v6.3.0

feat(dcrouter): add configurable baseDir and centralized path resolution; use resolved data paths for storage, cache and DNS
v6.2.4
2026-02-16 09:52:38 +00:00 · 2026-02-16 09:52:38 +00:00 · 2026-02-16 09:02:57 +00:00 · 2026-02-16 09:02:57 +00:00 · 2026-02-16 02:50:25 +00:00 · 2026-02-16 02:50:25 +00:00
14 changed files with 408 additions and 274 deletions
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,62 @@
 # Changelog

+## 2026-02-16 - 6.3.0 - feat(dcrouter)
+add configurable baseDir and centralized path resolution; use resolved data paths for storage, cache and DNS
+
+- Introduce IDcRouterOptions.baseDir to allow configuring base directory for dcrouter data (defaults to ~/.serve.zone/dcrouter).
+- Add DcRouter.resolvedPaths and resolvePaths(baseDir) in ts/paths.ts to centralize computation of dcrouterHomeDir, dataDir, defaultTsmDbPath, defaultStoragePath and dnsRecordsDir.
+- Use resolvedPaths throughout DcRouter: default filesystem storage fsPath, CacheDb storagePath, and DNS records loading now reference resolved paths.
+- Replace ensureDirectories() behavior with ensureDataDirectories(resolvedPaths) to only create data-related directories; keep legacy ensureDirectories wrapper delegating to the new function.
+- Simplify paths module by removing unused legacy path constants and adding a focused API for path resolution and directory creation.
+- Remove an unused import (paths) in contentscanner, cleaning up imports.
+
+## 2026-02-16 - 6.2.4 - fix(deps)
+bump @push.rocks/smartproxy to ^25.5.0
+
+- Updated @push.rocks/smartproxy from ^25.4.0 to ^25.5.0 in package.json
+
+## 2026-02-16 - 6.2.3 - fix(dcrouter)
+persist proxy certificate validity dates and improve certificate status initialization
+
+- Bump @push.rocks/smartacme dependency from ^9.0.0 to ^9.1.3
+- Store validFrom and validUntil alongside proxy cert entries (/proxy-certs) when saving, extracting values by parsing PEM where possible
+- Use stored cert entries (domain, publicKey, validUntil, validFrom) to populate certificateStatusMap at startup
+- Fallback to SmartAcme /certs/ metadata and finally to parsing X.509 from stored PEM to determine expiry/issuedAt when initializing status
+- Update opsserver certificate handler to parse publicKey PEM from cert-store and set expiry/issuedAt and issuer accordingly
+- Adjust variable names and logging to reflect stored cert entry usage
+
+## 2026-02-16 - 6.2.2 - fix(certs)
+Populate certificate status for cert-store-loaded certificates after SmartProxy startup and check proxy-certs in opsserver certificate handler
+
+- Track domains loaded from storageManager '/proxy-certs/' and populate certificateStatusMap with status, routeNames, expiryDate and issuedAt (when available) after SmartProxy starts
+- Opsserver certificate handler now falls back to '/proxy-certs/{domain}' if '/certs/{cleanDomain}' is missing and marks cert-store-only entries as valid with issuer 'cert-store'
+- Bump @push.rocks/smartproxy dependency from ^25.3.1 to ^25.4.0
+
+## 2026-02-16 - 6.2.1 - fix(smartacme,storage)
+Respect wildcard domain requests when retrieving certificates and treat empty/whitespace storage values as null in getJSON
+
+- Pass includeWildcard flag to smartAcme.getCertificateForDomain to avoid incorrectly including/excluding wildcard certificates based on whether the requested domain itself is a wildcard
+- Detect wildcard domains via domain.startsWith('*.') and set includeWildcard to false for wildcard requests
+- Treat empty or whitespace-only stored values as null in StorageManager.getJSON to avoid parsing empty strings as JSON and potential errors
+
+## 2026-02-16 - 6.2.0 - feat(ts_web)
+add Certificate Management documentation and ops-view-certificates reference
+
+- Adds a new 'Certificate Management' section to ts_web/readme.md describing domain-centric overview, certificate sources (ACME/provision/static), expiry monitoring, per-domain backoff, and one-click reprovisioning
+- Adds ops-view-certificates.ts entry to the ops UI file list
+- Documents new route mapping '/certificates' in the readme navigation
+
+## 2026-02-16 - 6.1.0 - feat(certs)
+integrate smartacme v9 for ACME certificate provisioning and add certificate management features, docs, dashboard views, API endpoints, and per-domain backoff scheduler
+
+- Bump dependency: @push.rocks/smartacme -> ^9.0.0
+- Add Certificate Management documentation, examples, and a new Certificates view in the OpsServer dashboard (status, source, expiry, backoff, one‑click reprovision)
+- Integrate smartacme v9 features: per-domain deduplication, global concurrency control, account rate limiting, structured errors, and clean shutdown behavior
+- Introduce per-domain exponential backoff persisted via StorageManager (CertProvisionScheduler) and remove the older serial stagger queue (smartacme v9 handles concurrency/deduping)
+- Expose new typedrequest API methods: getCertificateOverview, reprovisionCertificate (legacy), reprovisionCertificateDomain (preferred)
+- DcRouter now surfaces smartAcme, certProvisionScheduler, and certificateStatusMap; cert provisioning paths call smartAcme directly and clear backoff on success
+- Docs updated to note parallel shutdown/cleanup of HTTP agents and DNS clients
+
 ## 2026-02-15 - 6.0.0 - BREAKING CHANGE(certs)
 Introduce domain-centric certificate provisioning with per-domain exponential backoff and a staggered serial scheduler; add domain-based reprovision API and UI backoff display; change certificate overview API to be domain-first and include backoff info; bump related deps.

--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
  "name": "@serve.zone/dcrouter",
  "private": false,
-  "version": "6.0.0",
+  "version": "6.3.0",
  "description": "A multifaceted routing service handling mail and SMS delivery functions.",
  "type": "module",
  "exports": {
@@ -36,7 +36,7 @@
    "@design.estate/dees-element": "^2.1.6",
    "@push.rocks/projectinfo": "^5.0.2",
    "@push.rocks/qenv": "^6.1.3",
-    "@push.rocks/smartacme": "^8.0.0",
+    "@push.rocks/smartacme": "^9.1.3",
    "@push.rocks/smartdata": "^7.0.15",
    "@push.rocks/smartdns": "^7.8.1",
    "@push.rocks/smartfile": "^13.1.2",
@@ -49,7 +49,7 @@
    "@push.rocks/smartnetwork": "^4.4.0",
    "@push.rocks/smartpath": "^6.0.0",
    "@push.rocks/smartpromise": "^4.2.3",
-    "@push.rocks/smartproxy": "^25.3.1",
+    "@push.rocks/smartproxy": "^25.5.0",
    "@push.rocks/smartradius": "^1.1.1",
    "@push.rocks/smartrequest": "^5.0.1",
    "@push.rocks/smartrx": "^3.0.10",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -36,8 +36,8 @@ importers:
        specifier: ^6.1.3
        version: 6.1.3
      '@push.rocks/smartacme':
-        specifier: ^8.0.0
-        version: 8.0.0(socks@2.8.7)
+        specifier: ^9.1.3
+        version: 9.1.3(socks@2.8.7)
      '@push.rocks/smartdata':
        specifier: ^7.0.15
        version: 7.0.15(socks@2.8.7)
@@ -75,8 +75,8 @@ importers:
        specifier: ^4.2.3
        version: 4.2.3
      '@push.rocks/smartproxy':
-        specifier: ^25.3.1
-        version: 25.3.1
+        specifier: ^25.5.0
+        version: 25.5.0
      '@push.rocks/smartradius':
        specifier: ^1.1.1
        version: 1.1.1
@@ -154,9 +154,6 @@ packages:
    peerDependencies:
      '@push.rocks/smartserve': '>=1.1.0'

-  '@apiclient.xyz/cloudflare@6.4.3':
-    resolution: {integrity: sha512-ztegUdUO3Zd4mUoTSylKlCEKPBMHEcggrLelR+7CiblM4beHMwopMVlryBmiCY7bOVbUSPoK0xsVTF7VIy3p/A==}
-
  '@apiclient.xyz/cloudflare@7.1.0':
    resolution: {integrity: sha512-qb+PWcE5OjOCPO0+4rexOgtEf9Q1VOIHfrGmav/gXAtkdNL5omifSxPbUseyFKsZrxnRv4rLzvjckUCj0hkvFw==}

@@ -651,9 +648,6 @@ packages:
    resolution: {integrity: sha512-AokJm4tuBHillT+FpMtxQ60n8ObyXBatq7jD2/JA9dxbDDokKQm8KMht5ibGzLVU9IJDIKK4TPKgMHEYMn3lMg==}
    engines: {node: '>=18'}

