateClient(client.clientId, this.buildClientRuntimeUpdate(client));
     }
   }
 
@@ -550,6 +548,7 @@ export class VpnManager {
   private async loadPersistedClients(): Promise<void> {
     const docs = await VpnClientDoc.findAll();
     for (const doc of docs) {
+      this.normalizeClientRoutingSettings(doc);
       this.clients.set(doc.clientId, doc);
     }
     if (this.clients.size > 0) {
@@ -557,6 +556,93 @@ export class VpnManager {
     }
   }
 
+  private getResolvedForwardingMode(): 'socket' | 'bridge' | 'hybrid' {
+    return this.resolvedForwardingMode
+      ?? this.forwardingModeOverride
+      ?? this.config.forwardingMode
+      ?? 'socket';
+  }
+
+  private getDefaultDestinationPolicy(
+    forwardingMode: 'socket' | 'bridge' | 'hybrid',
+    useHostIp = false,
+  ): plugins.smartvpn.IDestinationPolicy {
+    if (forwardingMode === 'bridge' || (forwardingMode === 'hybrid' && useHostIp)) {
+      return { default: 'allow' };
+    }
+    return { default: 'forceTarget', target: '127.0.0.1' };
+  }
+
+  private getServerDestinationPolicy(
+    forwardingMode: 'socket' | 'bridge' | 'hybrid',
+    fallbackPolicy = this.getDefaultDestinationPolicy(forwardingMode),
+  ): plugins.smartvpn.IDestinationPolicy {
+    return this.config.destinationPolicy ?? fallbackPolicy;
+  }
+
+  private getBaseDestinationPolicy(client: Pick<VpnClientDoc, 'useHostIp'>): plugins.smartvpn.IDestinationPolicy {
+    if (this.config.destinationPolicy) {
+      return { ...this.config.destinationPolicy };
+    }
+    return this.getDefaultDestinationPolicy(this.getResolvedForwardingMode(), client.useHostIp === true);
+  }
+
+  private mergeDestinationLists(...lists: Array<string[] | undefined>): string[] {
+    const merged = new Set<string>();
+    for (const list of lists) {
+      for (const entry of list || []) {
+        merged.add(entry);
+      }
+    }
+    return [...merged];
+  }
+
+  private normalizeClientRoutingSettings(
+    client: Pick<VpnClientDoc, 'useHostIp' | 'useDhcp' | 'staticIp' | 'forceVlan' | 'vlanId'>,
+  ): void {
+    client.useHostIp = client.useHostIp === true;
+
+    if (!client.useHostIp) {
+      client.useDhcp = false;
+      client.staticIp = undefined;
+      client.forceVlan = false;
+      client.vlanId = undefined;
+      return;
+    }
+
+    client.useDhcp = client.useDhcp === true;
+    if (client.useDhcp) {
+      client.staticIp = undefined;
+    }
+
+    client.forceVlan = client.forceVlan === true;
+    if (!client.forceVlan) {
+      client.vlanId = undefined;
+    }
+  }
+
+  private buildClientRuntimeUpdate(client: VpnClientDoc): Partial<plugins.smartvpn.IClientEntry> {
+    return {
+      description: client.description,
+      security: this.buildClientSecurity(client),
+      useHostIp: client.useHostIp,
+      useDhcp: client.useDhcp,
+      staticIp: client.staticIp,
+      forceVlan: client.forceVlan,
+      vlanId: client.vlanId,
+    };
+  }
+
+  private async ensureForwardingModeForHostIpClient(useHostIp: boolean): Promise<void> {
+    if (!useHostIp || !this.vpnServer) return;
+    if (this.getResolvedForwardingMode() !== 'socket') return;
+
+    logger.log('info', 'VPN: Restarting server in hybrid mode to support a host-IP client');
+    this.forwardingModeOverride = 'hybrid';
+    await this.stop();
+    await this.start();
+  }
+
   private async persistClient(client: VpnClientDoc): Promise<void> {
     await client.save();
   }

ts_apiclient/classes.route.ts

@@ -7,10 +7,9 @@ export class Route {
 
   // Data from IMergedRoute
   public routeConfig: IRouteConfig;
-  public source: 'hardcoded' | 'programmatic';
+  public id: string;
   public enabled: boolean;
-  public overridden: boolean;
-  public storedRouteId?: string;
+  public origin: 'config' | 'email' | 'dns' | 'api';
   public createdAt?: number;
   public updatedAt?: number;
 
@@ -22,21 +21,17 @@ export class Route {
   constructor(clientRef: DcRouterApiClient, data: interfaces.data.IMergedRoute) {
     this.clientRef = clientRef;
     this.routeConfig = data.route;
-    this.source = data.source;
+    this.id = data.id;
     this.enabled = data.enabled;
-    this.overridden = data.overridden;
-    this.storedRouteId = data.storedRouteId;
+    this.origin = data.origin;
     this.createdAt = data.createdAt;
     this.updatedAt = data.updatedAt;
   }
 
   public async update(changes: Partial<IRouteConfig>): Promise<void> {
-    if (!this.storedRouteId) {
-      throw new Error('Cannot update a hardcoded route. Use setOverride() instead.');
-    }
     const response = await this.clientRef.request<interfaces.requests.IReq_UpdateRoute>(
       'updateRoute',
-      this.clientRef.buildRequestPayload({ id: this.storedRouteId, route: changes }) as any,
+      this.clientRef.buildRequestPayload({ id: this.id, route: changes }) as any,
     );
     if (!response.success) {
       throw new Error(response.message || 'Failed to update route');
@@ -44,12 +39,9 @@ export class Route {
   }
 
   public async delete(): Promise<void> {
-    if (!this.storedRouteId) {
-      throw new Error('Cannot delete a hardcoded route. Use setOverride() instead.');
-    }
     const response = await this.clientRef.request<interfaces.requests.IReq_DeleteRoute>(
       'deleteRoute',
-      this.clientRef.buildRequestPayload({ id: this.storedRouteId }) as any,
+      this.clientRef.buildRequestPayload({ id: this.id }) as any,
     );
     if (!response.success) {
       throw new Error(response.message || 'Failed to delete route');
@@ -57,41 +49,15 @@ export class Route {
   }
 
   public async toggle(enabled: boolean): Promise<void> {
-    if (!this.storedRouteId) {
-      throw new Error('Cannot toggle a hardcoded route. Use setOverride() instead.');
-    }
     const response = await this.clientRef.request<interfaces.requests.IReq_ToggleRoute>(
       'toggleRoute',
-      this.clientRef.buildRequestPayload({ id: this.storedRouteId, enabled }) as any,
+      this.clientRef.buildRequestPayload({ id: this.id, enabled }) as any,
     );
     if (!response.success) {
       throw new Error(response.message || 'Failed to toggle route');
     }
     this.enabled = enabled;
   }
-
-  public async setOverride(enabled: boolean): Promise<void> {
-    const response = await this.clientRef.request<interfaces.requests.IReq_SetRouteOverride>(
-      'setRouteOverride',
-      this.clientRef.buildRequestPayload({ routeName: this.name, enabled }) as any,
-    );
-    if (!response.success) {
-      throw new Error(response.message || 'Failed to set route override');
-    }
-    this.overridden = true;
-    this.enabled = enabled;
-  }
-
-  public async removeOverride(): Promise<void> {
-    const response = await this.clientRef.request<interfaces.requests.IReq_RemoveRouteOverride>(
-      'removeRouteOverride',
-      this.clientRef.buildRequestPayload({ routeName: this.name }) as any,
-    );
-    if (!response.success) {
-      throw new Error(response.message || 'Failed to remove route override');
-    }
-    this.overridden = false;
-  }
 }
 
 export class RouteBuilder {
@@ -144,9 +110,8 @@ export class RouteBuilder {
     }
 
     // Return a Route instance by re-fetching the list
-    // The created route is programmatic, so we find it by storedRouteId
     const { routes } = await new RouteManager(this.clientRef).list();
-    const created = routes.find((r) => r.storedRouteId === response.storedRouteId);
+    const created = routes.find((r) => r.id === response.routeId);
     if (created) {
       return created;
     }
@@ -154,10 +119,9 @@ export class RouteBuilder {
     // Fallback: construct from known data
     return new Route(this.clientRef, {
       route: this.routeConfig as IRouteConfig,
-      source: 'programmatic',
+      id: response.routeId || '',
       enabled: this.isEnabled,
-      overridden: false,
-      storedRouteId: response.storedRouteId,
+      origin: 'api',
     });
   }
 }
@@ -190,10 +154,9 @@ export class RouteManager {
     }
     return new Route(this.clientRef, {
       route: routeConfig,
-      source: 'programmatic',
+      id: response.routeId || '',
       enabled: enabled ?? true,
-      overridden: false,
-      storedRouteId: response.storedRouteId,
+      origin: 'api',
     });
   }
 

ts_interfaces/data/dns-provider.ts

@@ -150,7 +150,7 @@ export const dnsProviderTypeDescriptors: ReadonlyArray<IDnsProviderTypeDescripto
     type: 'cloudflare',
     displayName: 'Cloudflare',
     description:
-      'Manages records via the Cloudflare API. Provider stays authoritative; dcrouter pushes record changes.',
+      'External DNS provider. The provider stays authoritative; dcrouter pushes record changes via its API.',
     credentialFields: [
       {
         key: 'apiToken',

ts_interfaces/data/email-domain.ts

@@ -0,0 +1,75 @@
+/**
+ * DNS record validation status for a single email-related record (MX, SPF, DKIM, DMARC).
+ */
+export type TDnsRecordStatus = 'valid' | 'missing' | 'invalid' | 'unchecked';
+
+/**
+ * An email domain managed by dcrouter.
+ *
+ * Each email domain is linked to an existing dcrouter DNS domain (dcrouter-hosted
+ * or provider-managed). The DNS management path is inherited from the linked domain
+ * — no separate DNS mode is needed.
+ */
+export interface IEmailDomain {
+  id: string;
+  /** Fully qualified email domain name (e.g. 'example.com' or 'mail.example.com'). */
+  domain: string;
+  /** ID of the linked dcrouter DNS domain — determines how DNS records are managed. */
+  linkedDomainId: string;
+  /** Optional subdomain prefix (e.g. 'mail' for mail.example.com). Empty/undefined = bare domain. */
+  subdomain?: string;
+  /** DKIM configuration and key state. */
+  dkim: IEmailDomainDkim;
+  /** Optional per-domain rate limits. */
+  rateLimits?: IEmailDomainRateLimits;
+  /** DNS record validation status — populated by validateDns(). */
+  dnsStatus: IEmailDomainDnsStatus;
+  createdAt: string;
+  updatedAt: string;
+}
+
+export interface IEmailDomainDkim {
+  /** DKIM selector (default: 'default'). */
+  selector: string;
+  /** RSA key size in bits (default: 2048). */
+  keySize: number;
+  /** Base64-encoded public key — populated after key generation. */
+  publicKey?: string;
+  /** Whether automatic key rotation is enabled. */
+  rotateKeys: boolean;
+  /** Days between key rotations (default: 90). */
+  rotationIntervalDays: number;
+  /** ISO date of last key rotation. */
+  lastRotatedAt?: string;
+}
+
+export interface IEmailDomainRateLimits {
+  outbound?: {
+    messagesPerMinute?: number;
+    messagesPerHour?: number;
+    messagesPerDay?: number;
+  };
+  inbound?: {
+    messagesPerMinute?: number;
+    connectionsPerIp?: number;
+    recipientsPerMessage?: number;
+  };
+}
+
+export interface IEmailDomainDnsStatus {
+  mx: TDnsRecordStatus;
+  spf: TDnsRecordStatus;
+  dkim: TDnsRecordStatus;
+  dmarc: TDnsRecordStatus;
+  lastCheckedAt?: string;
+}
+
+/**
+ * A single required DNS record for an email domain — used for display / copy-paste.
+ */
+export interface IEmailDnsRecord {
+  type: 'MX' | 'TXT';
+  name: string;
+  value: string;
+  status: TDnsRecordStatus;
+}

ts_interfaces/data/index.ts

@@ -7,4 +7,5 @@ export * from './vpn.js';
 export * from './dns-provider.js';
 export * from './domain.js';
 export * from './dns-record.js';
-export * from './acme-config.js';
+export * from './acme-config.js';
+export * from './email-domain.js';

ts_interfaces/data/route-management.ts

@@ -83,24 +83,23 @@ export interface IRouteMetadata {
 }
 
 /**
- * A merged route combining hardcoded and programmatic sources.
+ * A route entry returned by the route management API.
  */
 export interface IMergedRoute {
   route: IDcRouterRouteConfig;
-  source: 'hardcoded' | 'programmatic';
+  id: string;
   enabled: boolean;
-  overridden: boolean;
-  storedRouteId?: string;
+  origin: 'config' | 'email' | 'dns' | 'api';
   createdAt?: number;
   updatedAt?: number;
   metadata?: IRouteMetadata;
 }
 
 /**
- * A warning generated during route merge/startup.
+ * A warning generated during route startup/apply.
  */
 export interface IRouteWarning {
-  type: 'disabled-hardcoded' | 'disabled-programmatic' | 'orphaned-override';
+  type: 'disabled-route';
   routeName: string;
   message: string;
 }
@@ -123,28 +122,19 @@ export interface IApiTokenInfo {
 // ============================================================================
 
 /**
- * A programmatic route stored in /config-api/routes/{id}.json
+ * A route persisted in the database.
  */
-export interface IStoredRoute {
+export interface IRoute {
   id: string;
   route: IDcRouterRouteConfig;
   enabled: boolean;
   createdAt: number;
   updatedAt: number;
   createdBy: string;
+  origin: 'config' | 'email' | 'dns' | 'api';
   metadata?: IRouteMetadata;
 }
 
-/**
- * An override for a hardcoded route, stored in /config-api/overrides/{routeName}.json
- */
-export interface IRouteOverride {
-  routeName: string;
-  enabled: boolean;
-  updatedAt: number;
-  updatedBy: string;
-}
-
 /**
  * A stored API token, stored in /config-api/tokens/{id}.json
  */

ts_interfaces/data/stats.ts

@@ -143,6 +143,15 @@ export interface IHealthStatus {
   version?: string;
 }
 
+export interface IDomainActivity {
+  domain: string;
+  bytesInPerSecond: number;
+  bytesOutPerSecond: number;
+  activeConnections: number;
+  routeCount: number;
+  requestCount: number;
+}
+
 export interface INetworkMetrics {
   totalBandwidth: {
     in: number;
@@ -156,12 +165,21 @@ export interface INetworkMetrics {
   connectionDetails: IConnectionDetails[];
   topEndpoints: Array<{
     endpoint: string;
-    requests: number;
+    connections: number;
     bandwidth: {
       in: number;
       out: number;
     };
   }>;
+  topEndpointsByBandwidth: Array<{
+    endpoint: string;
+    connections: number;
+    bandwidth: {
+      in: number;
+      out: number;
+    };
+  }>;
+  domainActivity: IDomainActivity[];
   throughputHistory?: Array<{ timestamp: number; in: number; out: number }>;
   requestsPerSecond?: number;
   requestsTotal?: number;

ts_interfaces/data/target-profile.ts

@@ -21,7 +21,7 @@ export interface ITargetProfile {
   domains?: string[];
   /** Specific IP:port targets this profile grants access to */
   targets?: ITargetProfileTarget[];
-  /** Route references by stored route ID or route name */
+  /** Route references by stored route ID. Legacy route names are normalized when unique. */
   routeRefs?: string[];
   createdAt: number;
   updatedAt: number;

ts_interfaces/requests/domains.ts

@@ -148,3 +148,31 @@ export interface IReq_SyncDomain extends plugins.typedrequestInterfaces.implemen
     message?: string;
   };
 }
+
+/**
+ * Migrate a domain between dcrouter-hosted and provider-managed (or between providers).
+ * Records are transferred to the target and the domain source/providerId are updated.
+ */
+export interface IReq_MigrateDomain extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_MigrateDomain
+> {
+  method: 'migrateDomain';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    id: string;
+    /** Target source type. */
+    targetSource: import('../data/domain.js').TDomainSource;
+    /** Required when targetSource is 'provider'. */
+    targetProviderId?: string;
+    /** When migrating to a provider: delete all existing records at the provider first. */
+    deleteExistingProviderRecords?: boolean;
+  };
+  response: {
+    success: boolean;
+    /** Number of records migrated. */
+    recordsMigrated?: number;
+    message?: string;
+  };
+}

