feat: expose dcrouter gateway settings

- Implemented SecretSettingsManager to handle secret settings with encryption.
- Added functionality to migrate legacy plaintext settings into encrypted storage.
- Introduced methods for setting, getting, and clearing secret settings.
- Created tests for verifying the migration and canonicalization of secret settings.
- Updated app state to handle service updates via socket communication.
- Added interface for push service updates to manage service state changes.

.claude/CLAUDE.md

@@ -1,140 +0,0 @@
-# Onebox Development Notes
-
-## ⚠️ CRITICAL DEVELOPMENT RULES ⚠️
-
-### NEVER GUESS - ALWAYS READ THE ACTUAL CODE
-**FUCKING ALWAYS look at the dependency actual code. Don't start fucking guessing stuff.**
-
-run "pnpm run watch" when starting to do stuff, so the UI gets recompiled and the server automatically restarts on file changes.
-
-When working with any dependency:
-1. **READ the actual source code** in `node_modules/` or check the package documentation
-2. **CHECK the exact API** - don't assume based on similar libraries
-3. **VERIFY method names, return types, and property structures** before using them
-4. **TEST with the actual implementation** - APIs change between versions
-
-Common mistakes to avoid:
-- ❌ Assuming API structure based on similar libraries
-- ❌ Guessing method names or property paths
-- ❌ Using outdated documentation without checking current version
-- ✅ Read the actual TypeScript definitions in node_modules
-- ✅ Check the package's README and changelog
-- ✅ Test the actual behavior before implementing
-
-## Architecture Changes
-
-### Reverse Proxy Implementation
-- **Replaced Nginx** with native Deno reverse proxy (`ts/classes/reverseproxy.ts`)
-- Features:
-  - HTTP/HTTPS dual servers (ports 80/443)
-  - TLS/SSL certificate management with hot-reload
-  - WebSocket bidirectional proxying
-  - Dynamic routing from database
-  - SNI (Server Name Indication) support
-
-### Code Organization
-- Removed "onebox." prefix from all TypeScript files
-- Organized into subfolders:
-  - `ts/classes/` - All class implementations
-  - `ts/` - Root level utilities (logging, types, plugins, cli, info)
-
-### WebSocket Real-time Communication
-- **Backend**: WebSocket endpoint at `/api/ws` (`ts/classes/httpserver.ts:96-174`)
-  - Connection management with client Set tracking
-  - Broadcast methods: `broadcast()`, `broadcastServiceUpdate()`, `broadcastServiceStatus()`
-  - Integrated with service lifecycle (start/stop/restart actions)
-  - Status monitoring loop broadcasts changes automatically
-- **Frontend**: Angular WebSocket service (`ui/src/app/core/services/websocket.service.ts`)
-  - Auto-connects on app initialization
-  - Exponential backoff reconnection (max 5 attempts)
-  - RxJS Observable-based message streaming
-  - Components subscribe to real-time updates
-- **Message Types**:
-  - `connected` - Initial connection confirmation
-  - `service_update` - Service lifecycle changes (action: created/updated/deleted/started/stopped)
-  - `service_status` - Real-time status changes from monitoring loop
-  - `system_status` - System-wide updates
-- **Testing**: Use `.nogit/test-ws-updates.ts` to monitor WebSocket messages
-
-### Docker Configuration
-- **System Docker**: Uses root Docker at `/var/run/docker.sock` (NOT rootless)
-- **Swarm Mode**: Enabled for service orchestration
-- **API Access**: Interact with Docker via direct API calls to the socket
-  - ❌ DO NOT switch Docker CLI contexts
-  - ✅ Use curl/HTTP requests to `/var/run/docker.sock`
-- **Network**: Overlay network `onebox-network` with `Attachable: true`
-- **Services vs Containers**: All workloads run as Swarm services (not standalone containers)
-
-## Debugging Tips
-
-### Backend Logs
-Use the background bash task to check server logs:
-```bash
-# Check for specific patterns (e.g., Login attempts)
-BashOutput tool with filter: "Login|error|Error"
-
-# Check all recent output
-BashOutput tool without filter
-```
-
-The dev server runs with `--watch` so it auto-restarts on file changes.
-
-### Frontend Testing
-Use Playwright for UI testing:
-```typescript
-// Navigate to app
-mcp__playwright__browser_navigate({ url: "http://localhost:3000" })
-
-// Fill login form
-mcp__playwright__browser_fill_form({
-  fields: [
-    { name: "Username", type: "textbox", ref: "...", value: "admin" },
-    { name: "Password", type: "textbox", ref: "...", value: "admin" }
-  ]
-})
-
-// Click button
-mcp__playwright__browser_click({ element: "Sign in button", ref: "..." })
-
-// Check console errors
-// Playwright automatically shows console messages in results
-```
-
-### Common Issues
-
-#### Login Issue (Fixed)
-**Problem**: `admin/admin` credentials returned "Invalid credentials"
-
-**Root Cause**: `rowToUser()` function in database.ts was accessing rows as arrays `row[2]` instead of objects `row.password_hash`. The @db/sqlite library returns rows as objects with snake_case column names.
-
-**Fix**: Updated `rowToUser()` to support both access patterns:
-```typescript
-private rowToUser(row: any): IUser {
-  return {
-    passwordHash: String(row.password_hash || row[2]),
-    // ... other fields
-  };
-}
-```
-
-**Location**: `ts/classes/database.ts:506-515`
-
-## Default Credentials
-- Username: `admin`
-- Password: `admin`
-- ⚠️ Change immediately after first login!
-
-## Development Server
-```bash
-# Main server (port 3000)
-deno task dev
-
-# Check server status
-curl http://localhost:3000/api/status
-```
-
-## API Endpoints
-- `POST /api/auth/login` - Login (returns JWT-like token)
-- `GET /api/status` - System status (requires auth)
-- `GET /api/services` - List services (requires auth)
-- See `ts/classes/httpserver.ts` for full API

.gitea/release-template.md

@@ -0,0 +1,37 @@
+## Onebox {{VERSION}}
+
+Pre-compiled binaries for multiple platforms.
+
+### Installation
+
+#### Option 1: Via npm (recommended)
+
+```bash
+npm install -g @serve.zone/onebox
+```
+
+#### Option 2: Via installer script
+
+```bash
+curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash
+```
+
+#### Option 3: Direct binary download
+
+Download the appropriate binary for your platform from the assets below and make it executable.
+
+### Supported Platforms
+
+- Linux x86_64 (x64)
+- Linux ARM64 (aarch64)
+- macOS x86_64 (Intel)
+- macOS ARM64 (Apple Silicon)
+- Windows x86_64
+
+### Checksums
+
+SHA256 checksums are provided in `SHA256SUMS.txt` for binary verification.
+
+### npm Package
+
+The npm package includes automatic binary detection and installation for your platform.

.gitea/workflows/release.yml

@@ -0,0 +1,211 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  build-and-release:
+    runs-on: ubuntu-latest
+    container:
+      image: code.foss.global/host.today/ht-docker-node:latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Deno
+        uses: denoland/setup-deno@v1
+        with:
+          deno-version: v2.x
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+
+      - name: Enable corepack
+        run: corepack enable
+
+      - name: Install dependencies
+        run: pnpm install --ignore-scripts
+
+      - name: Get version from tag
+        id: version
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/}
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "version_number=${VERSION#v}" >> $GITHUB_OUTPUT
+          echo "Building version: $VERSION"
+
+      - name: Verify deno.json version matches tag
+        run: |
+          DENO_VERSION=$(grep -o '"version": "[^"]*"' deno.json | cut -d'"' -f4)
+          TAG_VERSION="${{ steps.version.outputs.version_number }}"
+          echo "deno.json version: $DENO_VERSION"
+          echo "Tag version: $TAG_VERSION"
+          if [ "$DENO_VERSION" != "$TAG_VERSION" ]; then
+            echo "ERROR: Version mismatch!"
+            echo "deno.json has version $DENO_VERSION but tag is $TAG_VERSION"
+            exit 1
+          fi
+
+      - name: Compile binaries for all platforms
+        run: mkdir -p dist/binaries && npx tsdeno compile
+
+      - name: Generate SHA256 checksums
+        run: |
+          cd dist/binaries
+          sha256sum * > SHA256SUMS.txt
+          cat SHA256SUMS.txt
+          cd ../..
+
+      - name: Extract changelog for this version
+        id: changelog
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+
+          # Check if CHANGELOG.md exists
+          if [ ! -f CHANGELOG.md ] && [ ! -f changelog.md ]; then
+            echo "No changelog found, using default release notes"
+            cat > /tmp/release_notes.md << EOF
+          ## Onebox $VERSION
+
+          Pre-compiled binaries for multiple platforms.
+
+          ### Installation
+
+          Use the installation script:
+          \`\`\`bash
+          curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash
+          \`\`\`
+
+          Or download the binary for your platform and make it executable.
+
+          ### Supported Platforms
+          - Linux x86_64 (x64)
+          - Linux ARM64 (aarch64)
+          - macOS x86_64 (Intel)
+          - macOS ARM64 (Apple Silicon)
+          - Windows x86_64
+
+          ### Checksums
+          SHA256 checksums are provided in SHA256SUMS.txt
+          EOF
+          else
+            CHANGELOG_FILE=$([ -f CHANGELOG.md ] && echo "CHANGELOG.md" || echo "changelog.md")
+            awk "/## \[$VERSION\]/,/## \[/" "$CHANGELOG_FILE" | sed '$d' > /tmp/release_notes.md || cat > /tmp/release_notes.md << EOF
+          ## Onebox $VERSION
+
+          See changelog.md for full details.
+
+          ### Installation
+
+          Use the installation script:
+          \`\`\`bash
+          curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash
+          \`\`\`
+          EOF
+          fi
+
+          echo "Release notes:"
+          cat /tmp/release_notes.md
+
+      - name: Delete existing release if it exists
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+
+          echo "Checking for existing release $VERSION..."
+
+          # Try to get existing release by tag
+          EXISTING_RELEASE_ID=$(curl -s \
+            -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            "https://code.foss.global/api/v1/repos/serve.zone/onebox/releases/tags/$VERSION" \
+            | jq -r '.id // empty')
+
+          if [ -n "$EXISTING_RELEASE_ID" ]; then
+            echo "Found existing release (ID: $EXISTING_RELEASE_ID), deleting..."
+            curl -X DELETE -s \
+              -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+              "https://code.foss.global/api/v1/repos/serve.zone/onebox/releases/$EXISTING_RELEASE_ID"
+            echo "Existing release deleted"
+            sleep 2
+          else
+            echo "No existing release found, proceeding with creation"
+          fi
+
+      - name: Create Gitea Release
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          RELEASE_NOTES=$(cat /tmp/release_notes.md)
+
+          # Create the release
+          echo "Creating release for $VERSION..."
+          RELEASE_ID=$(curl -X POST -s \
+            -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            "https://code.foss.global/api/v1/repos/serve.zone/onebox/releases" \
+            -d "{
+              \"tag_name\": \"$VERSION\",
+              \"name\": \"Onebox $VERSION\",
+              \"body\": $(jq -Rs . /tmp/release_notes.md),
+              \"draft\": false,
+              \"prerelease\": false
+            }" | jq -r '.id')
+
+          echo "Release created with ID: $RELEASE_ID"
+
+          # Upload binaries as release assets
+          for binary in dist/binaries/*; do
+            filename=$(basename "$binary")
+            echo "Uploading $filename..."
+            curl -X POST -s \
+              -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+              -H "Content-Type: application/octet-stream" \
+              --data-binary "@$binary" \
+              "https://code.foss.global/api/v1/repos/serve.zone/onebox/releases/$RELEASE_ID/assets?name=$filename"
+          done
+
+          echo "All assets uploaded successfully"
+
+      - name: Clean up old releases
+        run: |
+          echo "Cleaning up old releases (keeping only last 3)..."
+
+          # Fetch all releases sorted by creation date
+          RELEASES=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            "https://code.foss.global/api/v1/repos/serve.zone/onebox/releases" | \
+            jq -r 'sort_by(.created_at) | reverse | .[3:] | .[].id')
+
+          # Delete old releases
+          if [ -n "$RELEASES" ]; then
+            echo "Found releases to delete:"
+            for release_id in $RELEASES; do
+              echo "  Deleting release ID: $release_id"
+              curl -X DELETE -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+                "https://code.foss.global/api/v1/repos/serve.zone/onebox/releases/$release_id"
+            done
+            echo "Old releases deleted successfully"
+          else
+            echo "No old releases to delete (less than 4 releases total)"
+          fi
+          echo ""
+
+      - name: Release Summary
+        run: |
+          echo "================================================"
+          echo "  Release ${{ steps.version.outputs.version }} Complete!"
+          echo "================================================"
+          echo ""
+          echo "Binaries published:"
+          ls -lh dist/binaries/
+          echo ""
+          echo "Release URL:"
+          echo "https://code.foss.global/serve.zone/onebox/releases/tag/${{ steps.version.outputs.version }}"
+          echo ""
+          echo "Installation command:"
+          echo "curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash"
+          echo ""

.gitignore

@@ -1,3 +1,30 @@
+.nogit/
+
+# artifacts
+coverage/
+public/
+
+# installs
+node_modules/
+
+# caches
+.yarn/
+.cache/
+.rpt2_cache
+
+# builds
+dist/
+dist_*/
+
+# rust
+rust/target/
+dist_rust/
+
+# AI
+.claude/
+.serena/
+
+#------# custom
 # Deno
 .deno/
 deno.lock

.smartconfig.json

@@ -0,0 +1,79 @@
+{
+  "@git.zone/tsbundle": {
+    "bundles": [
+      {
+        "from": "./ts_web/index.ts",
+        "to": "./ts_bundled/bundle.ts",
+        "outputMode": "base64ts",
+        "bundler": "esbuild",
+        "production": true,
+        "includeFiles": [
+          {
+            "from": "./html/index.html",
+            "to": "index.html"
+          }
+        ]
+      }
+    ]
+  },
+  "@git.zone/tsdeno": {
+    "compileTargets": [
+      {
+        "name": "onebox-linux-x64",
+        "entryPoint": "mod.ts",
+        "outDir": "dist/binaries",
+        "target": "x86_64-unknown-linux-gnu",
+        "permissions": ["--allow-all"],
+        "noCheck": true
+      },
+      {
+        "name": "onebox-linux-arm64",
+        "entryPoint": "mod.ts",
+        "outDir": "dist/binaries",
+        "target": "aarch64-unknown-linux-gnu",
+        "permissions": ["--allow-all"],
+        "noCheck": true
+      }
+    ]
+  },
+  "@git.zone/tswatch": {
+    "bundles": [
+      {
+        "from": "./ts_web/index.ts",
+        "to": "./ts_bundled/bundle.ts",
+        "outputMode": "base64ts",
+        "bundler": "esbuild",
+        "production": true,
+        "watchPatterns": ["./ts_web/**/*", "./html/**/*"],
+        "includeFiles": [
+          {
+            "from": "./html/index.html",
+            "to": "index.html"
+          }
+        ]
+      }
+    ],
+    "watchers": [
+      {
+        "name": "backend",
+        "watch": ["./ts/**/*", "./ts_interfaces/**/*", "./ts_bundled/**/*"],
+        "command": "deno run --allow-all --unstable-ffi mod.ts server --ephemeral --monitor",
+        "restart": true,
+        "debounce": 500,
+        "runOnStart": true
+      }
+    ]
+  },
+  "@git.zone/cli": {
+    "projectType": "denoSaaS",
+    "module": {
+      "githost": "code.foss.global",
+      "gitscope": "serve.zone",
+      "gitrepo": "onebox",
+      "description": "Self-hosted container platform with automatic SSL and DNS - a mini Heroku for single servers",
+      "npmPackagename": "@serve.zone/onebox",
+      "license": "MIT"
+    }
+  },
+  "@ship.zone/szci": {}
+}

changelog.md

@@ -1,6 +1,435 @@
 # Changelog
 
+## 2026-03-24 - 1.24.2 - fix(deps)
+bump runtime and build tool dependencies
+
+- update @design.estate/dees-catalog to ^3.49.0
+- update development tooling packages @git.zone/tsbundle, @git.zone/tsdeno, and @git.zone/tswatch
+
+## 2026-03-24 - 1.24.1 - fix(repo)
+migrate smart build config to .smartconfig.json and tidy repository metadata
+
+- Rename npmextra.json to .smartconfig.json and extend it with CLI project metadata for the repository.
+- Mark the package as private and add an empty pnpm overrides block in package.json.
+- Expand .gitignore to cover common build artifacts, caches, install directories, and local tooling folders.
+- Reformat changelog and README files for cleaner spacing and Markdown table alignment without changing documented behavior.
+
+## 2026-03-24 - 1.24.0 - feat(backup)
+
+add containerarchive-backed backup storage, restore, download, and pruning support
+
+- add database support for archive snapshot IDs and stored size tracking for backups
+- initialize and close the backup archive during onebox lifecycle startup and shutdown
+- allow backup download and restore flows to work with archive snapshots as well as legacy file-based backups
+- schedule daily archive pruning based on the most generous configured retention policy
+- replace smarts3 with smartstorage for registry-backed S3-compatible storage
+
+## 2026-03-21 - 1.23.0 - feat(appstore)
+
+add remote app store templates with service upgrades and Redis/MariaDB platform support
+
+- introduces an App Store manager, API handlers, shared request types, and web UI flow for browsing remote templates and deploying services from template metadata
+- tracks app template id and version on services, adds upgrade discovery and migration-based service upgrades, and includes a database migration for template version columns
+- adds Redis and MariaDB platform service providers with provisioning plus backup and restore support, and exposes their requirements through service creation and app template config
+
+## 2026-03-18 - 1.22.2 - fix(web-ui)
+
+stabilize app store service creation flow and add Ghost sqlite defaults
+
+- Defers App Store navigation to the services view to avoid destroying the current view during the deploy event handler.
+- Processes pending app templates after services view updates so the create flow opens reliably.
+- Adds default Ghost environment variables for sqlite3 and the database file path in the App Store template.
+- Removes obsolete Gitea CI and npm publish workflow definitions.
+
+## 2026-03-18 - 1.22.1 - fix(repo)
+
+no changes to commit
+
+## 2026-03-18 - 1.22.0 - feat(web-appstore)
+
+add an App Store view for quick service deployment from curated templates
+
+- adds a new App Store tab to the web UI with curated Docker app templates
+- passes selected app templates through UI state into the services view for quick deployment
+- supports quick deploy creation with prefilled image, port, environment variables, and optional platform service flags
+- updates @serve.zone/catalog to ^2.8.0 to support the new app store view
+
+## 2026-03-18 - 1.21.0 - feat(opsserver)
+
+add container workspace API and backend execution environment for services
+
+- introduces typed workspace handlers for reading, writing, listing, creating, removing, and executing commands inside service containers
+- adds frontend backend-execution environment integration so the service view can open a workspace against a selected service
+- extends Docker exec lookup to resolve Swarm service container IDs when a direct container ID is unavailable
+
+## 2026-03-17 - 1.20.0 - feat(ops-dashboard)
+
+stream user service logs to the ops dashboard and resolve service containers for Docker log streaming
+
+- add typed socket support for pushing live user service log entries to the web app
+- extend platform log streaming to include running user services with separate dashboard handlers
+- fall back from direct container lookup to service-to-container resolution when streaming Docker logs
+- update log parsing to preserve timestamps and infer log levels for service log entries
+- bump @serve.zone/catalog to ^2.7.0
+
+## 2026-03-17 - 1.19.12 - fix(repo)
+
+no changes to commit
+
+## 2026-03-17 - 1.19.11 - fix(repo)
+
+no changes to commit
+
+## 2026-03-17 - 1.19.10 - fix(repo)
+
+no changes to commit
+
+## 2026-03-17 - 1.19.9 - fix(repo)
+
+no changes to commit
+
+## 2026-03-17 - 1.19.8 - fix(repo)
+
+no changes to commit
+
+## 2026-03-17 - 1.19.7 - fix(repo)
+
+no changes to commit
+
+## 2026-03-17 - 1.19.6 - fix(repository)
+
+no changes to commit
+
+## 2026-03-17 - 1.19.5 - fix(repo)
+
+no changes to commit
+
+## 2026-03-17 - 1.19.4 - fix(repository)
+
+no changes to commit
+
+## 2026-03-16 - 1.19.3 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.19.2 - fix(docs)
+
+remove outdated UI screenshot assets from project documentation
+
+- Deletes multiple PNG screenshots that documented previous dashboard, service form, and hello-world states.
+- Reduces repository clutter by removing obsolete image assets no longer needed in docs.
+
+## 2026-03-16 - 1.19.1 - fix(dashboard)
+
+add updated dashboard screenshots for refresh and resource usage states
+
+- Adds new dashboard screenshots covering post-refresh, resource usage, and populated data views.
+- Updates visual assets to document current dashboard behavior and UI states.
+
+## 2026-03-16 - 1.19.1 - fix(dashboard)
+
+add aggregated resource usage stats to the dashboard
+
+- Aggregate CPU, memory, and network stats across all running user and platform service containers in getSystemStatus
+- Extend ISystemStatus.docker interface with cpuUsage, memoryUsage, memoryTotal, networkIn, networkOut fields
+- Fix getContainerStats to properly handle Swarm service IDs by catching exceptions and falling back to label-based container lookup
+- Wire dashboard resource usage card to display real aggregated data from the backend
+
+## 2026-03-16 - 1.19.0 - feat(opsserver,web)
+
+add real-time platform service log streaming to the dashboard
+
+- stream running platform service container logs from the ops server to connected dashboard clients via TypedSocket
+- parse Docker log timestamps and levels for both pushed and fetched platform service log entries
+- enhance the platform service detail view with mapped statuses and predefined host, port, version, and config metadata
+- add the typedsocket dependency and update the catalog package for dashboard support
+
+## 2026-03-16 - 1.18.5 - fix(platform-services)
+
+fix platform service detail view navigation and log display
+
+- Add back button to platform service detail view for returning to services list
+- Fix DOM lifecycle when switching between platform services (destroy and recreate dees-chart-log)
+- Fix timestamp format for log entries to use ISO 8601 for dees-chart-log compatibility
+- Clear previous stats/logs state before fetching new platform service data
+
+## 2026-03-16 - 1.18.4 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.18.3 - fix(deps)
+
+bump @serve.zone/catalog to ^2.6.1
+
+- Updates the @serve.zone/catalog runtime dependency from ^2.6.0 to ^2.6.1.
+
+## 2026-03-16 - 1.18.2 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.18.1 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.18.0 - feat(platform-services)
+
+add platform service log retrieval and display in the services UI
+
+- add typed request support in the ops server to fetch Docker logs for platform service containers
+- store fetched platform service logs in web app state and load them when opening platform service details
+- render platform service logs in the services detail view and add sidebar icons for main navigation tabs
+
+## 2026-03-16 - 1.17.4 - fix(docs)
+
+add hello world running screenshot for documentation
+
+- Adds a new PNG asset showing the application in a running hello world state.
+- Supports project documentation or README usage without changing runtime behavior.
+
+## 2026-03-16 - 1.17.3 - fix(mongodb)
+
+downgrade the MongoDB service image to 4.4 and use the legacy mongo shell for container operations
+
+- changes the default MongoDB container image from mongo:7 to mongo:4.4
+- replaces mongosh with mongo for health checks, provisioning, and deprovisioning inside the container
+
+## 2026-03-16 - 1.17.2 - fix(platform-services)
+
+provision ClickHouse, MinIO, and MongoDB resources via docker exec instead of host port access
+
+- switch ClickHouse provisioning and teardown to in-container client commands to avoid host port mapping issues
+- replace MinIO host-side S3 API calls with in-container mc commands for bucket creation and removal
+- run MongoDB provisioning and deprovisioning through mongosh inside the container and improve docker exec failure reporting
+
+## 2026-03-16 - 1.17.1 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.17.0 - feat(web/services)
+
+add deploy service action to the services view
+
+- Adds a prominent "Deploy Service" button to the services page header.
+- Routes users into the create service view directly from the services listing.
+- Includes a new service creation form screenshot asset for the updated interface.
+
+## 2026-03-16 - 1.16.0 - feat(services)
+
+add platform service navigation and stats in the services UI
+
+- add platform service stats state and fetch action
+- show platform services in the services list and open a platform detail view
+- enable dashboard clicks to jump directly to the selected platform service
+- refresh platform service stats after start and restart actions
+- bump @serve.zone/catalog to ^2.6.0 for the new platform service UI components
+
+## 2026-03-16 - 1.15.3 - fix(install)
+
+refresh systemd service configuration before restarting previously running installations
+
+- Re-enable the systemd service during updates so unit file changes are applied before restart
+- Add a log message indicating the service configuration is being refreshed
+
+## 2026-03-16 - 1.15.2 - fix(systemd)
+
+set HOME and DENO_DIR for the systemd service environment
+
+- Adds HOME=/root to the generated onebox systemd unit
+- Adds DENO_DIR=/root/.cache/deno so Deno cache paths are available when running as a service
+
+## 2026-03-16 - 1.15.1 - fix(systemd)
+
+move Docker installation and swarm initialization to systemd enable flow
+
+- Ensures Docker is installed before writing and enabling the systemd unit that depends on docker.service.
+- Removes Docker auto-installation from Onebox initialization so setup happens in the service management path.
+
+## 2026-03-16 - 1.15.0 - feat(systemd)
+
+replace smartdaemon-based service management with native systemd commands
+
+- adds a dedicated OneboxSystemd manager for enabling, disabling, starting, stopping, checking status, and following logs
+- introduces a new `onebox systemd` CLI command set and updates install and help output to use it
+- removes the smartdaemon dependency and related service management code
+
+## 2026-03-16 - 1.14.10 - fix(services)
+
+stop auto-update monitoring during shutdown
+
+- Track the auto-update polling interval in the services manager
+- Clear the auto-update interval when Onebox shuts down to prevent background checks after shutdown
+
+## 2026-03-16 - 1.14.9 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.14.8 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.14.7 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.14.6 - fix(project)
+
+no changes to commit
+
+## 2026-03-16 - 1.14.5 - fix(onebox)
+
+move Docker auto-install and swarm initialization into Onebox startup flow
+
+- removes Docker setup from daemon service installation
+- ensures Docker is installed before Docker initialization during Onebox startup
+- preserves automatic Docker Swarm initialization on fresh servers
+
+## 2026-03-16 - 1.14.4 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.14.3 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.14.2 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.14.1 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.14.0 - feat(daemon)
+
+auto-install Docker and initialize Swarm during daemon service setup
+
+- Adds a Docker availability check before installing the Onebox daemon service
+- Installs Docker automatically when it is missing using the standard installation script
+- Attempts to initialize Docker Swarm after installation and handles already-initialized environments gracefully
+
+## 2026-03-16 - 1.13.17 - fix(ci)
+
+remove forced container image pulling from Gitea workflow jobs
+
+- Drops the `--pull always` container option from CI, npm publish, and release workflows.
+- Keeps workflow container images unchanged while avoiding forced pulls on every job run.
+
+## 2026-03-16 - 1.13.16 - fix(ci)
+
+refresh workflow container images on every run and bump @apiclient.xyz/docker to ^5.1.1
+
+- add --pull always to CI, release, and npm publish workflow containers to avoid stale images
+- update @apiclient.xyz/docker from ^5.1.0 to ^5.1.1 in deno.json
+
+## 2026-03-15 - 1.13.15 - fix(repo)
+
+no changes to commit
+
+## 2026-03-15 - 1.13.14 - fix(repo)
+
+no changes to commit
+
+## 2026-03-15 - 1.13.13 - fix(repo)
+
+no changes to commit
+
+## 2026-03-15 - 1.13.12 - fix(ci)
+
+run pnpm install with --ignore-scripts in CI and release workflows
+
+- Update CI workflow dependency installation steps to skip lifecycle scripts during builds.
+- Apply the same install change to the release workflow for consistent automation behavior.
+
+## 2026-03-15 - 1.13.11 - fix(project)
+
+no changes to commit
+
+## 2026-03-15 - 1.13.10 - fix(deps)
+
+bump @git.zone/tsdeno to ^1.2.0
+
+- Updates the tsdeno development dependency from ^1.1.1 to ^1.2.0.
+
+## 2026-03-15 - 1.13.9 - fix(repo)
+
+no changes to commit
+
+## 2026-03-15 - 1.13.8 - fix(repo)
+
+no changes to commit
+
+## 2026-03-15 - 1.13.7 - fix(repo)
+
+no changes to commit
+
+## 2026-03-15 - 1.13.6 - fix(ci)
+
+correct workflow container image registry path
+
+- Update Gitea CI, release, and npm publish workflows to use the corrected ht-docker-node image path
+- Align all workflow container references from hosttoday to host.today to prevent pipeline image resolution issues
+
+## 2026-03-15 - 1.13.5 - fix(workflows)
+
+switch Gitea workflow containers from ht-docker-dbase to ht-docker-node
+
+- Updates the CI, release, and npm publish workflows to use the Node-focused container image consistently.
+- Aligns workflow runtime images with the project's Node and Deno build and publish steps.
+
+## 2026-03-15 - 1.13.4 - fix(ci)
+
+run workflows in the shared build container and enable corepack for pnpm installs
+
+- adds the ht-docker-dbase container image to CI, release, and npm publish workflows
+- enables corepack before pnpm install in build and release jobs to ensure package manager availability
+
+## 2026-03-15 - 1.13.3 - fix(build)
+
+replace custom Deno compile scripts with tsdeno-based binary builds in CI and release workflows
+
+- adds @git.zone/tsdeno as a dev dependency and configures compile targets in npmextra.json
+- updates CI and release workflows to install Node.js dependencies before running tsdeno compile
+- removes the legacy scripts/compile-all.sh script and points the compile task to tsdeno compile
+
+## 2026-03-15 - 1.13.2 - fix(scripts)
+
+install production dependencies before compiling binaries and exclude local node_modules from builds
+
+- Adds a dependency installation step using the application entrypoint before cross-platform compilation
+- Updates all deno compile targets to use --node-modules-dir=none to avoid bundling local node_modules
+
+## 2026-03-15 - 1.13.1 - fix(deno)
+
+remove nodeModulesDir from Deno configuration
+
+- Drops the explicit nodeModulesDir setting from deno.json.
+- Keeps the package version unchanged at 1.13.0 while simplifying runtime configuration.
+
+## 2026-03-15 - 1.13.0 - feat(install)
+
+improve installer with version selection, service restart handling, and upgrade documentation
+
+- Adds installer command-line options for help, specific version selection, and custom install directory.
+- Fetches the latest release from the Gitea API when no version is provided and installs the matching platform binary.
+- Preserves Onebox data directories, stops and restarts the systemd service during updates, and refreshes installation instructions in the README including upgrade usage.
+
+## 2026-03-15 - 1.12.1 - fix(package.json)
+
+update package metadata
+
+- Single metadata-only file changed (+1, -1)
+- No source code or runtime behavior modified; safe patch release
+
+## 2026-03-15 - 1.12.0 - feat(cli,release)
+
+add self-upgrade command and automate CI, release, and npm publishing workflows
+
+- adds a new `onebox upgrade` CLI command that checks the latest release and reinstalls the current binary via the installer script
+- introduces Gitea CI workflows for type checks, build verification, multi-platform binary compilation, release creation, and npm publishing
+- adds a reusable release template describing installation options, supported platforms, and checksum availability
+
 ## 2026-03-03 - 1.11.0 - feat(services)
+
 map backend service data to UI components, add stats & logs parsing, fetch service stats, and fix logs request param
 
 - Fix: rename service logs request property from 'lines' to 'tail' when calling typedRequest
@@ -10,21 +439,24 @@ map backend service data to UI components, add stats & logs parsing, fetch servi
 - Parse and normalize logs into timestamp/message pairs for the detail view
 
 ## 2026-03-02 - 1.10.3 - fix(bin)
+
 make bin/onebox-wrapper.js executable
 
 - Metadata-only change: file mode updated for bin/onebox-wrapper.js to include the executable bit
 - No source or behavior changes to the code
 
 ## 2026-03-02 - 1.10.2 - fix(build)
+
 update build/watch configuration, switch to esbuild bundler and tswatch, and bump catalog and tooling dependencies
 
 - Switch watch script to 'tswatch' (replaced previous concurrently command invoking deno + tswatch).
-- npmextra.json: set bundler to 'esbuild', enable production mode, include html/index.html in the bundle, and extend watchPatterns to include ./html/**/*.
+- npmextra.json: set bundler to 'esbuild', enable production mode, include html/index.html in the bundle, and extend watchPatterns to include ./html/\*_/_.
 - Backend watcher: expanded watch globs and changed command to include --unstable-ffi and runtime flags (--ephemeral --monitor); restart and debounce kept.
 - Bump runtime deps: @design.estate/dees-catalog -> ^3.43.3, @serve.zone/catalog -> ^2.5.0.
 - Bump devDependencies: @git.zone/tsbundle -> ^2.9.0, @git.zone/tswatch -> ^3.2.0.
 
 ## 2026-02-24 - 1.10.1 - fix(package.json)
+
 update package metadata
 
 - Single metadata-only file changed (+1 -1)
@@ -32,6 +464,7 @@ update package metadata
 - Current package version is 1.10.0; recommend patch bump to 1.10.1
 
 ## 2026-02-24 - 1.10.0 - feat(opsserver)
+
 introduce OpsServer (TypedRequest API) and new lightweight web UI; replace legacy Angular UI and add typed interfaces
 
 - Add OpsServer (ts/opsserver) with TypedRequest handlers for admin, services, platform, dns, domains, registry, network, backups, schedules, settings and logs.
@@ -44,21 +477,24 @@ introduce OpsServer (TypedRequest API) and new lightweight web UI; replace legac
 - Note: This adds many new endpoints and internal API changes (TypedRequest-based); consumers of the old UI/HTTP endpoints should migrate to the new OpsServer TypedRequest API and web components.
 