-  '@leichtgewicht/ip-codec@2.0.5':
-    resolution: {integrity: sha512-Vo+PSpZG2/fmgmiNzYK9qWRh8h/CHrwD0mo1h1DzL4yzHNSfWYujGTYsWGreD000gcgmZ7K4Ys6Tx9TxtsKdDw==}
-
  '@lit-labs/ssr-dom-shim@1.5.1':
    resolution: {integrity: sha512-Aou5UdlSpr5whQe8AA/bZG0jMj96CoJIWbGfZ91qieWu5AWUMKw8VR/pAkQkJYvBNhmCcWnZlyyk5oze8JIqYA==}

@@ -858,8 +852,8 @@ packages:
  '@push.rocks/qenv@6.1.3':
    resolution: {integrity: sha512-+z2hsAU/7CIgpYLFqvda8cn9rUBMHqLdQLjsFfRn5jPoD7dJ5rFlpkbhfM4Ws8mHMniwWaxGKo+q/YBhtzRBLg==}

-  '@push.rocks/smartacme@8.0.0':
-    resolution: {integrity: sha512-Oq+m+LX4IG0p4qCGZLEwa6UlMo5Hfq7paRjpREwQNsaGSKl23xsjsEJLxjxkePwaXnaIkHEwU/5MtrEkg2uKEQ==}
+  '@push.rocks/smartacme@9.1.3':
+    resolution: {integrity: sha512-rxb4zGZQvcR7l8cb8SvLy+zkCgXKg8rO7b12zaE9ZBe5Q+khoInxscC0eKjmNZ7BOUFFDOxDKoQhgeqwHGOqZQ==}

  '@push.rocks/smartarchive@4.2.4':
    resolution: {integrity: sha512-uiqVAXPxmr8G5rv3uZvZFMOCt8l7cZC3nzvsy4YQqKf/VkPhKIEX+b7LkAeNlxPSYUiBQUkNRoawg9+5BaMcHg==}
@@ -901,9 +895,6 @@ packages:
  '@push.rocks/smartdelay@3.0.5':
    resolution: {integrity: sha512-mUuI7kj2f7ztjpic96FvRIlf2RsKBa5arw81AHNsndbxO6asRcxuWL8dTVxouEIK8YsBUlj0AsrCkHhMbLQdHw==}

-  '@push.rocks/smartdns@6.2.2':
-    resolution: {integrity: sha512-MhJcHujbyIuwIIFdnXb2OScGtRjNsliLUS8GoAurFsKtcCOaA0ytfP+PNzkukyBufjb1nMiJF3rjhswXdHakAQ==}
-
  '@push.rocks/smartdns@7.8.1':
    resolution: {integrity: sha512-qEizM9dFzhq4XGICDC8Im7JLjwdokHdDZ6wLufBInaEOupq+8XOa9bC6EGlBQVsCXFUyrKzsFk6eBa9BSZMKPw==}

@@ -1040,8 +1031,8 @@ packages:
  '@push.rocks/smartpromise@4.2.3':
    resolution: {integrity: sha512-Ycg/TJR+tMt+S3wSFurOpEoW6nXv12QBtKXgBcjMZ4RsdO28geN46U09osPn9N9WuwQy1PkmTV5J/V4F9U8qEw==}

-  '@push.rocks/smartproxy@25.3.1':
-    resolution: {integrity: sha512-kGJGpx3KBUz+qWU2L9B2gbZoUbQEG2BFe6ZzK0b68Y32nHoSIMjol14hzc3sRgW1p/loWy+Gj+5j0KuVytKWmA==}
+  '@push.rocks/smartproxy@25.5.0':
+    resolution: {integrity: sha512-ePjxuwplEWpvvK0Xnb3q/8BVmE4xrBJl1mSoKBcZOzizF2T6ZmwuQKIvjnDJ13Q/KHLSIqMFS61CWVJHwtOUfA==}

  '@push.rocks/smartpuppeteer@2.0.5':
    resolution: {integrity: sha512-yK/qSeWVHIGWRp3c8S5tfdGP6WCKllZC4DR8d8CQlEjszOSBmHtlTdyyqOMBZ/BA4kd+eU5f3A1r4K2tGYty1g==}
@@ -1100,6 +1091,9 @@ packages:
  '@push.rocks/smarttime@4.1.1':
    resolution: {integrity: sha512-Ha/3J/G+zfTl4ahpZgF6oUOZnUjpLhrBja0OQ2cloFxF9sKT8I1COaSqIfBGDtoK2Nly4UD4aTJ3JcJNOg/kgA==}

+  '@push.rocks/smarttime@4.2.3':
+    resolution: {integrity: sha512-8gMg8RUkrCG4p9NcEUZV7V6KpL24+jAMK02g7qyhfA6giz/JJWD0+8w8xjSR+G7qe16KVQ2y3RbvAL9TxmO36g==}
+
  '@push.rocks/smartunique@3.0.9':
    resolution: {integrity: sha512-q6DYQgT7/dqdWi9HusvtWCjdsFzLFXY9LTtaZV6IYNJt6teZOonoygxTdNt9XLn6niBSbLYrHSKvJNTRH/uK+g==}

@@ -1128,6 +1122,9 @@ packages:
  '@push.rocks/taskbuffer@4.2.0':
    resolution: {integrity: sha512-ttoBe5y/WXkAo5/wSMcC/Y4Zbyw4XG8kwAsEaqnAPCxa3M9MI1oV/yM1e9gU1IH97HVPidzbTxRU5/PcHDdUsg==}

+  '@push.rocks/taskbuffer@6.1.2':
+    resolution: {integrity: sha512-sdqKd8N/GidztQ1k3r8A86rLvD8Afyir5FjYCNJXDD9837JLoqzHaOKGltUSBsCGh2gjsZn6GydsY6HhXQgvZQ==}
+
  '@push.rocks/webrequest@3.0.37':
    resolution: {integrity: sha512-fLN7kP6GeHFxE4UH4r9C9pjcQb0QkJxHeAMwXvbOqB9hh0MFNKhtGU7GoaTn8SVRGRMPc9UqZVNwo6u5l8Wn0A==}

@@ -1757,18 +1754,12 @@ packages:
  '@tsclass/tsclass@4.4.4':
    resolution: {integrity: sha512-YZOAF+u+r4u5rCev2uUd1KBTBdfyFdtDmcv4wuN+864lMccbdfRICR3SlJwCfYS1lbeV3QNLYGD30wjRXgvCJA==}

-  '@tsclass/tsclass@5.0.0':
-    resolution: {integrity: sha512-2X66VCk0Oe1L01j6GQHC6F9Gj7lpZPPSUTDNax7e29lm4OqBTyAzTR3ePR8coSbWBwsmRV8awLRSrSI+swlqWA==}
-
  '@tsclass/tsclass@9.3.0':
    resolution: {integrity: sha512-KD3oTUN3RGu67tgjNHgWWZGsdYipr1RUDxQ9MMKSgIJ6oNZ4q5m2rg0ibrgyHWkAjTPlHVa6kHP3uVOY+8bnHw==}

  '@tybys/wasm-util@0.10.1':
    resolution: {integrity: sha512-9tTaPJLSiejZKx+Bmog4uSubteqTvFrVrURwkmHixBo0G4seD0zUxp98E1DzUBJxLQ3NPwXrGKDiVjwx/DpPsg==}

-  '@types/bn.js@5.2.0':
-    resolution: {integrity: sha512-DLbJ1BPqxvQhIGbeu8VbUC1DiAiahHtAYvA0ZEAa4P31F7IaArc8z3C3BRQdWX4mtLQuABG4yzp76ZrS02Ui1Q==}
-
  '@types/body-parser@1.19.6':
    resolution: {integrity: sha512-HLFeCYgz89uk22N5Qg3dvGvsv46B8GLvKKo1zKG4NybA8U2DiEO3w9lqGg29t/tfLRJpJ6iQxnVw4OnB7MoM9g==}

@@ -1787,12 +1778,6 @@ packages:
  '@types/debug@4.1.12':
    resolution: {integrity: sha512-vIChWdVG3LG1SMxEvI/AK+FWJthlrqlTu7fbrlywTkkaONwk/UAGaULXRlf8vkzFBLVm0zkMdCquhL5aOjhXPQ==}