ts_interfaces/requests/email-domains.ts

@@ -0,0 +1,178 @@
+import * as plugins from '../plugins.js';
+import type * as authInterfaces from '../data/auth.js';
+import type { IEmailDomain, IEmailDnsRecord } from '../data/email-domain.js';
+
+// ============================================================================
+// Email Domain Endpoints
+// ============================================================================
+
+/**
+ * List all email domains.
+ */
+export interface IReq_GetEmailDomains extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetEmailDomains
+> {
+  method: 'getEmailDomains';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+  };
+  response: {
+    domains: IEmailDomain[];
+  };
+}
+
+/**
+ * Get a single email domain by id.
+ */
+export interface IReq_GetEmailDomain extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetEmailDomain
+> {
+  method: 'getEmailDomain';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    id: string;
+  };
+  response: {
+    domain: IEmailDomain | null;
+  };
+}
+
+/**
+ * Create an email domain. Links to an existing dcrouter DNS domain.
+ * Generates DKIM keys and computes the required DNS records.
+ */
+export interface IReq_CreateEmailDomain extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_CreateEmailDomain
+> {
+  method: 'createEmailDomain';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    /** ID of the existing dcrouter DNS domain to link to. */
+    linkedDomainId: string;
+    /** Optional subdomain prefix (e.g. 'mail' for mail.example.com). Leave empty for bare domain. */
+    subdomain?: string;
+    /** DKIM selector (default: 'default'). */
+    dkimSelector?: string;
+    /** RSA key size (default: 2048). */
+    dkimKeySize?: number;
+    /** Enable automatic key rotation (default: false). */
+    rotateKeys?: boolean;
+    /** Days between rotations (default: 90). */
+    rotationIntervalDays?: number;
+  };
+  response: {
+    success: boolean;
+    domain?: IEmailDomain;
+    message?: string;
+  };
+}
+
+/**
+ * Update an email domain's configuration.
+ */
+export interface IReq_UpdateEmailDomain extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_UpdateEmailDomain
+> {
+  method: 'updateEmailDomain';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    id: string;
+    rotateKeys?: boolean;
+    rotationIntervalDays?: number;
+    rateLimits?: IEmailDomain['rateLimits'];
+  };
+  response: {
+    success: boolean;
+    message?: string;
+  };
+}
+
+/**
+ * Delete an email domain.
+ */
+export interface IReq_DeleteEmailDomain extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_DeleteEmailDomain
+> {
+  method: 'deleteEmailDomain';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    id: string;
+  };
+  response: {
+    success: boolean;
+    message?: string;
+  };
+}
+
+/**
+ * Trigger DNS validation for an email domain.
+ * Performs live lookups for MX, SPF, DKIM, and DMARC records.
+ */
+export interface IReq_ValidateEmailDomain extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_ValidateEmailDomain
+> {
+  method: 'validateEmailDomain';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    id: string;
+  };
+  response: {
+    success: boolean;
+    domain?: IEmailDomain;
+    records?: IEmailDnsRecord[];
+    message?: string;
+  };
+}
+
+/**
+ * Get the required DNS records for an email domain (for display / copy-paste).
+ */
+export interface IReq_GetEmailDomainDnsRecords extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetEmailDomainDnsRecords
+> {
+  method: 'getEmailDomainDnsRecords';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    id: string;
+  };
+  response: {
+    records: IEmailDnsRecord[];
+  };
+}
+
+/**
+ * Auto-provision DNS records for an email domain.
+ * Creates any missing MX, SPF, DKIM, and DMARC records via the linked
+ * domain's DNS path (dcrouter zone or provider API).
+ */
+export interface IReq_ProvisionEmailDomainDns extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_ProvisionEmailDomainDns
+> {
+  method: 'provisionEmailDomainDns';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    id: string;
+  };
+  response: {
+    success: boolean;
+    /** Number of records created. */
+    provisioned?: number;
+    message?: string;
+  };
+}

ts_interfaces/requests/index.ts

@@ -17,4 +17,5 @@ export * from './users.js';
 export * from './dns-providers.js';
 export * from './domains.js';
 export * from './dns-records.js';
-export * from './acme-config.js';
+export * from './acme-config.js';
+export * from './email-domains.js';

ts_interfaces/requests/route-management.ts

@@ -9,7 +9,7 @@ import type { IDcRouterRouteConfig } from '../data/remoteingress.js';
 // ============================================================================
 
 /**
- * Get all merged routes (hardcoded + programmatic) with warnings.
+ * Get all routes with warnings.
  */
 export interface IReq_GetMergedRoutes extends plugins.typedrequestInterfaces.implementsTR<
   plugins.typedrequestInterfaces.ITypedRequest,
@@ -27,7 +27,7 @@ export interface IReq_GetMergedRoutes extends plugins.typedrequestInterfaces.imp
 }
 
 /**
- * Create a new programmatic route.
+ * Create a new route.
  */
 export interface IReq_CreateRoute extends plugins.typedrequestInterfaces.implementsTR<
   plugins.typedrequestInterfaces.ITypedRequest,
@@ -43,13 +43,13 @@ export interface IReq_CreateRoute extends plugins.typedrequestInterfaces.impleme
   };
   response: {
     success: boolean;
-    storedRouteId?: string;
+    routeId?: string;
     message?: string;
   };
 }
 
 /**
- * Update a programmatic route.
+ * Update a route.
  */
 export interface IReq_UpdateRoute extends plugins.typedrequestInterfaces.implementsTR<
   plugins.typedrequestInterfaces.ITypedRequest,
@@ -71,7 +71,7 @@ export interface IReq_UpdateRoute extends plugins.typedrequestInterfaces.impleme
 }
 
 /**
- * Delete a programmatic route.
+ * Delete a route.
  */
 export interface IReq_DeleteRoute extends plugins.typedrequestInterfaces.implementsTR<
   plugins.typedrequestInterfaces.ITypedRequest,
@@ -90,46 +90,7 @@ export interface IReq_DeleteRoute extends plugins.typedrequestInterfaces.impleme
 }
 
 /**
- * Set an override on a hardcoded route (disable/enable by name).
- */
-export interface IReq_SetRouteOverride extends plugins.typedrequestInterfaces.implementsTR<
-  plugins.typedrequestInterfaces.ITypedRequest,
-  IReq_SetRouteOverride
-> {
-  method: 'setRouteOverride';
-  request: {
-    identity?: authInterfaces.IIdentity;
-    apiToken?: string;
-    routeName: string;
-    enabled: boolean;
-  };
-  response: {
-    success: boolean;
-    message?: string;
-  };
-}
-
-/**
- * Remove an override from a hardcoded route (restore default behavior).
- */
-export interface IReq_RemoveRouteOverride extends plugins.typedrequestInterfaces.implementsTR<
-  plugins.typedrequestInterfaces.ITypedRequest,
-  IReq_RemoveRouteOverride
-> {
-  method: 'removeRouteOverride';
-  request: {
-    identity?: authInterfaces.IIdentity;
-    apiToken?: string;
-    routeName: string;
-  };
-  response: {
-    success: boolean;
-    message?: string;
-  };
-}
-
-/**
- * Toggle a programmatic route on/off by id.
+ * Toggle a route on/off by id.
  */
 export interface IReq_ToggleRoute extends plugins.typedrequestInterfaces.implementsTR<
   plugins.typedrequestInterfaces.ITypedRequest,

ts_interfaces/requests/stats.ts

@@ -180,5 +180,9 @@ export interface IReq_GetNetworkStats extends plugins.typedrequestInterfaces.imp
     requestsPerSecond: number;
     requestsTotal: number;
     backends?: statsInterfaces.IBackendInfo[];
+    topIPsByBandwidth: Array<{ ip: string; count: number; bwIn: number; bwOut: number }>;
+    domainActivity: statsInterfaces.IDomainActivity[];
+    frontendProtocols?: statsInterfaces.IProtocolDistribution | null;
+    backendProtocols?: statsInterfaces.IProtocolDistribution | null;
   };
 }

ts_migrations/index.ts

@@ -21,6 +21,30 @@ export interface IMigrationRunner {
   run(): Promise<IMigrationRunResult>;
 }
 
+async function migrateTargetProfileTargetHosts(ctx: {
+  mongo?: { collection: (name: string) => any };
+  log: { log: (level: 'info', message: string) => void };
+}): Promise<void> {
+  const collection = ctx.mongo!.collection('TargetProfileDoc');
+  const cursor = collection.find({ 'targets.host': { $exists: true } });
+  let migrated = 0;
+
+  for await (const doc of cursor) {
+    const targets = ((doc as any).targets || []).map((target: any) => {
+      if (target && typeof target === 'object' && 'host' in target && !('ip' in target)) {
+        const { host, ...rest } = target;
+        return { ...rest, ip: host };
+      }
+      return target;
+    });
+
+    await collection.updateOne({ _id: (doc as any)._id }, { $set: { targets } });
+    migrated++;
+  }
+
+  ctx.log.log('info', `rename-target-profile-host-to-ip: migrated ${migrated} profile(s)`);
+}
+
 /**
  * Create a configured SmartMigration runner with all dcrouter migration steps registered.
  *
@@ -48,23 +72,7 @@ export async function createMigrationRunner(
     .step('rename-target-profile-host-to-ip')
     .from('13.0.11').to('13.1.0')
     .description('Rename ITargetProfileTarget.host → ip on all target profiles')
-    .up(async (ctx) => {
-      const collection = ctx.mongo!.collection('targetprofiledoc');
-      const cursor = collection.find({ 'targets.host': { $exists: true } });
-      let migrated = 0;
-      for await (const doc of cursor) {
-        const targets = ((doc as any).targets || []).map((t: any) => {
-          if (t && typeof t === 'object' && 'host' in t && !('ip' in t)) {
-            const { host, ...rest } = t;
-            return { ...rest, ip: host };
-          }
-          return t;
-        });
-        await collection.updateOne({ _id: (doc as any)._id }, { $set: { targets } });
-        migrated++;
-      }
-      ctx.log.log('info', `rename-target-profile-host-to-ip: migrated ${migrated} profile(s)`);
-    })
+    .up(async (ctx) => migrateTargetProfileTargetHosts(ctx))
     .step('rename-domain-source-manual-to-dcrouter')
     .from('13.1.0').to('13.8.1')
     .description('Rename DomainDoc.source value from "manual" to "dcrouter"')
@@ -92,6 +100,40 @@ export async function createMigrationRunner(
         'info',
         `rename-record-source-manual-to-local: migrated ${result.modifiedCount} record(s)`,
       );
+    })
+    .step('unify-routes-rename-collection')
+    .from('13.8.2').to('13.16.0')
+    .description('Rename StoredRouteDoc → RouteDoc, add origin field, drop RouteOverrideDoc')
+    .up(async (ctx) => {
+      const db = ctx.mongo!;
+
+      // 1. Rename StoredRouteDoc → RouteDoc (smartdata uses exact class names)
+      const collections = await db.listCollections({ name: 'StoredRouteDoc' }).toArray();
+      if (collections.length > 0) {
+        await db.renameCollection('StoredRouteDoc', 'RouteDoc');
+        ctx.log.log('info', 'Renamed StoredRouteDoc → RouteDoc');
+      }
+
+      // 2. Set origin='api' on all migrated docs (they were API-created)
+      const routeCol = db.collection('RouteDoc');
+      const result = await routeCol.updateMany(
+        { origin: { $exists: false } },
+        { $set: { origin: 'api' } },
+      );
+      ctx.log.log('info', `Set origin='api' on ${result.modifiedCount} migrated route(s)`);
+
+      // 3. Drop RouteOverrideDoc collection
+      const overrideCollections = await db.listCollections({ name: 'RouteOverrideDoc' }).toArray();
+      if (overrideCollections.length > 0) {
+        await db.collection('RouteOverrideDoc').drop();
+        ctx.log.log('info', 'Dropped RouteOverrideDoc collection');
+      }
+    })
+    .step('repair-target-profile-ip-migration')
+    .from('13.16.0').to('13.17.4')
+    .description('Repair TargetProfileDoc.targets host→ip migration for already-upgraded installs')
+    .up(async (ctx) => {
+      await migrateTargetProfileTargetHosts(ctx);
     });
 
   return migration;

ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.9.0',
+  version: '13.17.6',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts_web/appstate.ts

@@ -52,7 +52,9 @@ export interface INetworkState {
   throughputRate: { bytesInPerSecond: number; bytesOutPerSecond: number };
   totalBytes: { in: number; out: number };
   topIPs: Array<{ ip: string; count: number }>;
+  topIPsByBandwidth: Array<{ ip: string; count: number; bwIn: number; bwOut: number }>;
   throughputByIP: Array<{ ip: string; in: number; out: number }>;
+  domainActivity: interfaces.data.IDomainActivity[];
   throughputHistory: Array<{ timestamp: number; in: number; out: number }>;
   requestsPerSecond: number;
   requestsTotal: number;
@@ -160,7 +162,9 @@ export const networkStatePart = await appState.getStatePart<INetworkState>(
     throughputRate: { bytesInPerSecond: 0, bytesOutPerSecond: 0 },
     totalBytes: { in: 0, out: 0 },
     topIPs: [],
+    topIPsByBandwidth: [],
     throughputByIP: [],
+    domainActivity: [],
     throughputHistory: [],
     requestsPerSecond: 0,
     requestsTotal: 0,
@@ -518,14 +522,13 @@ export const fetchNetworkStatsAction = networkStatePart.createAction(async (stat
     });
 
     // Get network stats for throughput and IP data
-    const networkStatsRequest = new plugins.domtools.plugins.typedrequest.TypedRequest(
-      '/typedrequest',
-      'getNetworkStats'
-    );
-    
+    const networkStatsRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_GetNetworkStats
+    >('/typedrequest', 'getNetworkStats');
+
     const networkStatsResponse = await networkStatsRequest.fire({
       identity: context.identity,
-    }) as any;
+    });
 
     // Use the connections data for the connection list
     // and network stats for throughput and IP analytics
@@ -552,7 +555,9 @@ export const fetchNetworkStatsAction = networkStatePart.createAction(async (stat
         ? { in: networkStatsResponse.totalDataTransferred.bytesIn, out: networkStatsResponse.totalDataTransferred.bytesOut }
         : { in: 0, out: 0 },
       topIPs: networkStatsResponse.topIPs || [],
+      topIPsByBandwidth: networkStatsResponse.topIPsByBandwidth || [],
       throughputByIP: networkStatsResponse.throughputByIP || [],
+      domainActivity: networkStatsResponse.domainActivity || [],
       throughputHistory: networkStatsResponse.throughputHistory || [],
       requestsPerSecond: networkStatsResponse.requestsPerSecond || 0,
       requestsTotal: networkStatsResponse.requestsTotal || 0,
@@ -1887,6 +1892,32 @@ export const syncDomainAction = domainsStatePart.createAction<{ id: string }>(
   },
 );
 
+export const migrateDomainAction = domainsStatePart.createAction<{
+  id: string;
+  targetSource: interfaces.data.TDomainSource;
+  targetProviderId?: string;
+  deleteExistingProviderRecords?: boolean;
+}>(
+  async (statePartArg, dataArg, actionContext): Promise<IDomainsState> => {
+    const context = getActionContext();
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_MigrateDomain
+      >('/typedrequest', 'migrateDomain');
+      const response = await request.fire({ identity: context.identity!, ...dataArg });
+      if (!response.success) {
+        return { ...statePartArg.getState()!, error: response.message || 'Migration failed' };
+      }
+      return await actionContext!.dispatch(fetchDomainsAndProvidersAction, null);
+    } catch (error: unknown) {
+      return {
+        ...statePartArg.getState()!,
+        error: error instanceof Error ? error.message : 'Migration failed',
+      };
+    }
+  },
+);
+
 export const createDnsRecordAction = domainsStatePart.createAction<{
   domainId: string;
   name: string;
@@ -2188,58 +2219,6 @@ export const toggleRouteAction = routeManagementStatePart.createAction<{
   }
 });
 