 ## 2025-12-03 - 1.9.2 - fix(ui)
+
 Add VS Code configs for the UI workspace and normalize dark theme CSS variables
 
 - Add VS Code workspace files under ui/.vscode:
--   - extensions.json: recommend the Angular language support extension
--   - launch.json: Chrome launch configurations for 'ng serve' and 'ng test' (preLaunchTask hooks)
--   - tasks.json: npm 'start' and 'test' tasks with a background TypeScript problem matcher to improve dev workflow
+- - extensions.json: recommend the Angular language support extension
+- - launch.json: Chrome launch configurations for 'ng serve' and 'ng test' (preLaunchTask hooks)
+- - tasks.json: npm 'start' and 'test' tasks with a background TypeScript problem matcher to improve dev workflow
 - Update ui/src/styles.css dark theme variables to use neutral black/gray HSL values for background, foreground, cards, popovers, accents, borders, inputs and ring to improve contrast and consistency
 
 ## 2025-11-27 - 1.9.1 - fix(ui)
+
 Correct import success toast and add VS Code launch/tasks recommendations for the UI
 
 - Fix backup import success toast in backups-tab.component to reference response.data.service.name (previously response.data.serviceName), preventing incorrect service name display.
 - Add VS Code workspace settings for the UI: extensions recommendation, launch configurations for 'ng serve' and 'ng test', and npm tasks for start/test to simplify local development and debugging.
 
 ## 2025-11-27 - 1.9.0 - feat(backups)
+
 Add backup import API and improve backup download/import flow in UI
 
 - Backend: add /api/backups/import endpoint to accept multipart file uploads or JSON with a URL and import backups (saves temp file, validates .tar.enc, calls backupManager.restoreBackup in import mode).
@@ -68,6 +504,7 @@ Add backup import API and improve backup download/import flow in UI
 - Dev: add VS Code launch, tasks and recommended extensions for the ui workspace to simplify local development.
 
 ## 2025-11-27 - 1.8.0 - feat(backup)
+
 Add backup scheduling system with GFS retention, API and UI integration
 
 - Introduce backup scheduling subsystem (BackupScheduler) and integrate it into Onebox lifecycle (init & shutdown)
@@ -80,6 +517,7 @@ Add backup scheduling system with GFS retention, API and UI integration
 - Type and repository updates across codebase to support schedule-aware backups, schedule CRUD, and retention enforcement
 
 ## 2025-11-27 - 1.7.0 - feat(backup)
+
 Add backup system: BackupManager, DB schema, API endpoints and UI support
 
 Introduce a complete service backup/restore subsystem with encrypted archives, database records and REST endpoints. Implements BackupManager with export/import for service config, platform resources (MongoDB, MinIO, ClickHouse), and Docker images; adds BackupRepository and migrations for backups table and include_image_in_backup; integrates backup flows into the HTTP API and the UI client; exposes backup password management and restore modes (restore/import/clone). Wire BackupManager into Onebox initialization.
@@ -92,6 +530,7 @@ Introduce a complete service backup/restore subsystem with encrypted archives, d
 - Integrate BackupManager into Onebox core (initialized in Onebox constructor) and wire HTTP handlers to use the new manager; add DB repository export/import glue so backups are stored and referenced by ID.
 
 ## 2025-11-27 - 1.6.0 - feat(ui.dashboard)
+
 Add Resource Usage card to dashboard and make dashboard cards full-height; add VSCode launch/tasks/config
 
 - Introduce ResourceUsageCardComponent and include it as a full-width row in the dashboard layout.
@@ -100,6 +539,7 @@ Add Resource Usage card to dashboard and make dashboard cards full-height; add V
 - Add VSCode workspace configuration: recommended Angular extension, launch configurations for ng serve/ng test, and npm tasks to run/start the UI in development.
 
 ## 2025-11-27 - 1.5.0 - feat(network)
+
 Add traffic stats endpoint and dashboard UI; enhance platform services and certificate health reporting
 
 - Add /api/network/traffic-stats GET endpoint to the HTTP API with an optional minutes query parameter (validated, 1-60).
@@ -111,26 +551,29 @@ Add traffic stats endpoint and dashboard UI; enhance platform services and certi
 - Add VSCode workspace launch/tasks recommendations for the UI development environment.
 
 ## 2025-11-26 - 1.4.0 - feat(platform-services)
+
 Add ClickHouse platform service support and improve related healthchecks and tooling
 
 - Add ClickHouse as a first-class platform service: register provider, provision/cleanup support and env var injection
 - Expose ClickHouse endpoints in the HTTP API routing (list/get/start/stop/stats) and map default port (8123)
 - Enable services to request ClickHouse as a platform requirement (enableClickHouse / platformRequirements) during deploy/provision flows
 - Fix ClickHouse container health check to use absolute wget path (/usr/bin/wget) for more reliable in-container checks
-- Add VS Code workspace launch/tasks/extensions configs for the UI (ui/.vscode/*) to improve local dev experience
+- Add VS Code workspace launch/tasks/extensions configs for the UI (ui/.vscode/\*) to improve local dev experience
 
 ## 2025-11-26 - 1.3.0 - feat(platform-services)
+
 Add ClickHouse platform service support (provider, types, provisioning, UI and port mappings)
 
 - Introduce ClickHouse as a first-class platform service: added ClickHouseProvider and registered it in PlatformServicesManager
 - Support provisioning ClickHouse resources for user services and storing encrypted credentials in platform_resources
 - Add ClickHouse to core types (TPlatformServiceType, IPlatformRequirements, IServiceDeployOptions) and service DB handling so services can request ClickHouse
-- Inject ClickHouse-related environment variables into deployed services (CLICKHOUSE_* mappings) when provisioning resources
+- Inject ClickHouse-related environment variables into deployed services (CLICKHOUSE\_\* mappings) when provisioning resources
 - Expose ClickHouse default port (8123) in platform port mappings / network targets
 - UI: add checkbox and description for enabling ClickHouse during service creation; form now submits enableClickHouse
 - Add VS Code recommendations and launch/tasks for the UI development workflow
 
 ## 2025-11-26 - 1.2.1 - fix(platform-services/minio)
+
 Improve MinIO provider: reuse existing data and credentials, use host-bound port for provisioning, and safer provisioning/deprovisioning
 
 - MinIO provider now detects existing data directory and will reuse stored admin credentials when available instead of regenerating them.
@@ -141,15 +584,17 @@ Improve MinIO provider: reuse existing data and credentials, use host-bound port
 - Added VSCode workspace files (extensions, launch, tasks) for the ui project to improve developer experience.
 
 ## 2025-11-26 - 1.2.0 - feat(ui)
+
 Sync UI tab state with URL and update routes/links
 
-- Add VSCode workspace recommendations, launch and tasks configs for the UI (ui/.vscode/*)
+- Add VSCode workspace recommendations, launch and tasks configs for the UI (ui/.vscode/\*)
 - Update Angular routes to support tab URL segments and default redirects for services, network and registries
 - Change service detail route to use explicit 'detail/:name' path and update links accordingly
 - Make ServicesList, Registries and Network components read tab from route params and navigate on tab changes; add ngOnDestroy to unsubscribe
 - Update Domain detail template link to point to the new services detail route
 
 ## 2025-11-26 - 1.1.0 - feat(platform-services)
+
 Add platform service log streaming, improve health checks and provisioning robustness
 
 - Add WebSocket log streaming support for platform services (backend + UI) to stream MinIO/MongoDB/Caddy logs in real time
@@ -169,6 +614,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Added
+
 - Initial project structure
 - Core architecture classes
 - Docker container management
@@ -187,4 +633,5 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.0.0] - TBD
 
 ### Added
+
 - First stable release

deno.json

@@ -1,12 +1,11 @@
 {
   "name": "@serve.zone/onebox",
-  "version": "1.11.0",
+  "version": "1.24.2",
   "exports": "./mod.ts",
-  "nodeModulesDir": "auto",
   "tasks": {
     "test": "deno test --allow-all test/",
     "test:watch": "deno test --allow-all --watch test/",
-    "compile": "bash scripts/compile-all.sh",
+    "compile": "tsdeno compile",
     "dev": "pnpm run watch"
   },
   "imports": {
@@ -16,18 +15,19 @@
     "@std/assert": "jsr:@std/assert@^1.0.15",
     "@std/encoding": "jsr:@std/encoding@^1.0.10",
     "@db/sqlite": "jsr:@db/sqlite@0.12.0",
-    "@push.rocks/smartdaemon": "npm:@push.rocks/smartdaemon@^2.1.0",
-    "@apiclient.xyz/docker": "npm:@apiclient.xyz/docker@^5.1.0",
+    "@apiclient.xyz/docker": "npm:@apiclient.xyz/docker@^5.1.1",
     "@apiclient.xyz/cloudflare": "npm:@apiclient.xyz/cloudflare@6.4.3",
     "@push.rocks/smartacme": "npm:@push.rocks/smartacme@^8.0.0",
     "@push.rocks/smartregistry": "npm:@push.rocks/smartregistry@^2.2.0",
-    "@push.rocks/smarts3": "npm:@push.rocks/smarts3@^5.1.0",
+    "@push.rocks/smartstorage": "npm:@push.rocks/smartstorage@^6.3.0",
     "@push.rocks/taskbuffer": "npm:@push.rocks/taskbuffer@^3.1.0",
     "@api.global/typedrequest-interfaces": "npm:@api.global/typedrequest-interfaces@^3.0.19",
     "@api.global/typedrequest": "npm:@api.global/typedrequest@^3.2.6",
     "@api.global/typedserver": "npm:@api.global/typedserver@^8.3.1",
     "@push.rocks/smartguard": "npm:@push.rocks/smartguard@^3.1.0",
-    "@push.rocks/smartjwt": "npm:@push.rocks/smartjwt@^2.2.1"
+    "@push.rocks/smartjwt": "npm:@push.rocks/smartjwt@^2.2.1",
+    "@api.global/typedsocket": "npm:@api.global/typedsocket@^4.1.2",
+    "@serve.zone/containerarchive": "npm:@serve.zone/containerarchive@^0.1.3"
   },
   "compilerOptions": {
     "lib": [

dist_serve/index.html

@@ -1,33 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-  <head>
-    <meta
-      name="viewport"
-      content="user-scalable=0, initial-scale=1, maximum-scale=1, minimum-scale=1, width=device-width, height=device-height"
-    />
-    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-    <meta name="theme-color" content="#000000" />
-    <title>Onebox</title>
-    <link rel="preconnect" href="https://assetbroker.lossless.one/" crossorigin>
-    <link rel="stylesheet" href="https://assetbroker.lossless.one/fonts/fonts.css">
-    <style>
-      html {
-        -ms-text-size-adjust: 100%;
-        -webkit-text-size-adjust: 100%;
-      }
-      body {
-        position: relative;
-        background: #000;
-        margin: 0px;
-      }
-    </style>
-  </head>
-  <body>
-    <noscript>
-      <p style="color: #fff; text-align: center; margin-top: 100px;">
-        JavaScript is required to run the Onebox dashboard.
-      </p>
-    </noscript>
-  </body>
-  <script defer type="module" src="/bundle.js"></script>
-</html>

install.sh

@@ -1,192 +1,310 @@
 #!/bin/bash
+
+# Onebox Installer Script
+# Downloads and installs pre-compiled Onebox binary from Gitea releases
 #
-# Onebox installer script
+# Usage:
+#   Direct piped installation (recommended):
+#     curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash
 #
+#   With version specification:
+#     curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash -s -- --version v1.11.0
+#
+# Options:
+#   -h, --help             Show this help message
+#   --version VERSION      Install specific version (e.g., v1.11.0)
+#   --install-dir DIR      Installation directory (default: /opt/onebox)
 
 set -e
 
-# Configuration
-REPO_URL="https://code.foss.global/serve.zone/onebox"
+# Default values
+SHOW_HELP=0
+SPECIFIED_VERSION=""
 INSTALL_DIR="/opt/onebox"
-BIN_LINK="/usr/local/bin/onebox"
+GITEA_BASE_URL="https://code.foss.global"
+GITEA_REPO="serve.zone/onebox"
+SERVICE_NAME="onebox"
 
-# Colors
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
-NC='\033[0m' # No Color
+# Parse command line arguments
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -h|--help)
+      SHOW_HELP=1
+      shift
+      ;;
+    --version)
+      SPECIFIED_VERSION="$2"
+      shift 2
+      ;;
+    --install-dir)
+      INSTALL_DIR="$2"
+      shift 2
+      ;;
+    *)
+      echo "Unknown option: $1"
+      echo "Use -h or --help for usage information"
+      exit 1
+      ;;
+  esac
+done
 
-# Functions
-error() {
-    echo -e "${RED}Error: $1${NC}" >&2
-    exit 1
-}
-
-info() {
-    echo -e "${GREEN}$1${NC}"
-}
-
-warn() {
-    echo -e "${YELLOW}$1${NC}"
-}
-
-# Detect platform and architecture
-detect_platform() {
-    OS=$(uname -s | tr '[:upper:]' '[:lower:]')
-    ARCH=$(uname -m)
-
-    case "$OS" in
-        linux)
-            PLATFORM="linux"
-            ;;
-        darwin)
-            PLATFORM="macos"
-            ;;
-        *)
-            error "Unsupported operating system: $OS"
-            ;;
-    esac
-
-    case "$ARCH" in
-        x86_64|amd64)
-            ARCH="x64"
-            ;;
-        aarch64|arm64)
-            ARCH="arm64"
-            ;;
-        *)
-            error "Unsupported architecture: $ARCH"
-            ;;
-    esac
-
-    BINARY_NAME="onebox-${PLATFORM}-${ARCH}"
-}
-
-# Get latest version from Gitea API
-get_latest_version() {
-    info "Fetching latest version..."
-    VERSION=$(curl -s "${REPO_URL}/releases" | grep -o '"tag_name":"v[^"]*' | head -1 | cut -d'"' -f4 | cut -c2-)
-
-    if [ -z "$VERSION" ]; then
-        warn "Could not fetch latest version, using 'main' branch"
-        VERSION="main"
-    else
-        info "Latest version: v${VERSION}"
-    fi
-}
+if [ $SHOW_HELP -eq 1 ]; then
+  echo "Onebox Installer Script"
+  echo "Downloads and installs pre-compiled Onebox binary"
+  echo ""
+  echo "Usage: $0 [options]"
+  echo ""
+  echo "Options:"
+  echo "  -h, --help             Show this help message"
+  echo "  --version VERSION      Install specific version (e.g., v1.11.0)"
+  echo "  --install-dir DIR      Installation directory (default: /opt/onebox)"
+  echo ""
+  echo "Examples:"
+  echo "  # Install latest version"
+  echo "  curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash"
+  echo ""
+  echo "  # Install specific version"
+  echo "  curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash -s -- --version v1.11.0"
+  exit 0
+fi
 
 # Check if running as root
-check_root() {
-    if [ "$EUID" -ne 0 ]; then
-        error "This script must be run as root (use sudo)"
-    fi
+if [ "$EUID" -ne 0 ]; then
+  echo "Please run as root (sudo bash install.sh or pipe to sudo bash)"
+  exit 1
+fi
+
+# Helper function to detect OS and architecture
+detect_platform() {
+  local os=$(uname -s)
+  local arch=$(uname -m)
+
+  # Map OS
+  case "$os" in
+    Linux)
+      os_name="linux"
+      ;;
+    Darwin)
+      os_name="macos"
+      ;;
+    MINGW*|MSYS*|CYGWIN*)
+      os_name="windows"
+      ;;
+    *)
+      echo "Error: Unsupported operating system: $os"
+      echo "Supported: Linux, macOS, Windows"
+      exit 1
+      ;;
+  esac
+
+  # Map architecture
+  case "$arch" in
+    x86_64|amd64)
+      arch_name="x64"
+      ;;
+    aarch64|arm64)
+      arch_name="arm64"
+      ;;
+    *)
+      echo "Error: Unsupported architecture: $arch"
+      echo "Supported: x86_64/amd64 (x64), aarch64/arm64 (arm64)"
+      exit 1
+      ;;
+  esac
+
+  # Construct binary name
+  if [ "$os_name" = "windows" ]; then
+    echo "onebox-${os_name}-${arch_name}.exe"
+  else
+    echo "onebox-${os_name}-${arch_name}"
+  fi
 }
 
+# Get latest release version from Gitea API
+get_latest_version() {
+  echo "Fetching latest release version from Gitea..." >&2
+
+  local api_url="${GITEA_BASE_URL}/api/v1/repos/${GITEA_REPO}/releases/latest"
+  local response=$(curl -sSL "$api_url" 2>/dev/null)
+
+  if [ $? -ne 0 ] || [ -z "$response" ]; then
+    echo "Error: Failed to fetch latest release information from Gitea API" >&2
+    echo "URL: $api_url" >&2
+    exit 1
+  fi
+
+  # Extract tag_name from JSON response
+  local version=$(echo "$response" | grep -o '"tag_name":"[^"]*"' | cut -d'"' -f4)
+
+  if [ -z "$version" ]; then
+    echo "Error: Could not determine latest version from API response" >&2
+    exit 1
+  fi
+
+  echo "$version"
+}
+
+# Main installation process
+echo "================================================"
+echo "  Onebox Installation Script"
+echo "================================================"
+echo ""
+
+# Detect platform
+BINARY_NAME=$(detect_platform)
+echo "Detected platform: $BINARY_NAME"
+echo ""
+
+# Determine version to install
+if [ -n "$SPECIFIED_VERSION" ]; then
+  VERSION="$SPECIFIED_VERSION"
+  echo "Installing specified version: $VERSION"
+else
+  VERSION=$(get_latest_version)
+  echo "Installing latest version: $VERSION"
+fi
+echo ""
+
+# Construct download URL
+DOWNLOAD_URL="${GITEA_BASE_URL}/${GITEA_REPO}/releases/download/${VERSION}/${BINARY_NAME}"
+echo "Download URL: $DOWNLOAD_URL"
+echo ""
+
+# Check if service is running and stop it
+SERVICE_WAS_RUNNING=0
+if systemctl is-enabled --quiet "$SERVICE_NAME" 2>/dev/null || systemctl is-active --quiet "$SERVICE_NAME" 2>/dev/null; then
+  SERVICE_WAS_RUNNING=1
+  if systemctl is-active --quiet "$SERVICE_NAME" 2>/dev/null; then
+    echo "Stopping Onebox service..."
+    systemctl stop "$SERVICE_NAME"
+  fi
+fi
+
+# Clean installation directory - ensure only binary exists
+if [ -d "$INSTALL_DIR" ]; then
+  echo "Cleaning installation directory: $INSTALL_DIR"
+  rm -rf "$INSTALL_DIR"
+fi
+
+# Create fresh installation directory
+echo "Creating installation directory: $INSTALL_DIR"
+mkdir -p "$INSTALL_DIR"
+
 # Download binary
-download_binary() {
-    info "Downloading Onebox ${VERSION} for ${PLATFORM}-${ARCH}..."
+echo "Downloading Onebox binary..."
+TEMP_FILE="$INSTALL_DIR/onebox.download"
+curl -sSL "$DOWNLOAD_URL" -o "$TEMP_FILE"
 
-    # Create temp directory
-    TMP_DIR=$(mktemp -d)
-    TMP_FILE="${TMP_DIR}/${BINARY_NAME}"
+if [ $? -ne 0 ]; then
+  echo "Error: Failed to download binary from $DOWNLOAD_URL"
+  echo ""
+  echo "Please check:"
+  echo "  1. Your internet connection"
+  echo "  2. The specified version exists: ${GITEA_BASE_URL}/${GITEA_REPO}/releases"
+  echo "  3. The platform binary is available for this release"
+  rm -f "$TEMP_FILE"
+  exit 1
+fi
 
-    # Try release download first
-    if [ "$VERSION" != "main" ]; then
-        DOWNLOAD_URL="${REPO_URL}/releases/download/v${VERSION}/${BINARY_NAME}"
-    else
-        DOWNLOAD_URL="${REPO_URL}/raw/branch/main/dist/binaries/${BINARY_NAME}"
-    fi
+# Check if download was successful (file exists and not empty)
+if [ ! -s "$TEMP_FILE" ]; then
+  echo "Error: Downloaded file is empty or does not exist"
+  rm -f "$TEMP_FILE"
+  exit 1
+fi
 
-    if ! curl -L -f -o "$TMP_FILE" "$DOWNLOAD_URL"; then
-        error "Failed to download binary from $DOWNLOAD_URL"
-    fi
+# Move to final location
+BINARY_PATH="$INSTALL_DIR/onebox"
+mv "$TEMP_FILE" "$BINARY_PATH"
 
-    # Verify download
-    if [ ! -f "$TMP_FILE" ] || [ ! -s "$TMP_FILE" ]; then
-        error "Downloaded file is empty or missing"
-    fi
+if [ $? -ne 0 ] || [ ! -f "$BINARY_PATH" ]; then
+  echo "Error: Failed to move binary to $BINARY_PATH"
+  rm -f "$TEMP_FILE" 2>/dev/null
+  exit 1
+fi
 
-    info "✓ Download complete"
-}
+# Make executable
+chmod +x "$BINARY_PATH"
 
-# Install binary
-install_binary() {
-    info "Installing Onebox to ${INSTALL_DIR}..."
+if [ $? -ne 0 ]; then
+  echo "Error: Failed to make binary executable"
+  exit 1
+fi
 
-    # Create install directory
-    mkdir -p "$INSTALL_DIR"
+echo "Binary installed successfully to: $BINARY_PATH"
+echo ""
 
-    # Copy binary
-    cp "$TMP_FILE" "${INSTALL_DIR}/onebox"
-    chmod +x "${INSTALL_DIR}/onebox"
+# Check if /usr/local/bin is in PATH
+if [[ ":$PATH:" == *":/usr/local/bin:"* ]]; then
+  BIN_DIR="/usr/local/bin"
+else
+  BIN_DIR="/usr/bin"
+fi
 
-    # Create symlink
-    ln -sf "${INSTALL_DIR}/onebox" "$BIN_LINK"
+# Create symlink for global access
+ln -sf "$BINARY_PATH" "$BIN_DIR/onebox"
+echo "Symlink created: $BIN_DIR/onebox -> $BINARY_PATH"
+echo ""
 
-    # Cleanup temp files
-    rm -rf "$TMP_DIR"
+# Create data directories
+mkdir -p /var/lib/onebox
+mkdir -p /var/www/certbot
 
-    info "✓ Installation complete"
-}
+# Re-enable and restart service if it was previously running (refreshes unit file)
+if [ $SERVICE_WAS_RUNNING -eq 1 ]; then
+  echo "Refreshing systemd service..."
+  onebox systemd enable
+  echo "Restarting Onebox service..."
+  systemctl restart "$SERVICE_NAME"
+  echo "Service restarted successfully."
+  echo ""
+fi
 
-# Initialize database and config
-initialize() {
-    info "Initializing Onebox..."
+echo "================================================"
+echo "  Onebox Installation Complete!"
+echo "================================================"
+echo ""
+echo "Installation details:"
+echo "  Binary location: $BINARY_PATH"
+echo "  Symlink location: $BIN_DIR/onebox"
+echo "  Version: $VERSION"
+echo ""
 
-    # Create data directory
-    mkdir -p /var/lib/onebox
-
-    # Create certbot directory for ACME challenges
-    mkdir -p /var/www/certbot
-
-    info "✓ Initialization complete"
-}
-
-# Print success message
-print_success() {
-    echo ""
-    info "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-    info "  Onebox installed successfully!"
-    info "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-    echo ""
-    echo "Next steps:"
-    echo ""
-    echo "1. Configure Cloudflare (optional):"
-    echo "   onebox config set cloudflareAPIKey <key>"
-    echo "   onebox config set cloudflareEmail <email>"
-    echo "   onebox config set cloudflareZoneID <zone-id>"
-    echo "   onebox config set serverIP <your-server-ip>"
-    echo ""
-    echo "2. Configure ACME email:"
-    echo "   onebox config set acmeEmail <your@email.com>"
-    echo ""
-    echo "3. Install daemon:"
-    echo "   onebox daemon install"
-    echo ""
-    echo "4. Start daemon:"
-    echo "   onebox daemon start"
-    echo ""
-    echo "5. Deploy your first service:"
-    echo "   onebox service add myapp --image nginx:latest --domain app.example.com"
-    echo ""
-    echo "Web UI: http://localhost:3000"
-    echo "Default credentials: admin / admin"
-    echo ""
-}
-
-# Main installation flow
-main() {
-    info "Onebox Installer"
-    echo ""
-
-    check_root
-    detect_platform
-    get_latest_version
-    download_binary
-    install_binary
-    initialize
-    print_success
-}
-
-# Run main function
-main
+# Check if database exists (indicates existing installation)
+if [ -f "/var/lib/onebox/onebox.db" ]; then
+  echo "Data directory: /var/lib/onebox (preserved)"
+  echo ""
+  echo "Your existing data has been preserved."
+  if [ $SERVICE_WAS_RUNNING -eq 1 ]; then
+    echo "The service has been restarted with your current settings."
+  else
+    echo "Start the service with: onebox systemd start"
+  fi
+else
+  echo "Get started:"
+  echo ""
+  echo "  onebox --version"
+  echo "  onebox --help"
+  echo ""
+  echo "  1. Configure Cloudflare (optional):"
+  echo "     onebox config set cloudflareAPIKey <key>"
+  echo "     onebox config set cloudflareEmail <email>"
+  echo "     onebox config set cloudflareZoneID <zone-id>"
+  echo "     onebox config set serverIP <your-server-ip>"
+  echo ""
+  echo "  2. Configure ACME email:"
+  echo "     onebox config set acmeEmail <your@email.com>"
+  echo ""
+  echo "  3. Enable systemd service:"
+  echo "     onebox systemd enable"
+  echo ""
+  echo "  4. Start service:"
+  echo "     onebox systemd start"
+  echo ""
+  echo "  5. Deploy your first service:"
+  echo "     onebox service add myapp --image nginx:latest --domain app.example.com"
+  echo ""
+  echo "  Web UI: http://localhost:3000"
+  echo "  Default credentials: admin / admin"
+fi
+echo ""

npmextra.json

@@ -1,37 +0,0 @@
-{
-  "@git.zone/tsbundle": {
-    "bundles": [
-      {
-        "from": "./ts_web/index.ts",
-        "to": "./ts_bundled/bundle.ts",
-        "outputMode": "base64ts",
-        "bundler": "esbuild",
-        "production": true,
-        "includeFiles": [{"from": "./html/index.html", "to": "index.html"}]
-      }
-    ]
-  },
-  "@git.zone/tswatch": {
-    "bundles": [
-      {
-        "from": "./ts_web/index.ts",
-        "to": "./ts_bundled/bundle.ts",
-        "outputMode": "base64ts",
-        "bundler": "esbuild",
-        "production": true,
-        "watchPatterns": ["./ts_web/**/*", "./html/**/*"],
-        "includeFiles": [{"from": "./html/index.html", "to": "index.html"}]
-      }
-    ],
-    "watchers": [
-      {
-        "name": "backend",
-        "watch": ["./ts/**/*", "./ts_interfaces/**/*", "./ts_bundled/**/*"],
-        "command": "deno run --allow-all --unstable-ffi mod.ts server --ephemeral --monitor",
-        "restart": true,
-        "debounce": 500,
-        "runOnStart": true
-      }
-    ]
-  }
-}

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@serve.zone/onebox",
-  "version": "1.11.0",
+  "version": "1.24.2",
   "description": "Self-hosted container platform with automatic SSL and DNS - a mini Heroku for single servers",
   "main": "mod.ts",
   "type": "module",
@@ -55,12 +55,18 @@
   "packageManager": "pnpm@10.18.1+sha512.77a884a165cbba2d8d1c19e3b4880eee6d2fcabd0d879121e282196b80042351d5eb3ca0935fa599da1dc51265cc68816ad2bddd2a2de5ea9fdf92adbec7cd34",
   "dependencies": {
     "@api.global/typedrequest-interfaces": "^3.0.19",
-    "@design.estate/dees-catalog": "^3.43.3",
+    "@api.global/typedsocket": "^4.1.2",
+    "@design.estate/dees-catalog": "^3.49.0",
     "@design.estate/dees-element": "^2.1.6",
-    "@serve.zone/catalog": "^2.5.0"
+    "@serve.zone/catalog": "^2.9.0"
   },
   "devDependencies": {
-    "@git.zone/tsbundle": "^2.9.0",
-    "@git.zone/tswatch": "^3.2.0"
+    "@git.zone/tsbundle": "^2.10.0",
+    "@git.zone/tsdeno": "^1.3.1",
+    "@git.zone/tswatch": "^3.3.2"
+  },
+  "private": true,
+  "pnpm": {
+    "overrides": {}
   }
 }

readme.hints.md

@@ -3,6 +3,7 @@
 ## SSL Certificate Storage (November 2025)
 
 SSL certificates are now stored directly in the SQLite database as PEM content instead of file paths:
+
 - `ISslCertificate` and `ICertificate` interfaces use `certPem`, `keyPem`, `fullchainPem` properties
 - Database migration 8 converted the `certificates` table schema
 - No filesystem storage for certificates - everything in DB
@@ -16,6 +17,7 @@ SSL certificates are now stored directly in the SQLite database as PEM content i
 The database layer has been refactored into a repository pattern:
 
 **Directory Structure:**
+
 ```
 ts/database/
 ├── index.ts              # Main OneboxDatabase class (composes repositories, handles migrations)
@@ -32,52 +34,59 @@ ts/database/
 ```
 
 **Import paths:**
+
 - Main: `import { OneboxDatabase } from './database/index.ts'`
 - Legacy (deprecated): `import { OneboxDatabase } from './classes/database.ts'` (re-exports from new location)
 
 **API Compatibility:**
+
 - The `OneboxDatabase` class maintains the same public API
 - All methods delegate to the appropriate repository
 - No breaking changes for existing code
 
-## Current Migration Version: 8
+## Current Migration Version: 15
 
-Migration 8 converted certificate storage from file paths to PEM content.
+Migration 15 renames the core reverse proxy platform service from `caddy` to `smartproxy`.
 
-## Reverse Proxy (November 2025 - Caddy Docker Service)
+## Reverse Proxy (April 2026 - SmartProxy Docker Service)
 
-The reverse proxy uses **Caddy** running as a Docker Swarm service for production-grade reverse proxying with native SNI support, HTTP/2, HTTP/3, and WebSocket handling.
+The reverse proxy uses **SmartProxy** running as a Docker Swarm service for production-grade reverse proxying with TLS termination and WebSocket handling.
 
 **Architecture:**
-- Caddy runs as Docker Swarm service (`onebox-caddy`) on the overlay network
-- No binary download required - uses `caddy:2-alpine` Docker image
-- Configuration pushed dynamically via Caddy Admin API (port 2019)
+
+- SmartProxy runs as Docker Swarm service (`onebox-smartproxy`) on the overlay network
+- No host binary download required - uses `code.foss.global/host.today/ht-docker-smartproxy:latest`
+- Routes are pushed dynamically via the SmartProxy admin API (host port 2019)
 - Automatic HTTPS disabled - certificates managed externally via SmartACME
 - Zero-downtime configuration updates
 - Services reached by Docker service name (e.g., `onebox-hello-world:80`)
 
 **Key files:**
-- `ts/classes/caddy.ts` - CaddyManager class for Docker service and Admin API
-- `ts/classes/reverseproxy.ts` - Delegates to CaddyManager
+
+- `ts/classes/smartproxy.ts` - SmartProxyManager class for Docker service and Admin API
+- `ts/classes/reverseproxy.ts` - Delegates to SmartProxyManager
 
 **Certificate workflow:**
+
 1. `CertRequirementManager` creates requirements for domains
 2. Daemon processes requirements via `certmanager.ts`
 3. Certificates stored in database (PEM content)
-4. `reverseProxy.addCertificate()` passes PEM content to Caddy via `load_pem` (inline in config)
-5. Caddy serves TLS with the loaded certificates (no volume mounts needed)
+4. `reverseProxy.addCertificate()` passes PEM content to SmartProxy route config
+5. SmartProxy serves TLS with the loaded certificates (no volume mounts needed)
 
 **Docker Service Configuration:**
-- Service name: `onebox-caddy`
-- Image: `caddy:2-alpine`
+
+- Service name: `onebox-smartproxy`
+- Image: `code.foss.global/host.today/ht-docker-smartproxy:latest`
 - Network: `onebox-network` (overlay, attachable)
-- Startup: Writes initial config with `admin.listen: 0.0.0.0:2019` for host access
+- Startup: SmartProxy daemon admin API listens on container port 3000, published on host port 2019
 
 **Port Mapping:**
+
 - Dev mode: HTTP on 8080, HTTPS on 8443, Admin on 2019
 - Production: HTTP on 80, HTTPS on 443, Admin on 2019
 - All ports use `PublishMode: 'host'` for direct binding
 
 **Log Receiver:**
-- Caddy sends access logs to `tcp/172.17.0.1:9999` (Docker bridge gateway)
-- `CaddyLogReceiver` on host receives and processes logs
+
+- `ProxyLogReceiver` remains the host-side access-log stream endpoint for proxy log integrations

readme.md

@@ -1,8 +1,8 @@
 # @serve.zone/onebox
 
-> 🚀 Self-hosted Docker Swarm platform with Caddy reverse proxy, automatic SSL, and real-time WebSocket updates
+> 🚀 Self-hosted Docker Swarm platform with SmartProxy reverse proxy, automatic SSL, and real-time WebSocket updates
 
-**Onebox** transforms any Linux server into a powerful container hosting platform. Deploy Docker Swarm services with automatic HTTPS, DNS configuration, and Caddy reverse proxy running as a Docker service - all managed through a beautiful Angular web interface with real-time updates.
+**Onebox** transforms any Linux server into a powerful container hosting platform. Deploy Docker Swarm services with automatic HTTPS, DNS configuration, and SmartProxy reverse proxy running as a Docker service - all managed through a modern web interface with real-time updates.
 