-  '@types/dns-packet@5.6.5':
-    resolution: {integrity: sha512-qXOC7XLOEe43ehtWJCMnQXvgcIpv6rPmQ1jXT98Ad8A3TB1Ue50jsCbSSSyuazScEuZ/Q026vHbrOTVkmwA+7Q==}
-
-  '@types/elliptic@6.4.18':
-    resolution: {integrity: sha512-UseG6H5vjRiNpQvrhy4VF/JXdA3V/Fp5amvveaL+fs28BZ6xIKJBPnUPRlEaZpysD9MbpfaLi8lbl7PGUAkpWw==}
-
  '@types/express-serve-static-core@5.1.1':
    resolution: {integrity: sha512-v4zIMr/cX7/d2BpAEX3KNKL/JrT1s43s96lLvvdTmza1oEvDudCqK9aF/djc/SWgy8Yh0h30TZx5VpzqFCxk5A==}

@@ -2096,9 +2081,6 @@ packages:
  bintrees@1.0.2:
    resolution: {integrity: sha1-SfiW1uhYpKSZ34XDj7OZua/4QPg=}

-  bn.js@4.12.2:
-    resolution: {integrity: sha512-n4DSx829VRTRByMRGdjQ9iqsN0Bh4OolPsFnaZBLcbi8iXcB+kJ9s7EnRt4wILZNV3kPLHkRVfOc/HvhC3ovDw==}
-
  body-parser@2.2.2:
    resolution: {integrity: sha512-oP5VkATKlNwcgvxi0vM0p/D3n2C3EReYVX+DNYs5TjZFn/oQt2j+4sVJtSMr18pdRr8wjTcBl6LoV+FUwzPmNA==}
    engines: {node: '>=18'}
@@ -2119,9 +2101,6 @@ packages:
  broadcast-channel@7.3.0:
    resolution: {integrity: sha512-UHPhLBQKfQ8OmMFMpmPfO5dRakyA1vsfiDGWTYNvChYol65tbuhivPEGgZZiuetorvExdvxaWiBy/ym1Ty08yA==}

-  brorand@1.1.0:
-    resolution: {integrity: sha1-EsJe/kCkXjwyPrhnWgoM5XsiNx8=}
-
  bson@6.10.4:
    resolution: {integrity: sha512-WIsKqkSC0ABoBJuT1LEX+2HEvNmNKKgnTAyd0fL8qzK4SH2i9NXg+t08YtdZp/V9IZ33cxe3iV4yM0qg8lMQng==}
    engines: {node: '>=16.20.1'}
@@ -2281,6 +2260,10 @@ packages:
  crelt@1.0.6:
    resolution: {integrity: sha512-VQ2MBenTq1fWZUH9DJNGti7kKv6EeAuYr3cLwxUWhIu1baTaXh4Ib5W2CqHVqib4/MqbYGJqiL3Zb8GJZr3l4g==}

+  croner@10.0.1:
+    resolution: {integrity: sha512-ixNtAJndqh173VQ4KodSdJEI6nuioBWI0V1ITNKhZZsO0pEMoDxz539T4FTTbSZ/xIOSuDnzxLVRqBVSvPNE2g==}
+    engines: {node: '>=18.0'}
+
  croner@9.1.0:
    resolution: {integrity: sha512-p9nwwR4qyT5W996vBZhdvBCnMhicY5ytZkR4D1Xj0wuTDEiMnjwR57Q3RXYY/s0EpX6Ay3vgIcfaR+ewGHsi+g==}
    engines: {node: '>=18.0'}
@@ -2374,10 +2357,6 @@ packages:
  devtools-protocol@0.0.1566079:
    resolution: {integrity: sha512-MJfAEA1UfVhSs7fbSQOG4czavUp1ajfg6prlAN0+cmfa2zNjaIbvq8VneP7do1WAQQIvgNJWSMeP6UyI90gIlQ==}

-  dns-packet@5.6.1:
-    resolution: {integrity: sha512-l4gcSouhcgIKRvyy99RNVOgxXiicE+2jZoNmaNmZ6JXiGajBOJAesk1OBlJuM5k2c+eudGdLxDqXuPCKIj6kpw==}
-    engines: {node: '>=6'}
-
  dom-serializer@2.0.0:
    resolution: {integrity: sha512-wIkAryiqt/nV5EQKqQpo3SToSOV9J0DnbJqwK7Wv/Trc92zIAYZ4FlMu+JPFW1DfGFt81ZTCGgDEabffXeLyJg==}

@@ -2407,9 +2386,6 @@ packages:
  ee-first@1.1.1:
    resolution: {integrity: sha1-WQxhFWsK4vTwJVcyoViyZrxWsh0=}

-  elliptic@6.6.1:
-    resolution: {integrity: sha512-RaddvvMatK2LJHqFJ+YA4WysVN5Ita9E35botqIYspQ4TkRAlCicdzKOjlyv/1Za5RyTNn7di//eEV0uTAfe3g==}
-
  emoji-regex@8.0.0:
    resolution: {integrity: sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==}

@@ -2742,9 +2718,6 @@ packages:
    resolution: {integrity: sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw==}
    engines: {node: '>= 0.4'}

-  hash.js@1.1.7:
-    resolution: {integrity: sha512-taOaskGt4z4SOANNseOviYDvjEJinIkRgmp7LbKP2YTTmVxWBl87s/uzK9r+44BclBSp2X7K1hqeNfz9JbBeXA==}
-
  hasown@2.0.2:
    resolution: {integrity: sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==}
    engines: {node: '>= 0.4'}
@@ -2766,9 +2739,6 @@ packages:
    resolution: {integrity: sha512-Xwwo44whKBVCYoliBQwaPvtd/2tYFkRQtXDWj1nackaV2JPXx3L0+Jvd8/qCJ2p+ML0/XVkJ2q+Mr+UVdpJK5w==}
    engines: {node: '>=12.0.0'}

-  hmac-drbg@1.0.1:
-    resolution: {integrity: sha1-0nRXAQJabHdabFRXk+1QL8DGSaE=}
-
  html-minifier@4.0.0:
    resolution: {integrity: sha512-aoGxanpFPLg7MkIl/DDFYtb0iWz7jMFGqFhvEDZga6/4QTjneiD8I/NXL1x5aaoCp7FSIT6h/OhykDdPsbtMig==}
    engines: {node: '>=6'}
@@ -3279,12 +3249,6 @@ packages:
  mingo@7.2.0:
    resolution: {integrity: sha512-UeX942qZpofn5L97h295SkS7j/ADf7Qac8gdRCMBPxi0/1m70aeB2owLFvWbyuMj1dowonlivlVRQVDx+6h+7Q==}

-  minimalistic-assert@1.0.1:
-    resolution: {integrity: sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A==}
-
-  minimalistic-crypto-utils@1.0.1:
-    resolution: {integrity: sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo=}
-
  minimatch@10.1.2:
    resolution: {integrity: sha512-fu656aJ0n2kcXwsnwnv9g24tkU5uSmOlTjd6WyyaKm2Z+h1qmY6bAjrcaIxF/BslFqbZ8UBtbJi7KgQOZD2PTw==}
    engines: {node: 20 || >=22}
@@ -4491,18 +4455,6 @@ snapshots:
      '@push.rocks/smartstring': 4.1.0
      '@push.rocks/smarturl': 3.1.0

-  '@apiclient.xyz/cloudflare@6.4.3':
-    dependencies:
-      '@push.rocks/smartdelay': 3.0.5
-      '@push.rocks/smartlog': 3.1.11
-      '@push.rocks/smartpromise': 4.2.3
-      '@push.rocks/smartrequest': 5.0.1
-      '@push.rocks/smartstring': 4.1.0
-      '@tsclass/tsclass': 9.3.0
-      cloudflare: 5.2.0
-    transitivePeerDependencies:
-      - encoding
-
  '@apiclient.xyz/cloudflare@7.1.0':
    dependencies:
      '@push.rocks/smartdelay': 3.0.5
@@ -5500,8 +5452,6 @@ snapshots:

  '@isaacs/cliui@9.0.0': {}

-  '@leichtgewicht/ip-codec@2.0.5': {}
-
  '@lit-labs/ssr-dom-shim@1.5.1': {}

  '@lit/reactive-element@2.1.2':
@@ -5832,24 +5782,21 @@ snapshots:
      '@push.rocks/smartlog': 3.1.11
      '@push.rocks/smartpath': 6.0.0