-export const setRouteOverrideAction = routeManagementStatePart.createAction<{
-  routeName: string;
-  enabled: boolean;
-}>(async (statePartArg, dataArg, actionContext): Promise<IRouteManagementState> => {
-  const context = getActionContext();
-  const currentState = statePartArg.getState()!;
-
-  try {
-    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
-      interfaces.requests.IReq_SetRouteOverride
-    >('/typedrequest', 'setRouteOverride');
-
-    await request.fire({
-      identity: context.identity!,
-      routeName: dataArg.routeName,
-      enabled: dataArg.enabled,
-    });
-
-    return await actionContext!.dispatch(fetchMergedRoutesAction, null);
-  } catch (error: unknown) {
-    return {
-      ...currentState,
-      error: error instanceof Error ? error.message : 'Failed to set override',
-    };
-  }
-});
-
-export const removeRouteOverrideAction = routeManagementStatePart.createAction<string>(
-  async (statePartArg, routeName, actionContext): Promise<IRouteManagementState> => {
-    const context = getActionContext();
-    const currentState = statePartArg.getState()!;
-
-    try {
-      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
-        interfaces.requests.IReq_RemoveRouteOverride
-      >('/typedrequest', 'removeRouteOverride');
-
-      await request.fire({
-        identity: context.identity!,
-        routeName,
-      });
-
-      return await actionContext!.dispatch(fetchMergedRoutesAction, null);
-    } catch (error: unknown) {
-      return {
-        ...currentState,
-        error: error instanceof Error ? error.message : 'Failed to remove override',
-      };
-    }
-  }
-);
-
 // ============================================================================
 // API Token Actions
 // ============================================================================
@@ -2377,6 +2356,130 @@ export const toggleApiTokenAction = routeManagementStatePart.createAction<{
   }
 });
 
+// ============================================================================
+// Email Domains State
+// ============================================================================
+
+export interface IEmailDomainsState {
+  domains: interfaces.data.IEmailDomain[];
+  isLoading: boolean;
+  lastUpdated: number;
+}
+
+export const emailDomainsStatePart = await appState.getStatePart<IEmailDomainsState>(
+  'emailDomains',
+  {
+    domains: [],
+    isLoading: false,
+    lastUpdated: 0,
+  },
+  'soft',
+);
+
+export const fetchEmailDomainsAction = emailDomainsStatePart.createAction(
+  async (statePartArg): Promise<IEmailDomainsState> => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState()!;
+    if (!context.identity) return currentState;
+
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_GetEmailDomains
+      >('/typedrequest', 'getEmailDomains');
+      const response = await request.fire({ identity: context.identity });
+      return {
+        ...currentState,
+        domains: response.domains,
+        isLoading: false,
+        lastUpdated: Date.now(),
+      };
+    } catch {
+      return { ...currentState, isLoading: false };
+    }
+  },
+);
+
+export const createEmailDomainAction = emailDomainsStatePart.createAction<{
+  linkedDomainId: string;
+  subdomain?: string;
+  dkimSelector?: string;
+  dkimKeySize?: number;
+  rotateKeys?: boolean;
+  rotationIntervalDays?: number;
+}>(async (statePartArg, args, actionContext) => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState()!;
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_CreateEmailDomain
+    >('/typedrequest', 'createEmailDomain');
+    await request.fire({ identity: context.identity!, ...args });
+    return await actionContext!.dispatch(fetchEmailDomainsAction, null);
+  } catch {
+    return currentState;
+  }
+});
+
+export const deleteEmailDomainAction = emailDomainsStatePart.createAction<string>(
+  async (statePartArg, id, actionContext) => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState()!;
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_DeleteEmailDomain
+      >('/typedrequest', 'deleteEmailDomain');
+      await request.fire({ identity: context.identity!, id });
+      return await actionContext!.dispatch(fetchEmailDomainsAction, null);
+    } catch {
+      return currentState;
+    }
+  },
+);
+
+export const validateEmailDomainAction = emailDomainsStatePart.createAction<string>(
+  async (statePartArg, id, actionContext) => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState()!;
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_ValidateEmailDomain
+      >('/typedrequest', 'validateEmailDomain');
+      await request.fire({ identity: context.identity!, id });
+      return await actionContext!.dispatch(fetchEmailDomainsAction, null);
+    } catch {
+      return currentState;
+    }
+  },
+);
+
+export const provisionEmailDomainDnsAction = emailDomainsStatePart.createAction<string>(
+  async (statePartArg, id, actionContext) => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState()!;
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_ProvisionEmailDomainDns
+      >('/typedrequest', 'provisionEmailDomainDns');
+      await request.fire({ identity: context.identity!, id });
+      return await actionContext!.dispatch(fetchEmailDomainsAction, null);
+    } catch {
+      return currentState;
+    }
+  },
+);
+
+// ============================================================================
+// Email Domain Standalone Functions
+// ============================================================================
+
+export async function fetchEmailDomainDnsRecords(id: string) {
+  const context = getActionContext();
+  const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+    interfaces.requests.IReq_GetEmailDomainDnsRecords
+  >('/typedrequest', 'getEmailDomainDnsRecords');
+  return request.fire({ identity: context.identity!, id });
+}
+
 // ============================================================================
 // TypedSocket Client for Real-time Log Streaming
 // ============================================================================
@@ -2499,67 +2602,52 @@ async function dispatchCombinedRefreshActionInner() {
     if (combinedResponse.metrics.network && currentView === 'network') {
       const network = combinedResponse.metrics.network;
       const connectionsByIP: { [ip: string]: number } = {};
-      
-      // Convert connection details to IP counts
+
+      // Build connectionsByIP from connectionDetails (now populated with real per-IP data)
       network.connectionDetails.forEach(conn => {
         connectionsByIP[conn.remoteAddress] = (connectionsByIP[conn.remoteAddress] || 0) + 1;
       });
 
-      // Fetch detailed connections for the network view
-      try {
-        const connectionsRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
-          interfaces.requests.IReq_GetActiveConnections
-        >('/typedrequest', 'getActiveConnections');
-        
-        const connectionsResponse = await connectionsRequest.fire({
-          identity: context.identity,
-        });
+      // Build connections from connectionDetails (real per-IP aggregates)
+      const connections: interfaces.data.IConnectionInfo[] = network.connectionDetails.map((conn, i) => ({
+        id: `ip-${conn.remoteAddress}`,
+        remoteAddress: conn.remoteAddress,
+        localAddress: 'server',
+        startTime: conn.startTime,
+        protocol: conn.protocol as any,
+        state: conn.state as any,
+        bytesReceived: conn.bytesIn,
+        bytesSent: conn.bytesOut,
+      }));
 
-        networkStatePart.setState({
-          ...networkStatePart.getState()!,
-          connections: connectionsResponse.connections,
-          connectionsByIP,
-          throughputRate: {
-            bytesInPerSecond: network.totalBandwidth.in,
-            bytesOutPerSecond: network.totalBandwidth.out
-          },
-          totalBytes: network.totalBytes || { in: 0, out: 0 },
-          topIPs: network.topEndpoints.map(e => ({ ip: e.endpoint, count: e.requests })),
-          throughputByIP: network.topEndpoints.map(e => ({ ip: e.endpoint, in: e.bandwidth?.in || 0, out: e.bandwidth?.out || 0 })),
-          throughputHistory: network.throughputHistory || [],
-          requestsPerSecond: network.requestsPerSecond || 0,
-          requestsTotal: network.requestsTotal || 0,
-          backends: network.backends || [],
-          frontendProtocols: network.frontendProtocols || null,
-          backendProtocols: network.backendProtocols || null,
-          lastUpdated: Date.now(),
-          isLoading: false,
-          error: null,
-        });
-      } catch (error: unknown) {
-        console.error('Failed to fetch connections:', error);
-        networkStatePart.setState({
-          ...networkStatePart.getState()!,
-          connections: [],
-          connectionsByIP,
-          throughputRate: {
-            bytesInPerSecond: network.totalBandwidth.in,
-            bytesOutPerSecond: network.totalBandwidth.out
-          },
-          totalBytes: network.totalBytes || { in: 0, out: 0 },
-          topIPs: network.topEndpoints.map(e => ({ ip: e.endpoint, count: e.requests })),
-          throughputByIP: network.topEndpoints.map(e => ({ ip: e.endpoint, in: e.bandwidth?.in || 0, out: e.bandwidth?.out || 0 })),
-          throughputHistory: network.throughputHistory || [],
-          requestsPerSecond: network.requestsPerSecond || 0,
-          requestsTotal: network.requestsTotal || 0,
-          backends: network.backends || [],
-          frontendProtocols: network.frontendProtocols || null,
-          backendProtocols: network.backendProtocols || null,
-          lastUpdated: Date.now(),
-          isLoading: false,
-          error: null,
-        });
-      }
+      networkStatePart.setState({
+        ...networkStatePart.getState()!,
+        connections,
+        connectionsByIP,
+        throughputRate: {
+          bytesInPerSecond: network.totalBandwidth.in,
+          bytesOutPerSecond: network.totalBandwidth.out,
+        },
+        totalBytes: network.totalBytes || { in: 0, out: 0 },
+        topIPs: network.topEndpoints.map(e => ({ ip: e.endpoint, count: e.connections })),
+        topIPsByBandwidth: (network.topEndpointsByBandwidth || []).map(e => ({
+          ip: e.endpoint,
+          count: e.connections,
+          bwIn: e.bandwidth?.in || 0,
+          bwOut: e.bandwidth?.out || 0,
+        })),
+        throughputByIP: network.topEndpoints.map(e => ({ ip: e.endpoint, in: e.bandwidth?.in || 0, out: e.bandwidth?.out || 0 })),
+        domainActivity: network.domainActivity || [],
+        throughputHistory: network.throughputHistory || [],
+        requestsPerSecond: network.requestsPerSecond || 0,
+        requestsTotal: network.requestsTotal || 0,
+        backends: network.backends || [],
+        frontendProtocols: network.frontendProtocols || null,
+        backendProtocols: network.backendProtocols || null,
+        lastUpdated: Date.now(),
+        isLoading: false,
+        error: null,
+      });
     }
 
     // Refresh certificate data if on Domains > Certificates subview

ts_web/elements/access/ops-view-apitokens.ts

@@ -222,7 +222,7 @@ export class OpsViewApiTokens extends DeesElement {
             .suggestions=${allScopes}
             .required=${true}
           ></dees-input-tags>
-          <dees-input-text .key=${'expiresInDays'} .label=${'Expires in (days, blank = never)'}></dees-input-text>
+          <dees-input-text .key=${'expiresInDays'} .label=${'Expires in'} .description=${'Number of days; leave blank for no expiration'}></dees-input-text>
         </dees-form>
       `,
       menuOptions: [

ts_web/elements/domains/dns-provider-form.ts

@@ -80,22 +80,6 @@ export class DnsProviderForm extends DeesElement {
         margin-bottom: 12px;
       }
 
-      .helpText {
-        font-size: 12px;
-        opacity: 0.7;
-        margin-top: -6px;
-        margin-bottom: 8px;
-      }
-
-      .typeDescription {
-        font-size: 12px;
-        opacity: 0.8;
-        margin: 4px 0 16px;
-        padding: 8px 12px;
-        background: ${cssManager.bdTheme('#f3f4f6', '#1f2937')};
-        border-radius: 6px;
-      }
-
       .credentialsHint {
         font-size: 12px;
         opacity: 0.7;
@@ -130,6 +114,7 @@ export class DnsProviderForm extends DeesElement {
                 <dees-input-text
                   .key=${'__type_display'}
                   .label=${'Type'}
+                  .infoText=${descriptor?.description || ''}
                   .value=${descriptor?.displayName ?? this.selectedType}
                   .disabled=${true}
                 ></dees-input-text>
@@ -140,6 +125,7 @@ export class DnsProviderForm extends DeesElement {
                 <dees-input-dropdown
                   .key=${'__type'}
                   .label=${'Provider type'}
+                  .infoText=${descriptor?.description || ''}
                   .options=${descriptors.map((d) => ({ option: d.displayName, key: d.type }))}
                   .selectedOption=${descriptor
                     ? { option: descriptor.displayName, key: descriptor.type }
@@ -158,7 +144,6 @@ export class DnsProviderForm extends DeesElement {
             `}
         ${descriptor
           ? html`
-              <div class="typeDescription">${descriptor.description}</div>
               ${this.credentialsHint
                 ? html`<div class="credentialsHint">${this.credentialsHint}</div>`
                 : ''}
@@ -168,9 +153,9 @@ export class DnsProviderForm extends DeesElement {
                     <dees-input-text
                       .key=${f.key}
                       .label=${f.label}
+                      .description=${f.helpText || ''}
                       .required=${f.required && !this.lockType}
                     ></dees-input-text>
-                    ${f.helpText ? html`<div class="helpText">${f.helpText}</div>` : ''}
                   </div>
                 `,
               )}

ts_web/elements/domains/ops-view-certificates.ts

@@ -54,62 +54,6 @@ export class OpsViewCertificates extends DeesElement {
         gap: 24px;
       }
 
-      .acmeCard {
-        padding: 16px 20px;
-        background: ${cssManager.bdTheme('#f9fafb', '#111827')};
-        border: 1px solid ${cssManager.bdTheme('#e5e7eb', '#374151')};
-        border-radius: 8px;
-      }
-
-      .acmeCard.acmeCardEmpty {
-        background: ${cssManager.bdTheme('#fffbeb', '#1c1917')};
-        border-color: ${cssManager.bdTheme('#fde68a', '#78350f')};
-      }
-
-      .acmeCardHeader {
-        display: flex;
-        justify-content: space-between;
-        align-items: center;
-        margin-bottom: 12px;
-      }
-
-      .acmeCardTitle {
-        font-size: 14px;
-        font-weight: 600;
-        color: ${cssManager.bdTheme('#111827', '#f3f4f6')};
-      }
-
-      .acmeGrid {
-        display: grid;
-        grid-template-columns: repeat(auto-fit, minmax(180px, 1fr));
-        gap: 12px 24px;
-      }
-
-      .acmeField {
-        display: flex;
-        flex-direction: column;
-        gap: 2px;
-      }
-
-      .acmeLabel {
-        font-size: 11px;
-        text-transform: uppercase;
-        letter-spacing: 0.03em;
-        color: ${cssManager.bdTheme('#6b7280', '#9ca3af')};
-      }
-
-      .acmeValue {
-        font-size: 13px;
-        color: ${cssManager.bdTheme('#111827', '#f3f4f6')};
-      }
-
-      .acmeEmptyHint {
-        margin: 0;
-        font-size: 13px;
-        line-height: 1.5;
-        color: ${cssManager.bdTheme('#78350f', '#fde68a')};
-      }
-
       .statusBadge {
         display: inline-flex;
         align-items: center;
@@ -226,73 +170,38 @@ export class OpsViewCertificates extends DeesElement {
       <dees-heading level="3">Certificates</dees-heading>
 
       <div class="certificatesContainer">
-        ${this.renderAcmeSettingsCard()}
         ${this.renderStatsTiles(summary)}
+        ${this.renderAcmeSettingsTile()}
         ${this.renderCertificateTable()}
       </div>
     `;
   }
 