 ## Issue Reporting and Security
 
@@ -10,47 +10,51 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 
 ## What Makes Onebox Different? 🎯
 
-- **Caddy Reverse Proxy in Docker** - Production-grade HTTP/HTTPS proxy running as a Swarm service with native service discovery, HTTP/2, HTTP/3, and bidirectional WebSocket proxying
+- **SmartProxy Reverse Proxy in Docker** - Production-grade HTTP/HTTPS proxy running as a Swarm service with native service discovery, TLS termination, and bidirectional WebSocket proxying
 - **Docker Swarm First** - All workloads (including the reverse proxy!) run as Swarm services on the overlay network for seamless service-to-service communication
 - **Real-time Everything** - WebSocket-powered live updates for service status, logs, and metrics across all connected clients
 - **Single Executable** - Compiles to a standalone binary - just run it, no dependencies
 - **Private Registry Included** - Built-in Docker registry with token-based auth and auto-deploy on push
-- **Zero Config SSL** - Automatic Let's Encrypt certificates with inline `load_pem` (no volume mounts needed)
+- **Zero Config SSL** - Automatic Let's Encrypt certificates passed directly into SmartProxy routes
 - **Cloudflare Integration** - Automatic DNS record management and zone synchronization
-- **Modern Stack** - Deno runtime + SQLite database + Angular 19 UI
+- **Modern Stack** - Deno runtime + SQLite database + typed web UI
 
 ## Features ✨
 
 ### Core Platform
+
 - 🐳 **Docker Swarm Management** - Deploy, scale, and orchestrate services with Swarm mode
-- 🌐 **Caddy Reverse Proxy** - Production-grade proxy running as Docker service with SNI, HTTP/2, HTTP/3
+- 🌐 **SmartProxy Reverse Proxy** - Production-grade proxy running as Docker service with TLS termination and WebSocket support
 - 🔒 **Automatic SSL Certificates** - Let's Encrypt integration with hot-reload and renewal monitoring
 - ☁️ **Cloudflare DNS Integration** - Automatic DNS record creation and zone synchronization
 - 📦 **Built-in Registry** - Private Docker registry with per-service tokens and auto-update
 - 🔄 **Real-time WebSocket Updates** - Live service status, logs, and system events
 
 ### Monitoring & Management
+
 - 📊 **Metrics Collection** - Historical CPU, memory, and network stats (every 60s)
 - 📝 **Centralized Logging** - Container logs with streaming and retention policies
-- 🎨 **Angular Web UI** - Modern, responsive interface with real-time updates
+- 🎨 **Web UI** - Modern, responsive interface with real-time updates
 - 👥 **Multi-user Support** - Role-based access control (admin/user)
 - 💾 **SQLite Database** - Embedded, zero-configuration storage
 
 ### Developer Experience
+
 - 🚀 **Auto-update on Push** - Push to registry and services update automatically
 - 🔐 **Private Registry Support** - Use Docker Hub, Gitea, or custom registries
 - 🔄 **Systemd Integration** - Run as a daemon with auto-restart
-- 🎛️ **Full CLI & API** - Manage everything from terminal or HTTP API
+- 🎛️ **Full CLI** - Manage everything from terminal or web interface
 
 ## Quick Start 🏁
 
 ### Installation
 
 ```bash
-# Download the latest release for your platform
-curl -sSL https://code.foss.global/serve.zone/onebox/releases/latest/download/onebox-linux-x64 -o onebox
-chmod +x onebox
-sudo mv onebox /usr/local/bin/
+# One-line install (recommended)
+curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash
+
+# Install a specific version
+curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash -s -- --version v1.11.0
 
 # Or install from npm
 pnpm install -g @serve.zone/onebox
@@ -74,6 +78,7 @@ onebox service add myapp \
 Open `http://localhost:3000` in your browser.
 
 **Default credentials:**
+
 - Username: `admin`
 - Password: `admin`
 
@@ -98,13 +103,13 @@ Onebox is built with modern technologies for performance and developer experienc
 
 ```
 ┌─────────────────────────────────────────────────┐
-│           Angular 19 Web UI                     │
+│              Web UI                             │
 │     (Real-time WebSocket Updates)               │
 └─────────────────┬───────────────────────────────┘
                   │ HTTP/WS
 ┌─────────────────▼───────────────────────────────┐
-│         Deno HTTP Server (Port 3000)            │
-│    REST API + WebSocket Broadcast               │
+│           OpsServer (Port 3000)                 │
+│     TypedRequest + TypedSocket                  │
 └─────────────────┬───────────────────────────────┘
                   │
 ┌─────────────────▼───────────────────────────────┐
@@ -112,7 +117,7 @@ Onebox is built with modern technologies for performance and developer experienc
 │        ┌──────────────────────────────┐         │
 │        │   onebox-network (overlay)   │         │
 │        ├──────────────────────────────┤         │
-│        │  onebox-caddy (Caddy proxy)  │         │
+│        │ onebox-smartproxy (proxy)    │         │
 │        │  HTTP (80) + HTTPS (443)     │         │
 │        │  Admin API → config updates  │         │
 │        ├──────────────────────────────┤         │
@@ -129,15 +134,15 @@ Onebox is built with modern technologies for performance and developer experienc
 
 ### Core Components
 
-| Component | Description |
-|-----------|-------------|
-| **Deno Runtime** | Modern TypeScript with built-in security |
-| **Caddy Reverse Proxy** | Docker Swarm service with HTTP/2, HTTP/3, SNI, and WebSocket support |
-| **Docker Swarm** | Container orchestration (all workloads run as services) |
-| **SQLite Database** | Configuration, metrics, and user data |
-| **WebSocket Server** | Real-time bidirectional communication |
-| **Let's Encrypt** | Automatic SSL certificate management |
-| **Cloudflare API** | DNS record automation |
+| Component               | Description                                                          |
+| ----------------------- | -------------------------------------------------------------------- |
+| **Deno Runtime**        | Modern TypeScript with built-in security                             |
+| **SmartProxy Reverse Proxy** | Docker Swarm service with TLS termination and WebSocket support |
+| **Docker Swarm**        | Container orchestration (all workloads run as services)              |
+| **SQLite Database**     | Configuration, metrics, and user data                                |
+| **OpsServer**           | TypedRequest API and TypedSocket real-time updates                   |
+| **Let's Encrypt**       | Automatic SSL certificate management                                 |
+| **Cloudflare API**      | DNS record automation                                                |
 
 ## CLI Reference 📖
 
@@ -230,9 +235,8 @@ onebox config show
 onebox config set <key> <value>
 
 # Example: Configure Cloudflare
-onebox config set cloudflareAPIKey your-api-key
-onebox config set cloudflareEmail your@email.com
-onebox config set cloudflareZoneID your-zone-id
+onebox config set cloudflareToken your-api-token
+onebox config set cloudflareZoneId your-zone-id
 ```
 
 ### System Status
@@ -242,6 +246,13 @@ onebox config set cloudflareZoneID your-zone-id
 onebox status
 ```
 
+### Upgrade
+
+```bash
+# Upgrade to the latest version (requires root)
+sudo onebox upgrade
+```
+
 ## Configuration 🔧
 
 ### System Requirements
@@ -254,11 +265,11 @@ onebox status
 
 ### Data Locations
 
-| Data | Location |
-|------|----------|
-| **Database** | `./onebox.db` (or custom path) |
-| **SSL Certificates** | Managed by CertManager |
-| **Registry Data** | `./.nogit/registry-data` |
+| Data                 | Location                       |
+| -------------------- | ------------------------------ |
+| **Database**         | `./onebox.db` (or custom path) |
+| **SSL Certificates** | Managed by CertManager         |
+| **Registry Data**    | `./.nogit/registry-data`       |
 
 ### Environment Variables
 
@@ -310,9 +321,8 @@ onebox/
 │   ├── classes/                    # Core implementations
 │   │   ├── onebox.ts               # Main coordinator
 │   │   ├── reverseproxy.ts         # Reverse proxy orchestration
-│   │   ├── caddy.ts                # Caddy Docker service management
+│   │   ├── smartproxy.ts           # SmartProxy Docker service management
 │   │   ├── docker.ts               # Docker Swarm API
-│   │   ├── httpserver.ts           # REST API + WebSocket
 │   │   ├── services.ts             # Service orchestration
 │   │   ├── certmanager.ts          # SSL certificate management
 │   │   ├── cert-requirement-manager.ts  # Certificate requirements
@@ -321,8 +331,10 @@ onebox/
 │   │   ├── registries.ts           # External registry management
 │   │   ├── dns.ts                  # DNS record management
 │   │   ├── cloudflare-sync.ts      # Cloudflare zone sync
-│   │   ├── daemon.ts               # Systemd daemon management
-│   │   └── apiclient.ts            # API client utilities
+│   │   └── daemon.ts               # Systemd daemon management
+│   ├── opsserver/                  # Active server implementation
+│   │   ├── classes.opsserver.ts    # TypedRequest + TypedSocket server
+│   │   └── handlers/               # Typed request handlers
 │   ├── database/                   # Database layer (repository pattern)
 │   │   ├── index.ts                # Main OneboxDatabase class
 │   │   ├── base.repository.ts      # Base repository class
@@ -336,98 +348,17 @@ onebox/
 │   ├── types.ts                    # TypeScript interfaces
 │   ├── logging.ts                  # Logging utilities
 │   └── plugins.ts                  # Dependency imports
-├── ui/                             # Angular 19 web interface
+├── ts_web/                         # Web interface source
 ├── test/                           # Test files
 ├── mod.ts                          # Main entry point
 └── deno.json                       # Deno configuration
 ```
 
-### API Endpoints
+### Active Server Surface
 
-The HTTP server exposes a comprehensive REST API:
+The active server surface is the `OpsServer`, which serves the bundled web UI and exposes typed operations via `TypedRequest` and real-time events via `TypedSocket`.
 
-#### Authentication
-| Method | Endpoint | Description |
-|--------|----------|-------------|
-| `POST` | `/api/auth/login` | User authentication (returns token) |
-
-#### Services
-| Method | Endpoint | Description |
-|--------|----------|-------------|
-| `GET` | `/api/services` | List all services |
-| `POST` | `/api/services` | Create/deploy service |
-| `GET` | `/api/services/:name` | Get service details |
-| `PUT` | `/api/services/:name` | Update service |
-| `DELETE` | `/api/services/:name` | Delete service |
-| `POST` | `/api/services/:name/start` | Start service |
-| `POST` | `/api/services/:name/stop` | Stop service |
-| `POST` | `/api/services/:name/restart` | Restart service |
-| `GET` | `/api/services/:name/logs` | Get service logs |
-| `WS` | `/api/services/:name/logs/stream` | Stream logs via WebSocket |
-
-#### SSL Certificates
-| Method | Endpoint | Description |
-|--------|----------|-------------|
-| `GET` | `/api/ssl/list` | List all certificates |
-| `GET` | `/api/ssl/:domain` | Get certificate details |
-| `POST` | `/api/ssl/obtain` | Request new certificate |
-| `POST` | `/api/ssl/:domain/renew` | Force renew certificate |
-
-#### Domains
-| Method | Endpoint | Description |
-|--------|----------|-------------|
-| `GET` | `/api/domains` | List all domains |
-| `GET` | `/api/domains/:domain` | Get domain details |
-| `POST` | `/api/domains/sync` | Sync domains from Cloudflare |
-
-#### DNS Records
-| Method | Endpoint | Description |
-|--------|----------|-------------|
-| `GET` | `/api/dns` | List DNS records |
-| `POST` | `/api/dns` | Create DNS record |
-| `DELETE` | `/api/dns/:domain` | Delete DNS record |
-| `POST` | `/api/dns/sync` | Sync DNS from Cloudflare |
-
-#### Registry
-| Method | Endpoint | Description |
-|--------|----------|-------------|
-| `GET` | `/api/registry/tags/:service` | Get registry tags for service |
-| `GET` | `/api/registry/tokens` | List registry tokens |
-| `POST` | `/api/registry/tokens` | Create registry token |
-| `DELETE` | `/api/registry/tokens/:id` | Delete registry token |
-
-#### System
-| Method | Endpoint | Description |
-|--------|----------|-------------|
-| `GET` | `/api/status` | System status |
-| `GET` | `/api/settings` | Get settings |
-| `PUT` | `/api/settings` | Update settings |
-| `WS` | `/api/ws` | WebSocket for real-time updates |
-
-### WebSocket Messages
-
-Real-time updates are broadcast via WebSocket:
-
-```typescript
-// Service lifecycle updates
-{
-  type: 'service_update',
-  action: 'created' | 'updated' | 'deleted' | 'started' | 'stopped',
-  service: { id, name, status, ... }
-}
-
-// Service status changes
-{
-  type: 'service_status',
-  service: { id, name, status, ... }
-}
-
-// System status updates
-{
-  type: 'system_status',
-  status: { docker, reverseProxy, services, ... }
-}
-```
+The previously documented legacy `/api/*` REST interface has been removed.
 
 ## Advanced Usage 🚀
 
@@ -453,13 +384,7 @@ docker push localhost:4000/myapp:latest
 ### Registry Token Management
 
 ```bash
-# Create a CI/CD token via API
-curl -X POST http://localhost:3000/api/registry/tokens \
-  -H "Authorization: Bearer $TOKEN" \
-  -H "Content-Type: application/json" \
-  -d '{"name": "github-actions", "type": "ci", "scope": ["myapp"], "expiresIn": "90d"}'
-
-# Use token for docker login
+# Create a CI/CD token in the web UI, then use it for docker login
 docker login localhost:4000 -u ci -p <token>
 ```
 
@@ -467,9 +392,8 @@ docker login localhost:4000 -u ci -p <token>
 
 ```bash
 # Configure Cloudflare (one-time setup)
-onebox config set cloudflareAPIKey your-api-key
-onebox config set cloudflareEmail your@email.com
-onebox config set cloudflareZoneID your-zone-id
+onebox config set cloudflareToken your-api-token
+onebox config set cloudflareZoneId your-zone-id
 
 # Deploy with automatic DNS
 onebox service add myapp \
@@ -543,7 +467,7 @@ onebox ssl force-renew yourdomain.com
 
 - ✅ Ensure firewall allows WebSocket connections
 - ✅ Check browser console for connection errors
-- ✅ Verify `/api/ws` endpoint is accessible
+- ✅ Verify the dashboard socket connection is established
 
 ### Service Not Starting
 

scripts/compile-all.sh

@@ -1,56 +0,0 @@
-#!/bin/bash
-#
-# Compile Onebox for all platforms
-#
-
-set -e
-
-VERSION=$(grep '"version"' deno.json | cut -d'"' -f4)
-echo "Compiling Onebox v${VERSION} for all platforms..."
-
-# Create dist directory
-mkdir -p dist/binaries
-
-# Compile for each platform
-echo "Compiling for Linux x64..."
-deno compile --allow-all --no-check \
-  --output "dist/binaries/onebox-linux-x64" \
-  --target x86_64-unknown-linux-gnu \
-  mod.ts
-
-echo "Compiling for Linux ARM64..."
-deno compile --allow-all --no-check \
-  --output "dist/binaries/onebox-linux-arm64" \
-  --target aarch64-unknown-linux-gnu \
-  mod.ts
-
-echo "Compiling for macOS x64..."
-deno compile --allow-all --no-check \
-  --output "dist/binaries/onebox-macos-x64" \
-  --target x86_64-apple-darwin \
-  mod.ts
-
-echo "Compiling for macOS ARM64..."
-deno compile --allow-all --no-check \
-  --output "dist/binaries/onebox-macos-arm64" \
-  --target aarch64-apple-darwin \
-  mod.ts
-
-echo "Compiling for Windows x64..."
-deno compile --allow-all --no-check \
-  --output "dist/binaries/onebox-windows-x64.exe" \
-  --target x86_64-pc-windows-msvc \
-  mod.ts
-
-echo ""
-echo "✓ Compilation complete!"
-echo ""
-echo "Binaries:"
-ls -lh dist/binaries/
-echo ""
-echo "Next steps:"
-echo "1. Test binaries on their respective platforms"
-echo "2. Create git tag: git tag v${VERSION}"
-echo "3. Push tag: git push origin v${VERSION}"
-echo "4. Upload binaries to Gitea release"
-echo "5. Publish to npm: pnpm publish"

test/auth_test.ts

@@ -0,0 +1,105 @@
+import { assert, assertEquals, fail } from '@std/assert';
+
+import * as plugins from '../ts/plugins.ts';
+import type { IUser as IDatabaseUser } from '../ts/types.ts';
+import { AdminHandler } from '../ts/opsserver/handlers/admin.handler.ts';
+import {
+  hashPassword,
+  isBcryptHash,
+  needsPasswordUpgrade,
+  verifyPassword,
+} from '../ts/utils/auth.ts';
+
+class FakeDatabase {
+  constructor(private users: Map<string, IDatabaseUser>) {}
+
+  getUserByUsername(username: string): IDatabaseUser | null {
+    return this.users.get(username) ?? null;
+  }
+
+  updateUserPassword(username: string, passwordHash: string): void {
+    const user = this.users.get(username);
+    if (!user) {
+      return;
+    }
+
+    this.users.set(username, {
+      ...user,
+      passwordHash,
+      updatedAt: Date.now(),
+    });
+  }
+}
+
+async function createAdminHandler(users: IDatabaseUser[]): Promise<AdminHandler> {
+  const userMap = new Map(users.map((user) => [user.username, user]));
+  const fakeOpsServer = {
+    typedrouter: new plugins.typedrequest.TypedRouter(),
+    oneboxRef: {
+      database: new FakeDatabase(userMap),
+    },
+  };
+
+  const adminHandler = new AdminHandler(fakeOpsServer as any);
+  await adminHandler.initialize();
+  return adminHandler;
+}
+
+Deno.test('password helpers support bcrypt and legacy password hashes', async () => {
+  const password = 'correct horse battery staple';
+  const bcryptHash = await hashPassword(password);
+
+  assert(isBcryptHash(bcryptHash));
+  assert(await verifyPassword(password, bcryptHash));
+  assert(!(await verifyPassword('wrong password', bcryptHash)));
+  assert(!needsPasswordUpgrade(bcryptHash));
+
+  const legacyHash = btoa(password);
+  assert(await verifyPassword(password, legacyHash));
+  assert(needsPasswordUpgrade(legacyHash));
+});
+
+Deno.test('verified identity is derived from the signed JWT and database, not client fields', async () => {
+  const adminHandler = await createAdminHandler([
+    {
+      id: 1,
+      username: 'alice',
+      passwordHash: await hashPassword('password123'),
+      role: 'user',
+      createdAt: Date.now(),
+      updatedAt: Date.now(),
+    },
+  ]);
+
+  const expiresAt = Date.now() + 60_000;
+  const jwt = await adminHandler.smartjwtInstance.createJWT({
+    userId: '1',
+    username: 'alice',
+    role: 'user',
+    status: 'loggedIn',
+    expiresAt,
+  });
+
+  const verifiedIdentity = await adminHandler.getVerifiedIdentity({
+    jwt,
+    userId: '999',
+    username: 'mallory',
+    role: 'admin',
+    expiresAt: 0,
+  });
+
+  assertEquals(verifiedIdentity.userId, '1');
+  assertEquals(verifiedIdentity.username, 'alice');
+  assertEquals(verifiedIdentity.role, 'user');
+  assertEquals(verifiedIdentity.expiresAt, expiresAt);
+
+  let rejected = false;
+  try {
+    await adminHandler.getVerifiedAdminIdentity(verifiedIdentity);
+    fail('Expected admin-only identity verification to reject non-admin users');
+  } catch {
+    rejected = true;
+  }
+
+  assert(rejected);
+});

test/external_gateway_test.ts

@@ -0,0 +1,213 @@
+import { assert, assertEquals } from '@std/assert';
+
+import { ExternalGatewayManager } from '../ts/classes/external-gateway.ts';
+import type { IDomain, IService, ISslCertificate } from '../ts/types.ts';
+
+class FakeDatabase {
+  public settings = new Map<string, string>();
+  public secretSettings = new Map<string, string>();
+  public domains: IDomain[] = [];
+  public certificates = new Map<string, ISslCertificate>();
+  private nextDomainId = 1;
+
+  getSetting(key: string): string | null {
+    return this.settings.get(key) ?? null;
+  }
+
+  setSetting(key: string, value: string): void {
+    this.settings.set(key, value);
+  }
+
+  async getSecretSetting(key: string): Promise<string | null> {
+    return this.secretSettings.get(key) ?? null;
+  }
+
+  getDomainByName(domain: string): IDomain | null {
+    return this.domains.find((entry) => entry.domain === domain) ?? null;
+  }
+
+  createDomain(domain: Omit<IDomain, 'id'>): IDomain {
+    const createdDomain = { ...domain, id: this.nextDomainId++ };
+    this.domains.push(createdDomain);
+    return createdDomain;
+  }
+
+  updateDomain(id: number, updates: Partial<IDomain>): void {
+    const index = this.domains.findIndex((entry) => entry.id === id);
+    if (index === -1) return;
+    this.domains[index] = { ...this.domains[index], ...updates };
+  }
+
+  getDomainsByProvider(provider: NonNullable<IDomain['dnsProvider']>): IDomain[] {
+    return this.domains.filter((entry) => entry.dnsProvider === provider);
+  }
+
+  getSSLCertificate(domain: string): ISslCertificate | null {
+    return this.certificates.get(domain) ?? null;
+  }
+
+  updateSSLCertificate(domain: string, updates: Partial<ISslCertificate>): void {
+    const existing = this.certificates.get(domain);
+    if (!existing) return;
+    this.certificates.set(domain, { ...existing, ...updates });
+  }
+
+  async createSSLCertificate(cert: Omit<ISslCertificate, 'id'>): Promise<ISslCertificate> {
+    const storedCert = { ...cert, id: this.certificates.size + 1 };
+    this.certificates.set(cert.domain, storedCert);
+    return storedCert;
+  }
+}
+
+const makeOneboxRef = () => {
+  const database = new FakeDatabase();
+  database.settings.set('dcrouterGatewayUrl', 'https://edge.example.com');
+  database.settings.set('dcrouterWorkHosterId', 'onebox-1');
+  database.secretSettings.set('dcrouterGatewayApiToken', 'dcr-token');
+
+  let reloadCount = 0;
+  return {
+    database,
+    reverseProxy: {
+      reloadCertificates: async () => {
+        reloadCount++;
+      },
+      get reloadCount() {
+        return reloadCount;
+      },
+    },
+  };
+};
+
+Deno.test('ExternalGatewayManager syncs dcrouter domains into Onebox domains', async () => {
+  const oneboxRef = makeOneboxRef();
+  oneboxRef.database.domains.push({
+    id: 99,
+    domain: 'old.example.com',
+    dnsProvider: 'dcrouter',
+    isObsolete: false,
+    defaultWildcard: true,
+    createdAt: 1,
+    updatedAt: 1,
+  });
+
+  const manager = new ExternalGatewayManager(oneboxRef as any);
+  (manager as any).fireDcRouterRequest = async (method: string) => {
+    assertEquals(method, 'getWorkHosterDomains');
+    return {
+      domains: [
+        {
+          name: 'example.com',
+          capabilities: {
+            canCreateSubdomains: true,
+            canManageDnsRecords: true,
+            canIssueCertificates: true,
+            canHostEmail: true,
+          },
+        },
+      ],
+    };
+  };
+
+  const domains = await manager.syncDomains();
+
+  assertEquals(domains.length, 2);
+  assertEquals(oneboxRef.database.getDomainByName('example.com')?.dnsProvider, 'dcrouter');
+  assertEquals(oneboxRef.database.getDomainByName('example.com')?.defaultWildcard, true);
+  assertEquals(oneboxRef.database.getDomainByName('old.example.com')?.isObsolete, true);
+});
+
+Deno.test('ExternalGatewayManager syncs service routes to dcrouter WorkHoster API', async () => {
+  const oneboxRef = makeOneboxRef();
+  oneboxRef.database.settings.set('serverIP', '203.0.113.10');
+  oneboxRef.database.settings.set('httpPort', '8080');
+
+  const service: IService = {
+    id: 1,
+    name: 'hello',
+    image: 'nginx:latest',
+    envVars: {},
+    port: 3000,
+    domain: 'hello.example.com',
+    status: 'running',
+    createdAt: 1,
+    updatedAt: 1,
+  };
+
+  const requests: Array<{ method: string; requestData: Record<string, unknown> }> = [];
+  const manager = new ExternalGatewayManager(oneboxRef as any);
+  (manager as any).fireDcRouterRequest = async (method: string, requestData: Record<string, unknown>) => {
+    requests.push({ method, requestData });
+    if (method === 'exportCertificate') {
+      return { success: false };
+    }
+    return { success: true, action: 'created', routeId: 'route-1' };
+  };
+
+  await manager.syncServiceRoute(service);
+
+  const syncRequest = requests.find((request) => request.method === 'syncWorkAppRoute')!;
+  const route = syncRequest.requestData.route as any;
+  const ownership = syncRequest.requestData.ownership as any;
+
+  assertEquals(ownership, {
+    workHosterType: 'onebox',
+    workHosterId: 'onebox-1',
+    workAppId: 'hello',
+    hostname: 'hello.example.com',
+  });
+  assertEquals(route.match, { ports: [443], domains: ['hello.example.com'] });
+  assertEquals(route.action.targets, [{ host: '203.0.113.10', port: 8080 }]);
+  assertEquals(route.action.tls, { mode: 'terminate', certificate: 'auto' });
+  assertEquals(syncRequest.requestData.enabled, true);
+});
+
+Deno.test('ExternalGatewayManager deletes service routes through dcrouter WorkHoster API', async () => {
+  const oneboxRef = makeOneboxRef();
+  const manager = new ExternalGatewayManager(oneboxRef as any);
+  let deleteRequest: Record<string, unknown> | null = null;
+
+  (manager as any).fireDcRouterRequest = async (method: string, requestData: Record<string, unknown>) => {
+    assertEquals(method, 'syncWorkAppRoute');
+    deleteRequest = requestData;
+    return { success: true, action: 'deleted', routeId: 'route-1' };
+  };
+
+  await manager.deleteServiceRoute({
+    id: 1,
+    name: 'hello',
+    domain: 'hello.example.com',
+  });
+
+  assert(deleteRequest);
+  const capturedDeleteRequest = deleteRequest as Record<string, unknown>;
+  assertEquals(capturedDeleteRequest.delete, true);
+  assertEquals((capturedDeleteRequest.ownership as any).hostname, 'hello.example.com');
+});
+
+Deno.test('ExternalGatewayManager imports exported dcrouter certificates into Onebox', async () => {
+  const oneboxRef = makeOneboxRef();
+  const manager = new ExternalGatewayManager(oneboxRef as any);
+  (manager as any).fireDcRouterRequest = async (method: string, requestData: Record<string, unknown>) => {
+    assertEquals(method, 'exportCertificate');
+    assertEquals(requestData.domain, 'hello.example.com');
+    return {
+      success: true,
+      cert: {
+        id: 'cert-1',
+        domainName: 'hello.example.com',
+        created: 1,
+        validUntil: 2,
+        privateKey: '-----BEGIN PRIVATE KEY-----\nfake\n-----END PRIVATE KEY-----',
+        publicKey: '-----BEGIN CERTIFICATE-----\nfake\n-----END CERTIFICATE-----',
+        csr: '',
+      },
+    };
+  };
+
+  const imported = await manager.importCertificateForDomain('hello.example.com');
+
+  assert(imported);
+  assertEquals(oneboxRef.database.getSSLCertificate('hello.example.com')?.issuer, 'dcrouter');
+  assertEquals(oneboxRef.reverseProxy.reloadCount, 1);
+});

test/secret_settings_test.ts

@@ -0,0 +1,73 @@
+import { assert, assertEquals } from '@std/assert';
+
+import { SecretSettingsManager } from '../ts/database/secret-settings.ts';
+
+class FakeAuthRepository {
+  public settings = new Map<string, string>();
+  public secretSettings = new Map<string, string>();
+
+  getSetting(key: string): string | null {
+    return this.settings.get(key) ?? null;
+  }
+
+  setSetting(key: string, value: string): void {
+    this.settings.set(key, value);
+  }
+
+  deleteSetting(key: string): void {
+    this.settings.delete(key);
+  }
+
+  getSecretSetting(key: string): string | null {
+    return this.secretSettings.get(key) ?? null;
+  }
+
+  setSecretSetting(key: string, value: string): void {
+    this.secretSettings.set(key, value);
+  }
+
+  deleteSecretSetting(key: string): void {
+    this.secretSettings.delete(key);
+  }
+}
+
+Deno.test('secret settings migrate legacy plaintext aliases into encrypted storage', async () => {
+  const authRepo = new FakeAuthRepository();
+  authRepo.setSetting('cloudflareAPIKey', 'cf-secret-token');
+
+  const secretSettings = new SecretSettingsManager(authRepo as any);
+  const token = await secretSettings.get('cloudflareToken');
+
+  assertEquals(token, 'cf-secret-token');
+  assertEquals(authRepo.getSetting('cloudflareAPIKey'), null);
+  assertEquals(authRepo.getSetting('cloudflareToken'), null);
+
+  const storedSecret = authRepo.getSecretSetting('cloudflareToken');
+  assert(storedSecret?.startsWith('enc:v1:'));
+});
+
+Deno.test('secret settings canonicalize aliases and clear old secret entries', async () => {
+  const authRepo = new FakeAuthRepository();
+  const secretSettings = new SecretSettingsManager(authRepo as any);
+
+  await secretSettings.set('backup_encryption_password', 'backup-passphrase');
+
+  assertEquals(await secretSettings.get('backupPassword'), 'backup-passphrase');
+  assert(authRepo.getSecretSetting('backupPassword')?.startsWith('enc:v1:'));
+  assertEquals(authRepo.getSecretSetting('backup_encryption_password'), null);
+
+  secretSettings.clear('backupPassword');
+  assertEquals(await secretSettings.get('backupPassword'), null);
+});
+
+Deno.test('secret settings treat dcrouter gateway token as encrypted secret', async () => {
+  const authRepo = new FakeAuthRepository();
+  authRepo.setSetting('externalGatewayApiToken', 'dcr-secret-token');
+
+  const secretSettings = new SecretSettingsManager(authRepo as any);
+  const token = await secretSettings.get('dcrouterGatewayApiToken');
+
+  assertEquals(token, 'dcr-secret-token');
+  assertEquals(authRepo.getSetting('externalGatewayApiToken'), null);
+  assert(authRepo.getSecretSetting('dcrouterGatewayApiToken')?.startsWith('enc:v1:'));
+});

test/security_test.ts

@@ -0,0 +1,61 @@
+import { assert, assertEquals } from '@std/assert';
+
+import type { IRegistry } from '../ts/types.ts';
+import { credentialEncryption } from '../ts/classes/encryption.ts';
+import { OneboxRegistriesManager } from '../ts/classes/registries.ts';
+
+class FakeRegistryDatabase {
+  private registries = new Map<string, IRegistry>();
+
+  getRegistryByURL(url: string): IRegistry | null {
+    return this.registries.get(url) ?? null;
+  }
+
+  async createRegistry(registry: Omit<IRegistry, 'id'>): Promise<IRegistry> {
+    const savedRegistry: IRegistry = {
+      id: this.registries.size + 1,
+      ...registry,
+    };
+    this.registries.set(savedRegistry.url, savedRegistry);
+    return savedRegistry;
+  }
+
+  deleteRegistry(url: string): void {
+    this.registries.delete(url);
+  }
+
+  getAllRegistries(): IRegistry[] {
+    return Array.from(this.registries.values());
+  }
+}
+
+Deno.test('credential encryption lazily initializes and roundtrips payloads', async () => {
+  const encrypted = await credentialEncryption.encrypt({ password: 'super-secret' });
+  const decrypted = await credentialEncryption.decrypt<{ password: string }>(encrypted);
+
+  assert(encrypted.length > 0);
+  assertEquals(decrypted.password, 'super-secret');
+});
+
+Deno.test('registry passwords use encrypted storage with legacy decode fallback', async () => {
+  const fakeDatabase = new FakeRegistryDatabase();
+  const registriesManager = new OneboxRegistriesManager({ database: fakeDatabase } as any);
+
+  (registriesManager as any).loginToRegistry = async () => {};
+
+  const registry = await registriesManager.addRegistry(
+    'registry.example.com',
+    'ci-user',
+    'correct horse battery staple',
+  );
+
+  assert(registry.passwordEncrypted.startsWith('enc:v1:'));
+  assertEquals(
+    await (registriesManager as any).decryptPassword(registry.passwordEncrypted),
+    'correct horse battery staple',
+  );
+  assertEquals(
+    await (registriesManager as any).decryptPassword(btoa('legacy-password')),
+    'legacy-password',
+  );
+});