-  '@push.rocks/smartacme@8.0.0(socks@2.8.7)':
+  '@push.rocks/smartacme@9.1.3(socks@2.8.7)':
    dependencies:
-      '@api.global/typedserver': 3.0.80(@push.rocks/smartserve@2.0.1)
-      '@apiclient.xyz/cloudflare': 6.4.3
+      '@apiclient.xyz/cloudflare': 7.1.0
+      '@peculiar/x509': 1.14.3
      '@push.rocks/lik': 6.2.2
-      '@push.rocks/smartdata': 5.16.7(socks@2.8.7)
+      '@push.rocks/smartdata': 7.0.15(socks@2.8.7)
      '@push.rocks/smartdelay': 3.0.5
-      '@push.rocks/smartdns': 6.2.2
-      '@push.rocks/smartfile': 11.2.7
+      '@push.rocks/smartdns': 7.8.1
      '@push.rocks/smartlog': 3.1.11
      '@push.rocks/smartnetwork': 4.4.0
-      '@push.rocks/smartpromise': 4.2.3
-      '@push.rocks/smartrequest': 2.1.0
      '@push.rocks/smartstring': 4.1.0
-      '@push.rocks/smarttime': 4.1.1
+      '@push.rocks/smarttime': 4.2.3
      '@push.rocks/smartunique': 3.0.9
+      '@push.rocks/taskbuffer': 6.1.2
      '@tsclass/tsclass': 9.3.0
-      acme-client: 5.4.0
    transitivePeerDependencies:
      - '@aws-sdk/credential-providers'
      - '@mongodb-js/zstd'
@@ -6036,22 +5983,6 @@ snapshots:
    dependencies:
      '@push.rocks/smartpromise': 4.2.3

-  '@push.rocks/smartdns@6.2.2':
-    dependencies:
-      '@push.rocks/smartdelay': 3.0.5
-      '@push.rocks/smartenv': 5.0.13
-      '@push.rocks/smartpromise': 4.2.3
-      '@push.rocks/smartrequest': 2.1.0
-      '@tsclass/tsclass': 5.0.0
-      '@types/dns-packet': 5.6.5
-      '@types/elliptic': 6.4.18
-      acme-client: 5.4.0
-      dns-packet: 5.6.1
-      elliptic: 6.6.1
-      minimatch: 10.1.2
-    transitivePeerDependencies:
-      - supports-color
-
  '@push.rocks/smartdns@7.8.1':
    dependencies:
      '@push.rocks/smartdelay': 3.0.5
@@ -6438,7 +6369,7 @@ snapshots:

  '@push.rocks/smartpromise@4.2.3': {}

-  '@push.rocks/smartproxy@25.3.1':
+  '@push.rocks/smartproxy@25.5.0':
    dependencies:
      '@push.rocks/smartcrypto': 2.0.4
      '@push.rocks/smartlog': 3.1.11
@@ -6621,6 +6552,17 @@ snapshots:
      is-nan: 1.3.2
      pretty-ms: 9.3.0

+  '@push.rocks/smarttime@4.2.3':
+    dependencies:
+      '@push.rocks/lik': 6.2.2
+      '@push.rocks/smartdelay': 3.0.5
+      '@push.rocks/smartpromise': 4.2.3
+      croner: 10.0.1
+      date-fns: 4.1.0
+      dayjs: 1.11.19
+      is-nan: 1.3.2
+      pretty-ms: 9.3.0
+
  '@push.rocks/smartunique@3.0.9':
    dependencies:
      '@types/uuid': 9.0.8
@@ -6688,6 +6630,22 @@ snapshots:
      - supports-color
      - vue

+  '@push.rocks/taskbuffer@6.1.2':
+    dependencies:
+      '@design.estate/dees-element': 2.1.6
+      '@push.rocks/lik': 6.2.2
+      '@push.rocks/smartdelay': 3.0.5
+      '@push.rocks/smartlog': 3.1.11
+      '@push.rocks/smartpromise': 4.2.3
+      '@push.rocks/smartrx': 3.0.10
+      '@push.rocks/smarttime': 4.2.3
+      '@push.rocks/smartunique': 3.0.9
+    transitivePeerDependencies:
+      - '@nuxt/kit'
+      - react
+      - supports-color
+      - vue
+
  '@push.rocks/webrequest@3.0.37':
    dependencies:
      '@push.rocks/smartdelay': 3.0.5
@@ -7423,10 +7381,6 @@ snapshots:
    dependencies:
      type-fest: 4.41.0

-  '@tsclass/tsclass@5.0.0':
-    dependencies:
-      type-fest: 4.41.0
-
  '@tsclass/tsclass@9.3.0':
    dependencies:
      type-fest: 4.41.0
@@ -7436,10 +7390,6 @@ snapshots:
      tslib: 2.8.1
    optional: true

-  '@types/bn.js@5.2.0':
-    dependencies:
-      '@types/node': 25.2.3
-
  '@types/body-parser@1.19.6':
    dependencies:
      '@types/connect': 3.4.38
@@ -7464,14 +7414,6 @@ snapshots:
    dependencies:
      '@types/ms': 2.1.0

-  '@types/dns-packet@5.6.5':
-    dependencies:
-      '@types/node': 25.2.3
-
-  '@types/elliptic@6.4.18':
-    dependencies:
-      '@types/bn.js': 5.2.0
-
  '@types/express-serve-static-core@5.1.1':
    dependencies:
      '@types/node': 25.2.3
@@ -7788,8 +7730,6 @@ snapshots:

  bintrees@1.0.2: {}

-  bn.js@4.12.2: {}
-
  body-parser@2.2.2:
    dependencies:
      bytes: 3.1.2
@@ -7826,8 +7766,6 @@ snapshots:
      p-queue: 6.6.2
      unload: 2.4.1

-  brorand@1.1.0: {}
-
  bson@6.10.4: {}

  bson@7.2.0: {}
@@ -7978,6 +7916,8 @@ snapshots:

  crelt@1.0.6: {}

+  croner@10.0.1: {}
+
  croner@9.1.0: {}

  cross-spawn@7.0.6:
@@ -8050,10 +7990,6 @@ snapshots:

  devtools-protocol@0.0.1566079: {}

-  dns-packet@5.6.1:
-    dependencies:
-      '@leichtgewicht/ip-codec': 2.0.5
-
  dom-serializer@2.0.0:
    dependencies:
      domelementtype: 2.3.0
@@ -8090,16 +8026,6 @@ snapshots:

  ee-first@1.1.1: {}

-  elliptic@6.6.1:
-    dependencies:
-      bn.js: 4.12.2
-      brorand: 1.1.0
-      hash.js: 1.1.7
-      hmac-drbg: 1.0.1
-      inherits: 2.0.4
-      minimalistic-assert: 1.0.1
-      minimalistic-crypto-utils: 1.0.1
-
  emoji-regex@8.0.0: {}

  emoji-regex@9.2.2: {}
@@ -8529,11 +8455,6 @@ snapshots:
    dependencies:
      has-symbols: 1.1.0

-  hash.js@1.1.7:
-    dependencies:
-      inherits: 2.0.4
-      minimalistic-assert: 1.0.1
-
  hasown@2.0.2:
    dependencies:
      function-bind: 1.1.2
@@ -8566,12 +8487,6 @@ snapshots:

  highlight.js@11.11.1: {}

-  hmac-drbg@1.0.1:
-    dependencies:
-      hash.js: 1.1.7
-      minimalistic-assert: 1.0.1
-      minimalistic-crypto-utils: 1.0.1
-
  html-minifier@4.0.0:
    dependencies:
      camel-case: 3.0.0
@@ -9280,10 +9195,6 @@ snapshots:

  mingo@7.2.0: {}

-  minimalistic-assert@1.0.1: {}
-
-  minimalistic-crypto-utils@1.0.1: {}
-
  minimatch@10.1.2:
    dependencies:
      '@isaacs/brace-expansion': 5.0.1
--- a/readme.md
+++ b/readme.md
@@ -21,6 +21,7 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 - [Email System](#email-system)
 - [DNS Server](#dns-server)
 - [RADIUS Server](#radius-server)
+- [Certificate Management](#certificate-management)
 - [Storage & Caching](#storage--caching)
 - [Security Features](#security-features)
 - [OpsServer Dashboard](#opsserver-dashboard)
@@ -46,7 +47,9 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 - **Hierarchical rate limiting** — global, per-domain, per-sender

 ### 🔒 Enterprise Security
- **Automatic TLS certificates** via ACME with Cloudflare DNS-01 challenges
+- **Automatic TLS certificates** via ACME (smartacme v9) with Cloudflare DNS-01 challenges
+- **Smart certificate scheduling** — per-domain deduplication, controlled parallelism, and account rate limiting handled automatically
+- **Per-domain exponential backoff** — failed provisioning attempts are tracked and backed off to avoid hammering ACME servers
 - **IP reputation checking** with caching and configurable thresholds
 - **Content scanning** for spam, viruses, and malicious attachments
 - **Security event logging** with structured audit trails
@@ -73,7 +76,8 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 ### 🖥️ OpsServer Dashboard
 - **Web-based management interface** with real-time monitoring
 - **JWT authentication** with session persistence
- **Live views** for connections, email queues, DNS queries, RADIUS sessions, and security events
+- **Live views** for connections, email queues, DNS queries, RADIUS sessions, certificates, and security events
+- **Domain-centric certificate overview** with backoff status and one-click reprovisioning
 - **Read-only configuration display** — DcRouter is configured through code