-  private renderAcmeSettingsCard(): TemplateResult {
+  private renderAcmeSettingsTile(): TemplateResult {
     const config = this.acmeState.config;
 
     if (!config) {
       return html`
-        <div class="acmeCard acmeCardEmpty">
-          <div class="acmeCardHeader">
-            <span class="acmeCardTitle">ACME Settings</span>
-            <dees-button
-              eventName="edit-acme"
-              @click=${() => this.showEditAcmeDialog()}
-              .type=${'highlighted'}
-            >Configure</dees-button>
-          </div>
-          <p class="acmeEmptyHint">
-            No ACME configuration yet. Click <strong>Configure</strong> to set up automated TLS
-            certificate issuance via Let's Encrypt. You'll also need at least one DNS provider
-            under <strong>Domains &gt; Providers</strong>.
-          </p>
-        </div>
+        <dees-settings
+          .heading=${'ACME Settings'}
+          .description=${'No ACME configuration yet. Click Configure to set up automated TLS certificate issuance via Let\'s Encrypt. You\'ll also need at least one DNS provider under Domains > Providers.'}
+          .actions=${[{ name: 'Configure', action: () => this.showEditAcmeDialog() }]}
+        ></dees-settings>
       `;
     }
 
     return html`
-      <div class="acmeCard">
-        <div class="acmeCardHeader">
-          <span class="acmeCardTitle">ACME Settings</span>
-          <dees-button eventName="edit-acme" @click=${() => this.showEditAcmeDialog()}>Edit</dees-button>
-        </div>
-        <div class="acmeGrid">
-          <div class="acmeField">
-            <span class="acmeLabel">Account email</span>
-            <span class="acmeValue">${config.accountEmail || '(not set)'}</span>
-          </div>
-          <div class="acmeField">
-            <span class="acmeLabel">Status</span>
-            <span class="acmeValue">
-              <span class="statusBadge ${config.enabled ? 'valid' : 'unknown'}">
-                ${config.enabled ? 'enabled' : 'disabled'}
-              </span>
-            </span>
-          </div>
-          <div class="acmeField">
-            <span class="acmeLabel">Mode</span>
-            <span class="acmeValue">
-              <span class="statusBadge ${config.useProduction ? 'valid' : 'provisioning'}">
-                ${config.useProduction ? 'production' : 'staging'}
-              </span>
-            </span>
-          </div>
-          <div class="acmeField">
-            <span class="acmeLabel">Auto-renew</span>
-            <span class="acmeValue">${config.autoRenew ? 'on' : 'off'}</span>
-          </div>
-          <div class="acmeField">
-            <span class="acmeLabel">Renewal threshold</span>
-            <span class="acmeValue">${config.renewThresholdDays} days</span>
-          </div>
-        </div>
-      </div>
+      <dees-settings
+        .heading=${'ACME Settings'}
+        .settingsFields=${[
+          { key: 'email', label: 'Account email', value: config.accountEmail || '(not set)' },
+          { key: 'status', label: 'Status', value: config.enabled ? 'enabled' : 'disabled' },
+          { key: 'mode', label: 'Mode', value: config.useProduction ? 'production' : 'staging' },
+          { key: 'autoRenew', label: 'Auto-renew', value: config.autoRenew ? 'on' : 'off' },
+          { key: 'threshold', label: 'Renewal threshold', value: `${config.renewThresholdDays} days` },
+        ]}
+        .actions=${[{ name: 'Edit', action: () => this.showEditAcmeDialog() }]}
+      ></dees-settings>
     `;
   }
 
@@ -317,7 +226,8 @@ export class OpsViewCertificates extends DeesElement {
           ></dees-input-checkbox>
           <dees-input-checkbox
             .key=${'useProduction'}
-            .label=${"Use Let's Encrypt production (uncheck for staging)"}
+            .label=${"Use Let's Encrypt production"}
+            .description=${'Uncheck to use the staging environment'}
             .value=${current?.useProduction ?? true}
           ></dees-input-checkbox>
           <dees-input-checkbox
@@ -327,7 +237,8 @@ export class OpsViewCertificates extends DeesElement {
           ></dees-input-checkbox>
           <dees-input-text
             .key=${'renewThresholdDays'}
-            .label=${'Renewal threshold (days)'}
+            .label=${'Renewal threshold'}
+            .description=${'Number of days before expiry to trigger renewal'}
             .value=${String(current?.renewThresholdDays ?? 30)}
           ></dees-input-text>
         </dees-form>
@@ -456,11 +367,12 @@ export class OpsViewCertificates extends DeesElement {
                 content: html`
                   <dees-form>
                     <dees-input-fileupload
-                      key="certJsonFile"
-                      label="Certificate JSON (.tsclass.cert.json)"
-                      accept=".json"
+                      .key=${'certJsonFile'}
+                      .label=${'Certificate JSON'}
+                      .description=${'Upload a .tsclass.cert.json file'}
+                      .accept=${'.json'}
                       .multiple=${false}
-                      required
+                      .required=${true}
                     ></dees-input-fileupload>
                   </dees-form>
                 `,

ts_web/elements/domains/ops-view-dns.ts

@@ -101,8 +101,8 @@ export class OpsViewDns extends DeesElement {
       <dees-heading level="3">DNS Records</dees-heading>
       <div class="dnsContainer">
         <div class="domainPicker">
-          <span>Domain:</span>
           <dees-input-dropdown
+            .label=${'Domain'}
             .options=${domains.map((d) => ({ option: d.name, key: d.id }))}
             .selectedOption=${selectedId
               ? { option: domains.find((d) => d.id === selectedId)?.name || '', key: selectedId }
@@ -196,7 +196,7 @@ export class OpsViewDns extends DeesElement {
       heading: 'Add DNS Record',
       content: html`
         <dees-form>
-          <dees-input-text .key=${'name'} .label=${'Name (FQDN)'} .required=${true}></dees-input-text>
+          <dees-input-text .key=${'name'} .label=${'Name'} .description=${'Fully qualified domain name'} .required=${true}></dees-input-text>
           <dees-input-dropdown
             .key=${'type'}
             .label=${'Type'}
@@ -205,10 +205,11 @@ export class OpsViewDns extends DeesElement {
           ></dees-input-dropdown>
           <dees-input-text
             .key=${'value'}
-            .label=${'Value (for MX use "10 mail.example.com")'}
+            .label=${'Value'}
+            .description=${'For MX records use priority format, e.g. "10 mail.example.com"'}
             .required=${true}
           ></dees-input-text>
-          <dees-input-text .key=${'ttl'} .label=${'TTL (seconds)'} .value=${'300'}></dees-input-text>
+          <dees-input-text .key=${'ttl'} .label=${'TTL'} .description=${'Time to live in seconds'} .value=${'300'}></dees-input-text>
         </dees-form>
       `,
       menuOptions: [
@@ -242,9 +243,9 @@ export class OpsViewDns extends DeesElement {
       heading: `Edit ${rec.type} ${rec.name}`,
       content: html`
         <dees-form>
-          <dees-input-text .key=${'name'} .label=${'Name (FQDN)'} .value=${rec.name}></dees-input-text>
+          <dees-input-text .key=${'name'} .label=${'Name'} .description=${'Fully qualified domain name'} .value=${rec.name}></dees-input-text>
           <dees-input-text .key=${'value'} .label=${'Value'} .value=${rec.value}></dees-input-text>
-          <dees-input-text .key=${'ttl'} .label=${'TTL (seconds)'} .value=${String(rec.ttl)}></dees-input-text>
+          <dees-input-text .key=${'ttl'} .label=${'TTL'} .description=${'Time to live in seconds'} .value=${String(rec.ttl)}></dees-input-text>
         </dees-form>
       `,
       menuOptions: [

ts_web/elements/domains/ops-view-domains.ts

@@ -149,6 +149,15 @@ export class OpsViewDomains extends DeesElement {
                 });
               },
             },
+            {
+              name: 'Migrate',
+              iconName: 'lucide:arrow-right-left',
+              type: ['inRow', 'contextmenu'] as any,
+              actionFunc: async (actionData: any) => {
+                const domain = actionData.item as interfaces.data.IDomain;
+                await this.showMigrateDialog(domain);
+              },
+            },
             {
               name: 'Delete',
               iconName: 'lucide:trash2',
@@ -181,8 +190,8 @@ export class OpsViewDomains extends DeesElement {
       heading: 'Add DcRouter Domain',
       content: html`
         <dees-form>
-          <dees-input-text .key=${'name'} .label=${'FQDN (e.g. example.com)'} .required=${true}></dees-input-text>
-          <dees-input-text .key=${'description'} .label=${'Description (optional)'}></dees-input-text>
+          <dees-input-text .key=${'name'} .label=${'FQDN'} .description=${'e.g. example.com'} .required=${true}></dees-input-text>
+          <dees-input-text .key=${'description'} .label=${'Description'}></dees-input-text>
         </dees-form>
         <p style="margin-top: 12px; font-size: 12px; opacity: 0.7;">
           dcrouter will become the authoritative DNS server for this domain. You'll need to
@@ -235,7 +244,8 @@ export class OpsViewDomains extends DeesElement {
           ></dees-input-dropdown>
           <dees-input-text
             .key=${'domainNames'}
-            .label=${'Comma-separated FQDNs to import (e.g. example.com, foo.com)'}
+            .label=${'Domain Names'}
+            .description=${'Comma-separated FQDNs, e.g. example.com, foo.com'}
             .required=${true}
           ></dees-input-text>
         </dees-form>
@@ -307,6 +317,94 @@ export class OpsViewDomains extends DeesElement {
     });
   }
 
+  private async showMigrateDialog(domain: interfaces.data.IDomain) {
+    const { DeesModal, DeesToast } = await import('@design.estate/dees-catalog');
+    const providers = this.domainsState.providers;
+
+    // Build target options based on current source
+    const targetOptions: { option: string; key: string }[] = [];
+    for (const p of providers) {
+      // Skip current source
+      if (p.builtIn && domain.source === 'dcrouter') continue;
+      if (!p.builtIn && domain.source === 'provider' && domain.providerId === p.id) continue;
+
+      const label = p.builtIn ? 'DcRouter (self)' : `${p.name} (${p.type})`;
+      const key = p.builtIn ? 'dcrouter' : `provider:${p.id}`;
+      targetOptions.push({ option: label, key });
+    }
+
+    if (targetOptions.length === 0) {
+      DeesToast.show({
+        message: 'No migration targets available. Add a DNS provider first.',
+        type: 'warning',
+        duration: 3000,
+      });
+      return;
+    }
+
+    const currentLabel = domain.source === 'dcrouter'
+      ? 'DcRouter (self)'
+      : providers.find((p) => p.id === domain.providerId)?.name || 'Provider';
+
+    DeesModal.createAndShow({
+      heading: `Migrate: ${domain.name}`,
+      content: html`
+        <dees-form>
+          <dees-input-text
+            .key=${'currentSource'}
+            .label=${'Current source'}
+            .value=${currentLabel}
+            .disabled=${true}
+          ></dees-input-text>
+          <dees-input-dropdown
+            .key=${'target'}
+            .label=${'Migrate to'}
+            .description=${'Select the target DNS management'}
+            .options=${targetOptions}
+            .required=${true}
+          ></dees-input-dropdown>
+          <dees-input-checkbox
+            .key=${'deleteExisting'}
+            .label=${'Delete existing records at provider first'}
+            .description=${'Removes all records at the provider before pushing migrated records'}
+            .value=${true}
+          ></dees-input-checkbox>
+        </dees-form>
+      `,
+      menuOptions: [
+        { name: 'Cancel', action: async (m: any) => m.destroy() },
+        {
+          name: 'Migrate',
+          action: async (m: any) => {
+            const form = m.shadowRoot?.querySelector('.content')?.querySelector('dees-form');
+            if (!form) return;
+            const data = await form.collectFormData();
+            const targetKey = typeof data.target === 'object' ? data.target.key : data.target;
+            if (!targetKey) return;
+
+            let targetSource: interfaces.data.TDomainSource;
+            let targetProviderId: string | undefined;
+            if (targetKey === 'dcrouter') {
+              targetSource = 'dcrouter';
+            } else {
+              targetSource = 'provider';
+              targetProviderId = targetKey.replace('provider:', '');
+            }
+
+            await appstate.domainsStatePart.dispatchAction(appstate.migrateDomainAction, {
+              id: domain.id,
+              targetSource,
+              targetProviderId,
+              deleteExistingProviderRecords: targetSource === 'provider' ? Boolean(data.deleteExisting) : false,
+            });
+            DeesToast.show({ message: `Domain ${domain.name} migrated successfully`, type: 'success', duration: 3000 });
+            m.destroy();
+          },
+        },
+      ],
+    });
+  }
+
   private async deleteDomain(domain: interfaces.data.IDomain) {
     const { DeesModal } = await import('@design.estate/dees-catalog');
     DeesModal.createAndShow({

ts_web/elements/email/index.ts

@@ -1,2 +1,3 @@
 export * from './ops-view-emails.js';
 export * from './ops-view-email-security.js';
+export * from './ops-view-email-domains.js';