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/onebox',
-  version: '1.11.0',
+  version: '1.24.2',
   description: 'Self-hosted container platform with automatic SSL and DNS - a mini Heroku for single servers'
 }

ts/classes/apiclient.ts

@@ -1,210 +0,0 @@
-/**
- * API Client for communicating with Onebox daemon
- *
- * Provides methods for CLI commands to interact with running daemon via HTTP API
- */
-
-import type {
-  IService,
-  IRegistry,
-  IDnsRecord,
-  ISslCertificate,
-  IServiceDeployOptions,
-} from '../types.ts';
-import { getErrorMessage } from '../utils/error.ts';
-
-export class OneboxApiClient {
-  private baseUrl: string;
-  private token?: string;
-
-  constructor(port = 3000) {
-    this.baseUrl = `http://localhost:${port}`;
-  }
-
-  /**
-   * Check if daemon is reachable
-   */
-  async isReachable(): Promise<boolean> {
-    try {
-      const response = await fetch(`${this.baseUrl}/api/status`, {
-        signal: AbortSignal.timeout(5000), // 5 second timeout
-      });
-      return response.ok;
-    } catch {
-      return false;
-    }
-  }
-
-  // ============ Service Operations ============
-
-  async deployService(config: IServiceDeployOptions): Promise<IService> {
-    return await this.request<IService>('POST', '/api/services', config);
-  }
-
-  async removeService(name: string): Promise<void> {
-    await this.request('DELETE', `/api/services/${name}`);
-  }
-
-  async startService(name: string): Promise<void> {
-    await this.request('POST', `/api/services/${name}/start`);
-  }
-
-  async stopService(name: string): Promise<void> {
-    await this.request('POST', `/api/services/${name}/stop`);
-  }
-
-  async restartService(name: string): Promise<void> {
-    await this.request('POST', `/api/services/${name}/restart`);
-  }
-
-  async listServices(): Promise<IService[]> {
-    return await this.request<IService[]>('GET', '/api/services');
-  }
-
-  async getServiceLogs(name: string, limit = 1000): Promise<string[]> {
-    const result = await this.request<{ logs: string[] }>(
-      'GET',
-      `/api/services/${name}/logs?limit=${limit}`
-    );
-    return result.logs;
-  }
-
-  // ============ Registry Operations ============
-
-  async addRegistry(url: string, username: string, password: string): Promise<void> {
-    await this.request('POST', '/api/registries', { url, username, password });
-  }
-
-  async removeRegistry(url: string): Promise<void> {
-    await this.request('DELETE', `/api/registries/${encodeURIComponent(url)}`);
-  }
-
-  async listRegistries(): Promise<IRegistry[]> {
-    return await this.request<IRegistry[]>('GET', '/api/registries');
-  }
-
-  // ============ DNS Operations ============
-
-  async addDnsRecord(domain: string): Promise<void> {
-    await this.request('POST', '/api/dns', { domain });
-  }
-
-  async removeDnsRecord(domain: string): Promise<void> {
-    await this.request('DELETE', `/api/dns/${domain}`);
-  }
-
-  async listDnsRecords(): Promise<IDnsRecord[]> {
-    return await this.request<IDnsRecord[]>('GET', '/api/dns');
-  }
-
-  async syncDns(): Promise<void> {
-    await this.request('POST', '/api/dns/sync');
-  }
-
-  // ============ SSL Operations ============
-
-  async renewCertificate(domain?: string): Promise<void> {
-    const path = domain ? `/api/ssl/renew/${domain}` : '/api/ssl/renew';
-    await this.request('POST', path);
-  }
-
-  async listCertificates(): Promise<ISslCertificate[]> {
-    return await this.request<ISslCertificate[]>('GET', '/api/ssl');
-  }
-
-  async forceRenewCertificate(domain: string): Promise<void> {
-    await this.request('POST', `/api/ssl/renew/${domain}?force=true`);
-  }
-
-  // ============ Nginx Operations ============
-
-  async reloadNginx(): Promise<void> {
-    await this.request('POST', '/api/nginx/reload');
-  }
-
-  async testNginx(): Promise<{ success: boolean; output: string }> {
-    return await this.request('POST', '/api/nginx/test');
-  }
-
-  async getNginxStatus(): Promise<{ status: string }> {
-    return await this.request('GET', '/api/nginx/status');
-  }
-
-  // ============ Config Operations ============
-
-  async getSettings(): Promise<Record<string, string>> {
-    return await this.request<Record<string, string>>('GET', '/api/config');
-  }
-
-  async setSetting(key: string, value: string): Promise<void> {
-    await this.request('POST', '/api/config', { key, value });
-  }
-
-  // ============ System Operations ============
-
-  async getStatus(): Promise<{
-    services: { total: number; running: number; stopped: number };
-    uptime: number;
-  }> {
-    return await this.request('GET', '/api/status');
-  }
-
-  // ============ Helper Methods ============
-
-  /**
-   * Make HTTP request to daemon
-   */
-  private async request<T = unknown>(
-    method: string,
-    path: string,
-    body?: unknown
-  ): Promise<T> {
-    const url = `${this.baseUrl}${path}`;
-
-    const headers: Record<string, string> = {
-      'Content-Type': 'application/json',
-    };
-
-    if (this.token) {
-      headers['Authorization'] = `Bearer ${this.token}`;
-    }
-
-    const options: RequestInit = {
-      method,
-      headers,
-      signal: AbortSignal.timeout(30000), // 30 second timeout
-    };
-
-    if (body) {
-      options.body = JSON.stringify(body);
-    }
-
-    try {
-      const response = await fetch(url, options);
-
-      if (!response.ok) {
-        const errorData = await response.json().catch(() => ({ message: response.statusText }));
-        throw new Error(errorData.message || `HTTP ${response.status}: ${response.statusText}`);
-      }
-
-      // For DELETE and some POST requests, there might be no content
-      if (response.status === 204 || response.headers.get('content-length') === '0') {
-        return undefined as T;
-      }
-
-      return await response.json();
-    } catch (error) {
-      if (error instanceof Error && error.name === 'TimeoutError') {
-        throw new Error('Request timed out. Daemon might be unresponsive.');
-      }
-      throw error;
-    }
-  }
-
-  /**
-   * Set authentication token
-   */
-  setToken(token: string): void {
-    this.token = token;
-  }
-}

ts/classes/appstore-types.ts

@@ -0,0 +1,73 @@
+/**
+ * App Store type definitions
+ */
+
+export interface ICatalog {
+  schemaVersion: number;
+  updatedAt: string;
+  apps: ICatalogApp[];
+}
+
+export interface ICatalogApp {
+  id: string;
+  name: string;
+  description: string;
+  category: string;
+  iconName?: string;
+  iconUrl?: string;
+  latestVersion: string;
+  tags?: string[];
+}
+
+export interface IAppMeta {
+  id: string;
+  name: string;
+  description: string;
+  category: string;
+  iconName?: string;
+  latestVersion: string;
+  versions: string[];
+  maintainer?: string;
+  links?: Record<string, string>;
+}
+
+export interface IAppVersionConfig {
+  image: string;
+  port: number;
+  envVars?: Array<{ key: string; value: string; description: string; required?: boolean }>;
+  volumes?: string[];
+  platformRequirements?: {
+    mongodb?: boolean;
+    s3?: boolean;
+    clickhouse?: boolean;
+    redis?: boolean;
+    mariadb?: boolean;
+  };
+  minOneboxVersion?: string;
+}
+
+export interface IMigrationContext {
+  service: {
+    name: string;
+    image: string;
+    envVars: Record<string, string>;
+    port: number;
+  };
+  fromVersion: string;
+  toVersion: string;
+}
+
+export interface IMigrationResult {
+  success: boolean;
+  envVars?: Record<string, string>;
+  image?: string;
+  warnings: string[];
+}
+
+export interface IUpgradeableService {
+  serviceName: string;
+  appTemplateId: string;
+  currentVersion: string;
+  latestVersion: string;
+  hasMigration: boolean;
+}

ts/classes/appstore.ts

@@ -0,0 +1,335 @@
+/**
+ * App Store Manager
+ * Fetches, caches, and serves app templates from the remote appstore-apptemplates repo.
+ * The remote repo is the single source of truth — no fallback catalog.
+ */
+
+import type {
+  ICatalog,
+  ICatalogApp,
+  IAppMeta,
+  IAppVersionConfig,
+  IMigrationContext,
+  IMigrationResult,
+  IUpgradeableService,
+} from './appstore-types.ts';
+import { logger } from '../logging.ts';
+import { getErrorMessage } from '../utils/error.ts';
+import type { Onebox } from './onebox.ts';
+import type { IService } from '../types.ts';
+
+export class AppStoreManager {
+  private oneboxRef: Onebox;
+  private catalogCache: ICatalog | null = null;
+  private lastFetchTime = 0;
+  private readonly repoBaseUrl = 'https://code.foss.global/serve.zone/appstore-apptemplates/raw/branch/main';
+  private readonly cacheTtlMs = 5 * 60 * 1000; // 5 minutes
+
+  constructor(oneboxRef: Onebox) {
+    this.oneboxRef = oneboxRef;
+  }
+
+  async init(): Promise<void> {
+    try {
+      await this.getCatalog();
+      logger.info(`App Store initialized with ${this.catalogCache?.apps.length || 0} templates`);
+    } catch (error) {
+      logger.warn(`App Store initialization failed: ${getErrorMessage(error)}`);
+      logger.warn('App Store will retry on next request');
+    }
+  }
+
+  /**
+   * Get the catalog (cached, refreshes after TTL)
+   */
+  async getCatalog(): Promise<ICatalog> {
+    const now = Date.now();
+    if (this.catalogCache && (now - this.lastFetchTime) < this.cacheTtlMs) {
+      return this.catalogCache;
+    }
+
+    try {
+      const catalog = await this.fetchJson('catalog.json') as ICatalog;
+      if (catalog && catalog.apps && Array.isArray(catalog.apps)) {
+        this.catalogCache = catalog;
+        this.lastFetchTime = now;
+        return catalog;
+      }
+      throw new Error('Invalid catalog format');
+    } catch (error) {
+      logger.warn(`Failed to fetch remote catalog: ${getErrorMessage(error)}`);
+      // Return cached if available, otherwise return empty catalog
+      if (this.catalogCache) {
+        return this.catalogCache;
+      }
+      return { schemaVersion: 1, updatedAt: '', apps: [] };
+    }
+  }
+
+  /**
+   * Get the catalog apps list (convenience method for the API)
+   */
+  async getApps(): Promise<ICatalogApp[]> {
+    const catalog = await this.getCatalog();
+    return catalog.apps;
+  }
+
+  /**
+   * Fetch app metadata (versions list, etc.)
+   */
+  async getAppMeta(appId: string): Promise<IAppMeta> {
+    try {
+      return await this.fetchJson(`apps/${appId}/app.json`) as IAppMeta;
+    } catch (error) {
+      throw new Error(`Failed to fetch metadata for app '${appId}': ${getErrorMessage(error)}`);
+    }
+  }
+
+  /**
+   * Fetch full config for an app version
+   */
+  async getAppVersionConfig(appId: string, version: string): Promise<IAppVersionConfig> {
+    try {
+      return await this.fetchJson(`apps/${appId}/versions/${version}/config.json`) as IAppVersionConfig;
+    } catch (error) {
+      throw new Error(`Failed to fetch config for ${appId}@${version}: ${getErrorMessage(error)}`);
+    }
+  }
+
+  /**
+   * Compare deployed services against catalog to find those with available upgrades
+   */
+  async getUpgradeableServices(): Promise<IUpgradeableService[]> {
+    const catalog = await this.getCatalog();
+    const services = this.oneboxRef.database.getAllServices();
+    const upgradeable: IUpgradeableService[] = [];
+
+    for (const service of services) {
+      if (!service.appTemplateId || !service.appTemplateVersion) continue;
+
+      const catalogApp = catalog.apps.find(a => a.id === service.appTemplateId);
+      if (!catalogApp) continue;
+
+      if (catalogApp.latestVersion !== service.appTemplateVersion) {
+        // Check if a migration script exists
+        const hasMigration = await this.hasMigrationScript(
+          service.appTemplateId,
+          service.appTemplateVersion,
+          catalogApp.latestVersion,
+        );
+
+        upgradeable.push({
+          serviceName: service.name,
+          appTemplateId: service.appTemplateId,
+          currentVersion: service.appTemplateVersion,
+          latestVersion: catalogApp.latestVersion,
+          hasMigration,
+        });
+      }
+    }
+
+    return upgradeable;
+  }
+
+  /**
+   * Check if a migration script exists for a specific version transition
+   */
+  async hasMigrationScript(appId: string, fromVersion: string, toVersion: string): Promise<boolean> {
+    try {
+      const scriptPath = `apps/${appId}/versions/${toVersion}/migrate-from-${fromVersion}.ts`;
+      await this.fetchText(scriptPath);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Execute a migration in a sandboxed Deno child process
+   */
+  async executeMigration(service: IService, fromVersion: string, toVersion: string): Promise<IMigrationResult> {
+    const appId = service.appTemplateId;
+    if (!appId) {
+      throw new Error('Service has no appTemplateId');
+    }
+
+    // Fetch the migration script
+    const scriptPath = `apps/${appId}/versions/${toVersion}/migrate-from-${fromVersion}.ts`;
+    let scriptContent: string;
+    try {
+      scriptContent = await this.fetchText(scriptPath);
+    } catch {
+      // No migration script — do a simple config-based upgrade
+      logger.info(`No migration script for ${appId} ${fromVersion} -> ${toVersion}, using config-only upgrade`);
+      const config = await this.getAppVersionConfig(appId, toVersion);
+      return {
+        success: true,
+        image: config.image,
+        envVars: undefined, // Keep existing env vars
+        warnings: [],
+      };
+    }
+
+    // Write to temp file
+    const tempFile = `/tmp/onebox-migration-${crypto.randomUUID()}.ts`;
+    await Deno.writeTextFile(tempFile, scriptContent);
+
+    try {
+      // Prepare context
+      const context: IMigrationContext = {
+        service: {
+          name: service.name,
+          image: service.image,
+          envVars: service.envVars,
+          port: service.port,
+        },
+        fromVersion,
+        toVersion,
+      };
+
+      // Execute in sandboxed Deno child process
+      const cmd = new Deno.Command('deno', {
+        args: ['run', '--allow-env', '--allow-net=none', '--allow-read=none', '--allow-write=none', tempFile],
+        stdin: 'piped',
+        stdout: 'piped',
+        stderr: 'piped',
+      });
+
+      const child = cmd.spawn();
+
+      // Write context to stdin
+      const writer = child.stdin.getWriter();
+      await writer.write(new TextEncoder().encode(JSON.stringify(context)));
+      await writer.close();
+
+      // Read result
+      const output = await child.output();
+      const exitCode = output.code;
+      const stdout = new TextDecoder().decode(output.stdout);
+      const stderr = new TextDecoder().decode(output.stderr);
+
+      if (exitCode !== 0) {
+        logger.error(`Migration script failed (exit ${exitCode}): ${stderr.substring(0, 500)}`);
+        return {
+          success: false,
+          warnings: [`Migration script failed: ${stderr.substring(0, 200)}`],
+        };
+      }
+
+      // Parse result from stdout
+      try {
+        const result = JSON.parse(stdout) as IMigrationResult;
+        result.success = true;
+        return result;
+      } catch {
+        logger.error(`Failed to parse migration output: ${stdout.substring(0, 200)}`);
+        return {
+          success: false,
+          warnings: ['Migration script produced invalid output'],
+        };
+      }
+    } finally {
+      // Cleanup temp file
+      try {
+        await Deno.remove(tempFile);
+      } catch {
+        // Ignore cleanup errors
+      }
+    }
+  }
+
+  /**
+   * Apply an upgrade: update image, env vars, recreate container
+   */
+  async applyUpgrade(
+    serviceName: string,
+    migrationResult: IMigrationResult,
+    newVersion: string,
+  ): Promise<IService> {
+    const service = this.oneboxRef.database.getServiceByName(serviceName);
+    if (!service) {
+      throw new Error(`Service not found: ${serviceName}`);
+    }
+
+    // Stop the existing container
+    if (service.containerID && service.status === 'running') {
+      await this.oneboxRef.services.stopService(serviceName);
+    }
+
+    // Update service record
+    const updates: Partial<IService> = {
+      appTemplateVersion: newVersion,
+    };
+
+    if (migrationResult.image) {
+      updates.image = migrationResult.image;
+    }
+
+    if (migrationResult.envVars) {
+      // Merge: migration result provides base, user overrides preserved
+      const mergedEnvVars = { ...migrationResult.envVars };
+      // Keep any user-set env vars that aren't in the migration result
+      for (const [key, value] of Object.entries(service.envVars)) {
+        if (!(key in mergedEnvVars)) {
+          mergedEnvVars[key] = value;
+        }
+      }
+      updates.envVars = mergedEnvVars;
+    }
+
+    this.oneboxRef.database.updateService(service.id!, updates);
+
+    // Pull new image if changed
+    const newImage = migrationResult.image || service.image;
+    if (migrationResult.image && migrationResult.image !== service.image) {
+      await this.oneboxRef.docker.pullImage(newImage);
+    }
+
+    // Recreate and start container
+    const updatedService = this.oneboxRef.database.getServiceByName(serviceName)!;
+
+    // Remove old container
+    if (service.containerID) {
+      try {
+        await this.oneboxRef.docker.removeContainer(service.containerID, true);
+      } catch {
+        // Container might already be gone
+      }
+    }
+
+    // Create new container
+    const containerID = await this.oneboxRef.docker.createContainer(updatedService);
+    this.oneboxRef.database.updateService(service.id!, { containerID, status: 'starting' });
+
+    // Start container
+    await this.oneboxRef.docker.startContainer(containerID);
+    this.oneboxRef.database.updateService(service.id!, { status: 'running' });
+
+    logger.success(`Service '${serviceName}' upgraded to template version ${newVersion}`);
+    return this.oneboxRef.database.getServiceByName(serviceName)!;
+  }
+
+  /**
+   * Fetch JSON from the remote repo
+   */
+  private async fetchJson(path: string): Promise<unknown> {
+    const url = `${this.repoBaseUrl}/${path}`;
+    const response = await fetch(url);
+    if (!response.ok) {
+      throw new Error(`HTTP ${response.status} for ${url}`);
+    }
+    return response.json();
+  }
+
+  /**
+   * Fetch text from the remote repo
+   */
+  private async fetchText(path: string): Promise<string> {
+    const url = `${this.repoBaseUrl}/${path}`;
+    const response = await fetch(url);
+    if (!response.ok) {
+      throw new Error(`HTTP ${response.status} for ${url}`);
+    }
+    return response.text();
+  }
+}

ts/classes/backup-scheduler.ts

@@ -59,6 +59,15 @@ export class BackupScheduler {
         await this.registerTask(schedule);
       }
 
+      // Add periodic archive prune task (runs daily at 3 AM)
+      const pruneTask = new plugins.taskbuffer.Task({
+        name: 'backup-archive-prune',
+        taskFunction: async () => {
+          await this.pruneArchive();
+        },
+      });
+      this.taskManager.addAndScheduleTask(pruneTask, '0 3 * * *');
+
       // Start the task manager (activates cron scheduling)
       await this.taskManager.start();
 
@@ -436,9 +445,11 @@ export class BackupScheduler {
       if (!toKeep.has(backup.id!)) {
         try {
           await this.oneboxRef.backupManager.deleteBackup(backup.id!);
-          logger.info(`Deleted backup ${backup.filename} (retention policy)`);
+          const backupRef = backup.snapshotId || backup.filename;
+          logger.info(`Deleted backup ${backupRef} (retention policy)`);
         } catch (error) {
-          logger.warn(`Failed to delete old backup ${backup.filename}: ${getErrorMessage(error)}`);
+          const backupRef = backup.snapshotId || backup.filename;
+          logger.warn(`Failed to delete old backup ${backupRef}: ${getErrorMessage(error)}`);
         }
       }
     }
@@ -647,4 +658,48 @@ export class BackupScheduler {
   private getRetentionDescription(retention: IRetentionPolicy): string {
     return `H:${retention.hourly} D:${retention.daily} W:${retention.weekly} M:${retention.monthly}`;
   }
+
+  /**
+   * Prune the containerarchive repository to reclaim storage.
+   * Uses the most generous retention policy across all schedules.
+   */
+  private async pruneArchive(): Promise<void> {
+    const archive = this.oneboxRef.backupManager.archive;
+    if (!archive) return;
+
+    try {
+      // Compute the most generous retention across all schedules
+      const schedules = this.oneboxRef.database.getAllBackupSchedules();
+
+      // Default minimums if no schedules exist
+      let maxDays = 7;
+      let maxWeeks = 4;
+      let maxMonths = 12;
+
+      for (const schedule of schedules) {
+        if (schedule.retention.daily > maxDays) maxDays = schedule.retention.daily;
+        if (schedule.retention.weekly > maxWeeks) maxWeeks = schedule.retention.weekly;
+        if (schedule.retention.monthly > maxMonths) maxMonths = schedule.retention.monthly;
+      }
+
+      const result = await archive.prune(
+        {
+          keepDays: maxDays,
+          keepWeeks: maxWeeks,
+          keepMonths: maxMonths,
+        },
+        false, // not dry run
+      );
+
+      if (result.removedSnapshots > 0 || result.freedBytes > 0) {
+        const freedMB = Math.round(result.freedBytes / (1024 * 1024) * 10) / 10;
+        logger.info(
+          `Archive prune: removed ${result.removedSnapshots} snapshot(s), ` +
+          `${result.removedPacks} pack(s), freed ${freedMB} MB`
+        );
+      }
+    } catch (error) {
+      logger.warn(`Archive prune failed: ${getErrorMessage(error)}`);
+    }
+  }
 }

ts/classes/caddy.ts

@@ -1,592 +0,0 @@
-/**
- * Caddy Manager for Onebox
- *
- * Manages Caddy as a Docker Swarm service instead of a host binary.
- * This allows Caddy to access services on the Docker overlay network.
- */
-
-import * as plugins from '../plugins.ts';
-import { logger } from '../logging.ts';
-import { getErrorMessage } from '../utils/error.ts';
-
-const CADDY_SERVICE_NAME = 'onebox-caddy';
-const CADDY_IMAGE = 'caddy:2-alpine';
-const DOCKER_GATEWAY_IP = '172.17.0.1'; // Docker bridge gateway for container-to-host communication
-
-export interface ICaddyRoute {
-  domain: string;
-  upstream: string; // e.g., "onebox-hello-world:80"
-}
-
-export interface ICaddyCertificate {
-  domain: string;
-  certPem: string;
-  keyPem: string;
-}
-
-interface ICaddyLoggingConfig {
-  logs: {
-    [name: string]: {
-      writer: {
-        output: string;
-        address?: string;
-        dial_timeout?: string;
-        soft_start?: boolean;
-      };
-      encoder?: { format: string };
-      level?: string;
-      include?: string[];
-    };
-  };
-}
-
-interface ICaddyConfig {
-  admin: {
-    listen: string;
-  };
-  logging?: ICaddyLoggingConfig;
-  apps: {
-    http: {
-      servers: {
-        [key: string]: {
-          listen: string[];
-          routes: ICaddyRouteConfig[];
-          automatic_https?: {
-            disable?: boolean;
-            disable_redirects?: boolean;
-          };
-          logs?: {
-            default_logger_name: string;
-          };
-        };
-      };
-    };
-    tls?: {
-      automation?: {
-        policies: Array<{ issuers: never[] }>;
-      };
-      certificates?: {
-        load_pem?: Array<{
-          certificate: string;
-          key: string;
-          tags?: string[];
-        }>;
-      };
-    };
-  };
-}
-
-interface ICaddyRouteConfig {
-  match: Array<{ host: string[] }>;
-  handle: Array<{
-    handler: string;
-    upstreams?: Array<{ dial: string }>;
-    routes?: ICaddyRouteConfig[];
-  }>;
-  terminal?: boolean;
-}
-
-export class CaddyManager {
-  private dockerClient: InstanceType<typeof plugins.docker.Docker> | null = null;
-  private certsDir: string;
-  private adminUrl: string;
-  private httpPort: number;
-  private httpsPort: number;
-  private logReceiverPort: number;
-  private loggingEnabled: boolean;
-  private routes: Map<string, ICaddyRoute> = new Map();
-  private certificates: Map<string, ICaddyCertificate> = new Map();
-  private networkName = 'onebox-network';
-  private serviceRunning = false;
-
-  constructor(options?: {
-    certsDir?: string;
-    adminPort?: number;
-    httpPort?: number;
-    httpsPort?: number;
-    logReceiverPort?: number;
-    loggingEnabled?: boolean;
-  }) {
-    this.certsDir = options?.certsDir || './.nogit/certs';
-    this.adminUrl = `http://localhost:${options?.adminPort || 2019}`;
-    this.httpPort = options?.httpPort || 8080;
-    this.httpsPort = options?.httpsPort || 8443;
-    this.logReceiverPort = options?.logReceiverPort || 9999;
-    this.loggingEnabled = options?.loggingEnabled ?? true;
-  }
-
-  /**
-   * Initialize Docker client for Caddy service management
-   */
-  private async ensureDockerClient(): Promise<void> {
-    if (!this.dockerClient) {
-      this.dockerClient = new plugins.docker.Docker({
-        socketPath: 'unix:///var/run/docker.sock',
-      });
-      await this.dockerClient.start();
-    }
-  }
-
-  /**
-   * Update listening ports (must call reloadConfig after if running)
-   */
-  setPorts(httpPort: number, httpsPort: number): void {
-    this.httpPort = httpPort;
-    this.httpsPort = httpsPort;
-  }
-
-  /**
-   * Start Caddy as a Docker Swarm service
-   */
-  async start(): Promise<void> {
-    if (this.serviceRunning) {
-      logger.warn('Caddy service is already running');
-      return;
-    }
-
-    try {
-      await this.ensureDockerClient();
-
-      // Create certs directory for backup/persistence
-      await Deno.mkdir(this.certsDir, { recursive: true });
-
-      logger.info('Starting Caddy Docker service...');
-
-      // Check if service already exists
-      const existingService = await this.getExistingService();
-      if (existingService) {
-        logger.info('Caddy service exists, removing old service...');
-        await this.removeService();
-        // Wait for service to be removed
-        await new Promise((resolve) => setTimeout(resolve, 2000));
-      }
-
-      // Get network ID
-      const networkId = await this.getNetworkId();
-
-      // Create Caddy Docker service
-      const response = await this.dockerClient!.request('POST', '/services/create', {
-        Name: CADDY_SERVICE_NAME,
-        Labels: {
-          'managed-by': 'onebox',
-          'onebox-type': 'caddy',
-        },
-        TaskTemplate: {
-          ContainerSpec: {
-            Image: CADDY_IMAGE,
-            // Start Caddy with admin listening on all interfaces so we can reach it from host
-            // Write minimal config to /tmp and start Caddy with that config
-            Command: ['sh', '-c', 'printf \'{"admin":{"listen":"0.0.0.0:2019"}}\' > /tmp/caddy.json && caddy run --config /tmp/caddy.json'],
-          },
-          Networks: [
-            {
-              Target: networkId,
-            },
-          ],
-          RestartPolicy: {
-            Condition: 'any',
-            MaxAttempts: 0,
-          },
-        },
-        Mode: {
-          Replicated: {
-            Replicas: 1,
-          },
-        },
-        EndpointSpec: {
-          Ports: [
-            {
-              Protocol: 'tcp',
-              TargetPort: 80,
-              PublishedPort: this.httpPort,
-              PublishMode: 'host',
-            },
-            {
-              Protocol: 'tcp',
-              TargetPort: 443,
-              PublishedPort: this.httpsPort,
-              PublishMode: 'host',
-            },
-            {
-              Protocol: 'tcp',
-              TargetPort: 2019,
-              PublishedPort: 2019,
-              PublishMode: 'host',
-            },
-          ],
-        },
-      });
-
-      if (response.statusCode >= 300) {
-        throw new Error(`Failed to create Caddy service: HTTP ${response.statusCode} - ${JSON.stringify(response.body)}`);
-      }
-
-      logger.info(`Caddy service created: ${response.body.ID}`);
-
-      // Wait for Admin API to be ready
-      await this.waitForReady();
-
-      this.serviceRunning = true;
-
-      // Now configure via Admin API with current routes and certificates
-      await this.reloadConfig();
-
-      logger.success(`Caddy started (HTTP: ${this.httpPort}, HTTPS: ${this.httpsPort}, Admin: ${this.adminUrl})`);
-    } catch (error) {
-      logger.error(`Failed to start Caddy: ${getErrorMessage(error)}`);
-      throw error;
-    }
-  }
-
-  /**
-   * Get existing Caddy service if any
-   */
-  private async getExistingService(): Promise<any | null> {
-    try {
-      const response = await this.dockerClient!.request('GET', `/services/${CADDY_SERVICE_NAME}`, {});
-      if (response.statusCode === 200) {
-        return response.body;
-      }
-      return null;
-    } catch {
-      return null;
-    }
-  }
-
-  /**
-   * Remove the Caddy service
-   */
-  private async removeService(): Promise<void> {
-    try {
-      await this.dockerClient!.request('DELETE', `/services/${CADDY_SERVICE_NAME}`, {});
-    } catch {
-      // Service may not exist
-    }
-  }
-
-  /**
-   * Get network ID by name
-   */
-  private async getNetworkId(): Promise<string> {
-    const networks = await this.dockerClient!.listNetworks();
-    const network = networks.find((n: any) => n.Name === this.networkName);
-    if (!network) {
-      throw new Error(`Network not found: ${this.networkName}`);
-    }
-    return network.Id;
-  }
-
-  /**
-   * Wait for Caddy Admin API to be ready
-   */
-  private async waitForReady(maxAttempts = 60, intervalMs = 500): Promise<void> {
-    for (let i = 0; i < maxAttempts; i++) {
-      try {
-        const response = await fetch(`${this.adminUrl}/config/`);
-        if (response.ok) {
-          return;
-        }
-      } catch {
-        // Not ready yet
-      }
-      await new Promise((resolve) => setTimeout(resolve, intervalMs));
-    }
-    throw new Error('Caddy service failed to start within timeout');
-  }
-
-  /**
-   * Stop Caddy Docker service
-   */
-  async stop(): Promise<void> {
-    if (!this.serviceRunning && !(await this.getExistingService())) {
-      return;
-    }
-
-    try {
-      await this.ensureDockerClient();
-
-      logger.info('Stopping Caddy service...');
-
-      await this.removeService();
-
-      this.serviceRunning = false;
-      logger.info('Caddy service stopped');
-    } catch (error) {
-      logger.error(`Failed to stop Caddy: ${getErrorMessage(error)}`);
-    }
-  }
-
-  /**
-   * Check if Caddy Admin API is healthy
-   */
-  async isHealthy(): Promise<boolean> {
-    try {
-      const response = await fetch(`${this.adminUrl}/config/`);
-      return response.ok;
-    } catch {
-      return false;
-    }
-  }
-
-  /**
-   * Check if Caddy service is running
-   */
-  async isRunning(): Promise<boolean> {
-    try {
-      await this.ensureDockerClient();
-      const service = await this.getExistingService();
-      if (!service) return false;
-
-      // Check if service has running tasks
-      const tasksResponse = await this.dockerClient!.request(
-        'GET',
-        `/tasks?filters=${encodeURIComponent(JSON.stringify({ service: [CADDY_SERVICE_NAME] }))}`,
-        {}
-      );
-
-      if (tasksResponse.statusCode !== 200) return false;
-
-      const tasks = tasksResponse.body;
-      return tasks.some((task: any) => task.Status?.State === 'running');
-    } catch {
-      return false;
-    }
-  }
-
-  /**
-   * Build Caddy JSON configuration from current routes and certificates
-   */
-  private buildConfig(): ICaddyConfig {
-    const routes: ICaddyRouteConfig[] = [];
-
-    // Add routes
-    for (const [domain, route] of this.routes) {
-      routes.push({
-        match: [{ host: [domain] }],
-        handle: [
-          {
-            handler: 'reverse_proxy',
-            upstreams: [{ dial: route.upstream }],
-          },
-        ],
-        terminal: true,
-      });
-    }
-
-    // Build certificate load_pem entries (inline PEM content)
-    const loadPem: Array<{ certificate: string; key: string; tags?: string[] }> = [];
-    for (const [domain, cert] of this.certificates) {
-      loadPem.push({
-        certificate: cert.certPem,
-        key: cert.keyPem,
-        tags: [domain],
-      });
-    }
-
-    const config: ICaddyConfig = {
-      admin: {
-        listen: '0.0.0.0:2019', // Listen on all interfaces inside container
-      },
-      apps: {
-        http: {
-          servers: {
-            main: {
-              listen: [':80', ':443'],
-              routes,
-              // Disable automatic HTTPS to prevent Caddy from trying to obtain certs
-              automatic_https: {
-                disable: true,
-              },
-            },
-          },
-        },
-      },
-    };
-
-    // Add access logging configuration if enabled
-    if (this.loggingEnabled) {
-      config.logging = {
-        logs: {
-          access: {
-            writer: {
-              output: 'net',
-              // Use Docker bridge gateway IP to reach log receiver on host
-              address: `tcp/${DOCKER_GATEWAY_IP}:${this.logReceiverPort}`,
-              dial_timeout: '5s',
-              soft_start: true, // Continue even if log receiver is down
-            },
-            encoder: { format: 'json' },
-            level: 'INFO',
-            include: ['http.log.access'],
-          },
-        },
-      };
-
-      // Associate server with access logger
-      config.apps.http.servers.main.logs = {
-        default_logger_name: 'access',
-      };
-    }
-
-    // Add TLS config if we have certificates
-    if (loadPem.length > 0) {
-      config.apps.tls = {
-        automation: {
-          // Disable automatic HTTPS - we manage certs ourselves
-          policies: [{ issuers: [] }],
-        },
-        certificates: {
-          load_pem: loadPem,
-        },
-      };
-    }
-
-    return config;
-  }
-
-  /**
-   * Reload Caddy configuration via Admin API
-   */
-  async reloadConfig(): Promise<void> {
-    const isRunning = await this.isRunning();
-    if (!isRunning) {
-      logger.warn('Caddy not running, cannot reload config');
-      return;
-    }
-
-    const config = this.buildConfig();
-
-    try {
-      const response = await fetch(`${this.adminUrl}/load`, {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify(config),
-      });
-
-      if (!response.ok) {
-        const text = await response.text();
-        throw new Error(`Failed to reload Caddy config: ${response.status} ${text}`);
-      }
-
-      logger.debug('Caddy configuration reloaded');
-    } catch (error) {
-      logger.error(`Failed to reload Caddy config: ${getErrorMessage(error)}`);
-      throw error;
-    }
-  }
-
-  /**
-   * Add or update a route
-   */
-  async addRoute(domain: string, upstream: string): Promise<void> {
-    this.routes.set(domain, { domain, upstream });
-
-    if (await this.isRunning()) {
-      await this.reloadConfig();
-    }
-
-    logger.success(`Added Caddy route: ${domain} -> ${upstream}`);
-  }
-
-  /**
-   * Remove a route
-   */
-  async removeRoute(domain: string): Promise<void> {
-    if (this.routes.delete(domain)) {
-      if (await this.isRunning()) {
-        await this.reloadConfig();
-      }
-      logger.success(`Removed Caddy route: ${domain}`);
-    }
-  }
-
-  /**
-   * Add or update a TLS certificate
-   * Stores PEM content in memory for Admin API, also writes to disk for backup
-   */
-  async addCertificate(domain: string, certPem: string, keyPem: string): Promise<void> {
-    // Store PEM content in memory for buildConfig()
-    this.certificates.set(domain, {
-      domain,
-      certPem,
-      keyPem,
-    });
-
-    // Also write to disk for backup/persistence
-    try {
-      await Deno.mkdir(this.certsDir, { recursive: true });
-      await Deno.writeTextFile(`${this.certsDir}/${domain}.crt`, certPem);
-      await Deno.writeTextFile(`${this.certsDir}/${domain}.key`, keyPem);
-    } catch (error) {
-      logger.warn(`Failed to write certificate backup for ${domain}: ${getErrorMessage(error)}`);
-    }
-
-    if (await this.isRunning()) {
-      await this.reloadConfig();
-    }
-
-    logger.success(`Added TLS certificate for ${domain}`);
-  }
-
-  /**
-   * Remove a TLS certificate
-   */
-  async removeCertificate(domain: string): Promise<void> {
-    if (this.certificates.delete(domain)) {
-      // Remove backup files
-      try {
-        await Deno.remove(`${this.certsDir}/${domain}.crt`);
-        await Deno.remove(`${this.certsDir}/${domain}.key`);
-      } catch {
-        // Files may not exist
-      }
-
-      if (await this.isRunning()) {
-        await this.reloadConfig();
-      }
-
-      logger.success(`Removed TLS certificate for ${domain}`);
-    }
-  }
-
-  /**
-   * Get all current routes
-   */
-  getRoutes(): ICaddyRoute[] {
-    return Array.from(this.routes.values());
-  }
-
-  /**
-   * Get all current certificates
-   */
-  getCertificates(): ICaddyCertificate[] {
-    return Array.from(this.certificates.values());
-  }
-
-  /**
-   * Clear all routes and certificates (useful for reload from database)
-   */
-  clear(): void {
-    this.routes.clear();
-    this.certificates.clear();
-  }
-
-  /**
-   * Get status
-   */
-  getStatus(): {
-    running: boolean;
-    httpPort: number;
-    httpsPort: number;
-    routes: number;
-    certificates: number;
-  } {
-    return {
-      running: this.serviceRunning,
-      httpPort: this.httpPort,
-      httpsPort: this.httpsPort,
-      routes: this.routes.size,
-      certificates: this.certificates.size,
-    };
-  }
-}

ts/classes/cloudflare-sync.ts

@@ -24,7 +24,7 @@ export class CloudflareDomainSync {
    */
   async init(): Promise<void> {
     try {
-      const apiKey = this.database.getSetting('cloudflareAPIKey');
+      const apiKey = await this.database.getSecretSetting('cloudflareToken');
 
       if (!apiKey) {
         logger.warn('Cloudflare API key not configured. Domain sync will be limited.');

ts/classes/daemon.ts

@@ -4,9 +4,7 @@
  * Handles background monitoring, metrics collection, and automatic tasks
  */
 