 ## Installation
@@ -250,7 +254,7 @@ graph TB
        ES[smartmta Email Server<br/><i>TypeScript + Rust</i>]
        DS[SmartDNS Server<br/><i>Rust-powered</i>]
        RS[SmartRadius Server]
-        CM[Certificate Manager]
+        CM[Certificate Manager<br/><i>smartacme v9</i>]
        OS[OpsServer Dashboard]
        MM[Metrics Manager]
        SM[Storage Manager]
@@ -297,6 +301,7 @@ graph TB
 | **SmartProxy** | `@push.rocks/smartproxy` | High-performance HTTP/HTTPS and TCP/SNI proxy with route-based config (Rust engine) |
 | **UnifiedEmailServer** | `@push.rocks/smartmta` | Full SMTP server with pattern-based routing, DKIM, queue management (TypeScript + Rust) |
 | **DNS Server** | `@push.rocks/smartdns` | Authoritative DNS with dynamic records and DKIM TXT auto-generation (Rust engine) |
+| **SmartAcme** | `@push.rocks/smartacme` | ACME certificate management with per-domain dedup, concurrency control, and rate limiting |
 | **RADIUS Server** | `@push.rocks/smartradius` | Network authentication with MAB, VLAN assignment, and accounting |
 | **OpsServer** | `@api.global/typedserver` | Web dashboard + TypedRequest API for monitoring and management |
 | **MetricsManager** | `@push.rocks/smartmetrics` | Real-time metrics collection (CPU, memory, email, DNS, security) |
@@ -308,8 +313,8 @@ graph TB
 DcRouter acts purely as an **orchestrator** — it doesn't implement protocols itself. Instead, it wires together best-in-class packages for each protocol:

 1. **On `start()`**: DcRouter initializes OpsServer (port 3000), then spins up SmartProxy, smartmta, SmartDNS, and SmartRadius based on which configs are provided.
-2. **During operation**: Each service handles its own protocol independently. SmartProxy uses a Rust-powered engine for maximum throughput. smartmta uses a hybrid TypeScript + Rust architecture for reliable email delivery.
-3. **On `stop()`**: All services are gracefully shut down in reverse order.
+2. **During operation**: Each service handles its own protocol independently. SmartProxy uses a Rust-powered engine for maximum throughput. smartmta uses a hybrid TypeScript + Rust architecture for reliable email delivery. SmartAcme v9 handles all certificate operations with built-in concurrency control and rate limiting.
+3. **On `stop()`**: All services are gracefully shut down in parallel, including cleanup of HTTP agents and DNS clients.

 ### Rust-Powered Architecture

@@ -584,15 +589,6 @@ match: { sizeRange: { min: 1000, max: 5000000 }, hasAttachments: true }
 match: { subject: /invoice|receipt/i }
 ```

-### Socket-Handler Mode 🔌
-
-When `useSocketHandler: true` is set, SmartProxy passes sockets directly to the email server — no internal port binding, lower latency, and fewer open ports:
-
-```
-Traditional:  External Port → SmartProxy → Internal Port → Email Server
-Socket Mode:  External Port → SmartProxy → (direct socket) → Email Server
-```
-
 ### Email Security Stack

 - **DKIM** — Automatic key generation, signing, and rotation for all domains
@@ -705,6 +701,73 @@ RADIUS is fully manageable at runtime via the OpsServer API:
 - Session monitoring and forced disconnects
 - Accounting summaries and statistics

+## Certificate Management
+
+DcRouter uses [`@push.rocks/smartacme`](https://code.foss.global/push.rocks/smartacme) v9 for ACME certificate provisioning. smartacme v9 brings significant improvements over previous versions:
+
+### How It Works
+
+When a `dnsChallenge` is configured (e.g. with a Cloudflare API key), DcRouter creates a SmartAcme instance that handles DNS-01 challenges for automatic certificate provisioning. SmartProxy calls the `certProvisionFunction` whenever a route needs a TLS certificate, and SmartAcme takes care of the rest.
+
+```typescript
+const router = new DcRouter({
+  smartProxyConfig: {
+    routes: [
+      {
+        name: 'secure-app',
+        match: { domains: ['app.example.com'], ports: [443] },
+        action: {
+          type: 'forward',
+          targets: [{ host: '192.168.1.10', port: 8080 }],
+          tls: { mode: 'terminate', certificate: 'auto' }  // ← triggers ACME provisioning
+        }
+      }
+    ],
+    acme: { email: 'admin@example.com', enabled: true, useProduction: true }
+  },
+  tls: { contactEmail: 'admin@example.com' },
+  dnsChallenge: { cloudflareApiKey: process.env.CLOUDFLARE_API_KEY }
+});
+```
+
+### smartacme v9 Features
+
+| Feature | Description |
+|---------|-------------|
+| **Per-domain deduplication** | Concurrent requests for the same domain share a single ACME operation |
+| **Global concurrency cap** | Default 5 parallel ACME operations to prevent overload |
+| **Account rate limiting** | Sliding window (250 orders / 3 hours) to stay within ACME provider limits |
+| **Structured errors** | `AcmeError` with `isRetryable`, `isRateLimited`, `retryAfter` fields |
+| **Clean shutdown** | `stop()` properly destroys HTTP agents and DNS clients |
+
+### Per-Domain Backoff
+
+DcRouter's `CertProvisionScheduler` adds **per-domain exponential backoff** on top of smartacme's built-in protections. If a DNS-01 challenge fails for a domain:
+
+1. The failure is recorded (persisted to storage)
+2. The domain enters backoff: `min(failures² × 1 hour, 24 hours)`
+3. Subsequent requests for that domain are rejected until the backoff expires
+4. On success, the backoff is cleared
+
+This prevents hammering ACME servers for domains with persistent issues (e.g. missing DNS delegation).
+
+### Fallback to HTTP-01
+
+If DNS-01 fails, the `certProvisionFunction` returns `'http01'` to tell SmartProxy to fall back to HTTP-01 challenge validation. This provides a safety net for domains where DNS-01 isn't viable.
+
+### Certificate Storage
+
+Certificates are persisted via the `StorageBackedCertManager` which uses DcRouter's `StorageManager`. This means certs survive restarts and don't need to be re-provisioned unless they expire.
+
+### Dashboard
+
+The OpsServer includes a **Certificates** view showing:
+- All domains with their certificate status (valid, expiring, expired, failed)
+- Certificate source (ACME, provision function, static)
+- Expiry dates and issuer information
+- Backoff status for failed domains
+- One-click reprovisioning per domain
+
 ## Storage & Caching

 ### StorageManager
@@ -725,7 +788,7 @@ storage: {
 // Simply omit the storage config
 ```

-Used for: DKIM keys, email routes, bounce/suppression lists, IP reputation data, domain configs.
+Used for: TLS certificates, DKIM keys, email routes, bounce/suppression lists, IP reputation data, domain configs, cert backoff state.

 ### Cache Database

@@ -811,6 +874,7 @@ The OpsServer provides a web-based management interface served on port 3000. It'
 | 📊 **Overview** | Real-time server stats, CPU/memory, connection counts, email throughput |
 | 🌐 **Network** | Active connections, top IPs, throughput rates, SmartProxy metrics |
 | 📧 **Email** | Queue monitoring (queued/sent/failed), bounce records, security incidents |
+| 🔐 **Certificates** | Domain-centric certificate overview, status, backoff info, reprovisioning |
 | 📜 **Logs** | Real-time log viewer with level filtering and search |
 | ⚙️ **Configuration** | Read-only view of current system configuration |
 | 🛡️ **Security** | IP reputation, rate limit status, blocked connections |
@@ -838,6 +902,11 @@ All management is done via TypedRequest over HTTP POST to `/typedrequest`:
 'getBounceRecords'                     // Bounce records
 'removeFromSuppressionList'            // Unsuppress an address

+// Certificates
+'getCertificateOverview'               // Domain-centric certificate status
+'reprovisionCertificate'               // Reprovision by route name (legacy)
+'reprovisionCertificateDomain'         // Reprovision by domain (preferred)
+
 // Configuration (read-only)
 'getConfiguration'                     // Current system config