ts_web/elements/email/ops-view-email-domains.ts

@@ -0,0 +1,396 @@
+import {
+  DeesElement,
+  html,
+  customElement,
+  type TemplateResult,
+  css,
+  state,
+  cssManager,
+} from '@design.estate/dees-element';
+import * as appstate from '../../appstate.js';
+import * as interfaces from '../../../dist_ts_interfaces/index.js';
+import { viewHostCss } from '../shared/css.js';
+import { type IStatsTile } from '@design.estate/dees-catalog';
+
+declare global {
+  interface HTMLElementTagNameMap {
+    'ops-view-email-domains': OpsViewEmailDomains;
+  }
+}
+
+@customElement('ops-view-email-domains')
+export class OpsViewEmailDomains extends DeesElement {
+  @state()
+  accessor emailDomainsState: appstate.IEmailDomainsState =
+    appstate.emailDomainsStatePart.getState()!;
+
+  @state()
+  accessor domainsState: appstate.IDomainsState = appstate.domainsStatePart.getState()!;
+
+  constructor() {
+    super();
+    const sub = appstate.emailDomainsStatePart.select().subscribe((s) => {
+      this.emailDomainsState = s;
+    });
+    this.rxSubscriptions.push(sub);
+    const domSub = appstate.domainsStatePart.select().subscribe((s) => {
+      this.domainsState = s;
+    });
+    this.rxSubscriptions.push(domSub);
+  }
+
+  async connectedCallback() {
+    await super.connectedCallback();
+    await appstate.emailDomainsStatePart.dispatchAction(appstate.fetchEmailDomainsAction, null);
+    await appstate.domainsStatePart.dispatchAction(appstate.fetchDomainsAndProvidersAction, null);
+  }
+
+  public static styles = [
+    cssManager.defaultStyles,
+    viewHostCss,
+    css`
+      .emailDomainsContainer {
+        display: flex;
+        flex-direction: column;
+        gap: 24px;
+      }
+
+      .statusBadge {
+        display: inline-flex;
+        align-items: center;
+        padding: 3px 10px;
+        border-radius: 12px;
+        font-size: 12px;
+        font-weight: 600;
+        letter-spacing: 0.02em;
+        text-transform: uppercase;
+      }
+
+      .statusBadge.valid {
+        background: ${cssManager.bdTheme('#dcfce7', '#14532d')};
+        color: ${cssManager.bdTheme('#166534', '#4ade80')};
+      }
+
+      .statusBadge.missing {
+        background: ${cssManager.bdTheme('#fef2f2', '#450a0a')};
+        color: ${cssManager.bdTheme('#991b1b', '#f87171')};
+      }
+
+      .statusBadge.invalid {
+        background: ${cssManager.bdTheme('#fff7ed', '#431407')};
+        color: ${cssManager.bdTheme('#9a3412', '#fb923c')};
+      }
+
+      .statusBadge.unchecked {
+        background: ${cssManager.bdTheme('#f3f4f6', '#1f2937')};
+        color: ${cssManager.bdTheme('#4b5563', '#9ca3af')};
+      }
+
+      .sourceBadge {
+        display: inline-flex;
+        align-items: center;
+        padding: 3px 8px;
+        border-radius: 4px;
+        font-size: 11px;
+        font-weight: 500;
+        background: ${cssManager.bdTheme('#f3f4f6', '#1f2937')};
+        color: ${cssManager.bdTheme('#374151', '#d1d5db')};
+      }
+    `,
+  ];
+
+  public render(): TemplateResult {
+    const domains = this.emailDomainsState.domains;
+    const validCount = domains.filter(
+      (d) =>
+        d.dnsStatus.mx === 'valid' &&
+        d.dnsStatus.spf === 'valid' &&
+        d.dnsStatus.dkim === 'valid' &&
+        d.dnsStatus.dmarc === 'valid',
+    ).length;
+    const issueCount = domains.length - validCount;
+
+    const tiles: IStatsTile[] = [
+      {
+        id: 'total',
+        title: 'Total Domains',
+        value: domains.length,
+        type: 'number',
+        icon: 'lucide:globe',
+        color: '#3b82f6',
+      },
+      {
+        id: 'valid',
+        title: 'Valid DNS',
+        value: validCount,
+        type: 'number',
+        icon: 'lucide:Check',
+        color: '#22c55e',
+      },
+      {
+        id: 'issues',
+        title: 'Issues',
+        value: issueCount,
+        type: 'number',
+        icon: 'lucide:TriangleAlert',
+        color: issueCount > 0 ? '#ef4444' : '#22c55e',
+      },
+      {
+        id: 'dkim',
+        title: 'DKIM Active',
+        value: domains.filter((d) => d.dkim.publicKey).length,
+        type: 'number',
+        icon: 'lucide:KeyRound',
+        color: '#8b5cf6',
+      },
+    ];
+
+    return html`
+      <dees-heading level="3">Email Domains</dees-heading>
+
+      <div class="emailDomainsContainer">
+        <dees-statsgrid
+          .tiles=${tiles}
+          .minTileWidth=${200}
+          .gridActions=${[
+            {
+              name: 'Refresh',
+              iconName: 'lucide:RefreshCw',
+              action: async () => {
+                await appstate.emailDomainsStatePart.dispatchAction(
+                  appstate.fetchEmailDomainsAction,
+                  null,
+                );
+              },
+            },
+          ]}
+        ></dees-statsgrid>
+
+        <dees-table
+          .heading1=${'Email Domains'}
+          .heading2=${'DKIM, SPF, DMARC and MX management'}
+          .data=${domains}
+          .showColumnFilters=${true}
+          .displayFunction=${(d: interfaces.data.IEmailDomain) => ({
+            Domain: d.domain,
+            Source: this.renderSourceBadge(d.linkedDomainId),
+            MX: this.renderDnsStatus(d.dnsStatus.mx),
+            SPF: this.renderDnsStatus(d.dnsStatus.spf),
+            DKIM: this.renderDnsStatus(d.dnsStatus.dkim),
+            DMARC: this.renderDnsStatus(d.dnsStatus.dmarc),
+          })}
+          .dataActions=${[
+            {
+              name: 'Add Email Domain',
+              iconName: 'lucide:plus',
+              type: ['header'] as any,
+              actionFunc: async () => {
+                await this.showCreateDialog();
+              },
+            },
+            {
+              name: 'Validate DNS',
+              iconName: 'lucide:search-check',
+              type: ['inRow', 'contextmenu'] as any,
+              actionFunc: async (actionData: any) => {
+                const d = actionData.item as interfaces.data.IEmailDomain;
+                await appstate.emailDomainsStatePart.dispatchAction(
+                  appstate.validateEmailDomainAction,
+                  d.id,
+                );
+                const { DeesToast } = await import('@design.estate/dees-catalog');
+                DeesToast.show({ message: `DNS validated for ${d.domain}`, type: 'success', duration: 2500 });
+              },
+            },
+            {
+              name: 'Provision DNS',
+              iconName: 'lucide:wand-sparkles',
+              type: ['inRow', 'contextmenu'] as any,
+              actionFunc: async (actionData: any) => {
+                const d = actionData.item as interfaces.data.IEmailDomain;
+                await appstate.emailDomainsStatePart.dispatchAction(
+                  appstate.provisionEmailDomainDnsAction,
+                  d.id,
+                );
+                const { DeesToast } = await import('@design.estate/dees-catalog');
+                DeesToast.show({ message: `DNS records provisioned for ${d.domain}`, type: 'success', duration: 2500 });
+              },
+            },
+            {
+              name: 'View DNS Records',
+              iconName: 'lucide:list',
+              type: ['inRow', 'contextmenu'] as any,
+              actionFunc: async (actionData: any) => {
+                const d = actionData.item as interfaces.data.IEmailDomain;
+                await this.showDnsRecordsDialog(d);
+              },
+            },
+            {
+              name: 'Delete',
+              iconName: 'lucide:trash2',
+              type: ['inRow', 'contextmenu'] as any,
+              actionFunc: async (actionData: any) => {
+                const d = actionData.item as interfaces.data.IEmailDomain;
+                await appstate.emailDomainsStatePart.dispatchAction(
+                  appstate.deleteEmailDomainAction,
+                  d.id,
+                );
+              },
+            },
+          ]}
+          dataName="email domain"
+        ></dees-table>
+      </div>
+    `;
+  }
+
+  private renderDnsStatus(status: interfaces.data.TDnsRecordStatus): TemplateResult {
+    return html`<span class="statusBadge ${status}">${status}</span>`;
+  }
+
+  private renderSourceBadge(linkedDomainId: string): TemplateResult {
+    const domain = this.domainsState.domains.find((d) => d.id === linkedDomainId);
+    if (!domain) return html`<span class="sourceBadge">unknown</span>`;
+    const label =
+      domain.source === 'dcrouter'
+        ? 'dcrouter'
+        : this.domainsState.providers.find((p) => p.id === domain.providerId)?.name || 'provider';
+    return html`<span class="sourceBadge">${label}</span>`;
+  }
+
+  private async showCreateDialog() {
+    const { DeesModal } = await import('@design.estate/dees-catalog');
+    const domainOptions = this.domainsState.domains.map((d) => ({
+      option: `${d.name} (${d.source})`,
+      key: d.id,
+    }));
+
+    DeesModal.createAndShow({
+      heading: 'Add Email Domain',
+      content: html`
+        <dees-form>
+          <dees-input-dropdown
+            .key=${'linkedDomainId'}
+            .label=${'Domain'}
+            .description=${'Select an existing DNS domain'}
+            .options=${domainOptions}
+            .required=${true}
+          ></dees-input-dropdown>
+          <dees-input-text
+            .key=${'subdomain'}
+            .label=${'Subdomain'}
+            .description=${'Leave empty for bare domain, e.g. "mail" for mail.example.com'}
+          ></dees-input-text>
+          <dees-input-text
+            .key=${'dkimSelector'}
+            .label=${'DKIM Selector'}
+            .description=${'Identifier used in DNS record name'}
+            .value=${'default'}
+          ></dees-input-text>
+          <dees-input-dropdown
+            .key=${'dkimKeySize'}
+            .label=${'DKIM Key Size'}
+            .options=${[
+              { option: '2048 (recommended)', key: '2048' },
+              { option: '1024', key: '1024' },
+              { option: '4096', key: '4096' },
+            ]}
+            .selectedOption=${{ option: '2048 (recommended)', key: '2048' }}
+          ></dees-input-dropdown>
+          <dees-input-checkbox
+            .key=${'rotateKeys'}
+            .label=${'Auto-rotate DKIM keys'}
+            .value=${false}
+          ></dees-input-checkbox>
+        </dees-form>
+      `,
+      menuOptions: [
+        { name: 'Cancel', action: async (m: any) => m.destroy() },
+        {
+          name: 'Create',
+          action: async (m: any) => {
+            const form = m.shadowRoot?.querySelector('.content')?.querySelector('dees-form');
+            if (!form) return;
+            const data = await form.collectFormData();
+            const linkedDomainId =
+              typeof data.linkedDomainId === 'object'
+                ? data.linkedDomainId.key
+                : data.linkedDomainId;
+            const keySize =
+              typeof data.dkimKeySize === 'object'
+                ? parseInt(data.dkimKeySize.key, 10)
+                : parseInt(data.dkimKeySize || '2048', 10);
+
+            const subdomain = data.subdomain?.trim() || undefined;
+            await appstate.emailDomainsStatePart.dispatchAction(
+              appstate.createEmailDomainAction,
+              {
+                linkedDomainId,
+                subdomain,
+                dkimSelector: data.dkimSelector || 'default',
+                dkimKeySize: keySize,
+                rotateKeys: Boolean(data.rotateKeys),
+              },
+            );
+            m.destroy();
+          },
+        },
+      ],
+    });
+  }
+
+  private async showDnsRecordsDialog(emailDomain: interfaces.data.IEmailDomain) {
+    const { DeesModal, DeesToast } = await import('@design.estate/dees-catalog');
+
+    // Fetch required DNS records
+    let records: interfaces.data.IEmailDnsRecord[] = [];
+    try {
+      const response = await appstate.fetchEmailDomainDnsRecords(emailDomain.id);
+      records = response.records;
+    } catch {
+      records = [];
+    }
+
+    DeesModal.createAndShow({
+      heading: `DNS Records: ${emailDomain.domain}`,
+      content: html`
+        <dees-table
+          .data=${records}
+          .displayFunction=${(r: interfaces.data.IEmailDnsRecord) => ({
+            Type: r.type,
+            Name: r.name,
+            Value: r.value,
+            Status: html`<span class="statusBadge ${r.status}">${r.status}</span>`,
+          })}
+          .dataActions=${[
+            {
+              name: 'Copy Value',
+              iconName: 'lucide:copy',
+              type: ['inRow'] as any,
+              actionFunc: async (actionData: any) => {
+                const rec = actionData.item as interfaces.data.IEmailDnsRecord;
+                await navigator.clipboard.writeText(rec.value);
+                DeesToast.show({ message: 'Copied to clipboard', type: 'success', duration: 1500 });
+              },
+            },
+          ]}
+          dataName="DNS record"
+        ></dees-table>
+      `,
+      menuOptions: [
+        {
+          name: 'Auto-Provision All',
+          action: async (m: any) => {
+            await appstate.emailDomainsStatePart.dispatchAction(
+              appstate.provisionEmailDomainDnsAction,
+              emailDomain.id,
+            );
+            DeesToast.show({ message: 'DNS records provisioned', type: 'success', duration: 2500 });
+            m.destroy();
+          },
+        },
+        { name: 'Close', action: async (m: any) => m.destroy() },
+      ],
+    });
+  }
+}

ts_web/elements/email/ops-view-email-security.ts

@@ -37,25 +37,10 @@ export class OpsViewEmailSecurity extends DeesElement {
     cssManager.defaultStyles,
     viewHostCss,
     css`
-      h2 {
-        margin: 32px 0 16px 0;
-        font-size: 24px;
-        font-weight: 600;
-        color: ${cssManager.bdTheme('#333', '#ccc')};
-      }
-      dees-statsgrid {
-        margin-bottom: 32px;
-      }
-      .securityCard {
-        background: ${cssManager.bdTheme('#fff', '#222')};
-        border: 1px solid ${cssManager.bdTheme('#e9ecef', '#333')};
-        border-radius: 8px;
-        padding: 24px;
-        position: relative;
-        overflow: hidden;
-      }
-      .actionButton {
-        margin-top: 16px;
+      .securityContainer {
+        display: flex;
+        flex-direction: column;
+        gap: 24px;
       }
     `,
   ];
@@ -113,48 +98,44 @@ export class OpsViewEmailSecurity extends DeesElement {
     return html`
       <dees-heading level="3">Email Security</dees-heading>
 
-      <dees-statsgrid
-        .tiles=${tiles}
-        .minTileWidth=${200}
-      ></dees-statsgrid>
+      <div class="securityContainer">
+        <dees-statsgrid
+          .tiles=${tiles}
+          .minTileWidth=${200}
+        ></dees-statsgrid>
 
-      <h2>Email Security Configuration</h2>
-      <div class="securityCard">
-        <dees-form>
-          <dees-input-checkbox
-            .key=${'enableSPF'}
-            .label=${'Enable SPF checking'}
-            .value=${true}
-          ></dees-input-checkbox>
-          <dees-input-checkbox
-            .key=${'enableDKIM'}
-            .label=${'Enable DKIM validation'}
-            .value=${true}
-          ></dees-input-checkbox>
-          <dees-input-checkbox
-            .key=${'enableDMARC'}
-            .label=${'Enable DMARC policy enforcement'}
-            .value=${true}
-          ></dees-input-checkbox>
-          <dees-input-checkbox
-            .key=${'enableSpamFilter'}
-            .label=${'Enable spam filtering'}
-            .value=${true}
-          ></dees-input-checkbox>
-        </dees-form>
-        <dees-button
-          class="actionButton"
-          type="highlighted"
-          @click=${() => this.saveEmailSecuritySettings()}
-        >
-          Save Settings
-        </dees-button>
+        <dees-settings
+          .heading=${'Security Configuration'}
+          .settingsFields=${[
+            { key: 'spf', label: 'SPF checking', value: 'enabled' },
+            { key: 'dkim', label: 'DKIM validation', value: 'enabled' },
+            { key: 'dmarc', label: 'DMARC policy', value: 'enabled' },
+            { key: 'spam', label: 'Spam filtering', value: 'enabled' },
+          ]}
+          .actions=${[{ name: 'Edit', action: () => this.showEditSecurityDialog() }]}
+        ></dees-settings>
       </div>
     `;
   }
 
-  private async saveEmailSecuritySettings() {
-    // Config is read-only from the UI for now
-    alert('Email security settings are read-only. Update the dcrouter configuration file to change these settings.');
+  private async showEditSecurityDialog() {
+    const { DeesModal } = await import('@design.estate/dees-catalog');
+    DeesModal.createAndShow({
+      heading: 'Edit Security Configuration',
+      content: html`
+        <dees-form>
+          <dees-input-checkbox .key=${'enableSPF'} .label=${'SPF checking'} .value=${true}></dees-input-checkbox>
+          <dees-input-checkbox .key=${'enableDKIM'} .label=${'DKIM validation'} .value=${true}></dees-input-checkbox>
+          <dees-input-checkbox .key=${'enableDMARC'} .label=${'DMARC policy enforcement'} .value=${true}></dees-input-checkbox>
+          <dees-input-checkbox .key=${'enableSpamFilter'} .label=${'Spam filtering'} .value=${true}></dees-input-checkbox>
+        </dees-form>
+        <p style="margin-top: 12px; font-size: 12px; opacity: 0.7;">
+          These settings are read-only for now. Update the dcrouter configuration to change them.
+        </p>
+      `,
+      menuOptions: [
+        { name: 'Close', action: async (modalArg: any) => modalArg.destroy() },
+      ],
+    });
   }
 }

ts_web/elements/network/ops-view-network-activity.ts

@@ -10,22 +10,6 @@ declare global {
   }
 }
 
-interface INetworkRequest {
-  id: string;
-  timestamp: number;
-  method: string;
-  url: string;
-  hostname: string;
-  port: number;
-  protocol: 'http' | 'https' | 'tcp' | 'udp';
-  statusCode?: number;
-  duration: number;
-  bytesIn: number;
-  bytesOut: number;
-  remoteIp: string;
-  route?: string;
-}
-
 @customElement('ops-view-network-activity')
 export class OpsViewNetworkActivity extends DeesElement {
   /** How far back the traffic chart shows */
@@ -42,9 +26,6 @@ export class OpsViewNetworkActivity extends DeesElement {
   accessor networkState = appstate.networkStatePart.getState()!;
 
 
-  @state()
-  accessor networkRequests: INetworkRequest[] = [];
-
   @state()
   accessor trafficDataIn: Array<{ x: string | number; y: number }> = [];
 
@@ -314,106 +295,21 @@ export class OpsViewNetworkActivity extends DeesElement {
         <!-- Protocol Distribution Charts -->
         ${this.renderProtocolCharts()}
 
-        <!-- Top IPs Section -->
+        <!-- Top IPs by Connection Count -->
         ${this.renderTopIPs()}
 
+        <!-- Top IPs by Bandwidth -->
+        ${this.renderTopIPsByBandwidth()}
+
+        <!-- Domain Activity -->
+        ${this.renderDomainActivity()}
+
         <!-- Backend Protocols Section -->
         ${this.renderBackendProtocols()}
-
-        <!-- Requests Table -->
-        <dees-table
-          .data=${this.networkRequests}
-          .displayFunction=${(req: INetworkRequest) => ({
-            Time: new Date(req.timestamp).toLocaleTimeString(),
-            Protocol: html`<span class="protocolBadge ${req.protocol}">${req.protocol.toUpperCase()}</span>`,
-            Method: req.method,
-            'Host:Port': `${req.hostname}:${req.port}`,
-            Path: this.truncateUrl(req.url),
-            Status: this.renderStatus(req.statusCode),
-            Duration: `${req.duration}ms`,
-            'In/Out': `${this.formatBytes(req.bytesIn)} / ${this.formatBytes(req.bytesOut)}`,
-            'Remote IP': req.remoteIp,
-          })}
-          .dataActions=${[
-            {
-              name: 'View Details',
-              iconName: 'fa:magnifyingGlass',
-              type: ['inRow', 'doubleClick', 'contextmenu'],
-              actionFunc: async (actionData) => {
-                await this.showRequestDetails(actionData.item);
-              }
-            }
-          ]}
-          heading1="Recent Network Activity"
-          heading2="Recent network requests"
-          searchable
-          .showColumnFilters=${true}
-          .pagination=${true}
-          .paginationSize=${50}
-          dataName="request"
-        ></dees-table>
       </div>
     `;
   }
 