-import * as plugins from '../plugins.ts';
 import { logger } from '../logging.ts';
-import { projectInfo } from '../info.ts';
 import { getErrorMessage } from '../utils/error.ts';
 import type { Onebox } from './onebox.ts';
 
@@ -18,7 +16,6 @@ const FALLBACK_PID_FILE = `${FALLBACK_PID_DIR}/onebox.pid`;
 
 export class OneboxDaemon {
   private oneboxRef: Onebox;
-  private smartdaemon: plugins.smartdaemon.SmartDaemon | null = null;
   private running = false;
   private monitoringInterval: number | null = null;
   private statsInterval: number | null = null;
@@ -46,68 +43,6 @@ export class OneboxDaemon {
     }
   }
 
-  /**
-   * Install systemd service
-   */
-  async installService(): Promise<void> {
-    try {
-      logger.info('Installing Onebox daemon service...');
-
-      // Initialize smartdaemon if needed
-      if (!this.smartdaemon) {
-        this.smartdaemon = new plugins.smartdaemon.SmartDaemon();
-      }
-
-      // Get installation directory
-      const execPath = Deno.execPath();
-
-      const service = await this.smartdaemon.addService({
-        name: 'onebox',
-        version: projectInfo.version,
-        command: `${execPath} run --allow-all ${Deno.cwd()}/mod.ts daemon start`,
-        description: 'Onebox - Self-hosted container platform',
-        workingDir: Deno.cwd(),
-      });
-
-      await service.save();
-      await service.enable();
-
-      logger.success('Onebox daemon service installed');
-      logger.info('Start with: sudo systemctl start smartdaemon_onebox');
-    } catch (error) {
-      logger.error(`Failed to install daemon service: ${getErrorMessage(error)}`);
-      throw error;
-    }
-  }
-
-  /**
-   * Uninstall systemd service
-   */
-  async uninstallService(): Promise<void> {
-    try {
-      logger.info('Uninstalling Onebox daemon service...');
-
-      // Initialize smartdaemon if needed
-      if (!this.smartdaemon) {
-        this.smartdaemon = new plugins.smartdaemon.SmartDaemon();
-      }
-
-      const services = await this.smartdaemon.systemdManager.getServices();
-      const service = services.find(s => s.name === 'onebox');
-
-      if (service) {
-        await service.stop();
-        await service.disable();
-        await service.delete();
-      }
-
-      logger.success('Onebox daemon service uninstalled');
-    } catch (error) {
-      logger.error(`Failed to uninstall daemon service: ${getErrorMessage(error)}`);
-      throw error;
-    }
-  }
-
   /**
    * Start daemon mode (background monitoring)
    */
@@ -482,36 +417,7 @@ export class OneboxDaemon {
   static async ensureNoDaemon(): Promise<void> {
     const running = await OneboxDaemon.isDaemonRunning();
     if (running) {
-      throw new Error('Daemon is already running. Please stop it first with: onebox daemon stop');
-    }
-  }
-
-  /**
-   * Get service status from systemd
-   */
-  async getServiceStatus(): Promise<string> {
-    try {
-      // Don't need smartdaemon to check status, just use systemctl directly
-      const command = new Deno.Command('systemctl', {
-        args: ['status', 'smartdaemon_onebox'],
-        stdout: 'piped',
-        stderr: 'piped',
-      });
-
-      const { code, stdout } = await command.output();
-      const output = new TextDecoder().decode(stdout);
-
-      if (code === 0 || output.includes('active (running)')) {
-        return 'running';
-      } else if (output.includes('inactive') || output.includes('dead')) {
-        return 'stopped';
-      } else if (output.includes('failed')) {
-        return 'failed';
-      } else {
-        return 'unknown';
-      }
-    } catch (error) {
-      return 'not-installed';
+      throw new Error('Daemon is already running. Please stop it first with: onebox systemd stop');
     }
   }
 }

ts/classes/dns.ts

@@ -27,12 +27,12 @@ export class OneboxDnsManager {
   async init(): Promise<void> {
     try {
       // Get Cloudflare credentials from settings
-      const apiKey = this.database.getSetting('cloudflareAPIKey');
+      const apiKey = await this.database.getSecretSetting('cloudflareToken');
       const serverIP = this.database.getSetting('serverIP');
 
       if (!apiKey) {
         logger.warn('Cloudflare credentials not configured. DNS management will be disabled.');
-        logger.info('Configure with: onebox config set cloudflareAPIKey <key>');
+        logger.info('Configure with: onebox config set cloudflareToken <key>');
         return;
       }
 

ts/classes/docker.ts

@@ -596,18 +596,26 @@ export class OneboxDockerManager {
   async getContainerStats(containerID: string): Promise<IContainerStats | null> {
     try {
       // Try to get container directly first
-      let container = await this.dockerClient!.getContainerById(containerID);
+      let container: any = null;
+      try {
+        container = await this.dockerClient!.getContainerById(containerID);
+      } catch {
+        // Container not found by ID — might be a Swarm service ID
+      }
 
       // If not found, it might be a service ID - try to get the actual container ID
       if (!container) {
         const serviceContainerId = await this.getContainerIdForService(containerID);
         if (serviceContainerId) {
-          container = await this.dockerClient!.getContainerById(serviceContainerId);
+          try {
+            container = await this.dockerClient!.getContainerById(serviceContainerId);
+          } catch {
+            // Service container also not found
+          }
         }
       }
 
       if (!container) {
-        // Container/service not found
         return null;
       }
 
@@ -849,7 +857,23 @@ export class OneboxDockerManager {
     cmd: string[]
   ): Promise<{ stdout: string; stderr: string; exitCode: number }> {
     try {
-      const container = await this.dockerClient!.getContainerById(containerID);
+      let container: any = null;
+      try {
+        container = await this.dockerClient!.getContainerById(containerID);
+      } catch {
+        // Not a direct container ID — try Swarm service lookup
+      }
+
+      if (!container) {
+        const serviceContainerId = await this.getContainerIdForService(containerID);
+        if (serviceContainerId) {
+          try {
+            container = await this.dockerClient!.getContainerById(serviceContainerId);
+          } catch {
+            // Service container also not found
+          }
+        }
+      }
 
       if (!container) {
         throw new Error(`Container not found: ${containerID}`);
@@ -881,12 +905,12 @@ export class OneboxDockerManager {
       ]);
 
       const execInfo = await inspect();
-      const exitCode = execInfo.ExitCode || 0;
+      const exitCode = execInfo.ExitCode ?? -1;
 
       return { stdout, stderr, exitCode };
     } catch (error) {
       logger.error(`Failed to exec in container ${containerID}: ${getErrorMessage(error)}`);
-      throw error;
+      return { stdout: '', stderr: getErrorMessage(error), exitCode: -1 };
     }
   }
 
@@ -911,8 +935,9 @@ export class OneboxDockerManager {
       logger.info(`Pulling image for platform service: ${options.image}`);
       await this.pullImage(options.image);
 
-      // Check if container already exists
-      const existingContainers = await this.dockerClient!.listContainers();
+      // Check running and stopped containers; stopped platform containers still reserve names.
+      const existingContainersResponse = await this.dockerClient!.request('GET', '/containers/json?all=true', {});
+      const existingContainers = Array.isArray(existingContainersResponse.body) ? existingContainersResponse.body : [];
       const existing = existingContainers.find((c: any) =>
         c.Names?.some((n: string) => n === `/${options.name}` || n === options.name)
       );
@@ -1011,7 +1036,23 @@ export class OneboxDockerManager {
     callback: (line: string, isError: boolean) => void
   ): Promise<void> {
     try {
-      const container = await this.dockerClient!.getContainerById(containerID);
+      let container: any = null;
+      try {
+        container = await this.dockerClient!.getContainerById(containerID);
+      } catch {
+        // Not a direct container ID — try Swarm service lookup
+      }
+
+      if (!container) {
+        const serviceContainerId = await this.getContainerIdForService(containerID);
+        if (serviceContainerId) {
+          try {
+            container = await this.dockerClient!.getContainerById(serviceContainerId);
+          } catch {
+            // Service container also not found
+          }
+        }
+      }
 
       if (!container) {
         throw new Error(`Container not found: ${containerID}`);

ts/classes/encryption.ts

@@ -97,7 +97,11 @@ export class CredentialEncryption {
    */
   async encrypt(data: Record<string, string>): Promise<string> {
     if (!this.key) {
-      throw new Error('Encryption not initialized. Call init() first.');
+      await this.init();
+    }
+    const key = this.key;
+    if (!key) {
+      throw new Error('Encryption key initialization failed.');
     }
 
     const iv = crypto.getRandomValues(new Uint8Array(this.ivLength));
@@ -105,7 +109,7 @@ export class CredentialEncryption {
 
     const ciphertext = await crypto.subtle.encrypt(
       { name: this.algorithm, iv },
-      this.key,
+      key,
       encoded
     );
 
@@ -120,9 +124,15 @@ export class CredentialEncryption {
   /**
    * Decrypt a base64 string back to credentials object
    */
-  async decrypt(encrypted: string): Promise<Record<string, string>> {
+  async decrypt<T extends Record<string, string> = Record<string, string>>(
+    encrypted: string,
+  ): Promise<T> {
     if (!this.key) {
-      throw new Error('Encryption not initialized. Call init() first.');
+      await this.init();
+    }
+    const key = this.key;
+    if (!key) {
+      throw new Error('Encryption key initialization failed.');
     }
 
     const combined = this.base64ToBytes(encrypted);
@@ -133,12 +143,12 @@ export class CredentialEncryption {
 
     const decrypted = await crypto.subtle.decrypt(
       { name: this.algorithm, iv },
-      this.key,
+      key,
       ciphertext
     );
 
     const decoded = new TextDecoder().decode(decrypted);
-    return JSON.parse(decoded);
+    return JSON.parse(decoded) as T;
   }
 
   /**

ts/classes/external-gateway.ts

@@ -0,0 +1,352 @@
+import * as plugins from '../plugins.ts';
+import { logger } from '../logging.ts';
+import { getErrorMessage } from '../utils/error.ts';
+import { OneboxDatabase } from './database.ts';
+import type { IDomain, IService } from '../types.ts';
+
+type TWorkHosterType = 'onebox';
+
+interface IExternalGatewayConfig {
+  url: string;
+  apiToken: string;
+  workHosterId: string;
+  targetHost?: string;
+  targetPort?: number;
+}
+
+interface IWorkHosterDomain {
+  name: string;
+  capabilities?: {
+    canCreateSubdomains: boolean;
+    canManageDnsRecords: boolean;
+    canIssueCertificates: boolean;
+    canHostEmail: boolean;
+  };
+}
+
+interface IWorkAppRouteOwnership {
+  workHosterType: TWorkHosterType;
+  workHosterId: string;
+  workAppId: string;
+  hostname: string;
+}
+
+interface IWorkAppRouteSyncResult {
+  success: boolean;
+  action?: 'created' | 'updated' | 'deleted' | 'unchanged';
+  routeId?: string;
+  message?: string;
+}
+
+interface IDcRouterCertificateExport {
+  success: boolean;
+  cert?: {
+    id: string;
+    domainName: string;
+    created: number;
+    validUntil: number;
+    privateKey: string;
+    publicKey: string;
+    csr: string;
+  };
+  message?: string;
+}
+
+interface IDcRouterRouteConfig {
+  name: string;
+  match: {
+    ports: number[];
+    domains: string[];
+  };
+  action: {
+    type: 'forward';
+    targets: Array<{ host: string; port: number }>;
+    tls: {
+      mode: 'terminate';
+      certificate: 'auto';
+    };
+    websocket: {
+      enabled: boolean;
+    };
+  };
+}
+
+export class ExternalGatewayManager {
+  private database: OneboxDatabase;
+
+  constructor(private oneboxRef: any) {
+    this.database = oneboxRef.database;
+  }
+
+  public async init(): Promise<void> {
+    if (!(await this.isConfigured())) {
+      logger.info('External dcrouter gateway not configured');
+      return;
+    }
+
+    await this.syncDomains();
+  }
+
+  public async isConfigured(): Promise<boolean> {
+    const config = await this.getConfig({ requireTarget: false });
+    return Boolean(config);
+  }
+
+  public async syncDomains(): Promise<IDomain[]> {
+    const config = await this.requireConfig({ requireTarget: false });
+    const response = await this.fireDcRouterRequest<{ domains: IWorkHosterDomain[] }>(
+      'getWorkHosterDomains',
+      {},
+      config,
+    );
+
+    const activeDomainNames = new Set<string>();
+    const now = Date.now();
+
+    for (const gatewayDomain of response.domains) {
+      const domainName = gatewayDomain.name.trim().toLowerCase();
+      if (!domainName) continue;
+
+      activeDomainNames.add(domainName);
+      const existingDomain = this.database.getDomainByName(domainName);
+      const defaultWildcard = gatewayDomain.capabilities?.canIssueCertificates !== false;
+
+      if (existingDomain) {
+        this.database.updateDomain(existingDomain.id!, {
+          dnsProvider: 'dcrouter',
+          isObsolete: false,
+          defaultWildcard,
+          updatedAt: now,
+        });
+      } else {
+        this.database.createDomain({
+          domain: domainName,
+          dnsProvider: 'dcrouter',
+          isObsolete: false,
+          defaultWildcard,
+          createdAt: now,
+          updatedAt: now,
+        });
+      }
+    }
+
+    for (const domain of this.database.getDomainsByProvider('dcrouter')) {
+      if (!activeDomainNames.has(domain.domain)) {
+        this.database.updateDomain(domain.id!, {
+          isObsolete: true,
+          updatedAt: now,
+        });
+      }
+    }
+
+    logger.success(`Synced ${activeDomainNames.size} domain(s) from external dcrouter gateway`);
+    return this.database.getDomainsByProvider('dcrouter');
+  }
+
+  public async syncServiceRoute(service: IService): Promise<void> {
+    if (!service.domain) return;
+
+    const config = await this.getConfig({ requireTarget: true });
+    if (!config) return;
+
+    const result = await this.fireDcRouterRequest<IWorkAppRouteSyncResult>(
+      'syncWorkAppRoute',
+      {
+        ownership: this.buildOwnership(service, service.domain, config),
+        route: this.buildRoute(service, config),
+        enabled: service.status === 'running',
+      },
+      config,
+    );
+
+    if (!result.success) {
+      throw new Error(result.message || `dcrouter route sync failed for ${service.domain}`);
+    }
+
+    logger.success(`External gateway route ${result.action || 'synced'} for ${service.domain}`);
+    await this.importCertificateForDomain(service.domain).catch((error) => {
+      logger.debug(`External gateway certificate import skipped for ${service.domain}: ${getErrorMessage(error)}`);
+    });
+  }
+
+  public async deleteServiceRoute(service: Pick<IService, 'id' | 'name' | 'domain'>): Promise<void> {
+    if (!service.domain) return;
+
+    const config = await this.getConfig({ requireTarget: false });
+    if (!config) return;
+
+    const result = await this.fireDcRouterRequest<IWorkAppRouteSyncResult>(
+      'syncWorkAppRoute',
+      {
+        ownership: this.buildOwnership(service, service.domain, config),
+        delete: true,
+      },
+      config,
+    );
+
+    if (!result.success) {
+      throw new Error(result.message || `dcrouter route delete failed for ${service.domain}`);
+    }
+
+    logger.info(`External gateway route ${result.action || 'deleted'} for ${service.domain}`);
+  }
+
+  public async importCertificateForDomain(domain: string): Promise<boolean> {
+    const config = await this.getConfig({ requireTarget: false });
+    if (!config) return false;
+
+    const result = await this.fireDcRouterRequest<IDcRouterCertificateExport>(
+      'exportCertificate',
+      { domain },
+      config,
+    );
+
+    if (!result.success || !result.cert) {
+      return false;
+    }
+
+    const now = Date.now();
+    const existingCertificate = this.database.getSSLCertificate(domain);
+    if (existingCertificate) {
+      this.database.updateSSLCertificate(domain, {
+        certPem: result.cert.publicKey,
+        keyPem: result.cert.privateKey,
+        fullchainPem: result.cert.publicKey,
+        expiryDate: result.cert.validUntil,
+        updatedAt: now,
+      });
+    } else {
+      await this.database.createSSLCertificate({
+        domain,
+        certPem: result.cert.publicKey,
+        keyPem: result.cert.privateKey,
+        fullchainPem: result.cert.publicKey,
+        expiryDate: result.cert.validUntil,
+        issuer: 'dcrouter',
+        createdAt: now,
+        updatedAt: now,
+      });
+    }
+
+    await this.oneboxRef.reverseProxy.reloadCertificates();
+    logger.success(`Imported external gateway certificate for ${domain}`);
+    return true;
+  }
+
+  private async getConfig(options: { requireTarget?: boolean } = {}): Promise<IExternalGatewayConfig | null> {
+    const url = this.normalizeUrl(this.database.getSetting('dcrouterGatewayUrl') || '');
+    const apiToken = await this.database.getSecretSetting('dcrouterGatewayApiToken');
+    if (!url || !apiToken) {
+      return null;
+    }
+
+    const config: IExternalGatewayConfig = {
+      url,
+      apiToken,
+      workHosterId: this.ensureWorkHosterId(),
+    };
+
+    if (options.requireTarget !== false) {
+      config.targetHost = this.database.getSetting('dcrouterTargetHost')
+        || this.database.getSetting('serverIP')
+        || undefined;
+      const targetPort = this.parsePort(
+        this.database.getSetting('dcrouterTargetPort')
+          || this.database.getSetting('httpPort')
+          || '80',
+      );
+      config.targetPort = targetPort;
+
+      if (!config.targetHost) {
+        throw new Error('dcrouterTargetHost or serverIP must be configured for external gateway route sync');
+      }
+    }
+
+    return config;
+  }
+
+  private async requireConfig(options: { requireTarget?: boolean } = {}): Promise<IExternalGatewayConfig> {
+    const config = await this.getConfig(options);
+    if (!config) {
+      throw new Error('External dcrouter gateway is not configured');
+    }
+    return config;
+  }
+
+  private normalizeUrl(url: string): string {
+    const trimmedUrl = url.trim().replace(/\/+$/, '');
+    if (!trimmedUrl) return '';
+    if (/^https?:\/\//.test(trimmedUrl)) return trimmedUrl;
+    return `https://${trimmedUrl}`;
+  }
+
+  private parsePort(portValue: string): number {
+    const port = Number(portValue);
+    if (!Number.isInteger(port) || port < 1 || port > 65535) {
+      throw new Error(`Invalid dcrouter target port: ${portValue}`);
+    }
+    return port;
+  }
+
+  private ensureWorkHosterId(): string {
+    let workHosterId = this.database.getSetting('dcrouterWorkHosterId');
+    if (!workHosterId) {
+      workHosterId = crypto.randomUUID();
+      this.database.setSetting('dcrouterWorkHosterId', workHosterId);
+    }
+    return workHosterId;
+  }
+
+  private buildOwnership(
+    service: Pick<IService, 'id' | 'name'>,
+    hostname: string,
+    config: IExternalGatewayConfig,
+  ): IWorkAppRouteOwnership {
+    return {
+      workHosterType: 'onebox',
+      workHosterId: config.workHosterId,
+      workAppId: service.name || `service-${service.id}`,
+      hostname,
+    };
+  }
+
+  private buildRoute(service: IService, config: IExternalGatewayConfig): IDcRouterRouteConfig {
+    return {
+      name: this.routeName(service.domain!),
+      match: {
+        ports: [443],
+        domains: [service.domain!],
+      },
+      action: {
+        type: 'forward',
+        targets: [{ host: config.targetHost!, port: config.targetPort! }],
+        tls: {
+          mode: 'terminate',
+          certificate: 'auto',
+        },
+        websocket: {
+          enabled: true,
+        },
+      },
+    };
+  }
+
+  private routeName(domain: string): string {
+    return `onebox-${domain.replace(/[^a-zA-Z0-9]+/g, '-').replace(/^-|-$/g, '')}`;
+  }
+
+  private async fireDcRouterRequest<TResponse>(
+    method: string,
+    requestData: Record<string, unknown>,
+    config: IExternalGatewayConfig,
+  ): Promise<TResponse> {
+    const typedRequest = new plugins.typedrequest.TypedRequest<any>(
+      `${config.url}/typedrequest`,
+      method,
+    );
+    return await typedRequest.fire({
+      ...requestData,
+      apiToken: config.apiToken,
+    }) as TResponse;
+  }
+}

ts/classes/onebox.ts

@@ -6,6 +6,7 @@
 
 import { logger } from '../logging.ts';
 import { getErrorMessage } from '../utils/error.ts';
+import { hashPassword } from '../utils/auth.ts';
 import { OneboxDatabase } from './database.ts';
 import { OneboxDockerManager } from './docker.ts';
 import { OneboxServicesManager } from './services.ts';
@@ -14,14 +15,16 @@ import { OneboxReverseProxy } from './reverseproxy.ts';
 import { OneboxDnsManager } from './dns.ts';
 import { OneboxSslManager } from './ssl.ts';
 import { OneboxDaemon } from './daemon.ts';
-import { OneboxHttpServer } from './httpserver.ts';
+import { OneboxSystemd } from './systemd.ts';
 import { CloudflareDomainSync } from './cloudflare-sync.ts';
 import { CertRequirementManager } from './cert-requirement-manager.ts';
 import { RegistryManager } from './registry.ts';
 import { PlatformServicesManager } from './platform-services/index.ts';
-import { CaddyLogReceiver } from './caddy-log-receiver.ts';
+import { AppStoreManager } from './appstore.ts';
+import { ProxyLogReceiver } from './proxy-log-receiver.ts';
 import { BackupManager } from './backup-manager.ts';
 import { BackupScheduler } from './backup-scheduler.ts';
+import { ExternalGatewayManager } from './external-gateway.ts';
 import { OpsServer } from '../opsserver/index.ts';
 
 export class Onebox {
@@ -33,14 +36,16 @@ export class Onebox {
   public dns: OneboxDnsManager;
   public ssl: OneboxSslManager;
   public daemon: OneboxDaemon;
-  public httpServer: OneboxHttpServer;
+  public systemd: OneboxSystemd;
   public cloudflareDomainSync: CloudflareDomainSync;
   public certRequirementManager: CertRequirementManager;
   public registry: RegistryManager;
   public platformServices: PlatformServicesManager;
-  public caddyLogReceiver: CaddyLogReceiver;
+  public appStore: AppStoreManager;
+  public proxyLogReceiver: ProxyLogReceiver;
   public backupManager: BackupManager;
   public backupScheduler: BackupScheduler;
+  public externalGateway: ExternalGatewayManager;
   public opsServer: OpsServer;
 
   private initialized = false;
@@ -57,7 +62,7 @@ export class Onebox {
     this.dns = new OneboxDnsManager(this);
     this.ssl = new OneboxSslManager(this);
     this.daemon = new OneboxDaemon(this);
-    this.httpServer = new OneboxHttpServer(this);
+    this.systemd = new OneboxSystemd();
     this.registry = new RegistryManager({
       dataDir: './.nogit/registry-data',
       port: 4000,
@@ -71,8 +76,11 @@ export class Onebox {
     // Initialize platform services manager
     this.platformServices = new PlatformServicesManager(this);
 
-    // Initialize Caddy log receiver
-    this.caddyLogReceiver = new CaddyLogReceiver(9999);
+    // Initialize App Store manager
+    this.appStore = new AppStoreManager(this);
+
+    // Initialize reverse proxy log receiver
+    this.proxyLogReceiver = new ProxyLogReceiver(9999);
 
     // Initialize Backup manager
     this.backupManager = new BackupManager(this);
@@ -80,6 +88,9 @@ export class Onebox {
     // Initialize Backup scheduler
     this.backupScheduler = new BackupScheduler(this);
 
+    // Initialize optional dcrouter edge gateway integration
+    this.externalGateway = new ExternalGatewayManager(this);
+
     // Initialize OpsServer (TypedRequest-based server)
     this.opsServer = new OpsServer(this);
   }
@@ -100,11 +111,11 @@ export class Onebox {
       // Initialize Docker
       await this.docker.init();
 
-      // Start Caddy log receiver BEFORE reverse proxy (so Caddy can connect to it)
+      // Start proxy log receiver before reverse proxy startup.
       try {
-        await this.caddyLogReceiver.start();
+        await this.proxyLogReceiver.start();
       } catch (error) {
-        logger.warn(`Failed to start Caddy log receiver: ${getErrorMessage(error)}`);
+        logger.warn(`Failed to start proxy log receiver: ${getErrorMessage(error)}`);
       }
 
       // Initialize Reverse Proxy
@@ -154,6 +165,14 @@ export class Onebox {
         logger.warn('Cloudflare domain sync initialization failed - domain sync will be limited');
       }
 
+      // Initialize external dcrouter gateway (non-critical)
+      try {
+        await this.externalGateway.init();
+      } catch (error) {
+        logger.warn('External dcrouter gateway initialization failed - edge sync will be disabled');
+        logger.warn(`Error: ${getErrorMessage(error)}`);
+      }
+
       // Initialize Onebox Registry (non-critical)
       try {
         await this.registry.init();
@@ -170,12 +189,28 @@ export class Onebox {
         logger.warn(`Error: ${getErrorMessage(error)}`);
       }
 
+      // Initialize App Store (non-critical)
+      try {
+        await this.appStore.init();
+      } catch (error) {
+        logger.warn('App Store initialization failed - app templates will be unavailable until reconnected');
+        logger.warn(`Error: ${getErrorMessage(error)}`);
+      }
+
       // Login to all registries
       await this.registries.loginToAllRegistries();
 
       // Start auto-update monitoring for registry services
       this.services.startAutoUpdateMonitoring();
 
+      // Initialize BackupManager (containerarchive repository, non-critical)
+      try {
+        await this.backupManager.init();
+      } catch (error) {
+        logger.warn('BackupManager initialization failed - backups will be limited');
+        logger.warn(`Error: ${getErrorMessage(error)}`);
+      }
+
       // Initialize Backup Scheduler (non-critical)
       try {
         await this.backupScheduler.init();
@@ -202,8 +237,7 @@ export class Onebox {
       if (!adminUser) {
         logger.info('Creating default admin user...');
 
-        // Simple base64 encoding for now - should use bcrypt in production
-        const passwordHash = btoa('admin');
+        const passwordHash = await hashPassword('admin');
 
         await this.database.createUser({
           username: 'admin',
@@ -247,9 +281,9 @@ export class Onebox {
       const providers = this.platformServices.getAllProviders();
       const platformServicesStatus = providers.map((provider) => {
         const service = platformServices.find((s) => s.type === provider.type);
-        // For Caddy, check actual runtime status since it starts without a DB record
+        // For SmartProxy, check actual runtime status since it starts without a DB record
         let status = service?.status || 'not-deployed';
-        if (provider.type === 'caddy') {
+        if (provider.type === 'smartproxy') {
           status = proxyStatus.http.running ? 'running' : 'stopped';
         }
         // Count resources for this platform service
@@ -288,10 +322,65 @@ export class Onebox {
       // Sort expiring domains by days remaining (ascending)
       expiringDomains.sort((a, b) => a.daysRemaining - b.daysRemaining);
 
+      // Aggregate resource usage across all running service containers
+      let totalCpu = 0;
+      let totalMemoryUsed = 0;
+      let totalMemoryLimit = 0;
+      let totalNetworkIn = 0;
+      let totalNetworkOut = 0;
+
+      if (dockerRunning) {
+        const allServices = this.services.listServices();
+        const runningUserServices = allServices.filter((s) => s.status === 'running' && s.containerID);
+        logger.debug(`Resource stats: ${runningUserServices.length} running user services`);
+
+        const statsPromises = runningUserServices
+          .map((s) => {
+            logger.debug(`Fetching stats for user service: ${s.name} (${s.containerID})`);
+            return this.docker.getContainerStats(s.containerID!).catch((err) => {
+              logger.debug(`Stats failed for ${s.name}: ${(err as Error).message}`);
+              return null;
+            });
+          });
+
+        // Also get stats for platform service containers
+        const allPlatformServices = this.platformServices.getAllPlatformServices();
+        const runningPlatformServices = allPlatformServices.filter((s) => s.status === 'running' && s.containerId);
+        logger.debug(`Resource stats: ${runningPlatformServices.length} running platform services`);
+
+        const platformStatsPromises = runningPlatformServices
+          .map((s) => {
+            logger.debug(`Fetching stats for platform service: ${s.type} (${s.containerId})`);
+            return this.docker.getContainerStats(s.containerId!).catch((err) => {
+              logger.debug(`Stats failed for ${s.type}: ${(err as Error).message}`);
+              return null;
+            });
+          });
+
+        const allStats = await Promise.all([...statsPromises, ...platformStatsPromises]);
+        let successCount = 0;
+        for (const stats of allStats) {
+          if (stats) {
+            successCount++;
+            totalCpu += stats.cpuPercent;
+            totalMemoryUsed += stats.memoryUsed;
+            totalMemoryLimit = Math.max(totalMemoryLimit, stats.memoryLimit);
+            totalNetworkIn += stats.networkRx;
+            totalNetworkOut += stats.networkTx;
+          }
+        }
+        logger.debug(`Resource stats: ${successCount}/${allStats.length} containers returned stats. CPU: ${totalCpu}, Mem: ${totalMemoryUsed}`);
+      }
+
       return {
         docker: {
           running: dockerRunning,
           version: dockerRunning ? await this.docker.getDockerVersion() : null,
+          cpuUsage: Math.round(totalCpu * 10) / 10,
+          memoryUsage: totalMemoryUsed,
+          memoryTotal: totalMemoryLimit,
+          networkIn: totalNetworkIn,
+          networkOut: totalNetworkOut,
         },
         reverseProxy: proxyStatus,
         dns: {
@@ -320,20 +409,6 @@ export class Onebox {
     }
   }
 
-  /**
-   * Start daemon mode
-   */
-  async startDaemon(): Promise<void> {
-    await this.daemon.start();
-  }
-
-  /**
-   * Stop daemon mode
-   */
-  async stopDaemon(): Promise<void> {
-    await this.daemon.stop();
-  }
-
   /**
    * Start OpsServer (TypedRequest-based, serves new UI)
    */
@@ -355,6 +430,9 @@ export class Onebox {
     try {
       logger.info('Shutting down Onebox...');
 
+      // Stop auto-update monitoring
+      this.services.stopAutoUpdateMonitoring();
+
       // Stop backup scheduler
       await this.backupScheduler.stop();
 
@@ -367,8 +445,14 @@ export class Onebox {
       // Stop reverse proxy if running
       await this.reverseProxy.stop();
 
-      // Stop Caddy log receiver
-      await this.caddyLogReceiver.stop();
+      // Stop proxy log receiver
+      await this.proxyLogReceiver.stop();
+
+      // Stop built-in registry and backing smartstorage server
+      await this.registry.stop();
+
+      // Close backup archive
+      await this.backupManager.close();
 