@@ -884,6 +953,7 @@ const router = new DcRouter(options: IDcRouterOptions);
 |----------|------|-------------|
 | `options` | `IDcRouterOptions` | Current configuration |
 | `smartProxy` | `SmartProxy` | SmartProxy instance |
+| `smartAcme` | `SmartAcme` | SmartAcme v9 certificate manager instance |
 | `emailServer` | `UnifiedEmailServer` | Email server instance (from smartmta) |
 | `dnsServer` | `DnsServer` | DNS server instance |
 | `radiusServer` | `RadiusServer` | RADIUS server instance |
@@ -891,6 +961,8 @@ const router = new DcRouter(options: IDcRouterOptions);
 | `opsServer` | `OpsServer` | OpsServer/dashboard instance |
 | `metricsManager` | `MetricsManager` | Metrics collector |
 | `cacheDb` | `CacheDb` | Cache database instance |
+| `certProvisionScheduler` | `CertProvisionScheduler` | Per-domain backoff scheduler for cert provisioning |
+| `certificateStatusMap` | `Map<string, ...>` | Domain-keyed certificate status from SmartProxy events |

 ### Re-exported Types

--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@serve.zone/dcrouter',
-  version: '6.0.0',
+  version: '6.3.0',
  description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }
--- a/ts/classes.cert-provision-scheduler.ts
+++ b/ts/classes.cert-provision-scheduler.ts
@@ -11,31 +11,22 @@ interface IBackoffEntry {
 /**
 * Manages certificate provisioning scheduling with:
 * - Per-domain exponential backoff persisted in StorageManager
- * - Serial stagger queue with configurable delay between provisions
+ *
+ * Note: Serial stagger queue was removed — smartacme v9 handles
+ * concurrency, per-domain dedup, and rate limiting internally.
 */
 export class CertProvisionScheduler {
  private storageManager: StorageManager;
-  private staggerDelayMs: number;
  private maxBackoffHours: number;

-  // In-memory serial queue
-  private queue: Array<{
-    domain: string;
-    fn: () => Promise<any>;
-    resolve: (value: any) => void;
-    reject: (err: any) => void;
-  }> = [];
-  private processing = false;
-
  // In-memory backoff cache (mirrors storage for fast lookups)
  private backoffCache = new Map<string, IBackoffEntry>();

  constructor(
    storageManager: StorageManager,
-    options?: { staggerDelayMs?: number; maxBackoffHours?: number }
+    options?: { maxBackoffHours?: number }
  ) {
    this.storageManager = storageManager;
-    this.staggerDelayMs = options?.staggerDelayMs ?? 3000;
    this.maxBackoffHours = options?.maxBackoffHours ?? 24;
  }

@@ -136,41 +127,4 @@ export class CertProvisionScheduler {
      lastError: entry.lastError,
    };
  }
-
-  /**
-   * Enqueue a provision operation for serial execution with stagger delay.
-   * Returns the result of the provision function.
-   */
-  enqueueProvision<T>(domain: string, fn: () => Promise<T>): Promise<T> {
-    return new Promise<T>((resolve, reject) => {
-      this.queue.push({ domain, fn, resolve, reject });
-      this.processQueue();
-    });
-  }
-
-  /**
-   * Process the stagger queue serially
-   */
-  private async processQueue(): Promise<void> {
-    if (this.processing) return;
-    this.processing = true;
-
-    while (this.queue.length > 0) {
-      const item = this.queue.shift()!;
-      try {
-        logger.log('info', `Processing cert provision for ${item.domain}`);
-        const result = await item.fn();
-        item.resolve(result);
-      } catch (err) {
-        item.reject(err);
-      }
-
-      // Stagger delay between provisions
-      if (this.queue.length > 0) {
-        await new Promise<void>((r) => setTimeout(r, this.staggerDelayMs));
-      }
-    }
-
-    this.processing = false;
-  }
 }
--- a/ts/classes.dcrouter.ts
+++ b/ts/classes.dcrouter.ts
@@ -23,9 +23,12 @@ import { MetricsManager } from './monitoring/index.js';
 import { RadiusServer, type IRadiusServerConfig } from './radius/index.js';

 export interface IDcRouterOptions {
-  /** 
+  /** Base directory for all dcrouter data. Defaults to ~/.serve.zone/dcrouter */
+  baseDir?: string;
+
+  /**
   * Direct SmartProxy configuration - gives full control over HTTP/HTTPS and TCP/SNI traffic
-   * This is the preferred way to configure HTTP/HTTPS and general TCP/SNI traffic 
+   * This is the preferred way to configure HTTP/HTTPS and general TCP/SNI traffic
   */
  smartProxyConfig?: plugins.smartproxy.ISmartProxyOptions;
  
@@ -170,6 +173,7 @@ export interface PortProxyRuleContext {

 export class DcRouter {
  public options: IDcRouterOptions;
+  public resolvedPaths: ReturnType<typeof paths.resolvePaths>;

  // Core services
  public smartProxy?: plugins.smartproxy.SmartProxy;
@@ -195,7 +199,7 @@ export class DcRouter {
    error?: string;
  }>();

-  // Certificate provisioning scheduler with backoff + stagger
+  // Certificate provisioning scheduler with per-domain backoff
  public certProvisionScheduler?: CertProvisionScheduler;

  // TypedRouter for API endpoints
@@ -210,10 +214,13 @@ export class DcRouter {
      ...optionsArg
    };

+    // Resolve all data paths from baseDir
+    this.resolvedPaths = paths.resolvePaths(this.options.baseDir);
+
    // Default storage to filesystem if not configured
    if (!this.options.storage) {
      this.options.storage = {
-        fsPath: plugins.path.join(paths.dcrouterHomeDir, 'storage'),
+        fsPath: this.resolvedPaths.defaultStoragePath,
      };
    }

@@ -372,7 +379,7 @@ export class DcRouter {

    // Initialize CacheDb singleton
    this.cacheDb = CacheDb.getInstance({
-      storagePath: cacheConfig.storagePath || paths.defaultTsmDbPath,
+      storagePath: cacheConfig.storagePath || this.resolvedPaths.defaultTsmDbPath,
      dbName: cacheConfig.dbName || 'dcrouter',
      debug: false,
    });
@@ -444,7 +451,10 @@ export class DcRouter {
    // If we have routes or need a basic SmartProxy instance, create it
    if (routes.length > 0 || this.options.smartProxyConfig) {
      console.log('Setting up SmartProxy with combined configuration');
-      
+
+      // Track cert entries loaded from cert store so we can populate certificateStatusMap after start
+      const loadedCertEntries: Array<{domain: string; publicKey: string; validUntil?: number; validFrom?: number}> = [];
+
      // Create SmartProxy configuration
      const smartProxyConfig: plugins.smartproxy.ISmartProxyOptions = {
        ...this.options.smartProxyConfig,
@@ -456,13 +466,23 @@ export class DcRouter {
            const certs: Array<{ domain: string; publicKey: string; privateKey: string; ca?: string }> = [];
            for (const key of keys) {
              const data = await this.storageManager.getJSON(key);
-              if (data) certs.push(data);
+              if (data) {
+                certs.push(data);
+                loadedCertEntries.push({ domain: data.domain, publicKey: data.publicKey, validUntil: data.validUntil, validFrom: data.validFrom });
+              }
            }
            return certs;
          },
          save: async (domain: string, publicKey: string, privateKey: string, ca?: string) => {
+            let validUntil: number | undefined;
+            let validFrom: number | undefined;
+            try {
+              const x509 = new plugins.crypto.X509Certificate(publicKey);
+              validUntil = new Date(x509.validTo).getTime();
+              validFrom = new Date(x509.validFrom).getTime();
+            } catch { /* PEM parsing failed */ }
            await this.storageManager.setJSON(`/proxy-certs/${domain}`, {
-              domain, publicKey, privateKey, ca,
+              domain, publicKey, privateKey, ca, validUntil, validFrom,
            });
          },
          remove: async (domain: string) => {
@@ -496,23 +516,25 @@ export class DcRouter {
          }

          try {
-            const result = await scheduler.enqueueProvision(domain, async () => {
-              eventComms.log(`Attempting DNS-01 via SmartAcme for ${domain}`);
-              eventComms.setSource('smartacme-dns-01');
-              const cert = await this.smartAcme.getCertificateForDomain(domain);
-              if (cert.validUntil) {
-                eventComms.setExpiryDate(new Date(cert.validUntil));
-              }
-              return {
-                id: cert.id,
-                domainName: cert.domainName,
-                created: cert.created,
-                validUntil: cert.validUntil,
-                privateKey: cert.privateKey,
-                publicKey: cert.publicKey,
-                csr: cert.csr,
-              };
+            // smartacme v9 handles concurrency, per-domain dedup, and rate limiting internally
+            eventComms.log(`Attempting DNS-01 via SmartAcme for ${domain}`);
+            eventComms.setSource('smartacme-dns-01');
+            const isWildcardDomain = domain.startsWith('*.');
+            const cert = await this.smartAcme.getCertificateForDomain(domain, {
+              includeWildcard: !isWildcardDomain,
            });
+            if (cert.validUntil) {
+              eventComms.setExpiryDate(new Date(cert.validUntil));
+            }
+            const result = {
+              id: cert.id,
+              domainName: cert.domainName,
+              created: cert.created,
+              validUntil: cert.validUntil,
+              privateKey: cert.privateKey,
+              publicKey: cert.publicKey,
+              csr: cert.csr,
+            };