-  private async showRequestDetails(request: INetworkRequest) {
-    const { DeesModal } = await import('@design.estate/dees-catalog');
-
-    await DeesModal.createAndShow({
-      heading: 'Request Details',
-      content: html`
-        <div style="padding: 20px;">
-          <dees-dataview-codebox
-            .heading=${'Request Information'}
-            progLang="json"
-            .codeToDisplay=${JSON.stringify({
-              id: request.id,
-              timestamp: new Date(request.timestamp).toISOString(),
-              protocol: request.protocol,
-              method: request.method,
-              url: request.url,
-              hostname: request.hostname,
-              port: request.port,
-              statusCode: request.statusCode,
-              duration: `${request.duration}ms`,
-              bytesIn: request.bytesIn,
-              bytesOut: request.bytesOut,
-              remoteIp: request.remoteIp,
-              route: request.route,
-            }, null, 2)}
-          ></dees-dataview-codebox>
-        </div>
-      `,
-      menuOptions: [
-        {
-          name: 'Copy Request ID',
-          iconName: 'lucide:Copy',
-          action: async () => {
-            await navigator.clipboard.writeText(request.id);
-          }
-        }
-      ]
-    });
-  }
-
-
-  private renderStatus(statusCode?: number): TemplateResult {
-    if (!statusCode) {
-      return html`<span class="statusBadge warning">N/A</span>`;
-    }
-
-    const statusClass = statusCode >= 200 && statusCode < 300 ? 'success' :
-                       statusCode >= 400 ? 'error' : 'warning';
-
-    return html`<span class="statusBadge ${statusClass}">${statusCode}</span>`;
-  }
-
-  private truncateUrl(url: string, maxLength = 50): string {
-    if (url.length <= maxLength) return url;
-    return url.substring(0, maxLength - 3) + '...';
-  }
-
-
   private formatNumber(num: number): string {
     if (num >= 1000000) {
       return (num / 1000000).toFixed(1) + 'M';
@@ -595,6 +491,8 @@ export class OpsViewNetworkActivity extends DeesElement {
     return html`
       <dees-table
         .data=${this.networkState.topIPs}
+        .rowKey=${'ip'}
+        .highlightUpdates=${'flash'}
         .displayFunction=${(ipData: { ip: string; count: number }) => {
           const bw = bandwidthByIP.get(ipData.ip);
           return {
@@ -615,6 +513,67 @@ export class OpsViewNetworkActivity extends DeesElement {
     `;
   }
 
+  private renderTopIPsByBandwidth(): TemplateResult {
+    if (!this.networkState.topIPsByBandwidth || this.networkState.topIPsByBandwidth.length === 0) {
+      return html``;
+    }
+
+    return html`
+      <dees-table
+        .data=${this.networkState.topIPsByBandwidth}
+        .rowKey=${'ip'}
+        .highlightUpdates=${'flash'}
+        .displayFunction=${(ipData: { ip: string; count: number; bwIn: number; bwOut: number }) => {
+          return {
+            'IP Address': ipData.ip,
+            'Bandwidth In': this.formatBitsPerSecond(ipData.bwIn),
+            'Bandwidth Out': this.formatBitsPerSecond(ipData.bwOut),
+            'Total Bandwidth': this.formatBitsPerSecond(ipData.bwIn + ipData.bwOut),
+            'Connections': ipData.count,
+          };
+        }}
+        heading1="Top IPs by Bandwidth"
+        heading2="IPs with highest throughput"
+        searchable
+        .showColumnFilters=${true}
+        .pagination=${false}
+        dataName="ip"
+      ></dees-table>
+    `;
+  }
+
+  private renderDomainActivity(): TemplateResult {
+    if (!this.networkState.domainActivity || this.networkState.domainActivity.length === 0) {
+      return html``;
+    }
+
+    return html`
+      <dees-table
+        .data=${this.networkState.domainActivity}
+        .rowKey=${'domain'}
+        .highlightUpdates=${'flash'}
+        .displayFunction=${(item: interfaces.data.IDomainActivity) => {
+          const totalBytesPerMin = (item.bytesInPerSecond + item.bytesOutPerSecond) * 60;
+          return {
+            'Domain': item.domain,
+            'Throughput In': this.formatBitsPerSecond(item.bytesInPerSecond),
+            'Throughput Out': this.formatBitsPerSecond(item.bytesOutPerSecond),
+            'Transferred / min': this.formatBytes(totalBytesPerMin),
+            'Connections': item.activeConnections,
+            'Requests': item.requestCount?.toLocaleString() ?? '0',
+            'Routes': item.routeCount,
+          };
+        }}
+        heading1="Domain Activity"
+        heading2="Per-domain network activity from request-level metrics"
+        searchable
+        .showColumnFilters=${true}
+        .pagination=${false}
+        dataName="domain"
+      ></dees-table>
+    `;
+  }
+
   private renderBackendProtocols(): TemplateResult {
     const backends = this.networkState.backends;
     if (!backends || backends.length === 0) {
@@ -624,6 +583,8 @@ export class OpsViewNetworkActivity extends DeesElement {
     return html`
       <dees-table
         .data=${backends}
+        .rowKey=${'backend'}
+        .highlightUpdates=${'flash'}
         .displayFunction=${(item: interfaces.data.IBackendInfo) => {
           const totalErrors = item.connectErrors + item.handshakeErrors + item.requestErrors;
           const protocolClass = item.protocol.toLowerCase().replace(/[^a-z0-9]/g, '');
@@ -724,38 +685,6 @@ export class OpsViewNetworkActivity extends DeesElement {
       this.requestsPerSecHistory.shift();
     }
 
-    // Only update if connections changed significantly
-    const newConnectionCount = this.networkState.connections.length;
-    const oldConnectionCount = this.networkRequests.length;
-
-    // Check if we need to update the network requests array
-    const shouldUpdate = newConnectionCount !== oldConnectionCount ||
-                        newConnectionCount === 0 ||
-                        (newConnectionCount > 0 && this.networkRequests.length === 0);
-
-    if (shouldUpdate) {
-      // Convert connection data to network requests format
-      if (newConnectionCount > 0) {
-        this.networkRequests = this.networkState.connections.map((conn, index) => ({
-          id: conn.id,
-          timestamp: conn.startTime,
-          method: 'GET', // Default method for proxy connections
-          url: '/',
-          hostname: conn.remoteAddress,
-          port: conn.protocol === 'https' ? 443 : 80,
-          protocol: conn.protocol === 'https' || conn.protocol === 'http' ? conn.protocol : 'tcp',
-          statusCode: conn.state === 'connected' ? 200 : undefined,
-          duration: Date.now() - conn.startTime,
-          bytesIn: conn.bytesReceived,
-          bytesOut: conn.bytesSent,
-          remoteIp: conn.remoteAddress,
-          route: 'proxy',
-        }));
-      } else {
-        this.networkRequests = [];
-      }
-    }
-
     // Load server-side throughput history into chart (once)
     if (!this.historyLoaded && this.networkState.throughputHistory && this.networkState.throughputHistory.length > 0) {
       this.loadThroughputHistory();

ts_web/elements/network/ops-view-remoteingress.ts

@@ -220,6 +220,8 @@ export class OpsViewRemoteIngress extends DeesElement {
           .heading1=${'Edge Nodes'}
           .heading2=${'Manage remote ingress edge registrations'}
           .data=${this.riState.edges}
+          .rowKey=${'id'}
+          .highlightUpdates=${'flash'}
           .showColumnFilters=${true}
           .displayFunction=${(edge: interfaces.data.IRemoteIngress) => ({
             name: edge.name,
@@ -241,9 +243,9 @@ export class OpsViewRemoteIngress extends DeesElement {
                   content: html`
                     <dees-form>
                       <dees-input-text .key=${'name'} .label=${'Name'} .required=${true}></dees-input-text>
-                      <dees-input-text .key=${'listenPorts'} .label=${'Additional Manual Ports (comma-separated, optional)'}></dees-input-text>
+                      <dees-input-text .key=${'listenPorts'} .label=${'Manual Ports'} .description=${'Comma-separated port numbers, optional'}></dees-input-text>
                       <dees-input-checkbox .key=${'autoDerivePorts'} .label=${'Auto-derive ports from routes'} .value=${true}></dees-input-checkbox>
-                      <dees-input-text .key=${'tags'} .label=${'Tags (comma-separated, optional)'}></dees-input-text>
+                      <dees-input-text .key=${'tags'} .label=${'Tags'} .description=${'Comma-separated, optional'}></dees-input-text>
                     </dees-form>
                   `,
                   menuOptions: [
@@ -318,9 +320,9 @@ export class OpsViewRemoteIngress extends DeesElement {
                   content: html`
                     <dees-form>
                       <dees-input-text .key=${'name'} .label=${'Name'} .value=${edge.name}></dees-input-text>
-                      <dees-input-text .key=${'listenPorts'} .label=${'Manual Ports (comma-separated)'} .value=${(edge.listenPorts || []).join(', ')}></dees-input-text>
+                      <dees-input-text .key=${'listenPorts'} .label=${'Manual Ports'} .description=${'Comma-separated port numbers'} .value=${(edge.listenPorts || []).join(', ')}></dees-input-text>
                       <dees-input-checkbox .key=${'autoDerivePorts'} .label=${'Auto-derive ports from routes'} .value=${edge.autoDerivePorts !== false}></dees-input-checkbox>
-                      <dees-input-text .key=${'tags'} .label=${'Tags (comma-separated)'} .value=${(edge.tags || []).join(', ')}></dees-input-text>
+                      <dees-input-text .key=${'tags'} .label=${'Tags'} .description=${'Comma-separated'} .value=${(edge.tags || []).join(', ')}></dees-input-text>
                     </dees-form>
                   `,
                   menuOptions: [

ts_web/elements/network/ops-view-routes.ts

@@ -49,6 +49,8 @@ function setupTlsVisibility(formEl: any) {
 
 @customElement('ops-view-routes')
 export class OpsViewRoutes extends DeesElement {
+  @state() accessor routeFilter: 'User Routes' | 'System Routes' = 'User Routes';
+
   @state() accessor routeState: appstate.IRouteManagementState = {
     mergedRoutes: [],
     warnings: [],
@@ -140,9 +142,9 @@ export class OpsViewRoutes extends DeesElement {
   public render(): TemplateResult {
     const { mergedRoutes, warnings } = this.routeState;
 
-    const hardcodedCount = mergedRoutes.filter((mr) => mr.source === 'hardcoded').length;
-    const programmaticCount = mergedRoutes.filter((mr) => mr.source === 'programmatic').length;
     const disabledCount = mergedRoutes.filter((mr) => !mr.enabled).length;
+    const configCount = mergedRoutes.filter((mr) => mr.origin !== 'api').length;
+    const apiCount = mergedRoutes.filter((mr) => mr.origin === 'api').length;
 
     const statsTiles: IStatsTile[] = [
       {
@@ -155,21 +157,21 @@ export class OpsViewRoutes extends DeesElement {
         color: '#3b82f6',
       },
       {
-        id: 'hardcoded',
-        title: 'Hardcoded',
+        id: 'configRoutes',
+        title: 'System Routes',
         type: 'number',
-        value: hardcodedCount,
-        icon: 'lucide:lock',
-        description: 'Routes from constructor config',
+        value: configCount,
+        icon: 'lucide:settings',
+        description: 'From config, email, and DNS',
         color: '#8b5cf6',
       },
       {
-        id: 'programmatic',
-        title: 'Programmatic',
+        id: 'apiRoutes',
+        title: 'User Routes',
         type: 'number',
-        value: programmaticCount,
+        value: apiCount,
         icon: 'lucide:code',
-        description: 'Routes added via API',
+        description: 'Created via API',
         color: '#0ea5e9',
       },
       {
@@ -183,18 +185,23 @@ export class OpsViewRoutes extends DeesElement {
       },
     ];
 
-    // Map merged routes to sz-route-list-view format
-    const szRoutes = mergedRoutes.map((mr) => {
+    // Filter routes based on selected tab
+    const isUserRoutes = this.routeFilter === 'User Routes';
+    const filteredRoutes = mergedRoutes.filter((mr) =>
+      isUserRoutes ? mr.origin === 'api' : mr.origin !== 'api'
+    );
+
+    // Map filtered routes to sz-route-list-view format
+    const szRoutes = filteredRoutes.map((mr) => {
       const tags = [...(mr.route.tags || [])];
-      tags.push(mr.source);
+      tags.push(mr.origin);
       if (!mr.enabled) tags.push('disabled');
-      if (mr.overridden) tags.push('overridden');
 
       return {
         ...mr.route,
         enabled: mr.enabled,
         tags,
-        id: mr.storedRouteId || mr.route.name || undefined,
+        id: mr.id || mr.route.name || undefined,
         metadata: mr.metadata,
       };
     });
@@ -219,6 +226,13 @@ export class OpsViewRoutes extends DeesElement {
           ]}
         ></dees-statsgrid>
 
+        <dees-input-multitoggle
+          class="routeFilterToggle"
+          .type=${'single'}
+          .options=${['User Routes', 'System Routes']}
+          .selectedOption=${this.routeFilter}
+        ></dees-input-multitoggle>
+
         ${warnings.length > 0
           ? html`
               <div class="warnings-bar">
@@ -238,7 +252,7 @@ export class OpsViewRoutes extends DeesElement {
           ? html`
               <sz-route-list-view
                 .routes=${szRoutes}
-                .showActionsFilter=${(route: any) => route.tags?.includes('programmatic') ?? false}
+                .showActionsFilter=${isUserRoutes ? () => true : () => false}
                 @route-click=${(e: CustomEvent) => this.handleRouteClick(e)}
                 @route-edit=${(e: CustomEvent) => this.handleRouteEdit(e)}
                 @route-delete=${(e: CustomEvent) => this.handleRouteDelete(e)}
@@ -246,8 +260,8 @@ export class OpsViewRoutes extends DeesElement {
             `
           : html`
               <div class="empty-state">
-                <p>No routes configured</p>
-                <p>Add a programmatic route or check your constructor configuration.</p>
+                <p>No ${isUserRoutes ? 'user' : 'system'} routes</p>
+                <p>${isUserRoutes ? 'Add a route to get started.' : 'System routes are generated from config, email, and DNS settings.'}</p>
               </div>
             `}
       </div>
@@ -266,112 +280,56 @@ export class OpsViewRoutes extends DeesElement {
 
     const { DeesModal } = await import('@design.estate/dees-catalog');
 