       // Close database
       this.database.close();

ts/classes/platform-services/index.ts

@@ -8,3 +8,6 @@ export type { IPlatformServiceProvider } from './providers/base.ts';
 export { BasePlatformServiceProvider } from './providers/base.ts';
 export { MongoDBProvider } from './providers/mongodb.ts';
 export { MinioProvider } from './providers/minio.ts';
+export { ClickHouseProvider } from './providers/clickhouse.ts';
+export { MariaDBProvider } from './providers/mariadb.ts';
+export { RedisProvider } from './providers/redis.ts';

ts/classes/platform-services/manager.ts

@@ -14,8 +14,10 @@ import type {
 import type { IPlatformServiceProvider } from './providers/base.ts';
 import { MongoDBProvider } from './providers/mongodb.ts';
 import { MinioProvider } from './providers/minio.ts';
-import { CaddyProvider } from './providers/caddy.ts';
+import { SmartProxyProvider } from './providers/smartproxy.ts';
 import { ClickHouseProvider } from './providers/clickhouse.ts';
+import { MariaDBProvider } from './providers/mariadb.ts';
+import { RedisProvider } from './providers/redis.ts';
 import { logger } from '../../logging.ts';
 import { getErrorMessage } from '../../utils/error.ts';
 import { credentialEncryption } from '../encryption.ts';
@@ -39,8 +41,10 @@ export class PlatformServicesManager {
     // Register providers
     this.registerProvider(new MongoDBProvider(this.oneboxRef));
     this.registerProvider(new MinioProvider(this.oneboxRef));
-    this.registerProvider(new CaddyProvider(this.oneboxRef));
+    this.registerProvider(new SmartProxyProvider(this.oneboxRef));
     this.registerProvider(new ClickHouseProvider(this.oneboxRef));
+    this.registerProvider(new MariaDBProvider(this.oneboxRef));
+    this.registerProvider(new RedisProvider(this.oneboxRef));
 
     logger.info(`Platform services manager initialized with ${this.providers.size} providers`);
   }
@@ -304,6 +308,60 @@ export class PlatformServicesManager {
       logger.success(`ClickHouse provisioned for service '${service.name}'`);
     }
 
+    // Provision Redis if requested
+    if (requirements.redis) {
+      logger.info(`Provisioning Redis for service '${service.name}'...`);
+
+      // Ensure Redis is running
+      const redisService = await this.ensureRunning('redis');
+      const provider = this.providers.get('redis')!;
+
+      // Provision cache resource
+      const result = await provider.provisionResource(service);
+
+      // Store resource record
+      const encryptedCreds = await credentialEncryption.encrypt(result.credentials);
+      this.oneboxRef.database.createPlatformResource({
+        platformServiceId: redisService.id!,
+        serviceId: service.id!,
+        resourceType: result.type,
+        resourceName: result.name,
+        credentialsEncrypted: encryptedCreds,
+        createdAt: Date.now(),
+      });
+
+      // Merge env vars
+      Object.assign(allEnvVars, result.envVars);
+      logger.success(`Redis provisioned for service '${service.name}'`);
+    }
+
+    // Provision MariaDB if requested
+    if (requirements.mariadb) {
+      logger.info(`Provisioning MariaDB for service '${service.name}'...`);
+
+      // Ensure MariaDB is running
+      const mariadbService = await this.ensureRunning('mariadb');
+      const provider = this.providers.get('mariadb')!;
+
+      // Provision database
+      const result = await provider.provisionResource(service);
+
+      // Store resource record
+      const encryptedCreds = await credentialEncryption.encrypt(result.credentials);
+      this.oneboxRef.database.createPlatformResource({
+        platformServiceId: mariadbService.id!,
+        serviceId: service.id!,
+        resourceType: result.type,
+        resourceName: result.name,
+        credentialsEncrypted: encryptedCreds,
+        createdAt: Date.now(),
+      });
+
+      // Merge env vars
+      Object.assign(allEnvVars, result.envVars);
+      logger.success(`MariaDB provisioned for service '${service.name}'`);
+    }
+
     return allEnvVars;
   }
 

ts/classes/platform-services/providers/base.ts

@@ -103,6 +103,17 @@ export abstract class BasePlatformServiceProvider implements IPlatformServicePro
     return `onebox-${this.type}`;
   }
 
+  /**
+   * Get the host data directory for a platform service.
+   */
+  protected getPlatformDataDir(serviceDirectoryArg: string): string {
+    const configuredDataDir = this.oneboxRef.database.getSetting('dataDir');
+    const baseDataDir = configuredDataDir ||
+      (Deno.env.get('ONEBOX_DEV') === 'true' ? './.nogit/platform-data' : '/var/lib/onebox');
+    const absoluteBaseDataDir = baseDataDir.startsWith('/') ? baseDataDir : `${Deno.cwd()}/${baseDataDir}`;
+    return `${absoluteBaseDataDir.replace(/\/+$/, '')}/${serviceDirectoryArg}`;
+  }
+
   /**
    * Generate a resource name from a user service name
    */

ts/classes/platform-services/providers/caddy.ts

@@ -1,110 +0,0 @@
-/**
- * Caddy Platform Service Provider
- *
- * Caddy is a core infrastructure service that provides reverse proxy functionality.
- * Unlike other platform services:
- * - It doesn't provision resources for user services
- * - It's started automatically by Onebox and cannot be stopped by users
- * - It delegates to the existing CaddyManager for actual operations
- */
-
-import { BasePlatformServiceProvider } from './base.ts';
-import type {
-  IService,
-  IPlatformResource,
-  IPlatformServiceConfig,
-  IProvisionedResource,
-  IEnvVarMapping,
-  TPlatformServiceType,
-  TPlatformResourceType,
-} from '../../../types.ts';
-import { logger } from '../../../logging.ts';
-import type { Onebox } from '../../onebox.ts';
-
-export class CaddyProvider extends BasePlatformServiceProvider {
-  readonly type: TPlatformServiceType = 'caddy';
-  readonly displayName = 'Caddy Reverse Proxy';
-  readonly resourceTypes: TPlatformResourceType[] = []; // Caddy doesn't provision resources
-  readonly isCore = true; // Core infrastructure - cannot be stopped by users
-
-  constructor(oneboxRef: Onebox) {
-    super(oneboxRef);
-  }
-
-  getDefaultConfig(): IPlatformServiceConfig {
-    return {
-      image: 'caddy:2-alpine',
-      port: 80,
-      volumes: [],
-      environment: {},
-    };
-  }
-
-  getEnvVarMappings(): IEnvVarMapping[] {
-    // Caddy doesn't inject any env vars into user services
-    return [];
-  }
-
-  /**
-   * Deploy Caddy container - delegates to CaddyManager via reverseProxy
-   */
-  async deployContainer(): Promise<string> {
-    logger.info('Starting Caddy via reverse proxy manager...');
-
-    // Get the reverse proxy which manages Caddy
-    const reverseProxy = this.oneboxRef.reverseProxy;
-
-    // Start reverse proxy (which starts Caddy)
-    await reverseProxy.startHttp();
-
-    // Get Caddy status to find container ID
-    const status = reverseProxy.getStatus();
-
-    // Update platform service record
-    const platformService = this.oneboxRef.database.getPlatformServiceByType(this.type);
-    if (platformService) {
-      this.oneboxRef.database.updatePlatformService(platformService.id!, {
-        status: 'running',
-        containerId: 'onebox-caddy', // Service name for Swarm services
-      });
-    }
-
-    logger.success('Caddy platform service started');
-    return 'onebox-caddy';
-  }
-
-  /**
-   * Stop Caddy container - NOT ALLOWED for core infrastructure
-   */
-  async stopContainer(_containerId: string): Promise<void> {
-    throw new Error('Caddy is a core infrastructure service and cannot be stopped');
-  }
-
-  /**
-   * Check if Caddy is healthy via the reverse proxy
-   */
-  async healthCheck(): Promise<boolean> {
-    try {
-      const reverseProxy = this.oneboxRef.reverseProxy;
-      const status = reverseProxy.getStatus();
-      return status.http.running;
-    } catch (error) {
-      logger.debug(`Caddy health check failed: ${error}`);
-      return false;
-    }
-  }
-
-  /**
-   * Caddy doesn't provision resources for user services
-   */
-  async provisionResource(_userService: IService): Promise<IProvisionedResource> {
-    throw new Error('Caddy does not provision resources for user services');
-  }
-
-  /**
-   * Caddy doesn't deprovision resources
-   */
-  async deprovisionResource(_resource: IPlatformResource, _credentials: Record<string, string>): Promise<void> {
-    throw new Error('Caddy does not manage resources for user services');
-  }
-}

ts/classes/platform-services/providers/clickhouse.ts

@@ -30,7 +30,7 @@ export class ClickHouseProvider extends BasePlatformServiceProvider {
     return {
       image: 'clickhouse/clickhouse-server:latest',
       port: 8123, // HTTP interface
-      volumes: ['/var/lib/onebox/clickhouse:/var/lib/clickhouse'],
+      volumes: [`${this.getPlatformDataDir('clickhouse')}:/var/lib/clickhouse`],
       environment: {
         CLICKHOUSE_DB: 'default',
         // Password will be generated and stored encrypted
@@ -53,7 +53,7 @@ export class ClickHouseProvider extends BasePlatformServiceProvider {
   async deployContainer(): Promise<string> {
     const config = this.getDefaultConfig();
     const containerName = this.getContainerName();
-    const dataDir = '/var/lib/onebox/clickhouse';
+    const dataDir = this.getPlatformDataDir('clickhouse');
 
     logger.info(`Deploying ClickHouse platform service as ${containerName}...`);
 
@@ -76,7 +76,9 @@ export class ClickHouseProvider extends BasePlatformServiceProvider {
     if (dataExists && platformService?.adminCredentialsEncrypted) {
       // Reuse existing credentials from database
       logger.info('Reusing existing ClickHouse credentials (data directory already initialized)');
-      adminCredentials = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
+      adminCredentials = await credentialEncryption.decrypt<{ username: string; password: string }>(
+        platformService.adminCredentialsEncrypted,
+      );
     } else {
       // Generate new credentials for fresh deployment
       logger.info('Generating new ClickHouse admin credentials');
@@ -191,15 +193,11 @@ export class ClickHouseProvider extends BasePlatformServiceProvider {
       throw new Error('ClickHouse platform service not found or not configured');
     }
 
-    const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
+    const adminCreds = await credentialEncryption.decrypt<{ username: string; password: string }>(
+      platformService.adminCredentialsEncrypted,
+    );
     const containerName = this.getContainerName();
 
-    // Get container host port for connection from host (overlay network IPs not accessible from host)
-    const hostPort = await this.oneboxRef.docker.getContainerHostPort(platformService.containerId, 8123);
-    if (!hostPort) {
-      throw new Error('Could not get ClickHouse container host port');
-    }
-
     // Generate resource names and credentials
     const dbName = this.generateResourceName(userService.name);
     const username = this.generateResourceName(userService.name);
@@ -207,35 +205,16 @@ export class ClickHouseProvider extends BasePlatformServiceProvider {
 
     logger.info(`Provisioning ClickHouse database '${dbName}' for service '${userService.name}'...`);
 
-    // Connect to ClickHouse via localhost and the mapped host port
-    const baseUrl = `http://127.0.0.1:${hostPort}`;
+    // Use docker exec to provision inside the container (avoids host port mapping issues)
+    const queries = [
+      `CREATE DATABASE IF NOT EXISTS ${dbName}`,
+      `CREATE USER IF NOT EXISTS ${username} IDENTIFIED BY '${password}'`,
+      `GRANT ALL ON ${dbName}.* TO ${username}`,
+    ];
 
-    // Create database
-    await this.executeQuery(
-      baseUrl,
-      adminCreds.username,
-      adminCreds.password,
-      `CREATE DATABASE IF NOT EXISTS ${dbName}`
-    );
-    logger.info(`Created ClickHouse database '${dbName}'`);
-
-    // Create user with access to this database
-    await this.executeQuery(
-      baseUrl,
-      adminCreds.username,
-      adminCreds.password,
-      `CREATE USER IF NOT EXISTS ${username} IDENTIFIED BY '${password}'`
-    );
-    logger.info(`Created ClickHouse user '${username}'`);
-
-    // Grant permissions on the database
-    await this.executeQuery(
-      baseUrl,
-      adminCreds.username,
-      adminCreds.password,
-      `GRANT ALL ON ${dbName}.* TO ${username}`
-    );
-    logger.info(`Granted permissions to user '${username}' on database '${dbName}'`);
+    for (const query of queries) {
+      await this.execClickHouseQuery(platformService.containerId, adminCreds, query);
+    }
 
     logger.success(`ClickHouse database '${dbName}' provisioned with user '${username}'`);
 
@@ -272,39 +251,15 @@ export class ClickHouseProvider extends BasePlatformServiceProvider {
       throw new Error('ClickHouse platform service not found or not configured');
     }
 
-    const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
-
-    // Get container host port for connection from host (overlay network IPs not accessible from host)
-    const hostPort = await this.oneboxRef.docker.getContainerHostPort(platformService.containerId, 8123);
-    if (!hostPort) {
-      throw new Error('Could not get ClickHouse container host port');
-    }
+    const adminCreds = await credentialEncryption.decrypt<{ username: string; password: string }>(
+      platformService.adminCredentialsEncrypted,
+    );
 
     logger.info(`Deprovisioning ClickHouse database '${resource.resourceName}'...`);
 
-    const baseUrl = `http://127.0.0.1:${hostPort}`;
-
     try {
-      // Drop the user
-      try {
-        await this.executeQuery(
-          baseUrl,
-          adminCreds.username,
-          adminCreds.password,
-          `DROP USER IF EXISTS ${credentials.username}`
-        );
-        logger.info(`Dropped ClickHouse user '${credentials.username}'`);
-      } catch (e) {
-        logger.warn(`Could not drop ClickHouse user: ${getErrorMessage(e)}`);
-      }
-
-      // Drop the database
-      await this.executeQuery(
-        baseUrl,
-        adminCreds.username,
-        adminCreds.password,
-        `DROP DATABASE IF EXISTS ${resource.resourceName}`
-      );
+      await this.execClickHouseQuery(platformService.containerId, adminCreds, `DROP USER IF EXISTS ${credentials.username}`);
+      await this.execClickHouseQuery(platformService.containerId, adminCreds, `DROP DATABASE IF EXISTS ${resource.resourceName}`);
       logger.success(`ClickHouse database '${resource.resourceName}' dropped`);
     } catch (e) {
       logger.error(`Failed to deprovision ClickHouse database: ${getErrorMessage(e)}`);
@@ -313,26 +268,27 @@ export class ClickHouseProvider extends BasePlatformServiceProvider {
   }
 
   /**
-   * Execute a ClickHouse SQL query via HTTP interface
+   * Execute a ClickHouse SQL query via docker exec inside the container
    */
-  private async executeQuery(
-    baseUrl: string,
-    username: string,
-    password: string,
+  private async execClickHouseQuery(
+    containerId: string,
+    adminCreds: { username: string; password: string },
     query: string
   ): Promise<string> {
-    const url = `${baseUrl}/?user=${encodeURIComponent(username)}&password=${encodeURIComponent(password)}`;
+    const result = await this.oneboxRef.docker.execInContainer(
+      containerId,
+      [
+        'clickhouse-client',
+        '--user', adminCreds.username,
+        '--password', adminCreds.password,
+        '--query', query,
+      ]
+    );
 
-    const response = await fetch(url, {
-      method: 'POST',
-      body: query,
-    });
-
-    if (!response.ok) {
-      const errorText = await response.text();
-      throw new Error(`ClickHouse query failed: ${errorText}`);
+    if (result.exitCode !== 0) {
+      throw new Error(`ClickHouse query failed (exit ${result.exitCode}): ${result.stderr.substring(0, 200)}`);
     }
 
-    return await response.text();
+    return result.stdout;
   }
 }

ts/classes/platform-services/providers/mariadb.ts

@@ -0,0 +1,281 @@
+/**
+ * MariaDB Platform Service Provider
+ */
+
+import { BasePlatformServiceProvider } from './base.ts';
+import type {
+  IService,
+  IPlatformResource,
+  IPlatformServiceConfig,
+  IProvisionedResource,
+  IEnvVarMapping,
+  TPlatformServiceType,
+  TPlatformResourceType,
+} from '../../../types.ts';
+import { logger } from '../../../logging.ts';
+import { getErrorMessage } from '../../../utils/error.ts';
+import { credentialEncryption } from '../../encryption.ts';
+import type { Onebox } from '../../onebox.ts';
+
+export class MariaDBProvider extends BasePlatformServiceProvider {
+  readonly type: TPlatformServiceType = 'mariadb';
+  readonly displayName = 'MariaDB';
+  readonly resourceTypes: TPlatformResourceType[] = ['database'];
+
+  constructor(oneboxRef: Onebox) {
+    super(oneboxRef);
+  }
+
+  getDefaultConfig(): IPlatformServiceConfig {
+    return {
+      image: 'mariadb:11',
+      port: 3306,
+      volumes: [`${this.getPlatformDataDir('mariadb')}:/var/lib/mysql`],
+      environment: {
+        MARIADB_ROOT_PASSWORD: '',
+        // Password will be generated and stored encrypted
+      },
+    };
+  }
+
+  getEnvVarMappings(): IEnvVarMapping[] {
+    return [
+      { envVar: 'MARIADB_HOST', credentialPath: 'host' },
+      { envVar: 'MARIADB_PORT', credentialPath: 'port' },
+      { envVar: 'MARIADB_DATABASE', credentialPath: 'database' },
+      { envVar: 'MARIADB_USER', credentialPath: 'username' },
+      { envVar: 'MARIADB_PASSWORD', credentialPath: 'password' },
+      { envVar: 'MARIADB_URI', credentialPath: 'connectionString' },
+    ];
+  }
+
+  async deployContainer(): Promise<string> {
+    const config = this.getDefaultConfig();
+    const containerName = this.getContainerName();
+    const dataDir = this.getPlatformDataDir('mariadb');
+
+    logger.info(`Deploying MariaDB platform service as ${containerName}...`);
+
+    // Check if we have existing data and stored credentials
+    const platformService = this.oneboxRef.database.getPlatformServiceByType(this.type);
+    let adminCredentials: { username: string; password: string };
+    let dataExists = false;
+
+    // Check if data directory has existing MariaDB data
+    try {
+      const stat = await Deno.stat(`${dataDir}/ibdata1`);
+      dataExists = stat.isFile;
+      logger.info(`MariaDB data directory exists with ibdata1 file`);
+    } catch {
+      // ibdata1 file doesn't exist, this is a fresh install
+      dataExists = false;
+    }
+
+    if (dataExists && platformService?.adminCredentialsEncrypted) {
+      // Reuse existing credentials from database
+      logger.info('Reusing existing MariaDB credentials (data directory already initialized)');
+      adminCredentials = await credentialEncryption.decrypt<{ username: string; password: string }>(
+        platformService.adminCredentialsEncrypted,
+      );
+    } else {
+      // Generate new credentials for fresh deployment
+      logger.info('Generating new MariaDB admin credentials');
+      adminCredentials = {
+        username: 'root',
+        password: credentialEncryption.generatePassword(32),
+      };
+
+      // If data exists but we don't have credentials, we need to wipe the data
+      if (dataExists) {
+        logger.warn('MariaDB data exists but no credentials in database - wiping data directory');
+        try {
+          await Deno.remove(dataDir, { recursive: true });
+        } catch (e) {
+          logger.error(`Failed to wipe MariaDB data directory: ${getErrorMessage(e)}`);
+          throw new Error('Cannot deploy MariaDB: data directory exists without credentials');
+        }
+      }
+    }
+
+    // Ensure data directory exists
+    try {
+      await Deno.mkdir(dataDir, { recursive: true });
+    } catch (e) {
+      // Directory might already exist
+      if (!(e instanceof Deno.errors.AlreadyExists)) {
+        logger.warn(`Could not create MariaDB data directory: ${getErrorMessage(e)}`);
+      }
+    }
+
+    // Create container using Docker API
+    const envVars = [
+      `MARIADB_ROOT_PASSWORD=${adminCredentials.password}`,
+    ];
+
+    // Use Docker to create the container
+    const containerId = await this.oneboxRef.docker.createPlatformContainer({
+      name: containerName,
+      image: config.image,
+      port: config.port,
+      env: envVars,
+      volumes: config.volumes,
+      network: this.getNetworkName(),
+    });
+
+    // Store encrypted admin credentials (only update if new or changed)
+    const encryptedCreds = await credentialEncryption.encrypt(adminCredentials);
+    if (platformService) {
+      this.oneboxRef.database.updatePlatformService(platformService.id!, {
+        containerId,
+        adminCredentialsEncrypted: encryptedCreds,
+        status: 'starting',
+      });
+    }
+
+    logger.success(`MariaDB container created: ${containerId}`);
+    return containerId;
+  }
+
+  async stopContainer(containerId: string): Promise<void> {
+    logger.info(`Stopping MariaDB container ${containerId}...`);
+    await this.oneboxRef.docker.stopContainer(containerId);
+    logger.success('MariaDB container stopped');
+  }
+
+  async healthCheck(): Promise<boolean> {
+    try {
+      logger.info('MariaDB health check: starting...');
+      const platformService = this.oneboxRef.database.getPlatformServiceByType(this.type);
+      if (!platformService) {
+        logger.info('MariaDB health check: platform service not found in database');
+        return false;
+      }
+      if (!platformService.adminCredentialsEncrypted) {
+        logger.info('MariaDB health check: no admin credentials stored');
+        return false;
+      }
+      if (!platformService.containerId) {
+        logger.info('MariaDB health check: no container ID in database record');
+        return false;
+      }
+
+      logger.info(`MariaDB health check: using container ID ${platformService.containerId.substring(0, 12)}...`);
+      const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
+
+      // Use docker exec to run health check inside the container
+      const result = await this.oneboxRef.docker.execInContainer(
+        platformService.containerId,
+        ['mariadb-admin', 'ping', '-u', 'root', `-p${adminCreds.password}`]
+      );
+
+      if (result.exitCode === 0) {
+        logger.info('MariaDB health check: success');
+        return true;
+      } else {
+        logger.info(`MariaDB health check failed: exit code ${result.exitCode}, stderr: ${result.stderr.substring(0, 200)}`);
+        return false;
+      }
+    } catch (error) {
+      logger.info(`MariaDB health check exception: ${getErrorMessage(error)}`);
+      return false;
+    }
+  }
+
+  async provisionResource(userService: IService): Promise<IProvisionedResource> {
+    const platformService = this.oneboxRef.database.getPlatformServiceByType(this.type);
+    if (!platformService || !platformService.adminCredentialsEncrypted || !platformService.containerId) {
+      throw new Error('MariaDB platform service not found or not configured');
+    }
+
+    const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
+    const containerName = this.getContainerName();
+
+    // Generate resource names and credentials
+    const dbName = this.generateResourceName(userService.name);
+    const username = this.generateResourceName(userService.name);
+    const password = credentialEncryption.generatePassword(32);
+
+    logger.info(`Provisioning MariaDB database '${dbName}' for service '${userService.name}'...`);
+
+    // Create database and user via mariadb inside the container
+    const sql = [
+      `CREATE DATABASE IF NOT EXISTS \`${dbName}\`;`,
+      `CREATE USER IF NOT EXISTS '${username}'@'%' IDENTIFIED BY '${password.replace(/'/g, "\\'")}';`,
+      `GRANT ALL PRIVILEGES ON \`${dbName}\`.* TO '${username}'@'%';`,
+      `FLUSH PRIVILEGES;`,
+    ].join(' ');
+
+    const result = await this.oneboxRef.docker.execInContainer(
+      platformService.containerId,
+      [
+        'mariadb',
+        '-u', 'root',
+        `-p${adminCreds.password}`,
+        '-e', sql,
+      ]
+    );
+
+    if (result.exitCode !== 0) {
+      throw new Error(`Failed to provision MariaDB database: exit code ${result.exitCode}, output: ${result.stdout.substring(0, 200)} ${result.stderr.substring(0, 200)}`);
+    }
+
+    logger.success(`MariaDB database '${dbName}' provisioned with user '${username}'`);
+
+    // Build the credentials and env vars
+    const credentials: Record<string, string> = {
+      host: containerName,
+      port: '3306',
+      database: dbName,
+      username,
+      password,
+      connectionString: `mysql://${username}:${password}@${containerName}:3306/${dbName}`,
+    };
+
+    // Map credentials to env vars
+    const envVars: Record<string, string> = {};
+    for (const mapping of this.getEnvVarMappings()) {
+      if (credentials[mapping.credentialPath]) {
+        envVars[mapping.envVar] = credentials[mapping.credentialPath];
+      }
+    }
+
+    return {
+      type: 'database',
+      name: dbName,
+      credentials,
+      envVars,
+    };
+  }
+
+  async deprovisionResource(resource: IPlatformResource, credentials: Record<string, string>): Promise<void> {
+    const platformService = this.oneboxRef.database.getPlatformServiceByType(this.type);
+    if (!platformService || !platformService.adminCredentialsEncrypted || !platformService.containerId) {
+      throw new Error('MariaDB platform service not found or not configured');
+    }
+
+    const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
+
+    logger.info(`Deprovisioning MariaDB database '${resource.resourceName}'...`);
+
+    const sql = [
+      `DROP USER IF EXISTS '${credentials.username}'@'%';`,
+      `DROP DATABASE IF EXISTS \`${resource.resourceName}\`;`,
+    ].join(' ');
+
+    const result = await this.oneboxRef.docker.execInContainer(
+      platformService.containerId,
+      [
+        'mariadb',
+        '-u', 'root',
+        `-p${adminCreds.password}`,
+        '-e', sql,
+      ]
+    );
+
+    if (result.exitCode !== 0) {
+      logger.warn(`MariaDB deprovision returned exit code ${result.exitCode}: ${result.stderr.substring(0, 200)}`);
+    }
+
+    logger.success(`MariaDB database '${resource.resourceName}' dropped`);
+  }
+}

ts/classes/platform-services/providers/minio.ts

@@ -30,7 +30,7 @@ export class MinioProvider extends BasePlatformServiceProvider {
     return {
       image: 'minio/minio:latest',
       port: 9000,
-      volumes: ['/var/lib/onebox/minio:/data'],
+      volumes: [`${this.getPlatformDataDir('minio')}:/data`],
       command: 'server /data --console-address :9001',
       environment: {
         MINIO_ROOT_USER: 'admin',
@@ -57,7 +57,7 @@ export class MinioProvider extends BasePlatformServiceProvider {
   async deployContainer(): Promise<string> {
     const config = this.getDefaultConfig();
     const containerName = this.getContainerName();
-    const dataDir = '/var/lib/onebox/minio';
+    const dataDir = this.getPlatformDataDir('minio');
 
     logger.info(`Deploying MinIO platform service as ${containerName}...`);
 
@@ -80,7 +80,9 @@ export class MinioProvider extends BasePlatformServiceProvider {
     if (dataExists && platformService?.adminCredentialsEncrypted) {
       // Reuse existing credentials from database
       logger.info('Reusing existing MinIO credentials (data directory already initialized)');
-      adminCredentials = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
+      adminCredentials = await credentialEncryption.decrypt<{ username: string; password: string }>(
+        platformService.adminCredentialsEncrypted,
+      );
     } else {
       // Generate new credentials for fresh deployment
       logger.info('Generating new MinIO admin credentials');
@@ -196,84 +198,28 @@ export class MinioProvider extends BasePlatformServiceProvider {
     const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
     const containerName = this.getContainerName();
 
-    // Get container host port for connection from host (overlay network IPs not accessible from host)
-    const hostPort = await this.oneboxRef.docker.getContainerHostPort(platformService.containerId, 9000);
-    if (!hostPort) {
-      throw new Error('Could not get MinIO container host port');
-    }
-
-    // Generate bucket name and credentials
+    // Generate bucket name
     const bucketName = this.generateBucketName(userService.name);
-    const accessKey = credentialEncryption.generateAccessKey(20);
-    const secretKey = credentialEncryption.generateSecretKey(40);
 
     logger.info(`Provisioning MinIO bucket '${bucketName}' for service '${userService.name}'...`);
 
-    // Connect to MinIO via localhost and the mapped host port (for provisioning from host)
-    const provisioningEndpoint = `http://127.0.0.1:${hostPort}`;
-
-    // Import AWS S3 client
-    const { S3Client, CreateBucketCommand, PutBucketPolicyCommand } = await import('npm:@aws-sdk/client-s3@3');
-
-    // Create S3 client with admin credentials - connect via host port
-    const s3Client = new S3Client({
-      endpoint: provisioningEndpoint,
-      region: 'us-east-1',
-      credentials: {
-        accessKeyId: adminCreds.username,
-        secretAccessKey: adminCreds.password,
-      },
-      forcePathStyle: true,
-    });
+    // Use docker exec with mc (MinIO Client) inside the container
+    // First configure mc alias for local server
+    await this.execMc(platformService.containerId, [
+      'alias', 'set', 'local', 'http://localhost:9000',
+      adminCreds.username, adminCreds.password,
+    ]);
 
     // Create the bucket
-    try {
-      await s3Client.send(new CreateBucketCommand({
-        Bucket: bucketName,
-      }));
-      logger.info(`Created MinIO bucket '${bucketName}'`);
-    } catch (e: any) {
-      if (e.name !== 'BucketAlreadyOwnedByYou' && e.name !== 'BucketAlreadyExists') {
-        throw e;
-      }
-      logger.warn(`Bucket '${bucketName}' already exists`);
-    }
+    const mbResult = await this.execMc(platformService.containerId, [
+      'mb', '--ignore-existing', `local/${bucketName}`,
+    ]);
+    logger.info(`Created MinIO bucket '${bucketName}'`);
 
-    // Create service account/access key using MinIO Admin API
-    // MinIO Admin API requires mc client or direct API calls
-    // For simplicity, we'll use root credentials and bucket policy isolation
-    // In production, you'd use MinIO's Admin API to create service accounts
-
-    // Set bucket policy to allow access only with this bucket's credentials
-    const bucketPolicy = {
-      Version: '2012-10-17',
-      Statement: [
-        {
-          Effect: 'Allow',
-          Principal: { AWS: ['*'] },
-          Action: ['s3:GetObject', 's3:PutObject', 's3:DeleteObject', 's3:ListBucket'],
-          Resource: [
-            `arn:aws:s3:::${bucketName}`,
-            `arn:aws:s3:::${bucketName}/*`,
-          ],
-        },
-      ],
-    };
-
-    try {
-      await s3Client.send(new PutBucketPolicyCommand({
-        Bucket: bucketName,
-        Policy: JSON.stringify(bucketPolicy),
-      }));
-      logger.info(`Set bucket policy for '${bucketName}'`);
-    } catch (e) {
-      logger.warn(`Could not set bucket policy: ${getErrorMessage(e)}`);
-    }
-
-    // Note: For proper per-service credentials, MinIO Admin API should be used
-    // For now, we're providing the bucket with root access
-    // TODO: Implement MinIO service account creation
-    logger.warn('Using root credentials for MinIO access. Consider implementing service accounts for production.');
+    // Set bucket policy to allow public read/write (services on the same network use root creds)
+    await this.execMc(platformService.containerId, [
+      'anonymous', 'set', 'none', `local/${bucketName}`,
+    ]);
 
     // Use container name for the endpoint in credentials (user services run in same network)
     const serviceEndpoint = `http://${containerName}:9000`;
@@ -281,7 +227,7 @@ export class MinioProvider extends BasePlatformServiceProvider {
     const credentials: Record<string, string> = {
       endpoint: serviceEndpoint,
       bucket: bucketName,
-      accessKey: adminCreds.username, // Using root for now
+      accessKey: adminCreds.username,
       secretKey: adminCreds.password,
       region: 'us-east-1',
     };
@@ -312,57 +258,37 @@ export class MinioProvider extends BasePlatformServiceProvider {
 
     const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
 
-    // Get container host port for connection from host (overlay network IPs not accessible from host)
-    const hostPort = await this.oneboxRef.docker.getContainerHostPort(platformService.containerId, 9000);
-    if (!hostPort) {
-      throw new Error('Could not get MinIO container host port');
-    }
-
     logger.info(`Deprovisioning MinIO bucket '${resource.resourceName}'...`);
 
-    const { S3Client, DeleteBucketCommand, ListObjectsV2Command, DeleteObjectsCommand } = await import('npm:@aws-sdk/client-s3@3');
-
-    const s3Client = new S3Client({
-      endpoint: `http://127.0.0.1:${hostPort}`,
-      region: 'us-east-1',
-      credentials: {
-        accessKeyId: adminCreds.username,
-        secretAccessKey: adminCreds.password,
-      },
-      forcePathStyle: true,
-    });
+    // Configure mc alias
+    await this.execMc(platformService.containerId, [
+      'alias', 'set', 'local', 'http://localhost:9000',
+      adminCreds.username, adminCreds.password,
+    ]);
 
     try {
-      // First, delete all objects in the bucket
-      let continuationToken: string | undefined;
-      do {
-        const listResponse = await s3Client.send(new ListObjectsV2Command({
-          Bucket: resource.resourceName,
-          ContinuationToken: continuationToken,
-        }));
-
-        if (listResponse.Contents && listResponse.Contents.length > 0) {
-          await s3Client.send(new DeleteObjectsCommand({
-            Bucket: resource.resourceName,
-            Delete: {
-              Objects: listResponse.Contents.map(obj => ({ Key: obj.Key! })),
-            },
-          }));
-          logger.info(`Deleted ${listResponse.Contents.length} objects from bucket`);
-        }
-
-        continuationToken = listResponse.IsTruncated ? listResponse.NextContinuationToken : undefined;
-      } while (continuationToken);
-
-      // Now delete the bucket
-      await s3Client.send(new DeleteBucketCommand({
-        Bucket: resource.resourceName,
-      }));
-
+      // Remove all objects and the bucket
+      await this.execMc(platformService.containerId, [
+        'rb', '--force', `local/${resource.resourceName}`,
+      ]);
       logger.success(`MinIO bucket '${resource.resourceName}' deleted`);
     } catch (e) {
       logger.error(`Failed to delete MinIO bucket: ${getErrorMessage(e)}`);
       throw e;
     }
   }
+
+  /**
+   * Execute mc (MinIO Client) command inside the container
+   */
+  private async execMc(
+    containerId: string,
+    args: string[],
+  ): Promise<{ stdout: string; stderr: string }> {
+    const result = await this.oneboxRef.docker.execInContainer(containerId, ['mc', ...args]);
+    if (result.exitCode !== 0) {
+      throw new Error(`mc command failed (exit ${result.exitCode}): ${result.stderr.substring(0, 200)}`);
+    }
+    return result;
+  }
 }

ts/classes/platform-services/providers/mongodb.ts

@@ -28,9 +28,9 @@ export class MongoDBProvider extends BasePlatformServiceProvider {
 
   getDefaultConfig(): IPlatformServiceConfig {
     return {
-      image: 'mongo:7',
+      image: 'mongo:4.4',
       port: 27017,
-      volumes: ['/var/lib/onebox/mongodb:/data/db'],
+      volumes: [`${this.getPlatformDataDir('mongodb')}:/data/db`],
       environment: {
         MONGO_INITDB_ROOT_USERNAME: 'admin',
         // Password will be generated and stored encrypted
@@ -52,7 +52,7 @@ export class MongoDBProvider extends BasePlatformServiceProvider {
   async deployContainer(): Promise<string> {
     const config = this.getDefaultConfig();
     const containerName = this.getContainerName();
-    const dataDir = '/var/lib/onebox/mongodb';
+    const dataDir = this.getPlatformDataDir('mongodb');
 
     logger.info(`Deploying MongoDB platform service as ${containerName}...`);
 