            // Success — clear any backoff
            await scheduler.clearBackoff(domain);
@@ -577,7 +599,60 @@ export class DcRouter {
      console.log('[DcRouter] Starting SmartProxy...');
      await this.smartProxy.start();
      console.log('[DcRouter] SmartProxy started successfully');
-      
+
+      // Populate certificateStatusMap for certs loaded from store at startup
+      for (const entry of loadedCertEntries) {
+        if (!this.certificateStatusMap.has(entry.domain)) {
+          const routeNames = this.findRouteNamesForDomain(entry.domain);
+          let expiryDate: string | undefined;
+          let issuedAt: string | undefined;
+
+          // Use validUntil/validFrom from stored proxy-certs data if available
+          if (entry.validUntil) {
+            expiryDate = new Date(entry.validUntil).toISOString();
+          }
+          if (entry.validFrom) {
+            issuedAt = new Date(entry.validFrom).toISOString();
+          }
+
+          // Try SmartAcme /certs/ metadata as secondary source
+          if (!expiryDate) {
+            try {
+              const cleanDomain = entry.domain.replace(/^\*\.?/, '');
+              const certMeta = await this.storageManager.getJSON(`/certs/${cleanDomain}`);
+              if (certMeta?.validUntil) {
+                expiryDate = new Date(certMeta.validUntil).toISOString();
+              }
+              if (certMeta?.created && !issuedAt) {
+                issuedAt = new Date(certMeta.created).toISOString();
+              }
+            } catch { /* no metadata available */ }
+          }
+
+          // Fallback: parse X509 from PEM to get expiry
+          if (!expiryDate && entry.publicKey) {
+            try {
+              const x509 = new plugins.crypto.X509Certificate(entry.publicKey);
+              expiryDate = new Date(x509.validTo).toISOString();
+              if (!issuedAt) {
+                issuedAt = new Date(x509.validFrom).toISOString();
+              }
+            } catch { /* PEM parsing failed */ }
+          }
+
+          this.certificateStatusMap.set(entry.domain, {
+            status: 'valid',
+            routeNames,
+            expiryDate,
+            issuedAt,
+            source: 'cert-store',
+          });
+        }
+      }
+      if (loadedCertEntries.length > 0) {
+        console.log(`[DcRouter] Populated certificate status for ${loadedCertEntries.length} store-loaded domain(s)`);
+      }
+
      console.log(`SmartProxy started with ${routes.length} routes`);
    }
  }
@@ -1238,7 +1313,7 @@ export class DcRouter {
    
    try {
      // Ensure paths are imported
-      const dnsDir = paths.dnsRecordsDir;
+      const dnsDir = this.resolvedPaths.dnsRecordsDir;
      
      // Check if directory exists
      if (!plugins.fs.existsSync(dnsDir)) {
@@ -1302,7 +1377,7 @@ export class DcRouter {
    }
    
    // Ensure necessary directories exist
-    paths.ensureDirectories();
+    paths.ensureDataDirectories(this.resolvedPaths);
    
    // Generate DKIM keys for each email domain
    for (const domainConfig of this.options.emailConfig.domains) {
--- a/ts/opsserver/handlers/certificate.handler.ts
+++ b/ts/opsserver/handlers/certificate.handler.ts
@@ -156,13 +156,29 @@ export class CertificateHandler {
      // Check persisted cert data from StorageManager
      if (status === 'unknown') {
        const cleanDomain = domain.replace(/^\*\.?/, '');
-        const certData = await dcRouter.storageManager.getJSON(`/certs/${cleanDomain}`);
+        let certData = await dcRouter.storageManager.getJSON(`/certs/${cleanDomain}`);
+        if (!certData) {
+          // Also check certStore path (proxy-certs)
+          certData = await dcRouter.storageManager.getJSON(`/proxy-certs/${domain}`);
+        }
        if (certData?.validUntil) {
          expiryDate = new Date(certData.validUntil).toISOString();
          if (certData.created) {
            issuedAt = new Date(certData.created).toISOString();
          }
          issuer = 'smartacme-dns-01';
+        } else if (certData?.publicKey) {
+          // certStore has the cert — parse PEM for expiry
+          try {
+            const x509 = new plugins.crypto.X509Certificate(certData.publicKey);
+            expiryDate = new Date(x509.validTo).toISOString();
+            issuedAt = new Date(x509.validFrom).toISOString();
+          } catch { /* PEM parsing failed */ }
+          status = 'valid';
+          issuer = 'cert-store';
+        } else if (certData) {
+          status = 'valid';
+          issuer = 'cert-store';
        }
      }

--- a/ts/paths.ts
+++ b/ts/paths.ts
@@ -1,7 +1,6 @@
 import * as plugins from './plugins.js';

-// Base directories
-export const baseDir = process.cwd();
+// Code/asset paths (not affected by baseDir)
 export const packageDir = plugins.path.join(
  plugins.smartpath.get.dirnameFromImportMetaUrl(import.meta.url),
  '../'
@@ -20,35 +19,37 @@ export const dataDir = process.env.DATA_DIR
 // Default TsmDB path for CacheDb
 export const defaultTsmDbPath = plugins.path.join(dcrouterHomeDir, 'tsmdb');

-// MTA directories 
-export const keysDir = plugins.path.join(dataDir, 'keys');
+// DNS records directory (only surviving MTA directory reference)
 export const dnsRecordsDir = plugins.path.join(dataDir, 'dns');
-export const sentEmailsDir = plugins.path.join(dataDir, 'emails', 'sent');
-export const receivedEmailsDir = plugins.path.join(dataDir, 'emails', 'received');
-export const failedEmailsDir = plugins.path.join(dataDir, 'emails', 'failed'); // For failed emails
-export const logsDir = plugins.path.join(dataDir, 'logs'); // For logs

-// Email template directories
-export const emailTemplatesDir = plugins.path.join(dataDir, 'templates', 'email');
-export const MtaAttachmentsDir = plugins.path.join(dataDir, 'attachments'); // For email attachments
+/**
+ * Resolve all data paths from a given baseDir.
+ * When no baseDir is provided, falls back to ~/.serve.zone/dcrouter.
+ * Specific overrides (e.g. DATA_DIR env) take precedence.
+ */
+export function resolvePaths(baseDir?: string) {
+  const root = baseDir ?? plugins.path.join(plugins.os.homedir(), '.serve.zone', 'dcrouter');
+  const resolvedDataDir = process.env.DATA_DIR ?? plugins.path.join(root, 'data');
+  return {
+    dcrouterHomeDir: root,
+    dataDir: resolvedDataDir,
+    defaultTsmDbPath: plugins.path.join(root, 'tsmdb'),
+    defaultStoragePath: plugins.path.join(root, 'storage'),
+    dnsRecordsDir: plugins.path.join(resolvedDataDir, 'dns'),
+  };
+}

-// Configuration path
-export const configPath = process.env.CONFIG_PATH 
-  ? process.env.CONFIG_PATH 
-  : plugins.path.join(baseDir, 'config.json');
+/**
+ * Ensure only the data directories that are actually used exist.
+ */
+export function ensureDataDirectories(resolvedPaths: ReturnType<typeof resolvePaths>) {
+  plugins.fsUtils.ensureDirSync(resolvedPaths.dataDir);
+  plugins.fsUtils.ensureDirSync(resolvedPaths.dnsRecordsDir);
+}