-    if (merged.source === 'hardcoded') {
-      const menuOptions = merged.enabled
-        ? [
-            {
-              name: 'Disable Route',
-              iconName: 'lucide:pause',
-              action: async (modalArg: any) => {
-                await appstate.routeManagementStatePart.dispatchAction(
-                  appstate.setRouteOverrideAction,
-                  { routeName: merged.route.name!, enabled: false },
-                );
-                await modalArg.destroy();
-              },
-            },
-            {
-              name: 'Close',
-              iconName: 'lucide:x',
-              action: async (modalArg: any) => await modalArg.destroy(),
-            },
-          ]
-        : [
-            {
-              name: 'Enable Route',
-              iconName: 'lucide:play',
-              action: async (modalArg: any) => {
-                await appstate.routeManagementStatePart.dispatchAction(
-                  appstate.setRouteOverrideAction,
-                  { routeName: merged.route.name!, enabled: true },
-                );
-                await modalArg.destroy();
-              },
-            },
-            {
-              name: 'Remove Override',
-              iconName: 'lucide:undo',
-              action: async (modalArg: any) => {
-                await appstate.routeManagementStatePart.dispatchAction(
-                  appstate.removeRouteOverrideAction,
-                  merged.route.name!,
-                );
-                await modalArg.destroy();
-              },
-            },
-            {
-              name: 'Close',
-              iconName: 'lucide:x',
-              action: async (modalArg: any) => await modalArg.destroy(),
-            },
-          ];
-
-      await DeesModal.createAndShow({
-        heading: `Route: ${merged.route.name}`,
-        content: html`
-          <div style="color: #ccc; padding: 8px 0;">
-            <p>Source: <strong style="color: #88f;">hardcoded</strong></p>
-            <p>Status: <strong>${merged.enabled ? 'Enabled' : 'Disabled (overridden)'}</strong></p>
-            <p style="color: #888; font-size: 13px;">Hardcoded routes cannot be edited or deleted, but they can be disabled via an override.</p>
-          </div>
-        `,
-        menuOptions,
-      });
-    } else {
-      // Programmatic route
-      const meta = merged.metadata;
-      await DeesModal.createAndShow({
-        heading: `Route: ${merged.route.name}`,
-        content: html`
-          <div style="color: #ccc; padding: 8px 0;">
-            <p>Source: <strong style="color: #0af;">programmatic</strong></p>
-            <p>Status: <strong>${merged.enabled ? 'Enabled' : 'Disabled'}</strong></p>
-            <p>ID: <code style="color: #888;">${merged.storedRouteId}</code></p>
-            ${meta?.sourceProfileName ? html`<p>Source Profile: <strong style="color: #a78bfa;">${meta.sourceProfileName}</strong></p>` : ''}
-            ${meta?.networkTargetName ? html`<p>Network Target: <strong style="color: #a78bfa;">${meta.networkTargetName}</strong></p>` : ''}
-          </div>
-        `,
-        menuOptions: [
-          {
-            name: merged.enabled ? 'Disable' : 'Enable',
-            iconName: merged.enabled ? 'lucide:pause' : 'lucide:play',
-            action: async (modalArg: any) => {
-              await appstate.routeManagementStatePart.dispatchAction(
-                appstate.toggleRouteAction,
-                { id: merged.storedRouteId!, enabled: !merged.enabled },
-              );
-              await modalArg.destroy();
-            },
+    const meta = merged.metadata;
+    await DeesModal.createAndShow({
+      heading: `Route: ${merged.route.name}`,
+      content: html`
+        <div style="color: #ccc; padding: 8px 0;">
+          <p>Origin: <strong style="color: #0af;">${merged.origin}</strong></p>
+          <p>Status: <strong>${merged.enabled ? 'Enabled' : 'Disabled'}</strong></p>
+          <p>ID: <code style="color: #888;">${merged.id}</code></p>
+          ${meta?.sourceProfileName ? html`<p>Source Profile: <strong style="color: #a78bfa;">${meta.sourceProfileName}</strong></p>` : ''}
+          ${meta?.networkTargetName ? html`<p>Network Target: <strong style="color: #a78bfa;">${meta.networkTargetName}</strong></p>` : ''}
+        </div>
+      `,
+      menuOptions: [
+        {
+          name: merged.enabled ? 'Disable' : 'Enable',
+          iconName: merged.enabled ? 'lucide:pause' : 'lucide:play',
+          action: async (modalArg: any) => {
+            await appstate.routeManagementStatePart.dispatchAction(
+              appstate.toggleRouteAction,
+              { id: merged.id, enabled: !merged.enabled },
+            );
+            await modalArg.destroy();
           },
-          {
-            name: 'Delete',
-            iconName: 'lucide:trash-2',
-            action: async (modalArg: any) => {
-              await appstate.routeManagementStatePart.dispatchAction(
-                appstate.deleteRouteAction,
-                merged.storedRouteId!,
-              );
-              await modalArg.destroy();
-            },
+        },
+        {
+          name: 'Edit',
+          iconName: 'lucide:pencil',
+          action: async (modalArg: any) => {
+            await modalArg.destroy();
+            this.showEditRouteDialog(merged);
           },
-          {
-            name: 'Close',
-            iconName: 'lucide:x',
-            action: async (modalArg: any) => await modalArg.destroy(),
+        },
+        {
+          name: 'Delete',
+          iconName: 'lucide:trash-2',
+          action: async (modalArg: any) => {
+            await appstate.routeManagementStatePart.dispatchAction(
+              appstate.deleteRouteAction,
+              merged.id,
+            );
+            await modalArg.destroy();
           },
-        ],
-      });
-    }
+        },
+        {
+          name: 'Close',
+          iconName: 'lucide:x',
+          action: async (modalArg: any) => await modalArg.destroy(),
+        },
+      ],
+    });
   }
 
   private async handleRouteEdit(e: CustomEvent) {
@@ -381,7 +339,7 @@ export class OpsViewRoutes extends DeesElement {
     const merged = this.routeState.mergedRoutes.find(
       (mr) => mr.route.name === clickedRoute.name,
     );
-    if (!merged || !merged.storedRouteId) return;
+    if (!merged) return;
 
     this.showEditRouteDialog(merged);
   }
@@ -393,7 +351,7 @@ export class OpsViewRoutes extends DeesElement {
     const merged = this.routeState.mergedRoutes.find(
       (mr) => mr.route.name === clickedRoute.name,
     );
-    if (!merged || !merged.storedRouteId) return;
+    if (!merged) return;
 
     const { DeesModal } = await import('@design.estate/dees-catalog');
     await DeesModal.createAndShow({
@@ -415,7 +373,7 @@ export class OpsViewRoutes extends DeesElement {
           action: async (modalArg: any) => {
             await appstate.routeManagementStatePart.dispatchAction(
               appstate.deleteRouteAction,
-              merged.storedRouteId!,
+              merged.id,
             );
             await modalArg.destroy();
           },
@@ -473,19 +431,19 @@ export class OpsViewRoutes extends DeesElement {
       content: html`
         <dees-form>
           <dees-input-text .key=${'name'} .label=${'Route Name'} .value=${route.name || ''} .required=${true}></dees-input-text>
-          <dees-input-text .key=${'ports'} .label=${'Ports (comma-separated)'} .value=${currentPorts} .required=${true}></dees-input-text>
+          <dees-input-text .key=${'ports'} .label=${'Ports'} .description=${'Comma-separated, e.g. 80, 443'} .value=${currentPorts} .required=${true}></dees-input-text>
           <dees-input-list .key=${'domains'} .label=${'Domains'} .placeholder=${'Add domain...'} .value=${currentDomains}></dees-input-list>
-          <dees-input-text .key=${'priority'} .label=${'Priority (higher = matched first)'} .value=${route.priority != null ? String(route.priority) : ''}></dees-input-text>
+          <dees-input-text .key=${'priority'} .label=${'Priority'} .description=${'Higher values are matched first'} .value=${route.priority != null ? String(route.priority) : ''}></dees-input-text>
           <dees-input-dropdown .key=${'sourceProfileRef'} .label=${'Source Profile'} .options=${profileOptions} .selectedOption=${profileOptions.find((o) => o.key === (merged.metadata?.sourceProfileRef || '')) || null}></dees-input-dropdown>
           <dees-input-dropdown .key=${'networkTargetRef'} .label=${'Network Target'} .options=${targetOptions} .selectedOption=${targetOptions.find((o) => o.key === (merged.metadata?.networkTargetRef || '')) || null}></dees-input-dropdown>
-          <dees-input-text .key=${'targetHost'} .label=${'Target Host (if no target selected)'} .value=${currentTargetHost}></dees-input-text>
-          <dees-input-text .key=${'targetPort'} .label=${'Target Port (if no target selected)'} .value=${currentTargetPort}></dees-input-text>
+          <dees-input-text .key=${'targetHost'} .label=${'Target Host'} .description=${'Used when no network target is selected'} .value=${currentTargetHost}></dees-input-text>
+          <dees-input-text .key=${'targetPort'} .label=${'Target Port'} .description=${'Used when no network target is selected'} .value=${currentTargetPort}></dees-input-text>
           <dees-input-dropdown .key=${'tlsMode'} .label=${'TLS Mode'} .options=${tlsModeOptions} .selectedOption=${tlsModeOptions.find((o) => o.key === currentTlsMode) || tlsModeOptions[0]}></dees-input-dropdown>
           <div class="tlsCertificateGroup" style="display: ${needsCert ? 'flex' : 'none'}; flex-direction: column; gap: 16px;">
             <dees-input-dropdown .key=${'tlsCertificate'} .label=${'Certificate'} .options=${tlsCertOptions} .selectedOption=${tlsCertOptions.find((o) => o.key === currentTlsCert) || tlsCertOptions[0]}></dees-input-dropdown>
             <div class="tlsCustomCertGroup" style="display: ${needsCert && isCustom ? 'flex' : 'none'}; flex-direction: column; gap: 16px;">
-              <dees-input-text .key=${'tlsCertKey'} .label=${'Private Key (PEM)'} .value=${currentCustomKey}></dees-input-text>
-              <dees-input-text .key=${'tlsCertCert'} .label=${'Certificate (PEM)'} .value=${currentCustomCert}></dees-input-text>
+              <dees-input-text .key=${'tlsCertKey'} .label=${'Private Key'} .description=${'PEM-encoded private key'} .value=${currentCustomKey}></dees-input-text>
+              <dees-input-text .key=${'tlsCertCert'} .label=${'Certificate'} .description=${'PEM-encoded certificate'} .value=${currentCustomCert}></dees-input-text>
             </div>
           </div>
         </dees-form>
@@ -563,7 +521,7 @@ export class OpsViewRoutes extends DeesElement {
             await appstate.routeManagementStatePart.dispatchAction(
               appstate.updateRouteAction,
               {
-                id: merged.storedRouteId!,
+                id: merged.id,
                 route: updatedRoute,
                 metadata: Object.keys(metadata).length > 0 ? metadata : undefined,
               },
@@ -603,23 +561,23 @@ export class OpsViewRoutes extends DeesElement {
     ];
 
     const createModal = await DeesModal.createAndShow({
-      heading: 'Add Programmatic Route',
+      heading: 'Add Route',
       content: html`
         <dees-form>
           <dees-input-text .key=${'name'} .label=${'Route Name'} .required=${true}></dees-input-text>
-          <dees-input-text .key=${'ports'} .label=${'Ports (comma-separated)'} .required=${true}></dees-input-text>
+          <dees-input-text .key=${'ports'} .label=${'Ports'} .description=${'Comma-separated, e.g. 80, 443'} .required=${true}></dees-input-text>
           <dees-input-list .key=${'domains'} .label=${'Domains'} .placeholder=${'Add domain...'}></dees-input-list>
-          <dees-input-text .key=${'priority'} .label=${'Priority (higher = matched first)'}></dees-input-text>
+          <dees-input-text .key=${'priority'} .label=${'Priority'} .description=${'Higher values are matched first'}></dees-input-text>
           <dees-input-dropdown .key=${'sourceProfileRef'} .label=${'Source Profile'} .options=${profileOptions}></dees-input-dropdown>
           <dees-input-dropdown .key=${'networkTargetRef'} .label=${'Network Target'} .options=${targetOptions}></dees-input-dropdown>
-          <dees-input-text .key=${'targetHost'} .label=${'Target Host (if no target selected)'} .value=${'localhost'}></dees-input-text>
-          <dees-input-text .key=${'targetPort'} .label=${'Target Port (if no target selected)'}></dees-input-text>
+          <dees-input-text .key=${'targetHost'} .label=${'Target Host'} .description=${'Used when no network target is selected'} .value=${'localhost'}></dees-input-text>
+          <dees-input-text .key=${'targetPort'} .label=${'Target Port'} .description=${'Used when no network target is selected'}></dees-input-text>
           <dees-input-dropdown .key=${'tlsMode'} .label=${'TLS Mode'} .options=${tlsModeOptions} .selectedOption=${tlsModeOptions[0]}></dees-input-dropdown>
           <div class="tlsCertificateGroup" style="display: none; flex-direction: column; gap: 16px;">
             <dees-input-dropdown .key=${'tlsCertificate'} .label=${'Certificate'} .options=${tlsCertOptions} .selectedOption=${tlsCertOptions[0]}></dees-input-dropdown>
             <div class="tlsCustomCertGroup" style="display: none; flex-direction: column; gap: 16px;">
-              <dees-input-text .key=${'tlsCertKey'} .label=${'Private Key (PEM)'}></dees-input-text>
-              <dees-input-text .key=${'tlsCertCert'} .label=${'Certificate (PEM)'}></dees-input-text>
+              <dees-input-text .key=${'tlsCertKey'} .label=${'Private Key'} .description=${'PEM-encoded private key'}></dees-input-text>
+              <dees-input-text .key=${'tlsCertCert'} .label=${'Certificate'} .description=${'PEM-encoded certificate'}></dees-input-text>
             </div>
           </div>
         </dees-form>
@@ -719,5 +677,13 @@ export class OpsViewRoutes extends DeesElement {
 
   async firstUpdated() {
     await appstate.routeManagementStatePart.dispatchAction(appstate.fetchMergedRoutesAction, null);
+
+    const toggle = this.shadowRoot!.querySelector('.routeFilterToggle') as any;
+    if (toggle) {
+      const sub = toggle.changeSubject.subscribe(() => {
+        this.routeFilter = toggle.selectedOption;
+      });
+      this.rxSubscriptions.push(sub);
+    }
   }
 }

ts_web/elements/network/ops-view-targetprofiles.ts

@@ -95,7 +95,7 @@ export class OpsViewTargetProfiles extends DeesElement {
               ? html`${profile.targets.map(t => html`<span class="tagBadge">${t.ip}:${t.port}</span>`)}`
               : '-',
             'Route Refs': profile.routeRefs?.length
-              ? html`${profile.routeRefs.map(r => html`<span class="tagBadge">${r}</span>`)}`
+              ? html`${profile.routeRefs.map(r => html`<span class="tagBadge">${this.formatRouteRef(r)}</span>`)}`
               : '-',
             Created: new Date(profile.createdAt).toLocaleDateString(),
           })}
@@ -149,12 +149,57 @@ export class OpsViewTargetProfiles extends DeesElement {
     `;
   }
 