@@ -74,7 +74,9 @@ export class MongoDBProvider extends BasePlatformServiceProvider {
     if (dataExists && platformService?.adminCredentialsEncrypted) {
       // Reuse existing credentials from database
       logger.info('Reusing existing MongoDB credentials (data directory already initialized)');
-      adminCredentials = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
+      adminCredentials = await credentialEncryption.decrypt<{ username: string; password: string }>(
+        platformService.adminCredentialsEncrypted,
+      );
     } else {
       // Generate new credentials for fresh deployment
       logger.info('Generating new MongoDB admin credentials');
@@ -165,7 +167,7 @@ export class MongoDBProvider extends BasePlatformServiceProvider {
       // This avoids network issues with overlay networks
       const result = await this.oneboxRef.docker.execInContainer(
         platformService.containerId,
-        ['mongosh', '--eval', 'db.adminCommand("ping")', '--username', adminCreds.username, '--password', adminCreds.password, '--authenticationDatabase', 'admin', '--quiet']
+        ['mongo', '--eval', 'db.adminCommand("ping")', '--username', adminCreds.username, '--password', adminCreds.password, '--authenticationDatabase', 'admin', '--quiet']
       );
 
       if (result.exitCode === 0) {
@@ -190,12 +192,6 @@ export class MongoDBProvider extends BasePlatformServiceProvider {
     const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
     const containerName = this.getContainerName();
 
-    // Get container host port for connection from host (overlay network IPs not accessible from host)
-    const hostPort = await this.oneboxRef.docker.getContainerHostPort(platformService.containerId, 27017);
-    if (!hostPort) {
-      throw new Error('Could not get MongoDB container host port');
-    }
-
     // Generate resource names and credentials
     const dbName = this.generateResourceName(userService.name);
     const username = this.generateResourceName(userService.name);
@@ -203,32 +199,40 @@ export class MongoDBProvider extends BasePlatformServiceProvider {
 
     logger.info(`Provisioning MongoDB database '${dbName}' for service '${userService.name}'...`);
 
-    // Connect to MongoDB via localhost and the mapped host port
-    const { MongoClient } = await import('npm:mongodb@6');
-    const adminUri = `mongodb://${adminCreds.username}:${adminCreds.password}@127.0.0.1:${hostPort}/?authSource=admin`;
+    // Use docker exec to provision inside the container (avoids host port mapping issues)
+    const escapedPassword = password.replace(/'/g, "'\\''");
+    const escapedAdminPassword = adminCreds.password.replace(/'/g, "'\\''");
 
-    const client = new MongoClient(adminUri);
-    await client.connect();
-
-    try {
-      // Create the database by switching to it (MongoDB creates on first write)
-      const db = client.db(dbName);
-
-      // Create a collection to ensure the database exists
-      await db.createCollection('_onebox_init');
-
-      // Create user with readWrite access to this database
-      await db.command({
-        createUser: username,
-        pwd: password,
-        roles: [{ role: 'readWrite', db: dbName }],
+    // Create database and user via mongo inside the container
+    const mongoScript = `
+      db = db.getSiblingDB('${dbName}');
+      db.createCollection('_onebox_init');
+      db.createUser({
+        user: '${username}',
+        pwd: '${escapedPassword}',
+        roles: [{ role: 'readWrite', db: '${dbName}' }]
       });
+      print('PROVISION_SUCCESS');
+    `;
 
-      logger.success(`MongoDB database '${dbName}' provisioned with user '${username}'`);
-    } finally {
-      await client.close();
+    const result = await this.oneboxRef.docker.execInContainer(
+      platformService.containerId,
+      [
+        'mongo',
+        '--username', adminCreds.username,
+        '--password', escapedAdminPassword,
+        '--authenticationDatabase', 'admin',
+        '--quiet',
+        '--eval', mongoScript,
+      ]
+    );
+
+    if (result.exitCode !== 0 || !result.stdout.includes('PROVISION_SUCCESS')) {
+      throw new Error(`Failed to provision MongoDB database: exit code ${result.exitCode}, output: ${result.stdout.substring(0, 200)} ${result.stderr.substring(0, 200)}`);
     }
 
+    logger.success(`MongoDB database '${dbName}' provisioned with user '${username}'`);
+
     // Build the credentials and env vars
     const credentials: Record<string, string> = {
       host: containerName,
@@ -262,37 +266,33 @@ export class MongoDBProvider extends BasePlatformServiceProvider {
     }
 
     const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
-
-    // Get container host port for connection from host (overlay network IPs not accessible from host)
-    const hostPort = await this.oneboxRef.docker.getContainerHostPort(platformService.containerId, 27017);
-    if (!hostPort) {
-      throw new Error('Could not get MongoDB container host port');
-    }
+    const escapedAdminPassword = adminCreds.password.replace(/'/g, "'\\''");
 
     logger.info(`Deprovisioning MongoDB database '${resource.resourceName}'...`);
 
-    const { MongoClient } = await import('npm:mongodb@6');
-    const adminUri = `mongodb://${adminCreds.username}:${adminCreds.password}@127.0.0.1:${hostPort}/?authSource=admin`;
+    const mongoScript = `
+      db = db.getSiblingDB('${resource.resourceName}');
+      try { db.dropUser('${credentials.username}'); } catch(e) { print('User drop failed: ' + e); }
+      db.dropDatabase();
+      print('DEPROVISION_SUCCESS');
+    `;
 
-    const client = new MongoClient(adminUri);
-    await client.connect();
+    const result = await this.oneboxRef.docker.execInContainer(
+      platformService.containerId,
+      [
+        'mongo',
+        '--username', adminCreds.username,
+        '--password', escapedAdminPassword,
+        '--authenticationDatabase', 'admin',
+        '--quiet',
+        '--eval', mongoScript,
+      ]
+    );
 
-    try {
-      const db = client.db(resource.resourceName);
-
-      // Drop the user
-      try {
-        await db.command({ dropUser: credentials.username });
-        logger.info(`Dropped MongoDB user '${credentials.username}'`);
-      } catch (e) {
-        logger.warn(`Could not drop MongoDB user: ${getErrorMessage(e)}`);
-      }
-
-      // Drop the database
-      await db.dropDatabase();
-      logger.success(`MongoDB database '${resource.resourceName}' dropped`);
-    } finally {
-      await client.close();
+    if (result.exitCode !== 0) {
+      logger.warn(`MongoDB deprovision returned exit code ${result.exitCode}: ${result.stderr.substring(0, 200)}`);
     }
+
+    logger.success(`MongoDB database '${resource.resourceName}' dropped`);
   }
 }

ts/classes/platform-services/providers/redis.ts

@@ -0,0 +1,285 @@
+/**
+ * Redis Platform Service Provider
+ */
+
+import { BasePlatformServiceProvider } from './base.ts';
+import type {
+  IService,
+  IPlatformResource,
+  IPlatformServiceConfig,
+  IProvisionedResource,
+  IEnvVarMapping,
+  TPlatformServiceType,
+  TPlatformResourceType,
+} from '../../../types.ts';
+import { logger } from '../../../logging.ts';
+import { getErrorMessage } from '../../../utils/error.ts';
+import { credentialEncryption } from '../../encryption.ts';
+import type { Onebox } from '../../onebox.ts';
+
+export class RedisProvider extends BasePlatformServiceProvider {
+  readonly type: TPlatformServiceType = 'redis';
+  readonly displayName = 'Redis';
+  readonly resourceTypes: TPlatformResourceType[] = ['cache'];
+
+  constructor(oneboxRef: Onebox) {
+    super(oneboxRef);
+  }
+
+  getDefaultConfig(): IPlatformServiceConfig {
+    return {
+      image: 'redis:7-alpine',
+      port: 6379,
+      volumes: [`${this.getPlatformDataDir('redis')}:/data`],
+      environment: {},
+    };
+  }
+
+  getEnvVarMappings(): IEnvVarMapping[] {
+    return [
+      { envVar: 'REDIS_HOST', credentialPath: 'host' },
+      { envVar: 'REDIS_PORT', credentialPath: 'port' },
+      { envVar: 'REDIS_PASSWORD', credentialPath: 'password' },
+      { envVar: 'REDIS_DB', credentialPath: 'db' },
+      { envVar: 'REDIS_URL', credentialPath: 'connectionString' },
+    ];
+  }
+
+  async deployContainer(): Promise<string> {
+    const config = this.getDefaultConfig();
+    const containerName = this.getContainerName();
+    const dataDir = this.getPlatformDataDir('redis');
+
+    logger.info(`Deploying Redis platform service as ${containerName}...`);
+
+    // Check if we have existing data and stored credentials
+    const platformService = this.oneboxRef.database.getPlatformServiceByType(this.type);
+    let adminCredentials: { username: string; password: string };
+    let dataExists = false;
+
+    // Check if data directory has existing Redis data
+    try {
+      const stat = await Deno.stat(`${dataDir}/dump.rdb`);
+      dataExists = stat.isFile;
+      logger.info(`Redis data directory exists with dump.rdb file`);
+    } catch {
+      // Also check for appendonly file
+      try {
+        const stat = await Deno.stat(`${dataDir}/appendonly.aof`);
+        dataExists = stat.isFile;
+        logger.info(`Redis data directory exists with appendonly.aof file`);
+      } catch {
+        dataExists = false;
+      }
+    }
+
+    if (dataExists && platformService?.adminCredentialsEncrypted) {
+      // Reuse existing credentials from database
+      logger.info('Reusing existing Redis credentials (data directory already initialized)');
+      adminCredentials = await credentialEncryption.decrypt<{ username: string; password: string }>(
+        platformService.adminCredentialsEncrypted,
+      );
+    } else {
+      // Generate new credentials for fresh deployment
+      logger.info('Generating new Redis admin credentials');
+      adminCredentials = {
+        username: 'default',
+        password: credentialEncryption.generatePassword(32),
+      };
+
+      // If data exists but we don't have credentials, we need to wipe the data
+      if (dataExists) {
+        logger.warn('Redis data exists but no credentials in database - wiping data directory');
+        try {
+          await Deno.remove(dataDir, { recursive: true });
+        } catch (e) {
+          logger.error(`Failed to wipe Redis data directory: ${getErrorMessage(e)}`);
+          throw new Error('Cannot deploy Redis: data directory exists without credentials');
+        }
+      }
+    }
+
+    // Ensure data directory exists
+    try {
+      await Deno.mkdir(dataDir, { recursive: true });
+    } catch (e) {
+      // Directory might already exist
+      if (!(e instanceof Deno.errors.AlreadyExists)) {
+        logger.warn(`Could not create Redis data directory: ${getErrorMessage(e)}`);
+      }
+    }
+
+    // Redis uses command args for password, not env vars
+    const containerId = await this.oneboxRef.docker.createPlatformContainer({
+      name: containerName,
+      image: config.image,
+      port: config.port,
+      env: [],
+      volumes: config.volumes,
+      network: this.getNetworkName(),
+      command: ['redis-server', '--requirepass', adminCredentials.password, '--appendonly', 'yes'],
+    });
+
+    // Store encrypted admin credentials (only update if new or changed)
+    const encryptedCreds = await credentialEncryption.encrypt(adminCredentials);
+    if (platformService) {
+      this.oneboxRef.database.updatePlatformService(platformService.id!, {
+        containerId,
+        adminCredentialsEncrypted: encryptedCreds,
+        status: 'starting',
+      });
+    }
+
+    logger.success(`Redis container created: ${containerId}`);
+    return containerId;
+  }
+
+  async stopContainer(containerId: string): Promise<void> {
+    logger.info(`Stopping Redis container ${containerId}...`);
+    await this.oneboxRef.docker.stopContainer(containerId);
+    logger.success('Redis container stopped');
+  }
+
+  async healthCheck(): Promise<boolean> {
+    try {
+      logger.info('Redis health check: starting...');
+      const platformService = this.oneboxRef.database.getPlatformServiceByType(this.type);
+      if (!platformService) {
+        logger.info('Redis health check: platform service not found in database');
+        return false;
+      }
+      if (!platformService.adminCredentialsEncrypted) {
+        logger.info('Redis health check: no admin credentials stored');
+        return false;
+      }
+      if (!platformService.containerId) {
+        logger.info('Redis health check: no container ID in database record');
+        return false;
+      }
+
+      logger.info(`Redis health check: using container ID ${platformService.containerId.substring(0, 12)}...`);
+      const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
+
+      // Use docker exec to run health check inside the container
+      const result = await this.oneboxRef.docker.execInContainer(
+        platformService.containerId,
+        ['redis-cli', '-a', adminCreds.password, 'ping']
+      );
+
+      if (result.exitCode === 0 && result.stdout.includes('PONG')) {
+        logger.info('Redis health check: success');
+        return true;
+      } else {
+        logger.info(`Redis health check failed: exit code ${result.exitCode}, stdout: ${result.stdout.substring(0, 200)}`);
+        return false;
+      }
+    } catch (error) {
+      logger.info(`Redis health check exception: ${getErrorMessage(error)}`);
+      return false;
+    }
+  }
+
+  async provisionResource(userService: IService): Promise<IProvisionedResource> {
+    const platformService = this.oneboxRef.database.getPlatformServiceByType(this.type);
+    if (!platformService || !platformService.adminCredentialsEncrypted) {
+      throw new Error('Redis platform service not found or not configured');
+    }
+
+    const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
+    const containerName = this.getContainerName();
+
+    // Determine the next available DB index (1-15, reserving 0 for admin)
+    const existingResources = this.oneboxRef.database.getPlatformResourcesByPlatformService(platformService.id!);
+    const usedIndexes = new Set<number>();
+
+    for (const resource of existingResources) {
+      try {
+        const creds = await credentialEncryption.decrypt(resource.credentialsEncrypted);
+        if (creds.db) {
+          usedIndexes.add(parseInt(creds.db, 10));
+        }
+      } catch {
+        // Skip resources with corrupt credentials
+      }
+    }
+
+    let dbIndex = -1;
+    for (let i = 1; i <= 15; i++) {
+      if (!usedIndexes.has(i)) {
+        dbIndex = i;
+        break;
+      }
+    }
+
+    if (dbIndex === -1) {
+      throw new Error('No available Redis database indexes (max 15 services per Redis instance)');
+    }
+
+    const resourceName = this.generateResourceName(userService.name);
+
+    logger.info(`Provisioning Redis database index ${dbIndex} for service '${userService.name}'...`);
+
+    // No server-side creation needed - Redis DB indexes exist implicitly
+    // Just verify connectivity
+    if (platformService.containerId) {
+      const result = await this.oneboxRef.docker.execInContainer(
+        platformService.containerId,
+        ['redis-cli', '-a', adminCreds.password, '-n', String(dbIndex), 'ping']
+      );
+
+      if (result.exitCode !== 0 || !result.stdout.includes('PONG')) {
+        throw new Error(`Failed to verify Redis database ${dbIndex}: exit code ${result.exitCode}`);
+      }
+    }
+
+    logger.success(`Redis database index ${dbIndex} provisioned for service '${userService.name}'`);
+
+    // Build the credentials and env vars
+    const credentials: Record<string, string> = {
+      host: containerName,
+      port: '6379',
+      password: adminCreds.password,
+      db: String(dbIndex),
+      connectionString: `redis://:${adminCreds.password}@${containerName}:6379/${dbIndex}`,
+    };
+
+    // Map credentials to env vars
+    const envVars: Record<string, string> = {};
+    for (const mapping of this.getEnvVarMappings()) {
+      if (credentials[mapping.credentialPath]) {
+        envVars[mapping.envVar] = credentials[mapping.credentialPath];
+      }
+    }
+
+    return {
+      type: 'cache',
+      name: resourceName,
+      credentials,
+      envVars,
+    };
+  }
+
+  async deprovisionResource(resource: IPlatformResource, credentials: Record<string, string>): Promise<void> {
+    const platformService = this.oneboxRef.database.getPlatformServiceByType(this.type);
+    if (!platformService || !platformService.adminCredentialsEncrypted || !platformService.containerId) {
+      throw new Error('Redis platform service not found or not configured');
+    }
+
+    const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
+    const dbIndex = credentials.db || '0';
+
+    logger.info(`Deprovisioning Redis database index ${dbIndex} for resource '${resource.resourceName}'...`);
+
+    // Flush the specific database
+    const result = await this.oneboxRef.docker.execInContainer(
+      platformService.containerId,
+      ['redis-cli', '-a', adminCreds.password, '-n', dbIndex, 'FLUSHDB']
+    );
+
+    if (result.exitCode !== 0) {
+      logger.warn(`Redis deprovision returned exit code ${result.exitCode}: ${result.stderr.substring(0, 200)}`);
+    }
+
+    logger.success(`Redis database index ${dbIndex} flushed for resource '${resource.resourceName}'`);
+  }
+}

ts/classes/platform-services/providers/smartproxy.ts

@@ -0,0 +1,87 @@
+/**
+ * SmartProxy Platform Service Provider
+ *
+ * SmartProxy is a core infrastructure service that provides reverse proxy functionality.
+ * Unlike other platform services:
+ * - It doesn't provision resources for user services
+ * - It's started automatically by Onebox and cannot be stopped by users
+ * - It delegates to the existing reverse proxy manager for actual operations
+ */
+
+import { BasePlatformServiceProvider } from './base.ts';
+import type {
+  IService,
+  IPlatformResource,
+  IPlatformServiceConfig,
+  IProvisionedResource,
+  IEnvVarMapping,
+  TPlatformServiceType,
+  TPlatformResourceType,
+} from '../../../types.ts';
+import { logger } from '../../../logging.ts';
+import type { Onebox } from '../../onebox.ts';
+
+export class SmartProxyProvider extends BasePlatformServiceProvider {
+  readonly type: TPlatformServiceType = 'smartproxy';
+  readonly displayName = 'SmartProxy Reverse Proxy';
+  readonly resourceTypes: TPlatformResourceType[] = [];
+  readonly isCore = true;
+
+  constructor(oneboxRef: Onebox) {
+    super(oneboxRef);
+  }
+
+  getDefaultConfig(): IPlatformServiceConfig {
+    return {
+      image: 'code.foss.global/host.today/ht-docker-smartproxy:latest',
+      port: 80,
+      volumes: [],
+      environment: {},
+    };
+  }
+
+  getEnvVarMappings(): IEnvVarMapping[] {
+    return [];
+  }
+
+  async deployContainer(): Promise<string> {
+    logger.info('Starting SmartProxy via reverse proxy manager...');
+
+    const reverseProxy = this.oneboxRef.reverseProxy;
+    await reverseProxy.startHttp();
+
+    const platformService = this.oneboxRef.database.getPlatformServiceByType(this.type);
+    if (platformService) {
+      this.oneboxRef.database.updatePlatformService(platformService.id!, {
+        status: 'running',
+        containerId: 'onebox-smartproxy',
+      });
+    }
+
+    logger.success('SmartProxy platform service started');
+    return 'onebox-smartproxy';
+  }
+
+  async stopContainer(_containerId: string): Promise<void> {
+    throw new Error('SmartProxy is a core infrastructure service and cannot be stopped');
+  }
+
+  async healthCheck(): Promise<boolean> {
+    try {
+      const reverseProxy = this.oneboxRef.reverseProxy;
+      const status = reverseProxy.getStatus();
+      return status.http.running;
+    } catch (error) {
+      logger.debug(`SmartProxy health check failed: ${error}`);
+      return false;
+    }
+  }
+
+  async provisionResource(_userService: IService): Promise<IProvisionedResource> {
+    throw new Error('SmartProxy does not provision resources for user services');
+  }
+
+  async deprovisionResource(_resource: IPlatformResource, _credentials: Record<string, string>): Promise<void> {
+    throw new Error('SmartProxy does not manage resources for user services');
+  }
+}

ts/classes/proxy-log-receiver.ts

@@ -1,7 +1,7 @@
 /**
- * Caddy Log Receiver for Onebox
+ * Proxy Log Receiver for Onebox
  *
- * TCP server that receives access logs from Caddy and broadcasts them to WebSocket clients.
+ * TCP server that receives reverse proxy access logs and broadcasts them to WebSocket clients.
  * Supports per-client filtering by domain and adaptive sampling at high volume.
  */
 
@@ -18,9 +18,9 @@ export interface ILogFilter {
 }
 
 /**
- * Caddy access log entry structure (from Caddy JSON format)
+ * Reverse proxy access log entry structure.
  */
-export interface ICaddyAccessLog {
+export interface IProxyAccessLog {
   ts: number;
   level?: string;
   logger?: string;
@@ -60,9 +60,9 @@ interface ILogClient {
 }
 
 /**
- * CaddyLogReceiver - TCP server for Caddy access logs
+ * ProxyLogReceiver - TCP server for reverse proxy access logs
  */
-export class CaddyLogReceiver {
+export class ProxyLogReceiver {
   private server: Deno.TcpListener | null = null;
   private clients: Map<string, ILogClient> = new Map();
   private port: number;
@@ -76,7 +76,7 @@ export class CaddyLogReceiver {
   private logCounter = 0;
 
   // Ring buffer for recent logs (for late-joining clients)
-  private recentLogs: ICaddyAccessLog[] = [];
+  private recentLogs: IProxyAccessLog[] = [];
   private maxRecentLogs = 100;
 
   // Traffic stats aggregation (hourly rolling window)
@@ -137,7 +137,7 @@ export class CaddyLogReceiver {
   /**
    * Record a request in traffic stats
    */
-  private recordTrafficStats(log: ICaddyAccessLog): void {
+  private recordTrafficStats(log: IProxyAccessLog): void {
     const bucket = this.getCurrentStatsBucket();
 
     bucket.requestCount++;
@@ -164,25 +164,25 @@ export class CaddyLogReceiver {
    */
   async start(): Promise<void> {
     if (this.running) {
-      logger.warn('CaddyLogReceiver is already running');
+      logger.warn('ProxyLogReceiver is already running');
       return;
     }
 
     try {
       this.server = Deno.listen({ port: this.port, transport: 'tcp' });
       this.running = true;
-      logger.success(`CaddyLogReceiver started on TCP port ${this.port}`);
+      logger.success(`ProxyLogReceiver started on TCP port ${this.port}`);
 
       // Start accepting connections in background
       this.acceptConnections();
     } catch (error) {
-      logger.error(`Failed to start CaddyLogReceiver: ${getErrorMessage(error)}`);
+      logger.error(`Failed to start ProxyLogReceiver: ${getErrorMessage(error)}`);
       throw error;
     }
   }
 
   /**
-   * Accept incoming TCP connections from Caddy
+   * Accept incoming TCP connections from the reverse proxy
    */
   private async acceptConnections(): Promise<void> {
     if (!this.server) return;
@@ -194,17 +194,17 @@ export class CaddyLogReceiver {
       }
     } catch (error) {
       if (this.running) {
-        logger.error(`CaddyLogReceiver accept error: ${getErrorMessage(error)}`);
+        logger.error(`ProxyLogReceiver accept error: ${getErrorMessage(error)}`);
       }
     }
   }
 
   /**
-   * Handle a single TCP connection from Caddy
+   * Handle a single TCP connection from the reverse proxy
    */
   private async handleConnection(conn: Deno.TcpConn): Promise<void> {
     const remoteAddr = conn.remoteAddr as Deno.NetAddr;
-    logger.debug(`CaddyLogReceiver: Connection from ${remoteAddr.hostname}:${remoteAddr.port}`);
+    logger.debug(`ProxyLogReceiver: Connection from ${remoteAddr.hostname}:${remoteAddr.port}`);
 
     const reader = conn.readable.getReader();
     const decoder = new TextDecoder();
@@ -217,7 +217,7 @@ export class CaddyLogReceiver {
 
         buffer += decoder.decode(value, { stream: true });
 
-        // Process complete lines (Caddy sends newline-delimited JSON)
+        // Process complete newline-delimited JSON log lines.
         const lines = buffer.split('\n');
         buffer = lines.pop() || ''; // Keep incomplete line in buffer
 
@@ -229,7 +229,7 @@ export class CaddyLogReceiver {
       }
     } catch (error) {
       if (this.running) {
-        logger.debug(`CaddyLogReceiver connection closed: ${getErrorMessage(error)}`);
+        logger.debug(`ProxyLogReceiver connection closed: ${getErrorMessage(error)}`);
       }
     } finally {
       this.connections.delete(conn);
@@ -242,18 +242,18 @@ export class CaddyLogReceiver {
   }
 
   /**
-   * Process a single log line from Caddy
+   * Process a single access log line
    */
   private processLogLine(line: string): void {
     try {
-      const log = JSON.parse(line) as ICaddyAccessLog;
+      const log = JSON.parse(line) as IProxyAccessLog;
 
       // Only process access logs (check for http.log.access or just access, or any log with request/status)
       const isAccessLog = log.logger === 'http.log.access' ||
                           log.logger === 'access' ||
                           (log.request && typeof log.status === 'number');
       if (!isAccessLog) {
-        logger.debug(`CaddyLogReceiver: Skipping non-access log: ${log.logger || 'unknown'}`);
+        logger.debug(`ProxyLogReceiver: Skipping non-access log: ${log.logger || 'unknown'}`);
         return;
       }
 
@@ -268,7 +268,7 @@ export class CaddyLogReceiver {
         return;
       }
 
-      logger.debug(`CaddyLogReceiver: Access log received - ${log.request?.method} ${log.request?.host}${log.request?.uri} (status: ${log.status})`);
+      logger.debug(`ProxyLogReceiver: Access log received - ${log.request?.method} ${log.request?.host}${log.request?.uri} (status: ${log.status})`);
 
       // Add to recent logs buffer
       this.recentLogs.push(log);
@@ -277,10 +277,10 @@ export class CaddyLogReceiver {
       }
 
       // Broadcast to WebSocket clients (log how many clients)
-      logger.debug(`CaddyLogReceiver: Broadcasting to ${this.clients.size} clients`);
+      logger.debug(`ProxyLogReceiver: Broadcasting to ${this.clients.size} clients`);
       this.broadcast(log);
     } catch (error) {
-      logger.debug(`Failed to parse Caddy log line: ${getErrorMessage(error)}`);
+      logger.debug(`Failed to parse proxy log line: ${getErrorMessage(error)}`);
     }
   }
 
@@ -317,7 +317,7 @@ export class CaddyLogReceiver {
   /**
    * Broadcast a log entry to all connected WebSocket clients
    */
-  private broadcast(log: ICaddyAccessLog): void {
+  private broadcast(log: IProxyAccessLog): void {
     const message = JSON.stringify({
       type: 'access_log',
       data: {
@@ -365,7 +365,7 @@ export class CaddyLogReceiver {
   /**
    * Check if a log entry matches a client's filter
    */
-  private matchesFilter(log: ICaddyAccessLog, filter: ILogFilter): boolean {
+  private matchesFilter(log: IProxyAccessLog, filter: ILogFilter): boolean {
     // Domain filter
     if (filter.domain) {
       const logHost = log.request.host.toLowerCase();
@@ -385,7 +385,7 @@ export class CaddyLogReceiver {
    */
   addClient(clientId: string, ws: WebSocket, filter: ILogFilter = {}): void {
     this.clients.set(clientId, { id: clientId, ws, filter });
-    logger.debug(`CaddyLogReceiver: Added client ${clientId} (${this.clients.size} total)`);
+    logger.debug(`ProxyLogReceiver: Added client ${clientId} (${this.clients.size} total)`);
 
     // Send recent logs to new client
     for (const log of this.recentLogs) {
@@ -422,7 +422,7 @@ export class CaddyLogReceiver {
    */
   removeClient(clientId: string): void {
     if (this.clients.delete(clientId)) {
-      logger.debug(`CaddyLogReceiver: Removed client ${clientId} (${this.clients.size} remaining)`);
+      logger.debug(`ProxyLogReceiver: Removed client ${clientId} (${this.clients.size} remaining)`);
     }
   }
 
@@ -433,7 +433,7 @@ export class CaddyLogReceiver {
     const client = this.clients.get(clientId);
     if (client) {
       client.filter = filter;
-      logger.debug(`CaddyLogReceiver: Updated filter for client ${clientId}`);
+      logger.debug(`ProxyLogReceiver: Updated filter for client ${clientId}`);
     }
   }
 
@@ -470,7 +470,7 @@ export class CaddyLogReceiver {
     // Clear clients
     this.clients.clear();
 
-    logger.info('CaddyLogReceiver stopped');
+    logger.info('ProxyLogReceiver stopped');
   }
 
   /**

ts/classes/registries.ts

@@ -9,6 +9,9 @@ import type { IRegistry } from '../types.ts';
 import { logger } from '../logging.ts';
 import { getErrorMessage } from '../utils/error.ts';
 import { OneboxDatabase } from './database.ts';
+import { credentialEncryption } from './encryption.ts';
+
+const encryptedPasswordPrefix = 'enc:v1:';
 
 export class OneboxRegistriesManager {
   private oneboxRef: any; // Will be Onebox instance
@@ -22,17 +25,23 @@ export class OneboxRegistriesManager {
   /**
    * Encrypt a password (simple base64 for now, should use proper encryption)
    */
-  private encryptPassword(password: string): string {
-    // TODO: Use proper encryption with a secret key
-    // For now, using base64 encoding (NOT SECURE, just for structure)
-    return plugins.encoding.encodeBase64(new TextEncoder().encode(password));
+  private async encryptPassword(password: string): Promise<string> {
+    const encrypted = await credentialEncryption.encrypt({ password });
+    return `${encryptedPasswordPrefix}${encrypted}`;
   }
 
   /**
    * Decrypt a password
    */
-  private decryptPassword(encrypted: string): string {
-    // TODO: Use proper decryption
+  private async decryptPassword(encrypted: string): Promise<string> {
+    if (encrypted.startsWith(encryptedPasswordPrefix)) {
+      const decrypted = await credentialEncryption.decrypt<{ password: string }>(
+        encrypted.slice(encryptedPasswordPrefix.length),
+      );
+      return decrypted.password;
+    }
+
+    // Legacy compatibility for older databases that stored base64-encoded passwords.
     return new TextDecoder().decode(plugins.encoding.decodeBase64(encrypted));
   }
 
@@ -48,7 +57,7 @@ export class OneboxRegistriesManager {
       }
 
       // Encrypt password
-      const passwordEncrypted = this.encryptPassword(password);
+      const passwordEncrypted = await this.encryptPassword(password);
 
       // Create registry in database
       const registry = await this.database.createRegistry({
@@ -111,7 +120,7 @@ export class OneboxRegistriesManager {
     try {
       logger.info(`Logging into registry: ${registry.url}`);
 
-      const password = this.decryptPassword(registry.passwordEncrypted);
+      const password = await this.decryptPassword(registry.passwordEncrypted);
 
       // Use docker login command
       const command = [

ts/classes/registry.ts

@@ -2,7 +2,7 @@
  * Onebox Registry Manager
  *
  * Manages the local Docker registry using:
- * - @push.rocks/smarts3 (S3-compatible server with filesystem storage)
+ * - @push.rocks/smartstorage (S3-compatible server with filesystem storage)
  * - @push.rocks/smartregistry (OCI-compliant Docker registry)
  */
 
@@ -27,7 +27,7 @@ export class RegistryManager {
   }
 
   /**
-   * Initialize the registry (start smarts3 and smartregistry)
+   * Initialize the registry (start smartstorage and smartregistry)
    */
   async init(): Promise<void> {
     if (this.isInitialized) {
@@ -39,10 +39,10 @@ export class RegistryManager {
       const dataDir = this.options.dataDir || './.nogit/registry-data';
       const port = this.options.port || 4000;
 
-      logger.info(`Starting smarts3 server on port ${port}...`);
+      logger.info(`Starting smartstorage server on port ${port}...`);
 
-      // 1. Start smarts3 server (S3-compatible storage with filesystem backend)
-      this.s3Server = await plugins.smarts3.Smarts3.createAndStart({
+      // 1. Start smartstorage server (S3-compatible storage with filesystem backend)
+      this.s3Server = await plugins.smartstorage.SmartStorage.createAndStart({
         server: {
           port: port,
           address: '0.0.0.0',
@@ -53,16 +53,16 @@ export class RegistryManager {
         },
       });
 
-      logger.success(`smarts3 server started on port ${port}`);
+      logger.success(`smartstorage server started on port ${port}`);
 
-      // 2. Configure smartregistry to use smarts3
+      // 2. Configure smartregistry to use smartstorage
       logger.info('Initializing smartregistry...');
 
       this.registry = new plugins.smartregistry.SmartRegistry({
         storage: {
           endpoint: 'localhost',
           port: port,
-          accessKey: 'onebox', // smarts3 doesn't validate credentials
+          accessKey: 'onebox', // smartstorage doesn't validate credentials
           accessSecret: 'onebox',
           useSsl: false,
           region: 'us-east-1',
@@ -314,16 +314,26 @@ export class RegistryManager {
   }
 