-// Create directories if they don't exist
+/**
+ * Legacy wrapper — delegates to ensureDataDirectories with module-level defaults.
+ */
 export function ensureDirectories() {
-  // Ensure data directories
-  plugins.fsUtils.ensureDirSync(dataDir);
-  plugins.fsUtils.ensureDirSync(keysDir);
-  plugins.fsUtils.ensureDirSync(dnsRecordsDir);
-  plugins.fsUtils.ensureDirSync(sentEmailsDir);
-  plugins.fsUtils.ensureDirSync(receivedEmailsDir);
-  plugins.fsUtils.ensureDirSync(failedEmailsDir);
-  plugins.fsUtils.ensureDirSync(logsDir);
-  
-  // Ensure email template directories
-  plugins.fsUtils.ensureDirSync(emailTemplatesDir);
-  plugins.fsUtils.ensureDirSync(MtaAttachmentsDir);
-}
+  ensureDataDirectories(resolvePaths());
+}
--- a/ts/security/classes.contentscanner.ts
+++ b/ts/security/classes.contentscanner.ts
@@ -1,5 +1,4 @@
 import * as plugins from '../plugins.js';
-import * as paths from '../paths.js';
 import { logger } from '../logger.js';
 import { Email, type Core } from '@push.rocks/smartmta';
 type IAttachment = Core.IAttachment;
--- a/ts/storage/classes.storagemanager.ts
+++ b/ts/storage/classes.storagemanager.ts
@@ -378,7 +378,7 @@ export class StorageManager {
   */
  async getJSON<T = any>(key: string): Promise<T | null> {
    const value = await this.get(key);
-    if (value === null) {
+    if (value === null || value.trim() === '') {
      return null;
    }
    
--- a/ts_interfaces/readme.md
+++ b/ts_interfaces/readme.md
@@ -128,6 +128,37 @@ TypedRequest interfaces for the OpsServer API, organized by domain:
 | `IReq_GetBounceRecords` | `getBounceRecords` | Bounce records |
 | `IReq_RemoveFromSuppressionList` | `removeFromSuppressionList` | Unsuppress an address |

+#### 🔐 Certificates
+| Interface | Method | Description |
+|-----------|--------|-------------|
+| `IReq_GetCertificateOverview` | `getCertificateOverview` | Domain-centric certificate status |
+| `IReq_ReprovisionCertificate` | `reprovisionCertificate` | Reprovision by route name (legacy) |
+| `IReq_ReprovisionCertificateDomain` | `reprovisionCertificateDomain` | Reprovision by domain (preferred) |
+
+#### Certificate Types
+```typescript
+type TCertificateStatus = 'valid' | 'expiring' | 'expired' | 'provisioning' | 'failed' | 'unknown';
+type TCertificateSource = 'acme' | 'provision-function' | 'static' | 'none';
+
+interface ICertificateInfo {
+  domain: string;
+  routeNames: string[];
+  status: TCertificateStatus;
+  source: TCertificateSource;
+  tlsMode: 'terminate' | 'terminate-and-reencrypt' | 'passthrough';
+  expiryDate?: string;
+  issuer?: string;
+  issuedAt?: string;
+  error?: string;
+  canReprovision: boolean;
+  backoffInfo?: {
+    failures: number;
+    retryAfter?: string;
+    lastError?: string;
+  };
+}
+```
+
 #### 📡 RADIUS
 | Interface | Method | Description |
 |-----------|--------|-------------|
@@ -173,7 +204,16 @@ console.log('Email:', metrics.emailStats);
 console.log('DNS:', metrics.dnsStats);
 console.log('Security:', metrics.securityMetrics);

-// 3. Check email queues
+// 3. Check certificate status
+const certClient = new typedrequest.TypedRequest<requests.IReq_GetCertificateOverview>(
+  'https://your-dcrouter:3000/typedrequest',
+  'getCertificateOverview'
+);
+
+const certs = await certClient.fire({ identity });
+console.log(`Certificates: ${certs.summary.valid} valid, ${certs.summary.failed} failed`);
+
+// 4. Check email queues
 const queueClient = new typedrequest.TypedRequest<requests.IReq_GetQueuedEmails>(
  'https://your-dcrouter:3000/typedrequest',
  'getQueuedEmails'
--- a/ts_web/00_commitinfo_data.ts
+++ b/ts_web/00_commitinfo_data.ts
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@serve.zone/dcrouter',
-  version: '6.0.0',
+  version: '6.3.0',
  description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }
--- a/ts_web/readme.md
+++ b/ts_web/readme.md
@@ -34,6 +34,13 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 - **Security** — Security incidents from email processing
 - Bounce record management and suppression list controls

+### 🔐 Certificate Management
+- Domain-centric certificate overview with status indicators
+- Certificate source tracking (ACME, provision function, static)
+- Expiry date monitoring and alerts
+- Per-domain backoff status for failed provisions
+- One-click reprovisioning per domain
+
 ### 📜 Log Viewer
 - Real-time log streaming
 - Filter by log level (error, warning, info, debug)
@@ -77,6 +84,7 @@ ts_web/
    ├── ops-view-overview.ts  # Overview statistics
    ├── ops-view-network.ts   # Network monitoring
    ├── ops-view-emails.ts    # Email queue management
+    ├── ops-view-certificates.ts  # Certificate overview & reprovisioning
    ├── ops-view-logs.ts      # Log viewer
    ├── ops-view-config.ts    # Configuration display
    ├── ops-view-security.ts  # Security dashboard
@@ -132,6 +140,7 @@ removeFromSuppressionAction(email) // Remove from suppression list
  /emails/sent      → Sent emails
  /emails/failed    → Failed emails
  /emails/security  → Security incidents
+/certificates    → Certificate management
 /logs            → Log viewer
 /configuration   → System configuration
 /security        → Security dashboard
Author	SHA1	Message	Date
Juergen Kunz	fb472f353c	v6.3.0 Some checks failed Docker (tags) / security (push) Failing after 1s Details Docker (tags) / test (push) Has been skipped Details Docker (tags) / release (push) Has been skipped Details Docker (tags) / metadata (push) Has been skipped Details	2026-02-16 09:52:38 +00:00
Juergen Kunz	090bd747e1	feat(dcrouter): add configurable baseDir and centralized path resolution; use resolved data paths for storage, cache and DNS	2026-02-16 09:52:38 +00:00
Juergen Kunz	4d77a94bbb	v6.2.4 Some checks failed Docker (tags) / security (push) Failing after 1s Details Docker (tags) / test (push) Has been skipped Details Docker (tags) / release (push) Has been skipped Details Docker (tags) / metadata (push) Has been skipped Details	2026-02-16 09:02:57 +00:00
Juergen Kunz	7f5284b10f	fix(deps): bump @push.rocks/smartproxy to ^25.5.0	2026-02-16 09:02:57 +00:00
Juergen Kunz	9cd5db2d81	v6.2.3 Some checks failed Docker (tags) / security (push) Failing after 1s Details Docker (tags) / test (push) Has been skipped Details Docker (tags) / release (push) Has been skipped Details Docker (tags) / metadata (push) Has been skipped Details	2026-02-16 02:50:25 +00:00
Juergen Kunz	de0b7d1fe0	fix(dcrouter): persist proxy certificate validity dates and improve certificate status initialization	2026-02-16 02:50:25 +00:00
Juergen Kunz	4e32745a8f	v6.2.2 Some checks failed Docker (tags) / security (push) Failing after 1s Details Docker (tags) / test (push) Has been skipped Details Docker (tags) / release (push) Has been skipped Details Docker (tags) / metadata (push) Has been skipped Details	2026-02-16 01:58:39 +00:00
Juergen Kunz	121573de2f	fix(certs): Populate certificate status for cert-store-loaded certificates after SmartProxy startup and check proxy-certs in opsserver certificate handler	2026-02-16 01:58:39 +00:00
Juergen Kunz	cd957526e2	v6.2.1 Some checks failed Docker (tags) / security (push) Failing after 1s Details Docker (tags) / test (push) Has been skipped Details Docker (tags) / release (push) Has been skipped Details Docker (tags) / metadata (push) Has been skipped Details	2026-02-16 00:56:41 +00:00
Juergen Kunz	7aa5f07731	fix(smartacme,storage): Respect wildcard domain requests when retrieving certificates and treat empty/whitespace storage values as null in getJSON	2026-02-16 00:56:41 +00:00
Juergen Kunz	5b6f7b30c3	v6.2.0 Some checks failed Docker (tags) / security (push) Failing after 1s Details Docker (tags) / test (push) Has been skipped Details Docker (tags) / release (push) Has been skipped Details Docker (tags) / metadata (push) Has been skipped Details	2026-02-16 00:26:35 +00:00
Juergen Kunz	18cc21a49e	feat(ts_web): add Certificate Management documentation and ops-view-certificates reference	2026-02-16 00:26:35 +00:00
Juergen Kunz	46fa2f6ade	v6.1.0 Some checks failed Docker (tags) / security (push) Failing after 1s Details Docker (tags) / test (push) Has been skipped Details Docker (tags) / release (push) Has been skipped Details Docker (tags) / metadata (push) Has been skipped Details	2026-02-16 00:22:23 +00:00
Juergen Kunz	0a6315f177	feat(certs): integrate smartacme v9 for ACME certificate provisioning and add certificate management features, docs, dashboard views, API endpoints, and per-domain backoff scheduler	2026-02-16 00:22:23 +00:00