-  private getRouteCandidates() {
+  private getRouteChoices() {
     const routeState = appstate.routeManagementStatePart.getState();
     const routes = routeState?.mergedRoutes || [];
     return routes
-      .filter((mr) => mr.route.name)
-      .map((mr) => ({ viewKey: mr.route.name! }));
+      .filter((mr) => mr.route.name && mr.id)
+      .map((mr) => ({
+        routeId: mr.id!,
+        routeName: mr.route.name!,
+        label: `${mr.route.name} (${mr.id})`,
+      }));
+  }
+
+  private getRouteCandidates() {
+    return this.getRouteChoices().map((route) => ({ viewKey: route.label }));
+  }
+
+  private resolveRouteRefsToLabels(routeRefs?: string[]): string[] | undefined {
+    if (!routeRefs?.length) return undefined;
+
+    const routeChoices = this.getRouteChoices();
+    const routeById = new Map(routeChoices.map((route) => [route.routeId, route.label]));
+    const routeByName = new Map<string, string[]>();
+
+    for (const route of routeChoices) {
+      const labels = routeByName.get(route.routeName) || [];
+      labels.push(route.label);
+      routeByName.set(route.routeName, labels);
+    }
+
+    return routeRefs.map((routeRef) => {
+      const routeLabel = routeById.get(routeRef);
+      if (routeLabel) return routeLabel;
+
+      const labelsForName = routeByName.get(routeRef) || [];
+      if (labelsForName.length === 1) return labelsForName[0];
+
+      return routeRef;
+    });
+  }
+
+  private resolveRouteLabelsToRefs(routeRefs: string[]): string[] {
+    if (!routeRefs.length) return [];
+
+    const labelToId = new Map(
+      this.getRouteChoices().map((route) => [route.label, route.routeId]),
+    );
+    return routeRefs.map((routeRef) => labelToId.get(routeRef) || routeRef);
+  }
+
+  private formatRouteRef(routeRef: string): string {
+    return this.resolveRouteRefsToLabels([routeRef])?.[0] || routeRef;
   }
 
   private async ensureRoutesLoaded() {
@@ -176,7 +221,7 @@ export class OpsViewTargetProfiles extends DeesElement {
           <dees-input-text .key=${'name'} .label=${'Name'} .required=${true}></dees-input-text>
           <dees-input-text .key=${'description'} .label=${'Description'}></dees-input-text>
           <dees-input-list .key=${'domains'} .label=${'Domains'} .placeholder=${'e.g. *.example.com'} .allowFreeform=${true}></dees-input-list>
-          <dees-input-list .key=${'targets'} .label=${'Targets (ip:port)'} .placeholder=${'e.g. 10.0.0.1:443'} .allowFreeform=${true}></dees-input-list>
+          <dees-input-list .key=${'targets'} .label=${'Targets'} .description=${'Format: ip:port, e.g. 10.0.0.1:443'} .placeholder=${'e.g. 10.0.0.1:443'} .allowFreeform=${true}></dees-input-list>
           <dees-input-list .key=${'routeRefs'} .label=${'Route Refs'} .placeholder=${'Type to search routes...'} .candidates=${routeCandidates} .allowFreeform=${true}></dees-input-list>
         </dees-form>
       `,
@@ -203,7 +248,9 @@ export class OpsViewTargetProfiles extends DeesElement {
                 };
               })
               .filter((t): t is { ip: string; port: number } => t !== null && !isNaN(t.port));
-            const routeRefs: string[] = Array.isArray(data.routeRefs) ? data.routeRefs : [];
+            const routeRefs = this.resolveRouteLabelsToRefs(
+              Array.isArray(data.routeRefs) ? data.routeRefs : [],
+            );
 
             await appstate.targetProfilesStatePart.dispatchAction(appstate.createTargetProfileAction, {
               name: String(data.name),
@@ -222,7 +269,7 @@ export class OpsViewTargetProfiles extends DeesElement {
   private async showEditProfileDialog(profile: interfaces.data.ITargetProfile) {
     const currentDomains = profile.domains || [];
     const currentTargets = profile.targets?.map(t => `${t.ip}:${t.port}`) || [];
-    const currentRouteRefs = profile.routeRefs || [];
+    const currentRouteRefs = this.resolveRouteRefsToLabels(profile.routeRefs) || [];
 
     const { DeesModal } = await import('@design.estate/dees-catalog');
     await this.ensureRoutesLoaded();
@@ -235,7 +282,7 @@ export class OpsViewTargetProfiles extends DeesElement {
           <dees-input-text .key=${'name'} .label=${'Name'} .value=${profile.name}></dees-input-text>
           <dees-input-text .key=${'description'} .label=${'Description'} .value=${profile.description || ''}></dees-input-text>
           <dees-input-list .key=${'domains'} .label=${'Domains'} .placeholder=${'e.g. *.example.com'} .allowFreeform=${true} .value=${currentDomains}></dees-input-list>
-          <dees-input-list .key=${'targets'} .label=${'Targets (ip:port)'} .placeholder=${'e.g. 10.0.0.1:443'} .allowFreeform=${true} .value=${currentTargets}></dees-input-list>
+          <dees-input-list .key=${'targets'} .label=${'Targets'} .description=${'Format: ip:port, e.g. 10.0.0.1:443'} .placeholder=${'e.g. 10.0.0.1:443'} .allowFreeform=${true} .value=${currentTargets}></dees-input-list>
           <dees-input-list .key=${'routeRefs'} .label=${'Route Refs'} .placeholder=${'Type to search routes...'} .candidates=${routeCandidates} .allowFreeform=${true} .value=${currentRouteRefs}></dees-input-list>
         </dees-form>
       `,
@@ -261,7 +308,9 @@ export class OpsViewTargetProfiles extends DeesElement {
                 };
               })
               .filter((t): t is { ip: string; port: number } => t !== null && !isNaN(t.port));
-            const routeRefs: string[] = Array.isArray(data.routeRefs) ? data.routeRefs : [];
+            const routeRefs = this.resolveRouteLabelsToRefs(
+              Array.isArray(data.routeRefs) ? data.routeRefs : [],
+            );
 
             await appstate.targetProfilesStatePart.dispatchAction(appstate.updateTargetProfileAction, {
               id: profile.id,
@@ -336,7 +385,7 @@ export class OpsViewTargetProfiles extends DeesElement {
             <div style="font-size: 11px; font-weight: 600; text-transform: uppercase; letter-spacing: 0.05em; color: ${cssManager.bdTheme('#6b7280', '#9ca3af')};">Route Refs</div>
             <div style="font-size: 14px; margin-top: 4px;">
               ${profile.routeRefs?.length
-                ? profile.routeRefs.map(r => html`<span class="tagBadge">${r}</span>`)
+                ? profile.routeRefs.map(r => html`<span class="tagBadge">${this.formatRouteRef(r)}</span>`)
                 : '-'}
             </div>
           </div>

ts_web/elements/network/ops-view-vpn.ts

@@ -28,7 +28,7 @@ function setupFormVisibility(formEl: any) {
     const staticIpGroup = contentEl.querySelector('.staticIpGroup') as HTMLElement;
     const vlanIdGroup = contentEl.querySelector('.vlanIdGroup') as HTMLElement;
     const aclGroup = contentEl.querySelector('.aclGroup') as HTMLElement;
-    if (hostIpGroup) hostIpGroup.style.display = show; // always show (forceTarget is always on)
+    if (hostIpGroup) hostIpGroup.style.display = show;
     if (hostIpDetails) hostIpDetails.style.display = data.useHostIp ? show : 'none';
     if (staticIpGroup) staticIpGroup.style.display = data.useDhcp ? 'none' : show;
     if (vlanIdGroup) vlanIdGroup.style.display = data.forceVlan ? show : 'none';
@@ -305,6 +305,8 @@ export class OpsViewVpn extends DeesElement {
         .heading1=${'VPN Clients'}
         .heading2=${'Manage WireGuard and SmartVPN client registrations'}
         .data=${clients}
+        .rowKey=${'clientId'}
+        .highlightUpdates=${'flash'}
         .showColumnFilters=${true}
         .displayFunction=${(client: interfaces.data.IVpnClient) => {
           const conn = this.getConnectedInfo(client);
@@ -369,8 +371,8 @@ export class OpsViewVpn extends DeesElement {
                     </div>
                     <dees-input-checkbox .key=${'allowAdditionalAcls'} .label=${'Allow additional ACLs'} .value=${false}></dees-input-checkbox>
                     <div class="aclGroup" style="display: none; flex-direction: column; gap: 16px;">
-                      <dees-input-text .key=${'destinationAllowList'} .label=${'Destination Allow List (comma-separated IPs/CIDRs)'}></dees-input-text>
-                      <dees-input-text .key=${'destinationBlockList'} .label=${'Destination Block List (comma-separated IPs/CIDRs)'}></dees-input-text>
+                      <dees-input-text .key=${'destinationAllowList'} .label=${'Destination Allow List'} .description=${'Comma-separated IPs or CIDRs'}></dees-input-text>
+                      <dees-input-text .key=${'destinationBlockList'} .label=${'Destination Block List'} .description=${'Comma-separated IPs or CIDRs'}></dees-input-text>
                     </div>
                   </dees-form>
                 `,
@@ -388,7 +390,7 @@ export class OpsViewVpn extends DeesElement {
                       if (!form) return;
                       const data = await form.collectFormData();
                       if (!data.clientId) return;
-                      const targetProfileIds = this.resolveProfileNamesToIds(
+                      const targetProfileIds = this.resolveProfileLabelsToIds(
                         Array.isArray(data.targetProfileNames) ? data.targetProfileNames : [],
                       );
 
@@ -412,10 +414,10 @@ export class OpsViewVpn extends DeesElement {
                         description: data.description || undefined,
                         targetProfileIds,
 
-                        useHostIp: useHostIp || undefined,
-                        useDhcp: useDhcp || undefined,
+                        useHostIp,
+                        useDhcp,
                         staticIp,
-                        forceVlan: forceVlan || undefined,
+                        forceVlan,
                         vlanId,
                         destinationAllowList,
                         destinationBlockList,
@@ -483,7 +485,7 @@ export class OpsViewVpn extends DeesElement {
                       <div class="infoItem"><span class="infoLabel">Transport</span><span class="infoValue">${conn.transport}</span></div>
                     ` : ''}
                     <div class="infoItem"><span class="infoLabel">Description</span><span class="infoValue">${client.description || '-'}</span></div>
-                    <div class="infoItem"><span class="infoLabel">Target Profiles</span><span class="infoValue">${this.resolveProfileIdsToNames(client.targetProfileIds)?.join(', ') || '-'}</span></div>
+                    <div class="infoItem"><span class="infoLabel">Target Profiles</span><span class="infoValue">${this.resolveProfileIdsToLabels(client.targetProfileIds)?.join(', ') || '-'}</span></div>
                     <div class="infoItem"><span class="infoLabel">Routing</span><span class="infoValue">${client.useHostIp ? 'Host IP' : 'SmartProxy'}</span></div>
                     ${client.useHostIp ? html`
                       <div class="infoItem"><span class="infoLabel">Host IP</span><span class="infoValue">${client.useDhcp ? 'DHCP' : client.staticIp ? `Static: ${client.staticIp}` : 'Not configured'}</span></div>
@@ -647,7 +649,7 @@ export class OpsViewVpn extends DeesElement {
               const client = actionData.item as interfaces.data.IVpnClient;
               const { DeesModal } = await import('@design.estate/dees-catalog');
               const currentDescription = client.description ?? '';
-              const currentTargetProfileNames = this.resolveProfileIdsToNames(client.targetProfileIds) || [];
+              const currentTargetProfileNames = this.resolveProfileIdsToLabels(client.targetProfileIds) || [];
               const profileCandidates = this.getTargetProfileCandidates();
               const currentUseHostIp = client.useHostIp ?? false;
               const currentUseDhcp = client.useDhcp ?? false;
@@ -679,8 +681,8 @@ export class OpsViewVpn extends DeesElement {
                     </div>
                     <dees-input-checkbox .key=${'allowAdditionalAcls'} .label=${'Allow additional ACLs'} .value=${currentAllowAcls}></dees-input-checkbox>
                     <div class="aclGroup" style="display: ${currentAllowAcls ? 'flex' : 'none'}; flex-direction: column; gap: 16px;">
-                      <dees-input-text .key=${'destinationAllowList'} .label=${'Destination Allow List (comma-separated IPs/CIDRs)'} .value=${currentAllowList}></dees-input-text>
-                      <dees-input-text .key=${'destinationBlockList'} .label=${'Destination Block List (comma-separated IPs/CIDRs)'} .value=${currentBlockList}></dees-input-text>
+                      <dees-input-text .key=${'destinationAllowList'} .label=${'Destination Allow List'} .description=${'Comma-separated IPs or CIDRs'} .value=${currentAllowList}></dees-input-text>
+                      <dees-input-text .key=${'destinationBlockList'} .label=${'Destination Block List'} .description=${'Comma-separated IPs or CIDRs'} .value=${currentBlockList}></dees-input-text>
                     </div>
                   </dees-form>
                 `,
@@ -693,7 +695,7 @@ export class OpsViewVpn extends DeesElement {
                       const form = modalArg.shadowRoot?.querySelector('.content')?.querySelector('dees-form');
                       if (!form) return;
                       const data = await form.collectFormData();
-                      const targetProfileIds = this.resolveProfileNamesToIds(
+                      const targetProfileIds = this.resolveProfileLabelsToIds(
                         Array.isArray(data.targetProfileNames) ? data.targetProfileNames : [],
                       );
 
@@ -717,10 +719,10 @@ export class OpsViewVpn extends DeesElement {
                         description: data.description || undefined,
                         targetProfileIds,
 
-                        useHostIp: useHostIp || undefined,
-                        useDhcp: useDhcp || undefined,
+                        useHostIp,
+                        useDhcp,
                         staticIp,
-                        forceVlan: forceVlan || undefined,
+                        forceVlan,
                         vlanId,
                         destinationAllowList,
                         destinationBlockList,
@@ -809,41 +811,52 @@ export class OpsViewVpn extends DeesElement {
   }
 
   /**
-   * Build autocomplete candidates from loaded target profiles.
-   * viewKey = profile name (displayed), payload = { id } (carried for resolution).
+   * Build stable profile labels for list inputs.
    */
-  private getTargetProfileCandidates() {
+  private getTargetProfileChoices() {
     const profileState = appstate.targetProfilesStatePart.getState();
     const profiles = profileState?.profiles || [];
-    return profiles.map((p) => ({ viewKey: p.name, payload: { id: p.id } }));
+    const nameCounts = new Map<string, number>();
+
+    for (const profile of profiles) {
+      nameCounts.set(profile.name, (nameCounts.get(profile.name) || 0) + 1);
+    }
+
+    return profiles.map((profile) => ({
+      id: profile.id,
+      label: (nameCounts.get(profile.name) || 0) > 1
+        ? `${profile.name} (${profile.id})`
+        : profile.name,
+    }));
+  }
+
+  private getTargetProfileCandidates() {
+    return this.getTargetProfileChoices().map((profile) => ({ viewKey: profile.label }));
   }
 
   /**
-   * Convert profile IDs to profile names (for populating edit form values).
+   * Convert profile IDs to form labels (for populating edit form values).
    */
-  private resolveProfileIdsToNames(ids?: string[]): string[] | undefined {
+  private resolveProfileIdsToLabels(ids?: string[]): string[] | undefined {
     if (!ids?.length) return undefined;
-    const profileState = appstate.targetProfilesStatePart.getState();
-    const profiles = profileState?.profiles || [];
+    const choices = this.getTargetProfileChoices();
+    const labelsById = new Map(choices.map((profile) => [profile.id, profile.label]));
     return ids.map((id) => {
-      const profile = profiles.find((p) => p.id === id);
-      return profile?.name || id;
+      return labelsById.get(id) || id;
     });
   }
 
   /**
-   * Convert profile names back to IDs (for saving form data).
-   * Uses the dees-input-list candidates' payload when available.
+   * Convert profile form labels back to IDs.
    */
-  private resolveProfileNamesToIds(names: string[]): string[] | undefined {
-    if (!names.length) return undefined;
-    const profileState = appstate.targetProfilesStatePart.getState();
-    const profiles = profileState?.profiles || [];
-    return names
-      .map((name) => {
-        const profile = profiles.find((p) => p.name === name);
-        return profile?.id;
-      })
+  private resolveProfileLabelsToIds(labels: string[]): string[] {
+    if (!labels.length) return [];
+
+    const labelsToIds = new Map(
+      this.getTargetProfileChoices().map((profile) => [profile.label, profile.id]),
+    );
+    return labels
+      .map((label) => labelsToIds.get(label))
       .filter((id): id is string => !!id);
   }
 }

ts_web/elements/ops-dashboard.ts

@@ -32,6 +32,7 @@ import { OpsViewVpn } from './network/ops-view-vpn.js';
 // Email group
 import { OpsViewEmails } from './email/ops-view-emails.js';
 import { OpsViewEmailSecurity } from './email/ops-view-email-security.js';
+import { OpsViewEmailDomains } from './email/ops-view-email-domains.js';
 
 // Access group
 import { OpsViewApiTokens } from './access/ops-view-apitokens.js';
@@ -108,6 +109,7 @@ export class OpsDashboard extends DeesElement {
       subViews: [
         { slug: 'log', name: 'Email Log', iconName: 'lucide:scrollText', element: OpsViewEmails },
         { slug: 'security', name: 'Email Security', iconName: 'lucide:shieldCheck', element: OpsViewEmailSecurity },
+        { slug: 'domains', name: 'Email Domains', iconName: 'lucide:globe', element: OpsViewEmailDomains },
       ],
     },
     {

ts_web/router.ts

@@ -10,7 +10,7 @@ const flatViews = ['logs'] as const;
 const subviewMap: Record<string, readonly string[]> = {
   overview: ['stats', 'configuration'] as const,
   network: ['activity', 'routes', 'sourceprofiles', 'networktargets', 'targetprofiles', 'remoteingress', 'vpn'] as const,
-  email: ['log', 'security'] as const,
+  email: ['log', 'security', 'domains'] as const,
   access: ['apitokens', 'users'] as const,
   security: ['overview', 'blocked', 'authentication'] as const,
   domains: ['providers', 'domains', 'dns', 'certificates'] as const,