   /**
-   * Stop the registry and smarts3 server
+   * Stop the registry and smartstorage server
    */
   async stop(): Promise<void> {
+    if (this.registry) {
+      try {
+        this.registry.destroy?.();
+      } catch (error) {
+        logger.error(`Error destroying smartregistry: ${getErrorMessage(error)}`);
+      }
+      this.registry = null;
+    }
+
     if (this.s3Server) {
       try {
         await this.s3Server.stop();
-        logger.info('smarts3 server stopped');
+        logger.info('smartstorage server stopped');
       } catch (error) {
-        logger.error(`Error stopping smarts3: ${getErrorMessage(error)}`);
+        logger.error(`Error stopping smartstorage: ${getErrorMessage(error)}`);
       }
+      this.s3Server = null;
     }
 
     this.isInitialized = false;

ts/classes/reverseproxy.ts

@@ -1,8 +1,8 @@
 /**
  * Reverse Proxy for Onebox
  *
- * Delegates to Caddy (running as Docker service) for production-grade reverse proxy
- * with native SNI support, HTTP/2, WebSocket proxying, and zero-downtime configuration updates.
+ * Delegates to SmartProxy (running as Docker service) for production-grade reverse proxy
+ * with TLS termination, WebSocket proxying, and zero-downtime configuration updates.
  *
  * Routes use Docker service names (e.g., onebox-hello-world:80) for container-to-container
  * communication within the Docker overlay network.
@@ -11,7 +11,7 @@
 import { logger } from '../logging.ts';
 import { getErrorMessage } from '../utils/error.ts';
 import { OneboxDatabase } from './database.ts';
-import { CaddyManager } from './caddy.ts';
+import { SmartProxyManager } from './smartproxy.ts';
 
 interface IProxyRoute {
   domain: string;
@@ -24,7 +24,7 @@ interface IProxyRoute {
 export class OneboxReverseProxy {
   private oneboxRef: any;
   private database: OneboxDatabase;
-  private caddy: CaddyManager;
+  private smartProxy: SmartProxyManager;
   private routes: Map<string, IProxyRoute> = new Map();
   private httpPort = 8080;  // Default to dev ports (will be overridden if production)
   private httpsPort = 8443;
@@ -32,33 +32,32 @@ export class OneboxReverseProxy {
   constructor(oneboxRef: any) {
     this.oneboxRef = oneboxRef;
     this.database = oneboxRef.database;
-    this.caddy = new CaddyManager({
+    this.smartProxy = new SmartProxyManager({
       httpPort: this.httpPort,
       httpsPort: this.httpsPort,
     });
   }
 
   /**
-   * Initialize reverse proxy - Caddy runs as Docker service, no setup needed
+   * Initialize reverse proxy - SmartProxy runs as Docker service, no setup needed
    */
   async init(): Promise<void> {
-    logger.info('Reverse proxy initialized (Caddy Docker service)');
+    logger.info('Reverse proxy initialized (SmartProxy Docker service)');
   }
 
   /**
    * Start the HTTP/HTTPS reverse proxy server
-   * Caddy handles both HTTP and HTTPS on the configured ports
+   * SmartProxy handles both HTTP and HTTPS on the configured ports
    */
   async startHttp(port?: number): Promise<void> {
     if (port) {
       this.httpPort = port;
-      this.caddy.setPorts(this.httpPort, this.httpsPort);
+      this.smartProxy.setPorts(this.httpPort, this.httpsPort);
     }
 
     try {
-      // Start Caddy (handles both HTTP and HTTPS)
-      await this.caddy.start();
-      logger.success(`Reverse proxy started on port ${this.httpPort} (Caddy Docker service)`);
+      await this.smartProxy.start();
+      logger.success(`Reverse proxy started on port ${this.httpPort} (SmartProxy Docker service)`);
     } catch (error) {
       logger.error(`Failed to start reverse proxy: ${getErrorMessage(error)}`);
       throw error;
@@ -66,21 +65,19 @@ export class OneboxReverseProxy {
   }
 
   /**
-   * Start HTTPS - Caddy already handles HTTPS when started
+   * Start HTTPS - SmartProxy already handles HTTPS when started
    * This method exists for interface compatibility
    */
   async startHttps(port?: number): Promise<void> {
     if (port) {
       this.httpsPort = port;
-      this.caddy.setPorts(this.httpPort, this.httpsPort);
+      this.smartProxy.setPorts(this.httpPort, this.httpsPort);
     }
-    // Caddy handles both HTTP and HTTPS together
-    // If already running, just log and optionally reload with new port
-    const status = this.caddy.getStatus();
+    const status = this.smartProxy.getStatus();
     if (status.running) {
-      logger.info(`HTTPS already running on port ${this.httpsPort} via Caddy`);
+      logger.info(`HTTPS already running on port ${this.httpsPort} via SmartProxy`);
     } else {
-      await this.caddy.start();
+      await this.smartProxy.start();
     }
   }
 
@@ -88,13 +85,13 @@ export class OneboxReverseProxy {
    * Stop the reverse proxy
    */
   async stop(): Promise<void> {
-    await this.caddy.stop();
+    await this.smartProxy.stop();
     logger.info('Reverse proxy stopped');
   }
 
   /**
    * Add a route for a service
-   * Uses Docker service name for upstream (Caddy runs in same Docker network)
+   * Uses Docker service name for upstream (SmartProxy runs in same Docker network)
    */
   async addRoute(serviceId: number, domain: string, targetPort: number): Promise<void> {
     try {
@@ -105,7 +102,7 @@ export class OneboxReverseProxy {
       }
 
       // Use Docker service name as upstream target
-      // Caddy runs on the same Docker network, so it can resolve service names directly
+      // SmartProxy runs on the same Docker network, so it can resolve service names directly
       const serviceName = `onebox-${service.name}`;
       const targetHost = serviceName;
 
@@ -119,9 +116,9 @@ export class OneboxReverseProxy {
 
       this.routes.set(domain, route);
 
-      // Add route to Caddy using Docker service name
+      // Add route to SmartProxy using Docker service name
       const upstream = `${targetHost}:${targetPort}`;
-      await this.caddy.addRoute(domain, upstream);
+      await this.smartProxy.addRoute(domain, upstream);
 
       logger.success(`Added proxy route: ${domain} -> ${upstream}`);
     } catch (error) {
@@ -133,12 +130,9 @@ export class OneboxReverseProxy {
   /**
    * Remove a route
    */
-  removeRoute(domain: string): void {
+  async removeRoute(domain: string): Promise<void> {
     if (this.routes.delete(domain)) {
-      // Remove from Caddy (async but we don't wait)
-      this.caddy.removeRoute(domain).catch((error) => {
-        logger.error(`Failed to remove Caddy route for ${domain}: ${getErrorMessage(error)}`);
-      });
+      await this.smartProxy.removeRoute(domain);
       logger.success(`Removed proxy route: ${domain}`);
     } else {
       logger.warn(`Route not found: ${domain}`);
@@ -159,9 +153,9 @@ export class OneboxReverseProxy {
     try {
       logger.info('Reloading proxy routes...');
 
-      // Clear local and Caddy routes
+      // Clear local and SmartProxy routes
       this.routes.clear();
-      this.caddy.clear();
+      this.smartProxy.clear();
 
       const services = this.database.getAllServices();
 
@@ -181,7 +175,7 @@ export class OneboxReverseProxy {
 
   /**
    * Add TLS certificate for a domain
-   * Sends PEM content to Caddy via Admin API
+   * Sends PEM content to SmartProxy via Admin API
    */
   async addCertificate(domain: string, certPem: string, keyPem: string): Promise<void> {
     if (!certPem || !keyPem) {
@@ -189,14 +183,14 @@ export class OneboxReverseProxy {
       return;
     }
 
-    await this.caddy.addCertificate(domain, certPem, keyPem);
+    await this.smartProxy.addCertificate(domain, certPem, keyPem);
   }
 
   /**
    * Remove TLS certificate for a domain
    */
   removeCertificate(domain: string): void {
-    this.caddy.removeCertificate(domain).catch((error) => {
+    this.smartProxy.removeCertificate(domain).catch((error) => {
       logger.error(`Failed to remove certificate for ${domain}: ${getErrorMessage(error)}`);
     });
   }
@@ -213,13 +207,13 @@ export class OneboxReverseProxy {
       for (const cert of certificates) {
         // Use fullchainPem for the cert (includes intermediates) and keyPem for the key
         if (cert.domain && cert.fullchainPem && cert.keyPem) {
-          await this.caddy.addCertificate(cert.domain, cert.fullchainPem, cert.keyPem);
+          await this.smartProxy.addCertificate(cert.domain, cert.fullchainPem, cert.keyPem);
         } else {
           logger.warn(`Skipping certificate for ${cert.domain}: missing PEM content`);
         }
       }
 
-      logger.success(`Loaded ${this.caddy.getCertificates().length} TLS certificates`);
+      logger.success(`Loaded ${this.smartProxy.getCertificates().length} TLS certificates`);
     } catch (error) {
       logger.error(`Failed to reload certificates: ${getErrorMessage(error)}`);
       throw error;
@@ -230,19 +224,19 @@ export class OneboxReverseProxy {
    * Get status of reverse proxy
    */
   getStatus() {
-    const caddyStatus = this.caddy.getStatus();
+    const smartProxyStatus = this.smartProxy.getStatus();
     return {
       http: {
-        running: caddyStatus.running,
-        port: caddyStatus.httpPort,
+        running: smartProxyStatus.running,
+        port: smartProxyStatus.httpPort,
       },
       https: {
-        running: caddyStatus.running,
-        port: caddyStatus.httpsPort,
-        certificates: caddyStatus.certificates,
+        running: smartProxyStatus.running,
+        port: smartProxyStatus.httpsPort,
+        certificates: smartProxyStatus.certificates,
       },
-      routes: caddyStatus.routes,
-      backend: 'caddy-docker',
+      routes: smartProxyStatus.routes,
+      backend: 'smartproxy-docker',
     };
   }
 }

ts/classes/services.ts

@@ -15,6 +15,7 @@ export class OneboxServicesManager {
   private oneboxRef: any; // Will be Onebox instance
   private database: OneboxDatabase;
   private docker: OneboxDockerManager;
+  private autoUpdateIntervalId: number | null = null;
 
   constructor(oneboxRef: any) {
     this.oneboxRef = oneboxRef;
@@ -22,6 +23,35 @@ export class OneboxServicesManager {
     this.docker = oneboxRef.docker;
   }
 
+  private async broadcastServiceUpdate(
+    serviceName: string,
+    action: 'created' | 'updated' | 'deleted' | 'started' | 'stopped',
+  ): Promise<void> {
+    await this.oneboxRef.opsServer.broadcastServiceUpdate(
+      serviceName,
+      action,
+      this.database.getServiceByName(serviceName),
+    );
+  }
+
+  private async syncExternalGatewayRoute(service: IService): Promise<void> {
+    if (!this.oneboxRef.externalGateway) return;
+    try {
+      await this.oneboxRef.externalGateway.syncServiceRoute(service);
+    } catch (error) {
+      logger.warn(`Failed to sync external gateway route for ${service.domain}: ${getErrorMessage(error)}`);
+    }
+  }
+
+  private async deleteExternalGatewayRoute(service: Pick<IService, 'id' | 'name' | 'domain'>): Promise<void> {
+    if (!this.oneboxRef.externalGateway) return;
+    try {
+      await this.oneboxRef.externalGateway.deleteServiceRoute(service);
+    } catch (error) {
+      logger.warn(`Failed to delete external gateway route for ${service.domain}: ${getErrorMessage(error)}`);
+    }
+  }
+
   /**
    * Deploy a new service (full workflow)
    */
@@ -49,11 +79,13 @@ export class OneboxServicesManager {
 
       // Build platform requirements
       const platformRequirements: IPlatformRequirements | undefined =
-        (options.enableMongoDB || options.enableS3 || options.enableClickHouse)
+        (options.enableMongoDB || options.enableS3 || options.enableClickHouse || options.enableRedis || options.enableMariaDB)
           ? {
               mongodb: options.enableMongoDB,
               s3: options.enableS3,
               clickhouse: options.enableClickHouse,
+              redis: options.enableRedis,
+              mariadb: options.enableMariaDB,
             }
           : undefined;
 
@@ -75,6 +107,9 @@ export class OneboxServicesManager {
         autoUpdateOnPush: options.autoUpdateOnPush,
         // Platform requirements
         platformRequirements,
+        // App Store template tracking
+        appTemplateId: options.appTemplateId,
+        appTemplateVersion: options.appTemplateVersion,
       });
 
       // Provision platform resources if needed
@@ -95,9 +130,15 @@ export class OneboxServicesManager {
 
       // Merge platform env vars with user-specified env vars (user vars take precedence)
       const mergedEnvVars = { ...platformEnvVars, ...(options.envVars || {}) };
+      this.resolveEnvVarTemplates(mergedEnvVars, {
+        ...platformEnvVars,
+        SERVICE_NAME: options.name,
+        SERVICE_DOMAIN: options.domain || '',
+        SERVICE_PORT: String(options.port),
+      });
 
-      // Update service with merged env vars
-      if (Object.keys(platformEnvVars).length > 0) {
+      // Update service with merged and resolved env vars.
+      if (Object.keys(mergedEnvVars).length > 0) {
         this.database.updateService(service.id!, { envVars: mergedEnvVars });
       }
 
@@ -187,11 +228,15 @@ export class OneboxServicesManager {
 
         // Note: SSL certificates are now handled automatically by CertRequirementManager
         // which processes pending requirements created above. No direct obtainCertificate call needed.
+
+        await this.syncExternalGatewayRoute(this.database.getServiceByName(options.name)!);
       }
 
       logger.success(`Service deployed successfully: ${options.name}`);
 
-      return this.database.getServiceByName(options.name)!;
+      const deployedService = this.database.getServiceByName(options.name)!;
+      await this.broadcastServiceUpdate(options.name, 'created');
+      return deployedService;
     } catch (error) {
       logger.error(`Failed to deploy service ${options.name}: ${getErrorMessage(error)}`);
       throw error;
@@ -227,15 +272,19 @@ export class OneboxServicesManager {
         } catch (routeError) {
           logger.warn(`Failed to add proxy route for ${service.domain}: ${getErrorMessage(routeError)}`);
         }
+
+        await this.syncExternalGatewayRoute(this.database.getServiceByName(name)!);
       }
 
       logger.success(`Service started: ${name}`);
+      await this.broadcastServiceUpdate(name, 'started');
     } catch (error) {
       logger.error(`Failed to start service ${name}: ${getErrorMessage(error)}`);
       this.database.updateService(
         this.database.getServiceByName(name)?.id!,
         { status: 'failed' }
       );
+      await this.broadcastServiceUpdate(name, 'updated');
       throw error;
     }
   }
@@ -264,10 +313,12 @@ export class OneboxServicesManager {
 
       // Remove reverse proxy route if service has a domain
       if (service.domain) {
-        this.oneboxRef.reverseProxy.removeRoute(service.domain);
+        await this.oneboxRef.reverseProxy.removeRoute(service.domain);
+        await this.deleteExternalGatewayRoute(service);
       }
 
       logger.success(`Service stopped: ${name}`);
+      await this.broadcastServiceUpdate(name, 'stopped');
     } catch (error) {
       logger.error(`Failed to stop service ${name}: ${getErrorMessage(error)}`);
       throw error;
@@ -295,6 +346,7 @@ export class OneboxServicesManager {
       this.database.updateService(service.id!, { status: 'running' });
 
       logger.success(`Service restarted: ${name}`);
+      await this.broadcastServiceUpdate(name, 'updated');
     } catch (error) {
       logger.error(`Failed to restart service ${name}: ${getErrorMessage(error)}`);
       throw error;
@@ -325,11 +377,13 @@ export class OneboxServicesManager {
       // Remove reverse proxy route
       if (service.domain) {
         try {
-          this.oneboxRef.reverseProxy.removeRoute(service.domain);
+          await this.oneboxRef.reverseProxy.removeRoute(service.domain);
         } catch (error) {
           logger.warn(`Failed to remove reverse proxy route: ${getErrorMessage(error)}`);
         }
 
+        await this.deleteExternalGatewayRoute(service);
+
         // Note: We don't remove DNS records or SSL certs automatically
         // as they might be used by other services or need manual cleanup
       }
@@ -351,6 +405,7 @@ export class OneboxServicesManager {
       this.database.deleteService(service.id!);
 
       logger.success(`Service removed: ${name}`);
+      await this.oneboxRef.opsServer.broadcastServiceUpdate(name, 'deleted');
     } catch (error) {
       logger.error(`Failed to remove service ${name}: ${getErrorMessage(error)}`);
       throw error;
@@ -587,10 +642,12 @@ export class OneboxServicesManager {
         // Remove old route if it existed
         if (oldDomain) {
           try {
-            this.oneboxRef.reverseProxy.removeRoute(oldDomain);
+            await this.oneboxRef.reverseProxy.removeRoute(oldDomain);
           } catch (error) {
             logger.warn(`Failed to remove old reverse proxy route: ${getErrorMessage(error)}`);
           }
+
+          await this.deleteExternalGatewayRoute({ ...service, domain: oldDomain });
         }
 
         // Add new route if domain specified
@@ -619,7 +676,12 @@ export class OneboxServicesManager {
         logger.success(`Service ${name} updated (not started)`);
       }
 
-      return this.database.getServiceByName(name)!;
+      const refreshedService = this.database.getServiceByName(name)!;
+      if (refreshedService.domain && refreshedService.status === 'running') {
+        await this.syncExternalGatewayRoute(refreshedService);
+      }
+      await this.broadcastServiceUpdate(name, 'updated');
+      return refreshedService;
     } catch (error) {
       logger.error(`Failed to update service ${name}: ${getErrorMessage(error)}`);
       throw error;
@@ -653,11 +715,7 @@ export class OneboxServicesManager {
       // Only update and broadcast if status changed
       if (service.status !== ourStatus) {
         this.database.updateService(service.id!, { status: ourStatus });
-
-        // Broadcast status change via WebSocket
-        if (this.oneboxRef.httpServer) {
-          this.oneboxRef.httpServer.broadcastServiceStatus(name, ourStatus);
-        }
+        await this.broadcastServiceUpdate(name, 'updated');
       }
     } catch (error) {
       logger.debug(`Failed to sync status for service ${name}: ${getErrorMessage(error)}`);
@@ -675,13 +733,36 @@ export class OneboxServicesManager {
     }
   }
 
+  private resolveEnvVarTemplates(
+    envVarsArg: Record<string, string>,
+    valuesArg: Record<string, string>,
+  ): void {
+    for (const [key, value] of Object.entries(envVarsArg)) {
+      const missingValues = new Set<string>();
+      const resolvedValue = value.replace(/\$\{([A-Z0-9_]+)\}/g, (match, placeholderName) => {
+        const replacement = valuesArg[placeholderName];
+        if (replacement === undefined || replacement === '') {
+          missingValues.add(placeholderName);
+          return match;
+        }
+        return replacement;
+      });
+      if (missingValues.size > 0) {
+        throw new Error(
+          `Missing template value(s) for ${key}: ${Array.from(missingValues).join(', ')}`,
+        );
+      }
+      envVarsArg[key] = resolvedValue;
+    }
+  }
+
   /**
    * Start auto-update monitoring for registry services
    * Polls every 30 seconds for digest changes and restarts services if needed
    */
   startAutoUpdateMonitoring(): void {
     // Check every 30 seconds
-    setInterval(async () => {
+    this.autoUpdateIntervalId = setInterval(async () => {
       try {
         await this.checkForRegistryUpdates();
       } catch (error) {
@@ -692,6 +773,17 @@ export class OneboxServicesManager {
     logger.info('Auto-update monitoring started (30s interval)');
   }
 
+  /**
+   * Stop auto-update monitoring
+   */
+  stopAutoUpdateMonitoring(): void {
+    if (this.autoUpdateIntervalId !== null) {
+      clearInterval(this.autoUpdateIntervalId);
+      this.autoUpdateIntervalId = null;
+      logger.debug('Auto-update monitoring stopped');
+    }
+  }
+
   /**
    * Check all services using onebox registry for updates
    */
@@ -739,12 +831,6 @@ export class OneboxServicesManager {
           // Restart service
           logger.info(`Auto-restarting service: ${service.name}`);
           await this.restartService(service.name);
-
-          // Broadcast update via WebSocket
-          this.oneboxRef.httpServer.broadcastServiceUpdate({
-            action: 'updated',
-            service: this.database.getServiceByName(service.name)!,
-          });
         } else if (!service.imageDigest) {
           // First time - just store the digest
           this.database.updateService(service.id!, {

ts/classes/smartproxy.ts

@@ -0,0 +1,467 @@
+/**
+ * SmartProxy Manager for Onebox
+ *
+ * Manages SmartProxy as a Docker Swarm service so it can route to services on
+ * the Onebox overlay network.
+ */
+
+import * as plugins from '../plugins.ts';
+import { logger } from '../logging.ts';
+import { getErrorMessage } from '../utils/error.ts';
+
+const SMARTPROXY_SERVICE_NAME = 'onebox-smartproxy';
+const LEGACY_CADDY_SERVICE_NAME = 'onebox-caddy';
+const SMARTPROXY_IMAGE = 'code.foss.global/host.today/ht-docker-smartproxy:latest';
+const SMARTPROXY_ADMIN_CONTAINER_PORT = 3000;
+const SMARTPROXY_HTTP_CONTAINER_PORT = 80;
+const SMARTPROXY_HTTPS_CONTAINER_PORT = 443;
+
+export interface ISmartProxyRoute {
+  domain: string;
+  upstream: string;
+}
+
+export interface ISmartProxyCertificate {
+  domain: string;
+  certPem: string;
+  keyPem: string;
+}
+
+interface ISmartProxyRouteConfig {
+  name: string;
+  match: {
+    ports: number;
+    domains: string;
+    protocol?: 'http' | 'tcp' | 'udp' | 'quic' | 'http3';
+  };
+  action: {
+    type: 'forward';
+    targets: Array<{ host: string; port: number }>;
+    tls?: {
+      mode: 'terminate';
+      certificate: {
+        key: string;
+        cert: string;
+      };
+    };
+    websocket?: {
+      enabled: boolean;
+    };
+  };
+  priority?: number;
+}
+
+export class SmartProxyManager {
+  private dockerClient: InstanceType<typeof plugins.docker.Docker> | null = null;
+  private certsDir: string;
+  private adminUrl: string;
+  private adminPort: number;
+  private httpPort: number;
+  private httpsPort: number;
+  private routes: Map<string, ISmartProxyRoute> = new Map();
+  private certificates: Map<string, ISmartProxyCertificate> = new Map();
+  private networkName = 'onebox-network';
+  private serviceRunning = false;
+
+  constructor(options?: {
+    certsDir?: string;
+    adminPort?: number;
+    httpPort?: number;
+    httpsPort?: number;
+  }) {
+    this.certsDir = options?.certsDir || './.nogit/certs';
+    this.adminPort = options?.adminPort || 2019;
+    this.adminUrl = `http://localhost:${this.adminPort}`;
+    this.httpPort = options?.httpPort || 8080;
+    this.httpsPort = options?.httpsPort || 8443;
+  }
+
+  private async ensureDockerClient(): Promise<void> {
+    if (!this.dockerClient) {
+      this.dockerClient = new plugins.docker.Docker({
+        socketPath: 'unix:///var/run/docker.sock',
+      });
+      await this.dockerClient.start();
+    }
+  }
+
+  setPorts(httpPort: number, httpsPort: number): void {
+    this.httpPort = httpPort;
+    this.httpsPort = httpsPort;
+  }
+
+  async start(): Promise<void> {
+    if (this.serviceRunning) {
+      logger.warn('SmartProxy service is already running');
+      return;
+    }
+
+    try {
+      await this.ensureDockerClient();
+      await Deno.mkdir(this.certsDir, { recursive: true });
+
+      logger.info('Starting SmartProxy Docker service...');
+
+      const legacyService = await this.getExistingService(LEGACY_CADDY_SERVICE_NAME);
+      if (legacyService) {
+        logger.info('Legacy Caddy service exists, removing it before SmartProxy startup...');
+        await this.removeService(LEGACY_CADDY_SERVICE_NAME);
+        await new Promise((resolve) => setTimeout(resolve, 2000));
+      }
+
+      const existingService = await this.getExistingService();
+      if (existingService) {
+        logger.info('SmartProxy service exists, removing old service...');
+        await this.removeService();
+        await new Promise((resolve) => setTimeout(resolve, 2000));
+      }
+
+      const networkId = await this.getNetworkId();
+
+      const response = await this.dockerClient!.request('POST', '/services/create', {
+        Name: SMARTPROXY_SERVICE_NAME,
+        Labels: {
+          'managed-by': 'onebox',
+          'onebox-type': 'smartproxy',
+        },
+        TaskTemplate: {
+          ContainerSpec: {
+            Image: SMARTPROXY_IMAGE,
+            Env: [
+              'SMARTPROXY_ADMIN_HOST=0.0.0.0',
+              `SMARTPROXY_ADMIN_PORT=${SMARTPROXY_ADMIN_CONTAINER_PORT}`,
+            ],
+          },
+          Networks: [
+            {
+              Target: networkId,
+            },
+          ],
+          RestartPolicy: {
+            Condition: 'any',
+            MaxAttempts: 0,
+          },
+        },
+        Mode: {
+          Replicated: {
+            Replicas: 1,
+          },
+        },
+        EndpointSpec: {
+          Ports: [
+            {
+              Protocol: 'tcp',
+              TargetPort: SMARTPROXY_HTTP_CONTAINER_PORT,
+              PublishedPort: this.httpPort,
+              PublishMode: 'host',
+            },
+            {
+              Protocol: 'tcp',
+              TargetPort: SMARTPROXY_HTTPS_CONTAINER_PORT,
+              PublishedPort: this.httpsPort,
+              PublishMode: 'host',
+            },
+            {
+              Protocol: 'tcp',
+              TargetPort: SMARTPROXY_ADMIN_CONTAINER_PORT,
+              PublishedPort: this.adminPort,
+              PublishMode: 'host',
+            },
+          ],
+        },
+      });
+
+      if (response.statusCode >= 300) {
+        throw new Error(`Failed to create SmartProxy service: HTTP ${response.statusCode} - ${JSON.stringify(response.body)}`);
+      }
+
+      logger.info(`SmartProxy service created: ${response.body.ID}`);
+
+      await this.waitForReady();
+      this.serviceRunning = true;
+      await this.reloadConfig();
+
+      logger.success(`SmartProxy started (HTTP: ${this.httpPort}, HTTPS: ${this.httpsPort}, Admin: ${this.adminUrl})`);
+    } catch (error) {
+      logger.error(`Failed to start SmartProxy: ${getErrorMessage(error)}`);
+      throw error;
+    }
+  }
+
+  private async getExistingService(serviceNameArg = SMARTPROXY_SERVICE_NAME): Promise<any | null> {
+    try {
+      const response = await this.dockerClient!.request('GET', `/services/${serviceNameArg}`, {});
+      if (response.statusCode === 200) {
+        return response.body;
+      }
+      return null;
+    } catch {
+      return null;
+    }
+  }
+
+  private async removeService(serviceNameArg = SMARTPROXY_SERVICE_NAME): Promise<void> {
+    try {
+      await this.dockerClient!.request('DELETE', `/services/${serviceNameArg}`, {});
+    } catch {
+      // Service may not exist.
+    }
+  }
+
+  private async getNetworkId(): Promise<string> {
+    const networks = await this.dockerClient!.listNetworks();
+    const network = networks.find((n: any) => n.Name === this.networkName);
+    if (!network) {
+      throw new Error(`Network not found: ${this.networkName}`);
+    }
+    return network.Id;
+  }
+
+  private async waitForReady(maxAttempts = 120, intervalMs = 1000): Promise<void> {
+    for (let i = 0; i < maxAttempts; i++) {
+      try {
+        const response = await fetch(`${this.adminUrl}/ready`);
+        if (response.ok) {
+          return;
+        }
+      } catch {
+        // Not ready yet.
+      }
+      await new Promise((resolve) => setTimeout(resolve, intervalMs));
+    }
+    throw new Error('SmartProxy service failed to start within timeout');
+  }
+
+  async stop(): Promise<void> {
+    if (!this.serviceRunning && !(await this.getExistingService())) {
+      return;
+    }
+
+    try {
+      await this.ensureDockerClient();
+
+      logger.info('Stopping SmartProxy service...');
+      await this.removeService();
+
+      this.serviceRunning = false;
+      logger.info('SmartProxy service stopped');
+    } catch (error) {
+      logger.error(`Failed to stop SmartProxy: ${getErrorMessage(error)}`);
+    }
+  }
+
+  async isHealthy(): Promise<boolean> {
+    try {
+      const response = await fetch(`${this.adminUrl}/health`);
+      return response.ok;
+    } catch {
+      return false;
+    }
+  }
+
+  async isRunning(): Promise<boolean> {
+    try {
+      await this.ensureDockerClient();
+      const service = await this.getExistingService();
+      if (!service) return false;
+
+      const tasksResponse = await this.dockerClient!.request(
+        'GET',
+        `/tasks?filters=${encodeURIComponent(JSON.stringify({ service: [SMARTPROXY_SERVICE_NAME] }))}`,
+        {},
+      );
+
+      if (tasksResponse.statusCode !== 200) return false;
+
+      const tasks = tasksResponse.body;
+      return tasks.some((task: any) => task.Status?.State === 'running');
+    } catch {
+      return false;
+    }
+  }
+
+  private routeName(prefixArg: string, domainArg: string): string {
+    return `${prefixArg}-${domainArg.replace(/[^a-zA-Z0-9]+/g, '-').replace(/^-|-$/g, '')}`;
+  }
+
+  private parseUpstream(upstreamArg: string): { host: string; port: number } {
+    const separatorIndex = upstreamArg.lastIndexOf(':');
+    if (separatorIndex <= 0 || separatorIndex === upstreamArg.length - 1) {
+      throw new Error(`Invalid upstream target: ${upstreamArg}`);
+    }
+
+    const host = upstreamArg.slice(0, separatorIndex);
+    const port = Number(upstreamArg.slice(separatorIndex + 1));
+    if (!Number.isInteger(port) || port < 1 || port > 65535) {
+      throw new Error(`Invalid upstream port in target: ${upstreamArg}`);
+    }
+
+    return { host, port };
+  }
+
+  private buildRoutes(): ISmartProxyRouteConfig[] {
+    const routeConfigs: ISmartProxyRouteConfig[] = [];
+
+    for (const [domain, route] of this.routes) {
+      const target = this.parseUpstream(route.upstream);
+      const baseAction = {
+        type: 'forward' as const,
+        targets: [target],
+        websocket: {
+          enabled: true,
+        },
+      };
+
+      routeConfigs.push({
+        name: this.routeName('http', domain),
+        match: {
+          ports: SMARTPROXY_HTTP_CONTAINER_PORT,
+          domains: domain,
+          protocol: 'http',
+        },
+        action: baseAction,
+        priority: 10,
+      });
+
+      const certificate = this.certificates.get(domain);
+      if (certificate) {
+        routeConfigs.push({
+          name: this.routeName('https', domain),
+          match: {
+            ports: SMARTPROXY_HTTPS_CONTAINER_PORT,
+            domains: domain,
+            protocol: 'http',
+          },
+          action: {
+            ...baseAction,
+            tls: {
+              mode: 'terminate',
+              certificate: {
+                key: certificate.keyPem,
+                cert: certificate.certPem,
+              },
+            },
+          },
+          priority: 20,
+        });
+      }
+    }
+
+    return routeConfigs;
+  }
+
+  async reloadConfig(): Promise<void> {
+    const isRunning = await this.isRunning();
+    if (!isRunning) {
+      logger.warn('SmartProxy not running, cannot reload config');
+      return;
+    }
+
+    const routes = this.buildRoutes();
+
+    try {
+      const response = await fetch(`${this.adminUrl}/routes`, {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ routes }),
+      });
+
+      if (!response.ok) {
+        const text = await response.text();
+        throw new Error(`Failed to reload SmartProxy routes: ${response.status} ${text}`);
+      }
+
+      logger.debug('SmartProxy routes reloaded');
+    } catch (error) {
+      logger.error(`Failed to reload SmartProxy routes: ${getErrorMessage(error)}`);
+      throw error;
+    }
+  }
+
+  async addRoute(domain: string, upstream: string): Promise<void> {
+    this.routes.set(domain, { domain, upstream });
+
+    if (await this.isRunning()) {
+      await this.reloadConfig();
+    }
+
+    logger.success(`Added SmartProxy route: ${domain} -> ${upstream}`);
+  }
+
+  async removeRoute(domain: string): Promise<void> {
+    if (this.routes.delete(domain)) {
+      if (await this.isRunning()) {
+        await this.reloadConfig();
+      }
+      logger.success(`Removed SmartProxy route: ${domain}`);
+    }
+  }
+
+  async addCertificate(domain: string, certPem: string, keyPem: string): Promise<void> {
+    this.certificates.set(domain, {
+      domain,
+      certPem,
+      keyPem,
+    });
+
+    try {
+      await Deno.mkdir(this.certsDir, { recursive: true });
+      await Deno.writeTextFile(`${this.certsDir}/${domain}.crt`, certPem);
+      await Deno.writeTextFile(`${this.certsDir}/${domain}.key`, keyPem);
+    } catch (error) {
+      logger.warn(`Failed to write certificate backup for ${domain}: ${getErrorMessage(error)}`);
+    }
+
+    if (await this.isRunning()) {
+      await this.reloadConfig();
+    }
+
+    logger.success(`Added TLS certificate for ${domain}`);
+  }
+
+  async removeCertificate(domain: string): Promise<void> {
+    if (this.certificates.delete(domain)) {
+      try {
+        await Deno.remove(`${this.certsDir}/${domain}.crt`);
+        await Deno.remove(`${this.certsDir}/${domain}.key`);
+      } catch {
+        // Files may not exist.
+      }
+
+      if (await this.isRunning()) {
+        await this.reloadConfig();
+      }
+
+      logger.success(`Removed TLS certificate for ${domain}`);
+    }
+  }
+
+  getRoutes(): ISmartProxyRoute[] {
+    return Array.from(this.routes.values());
+  }
+
+  getCertificates(): ISmartProxyCertificate[] {
+    return Array.from(this.certificates.values());
+  }
+
+  clear(): void {
+    this.routes.clear();
+    this.certificates.clear();
+  }
+
+  getStatus(): {
+    running: boolean;
+    httpPort: number;
+    httpsPort: number;
+    routes: number;
+    certificates: number;
+  } {
+    return {
+      running: this.serviceRunning,
+      httpPort: this.httpPort,
+      httpsPort: this.httpsPort,
+      routes: this.routes.size,
+      certificates: this.certificates.size,
+    };
+  }
+}

ts/classes/ssl.ts

@@ -39,11 +39,11 @@ export class OneboxSslManager {
       this.acmeEmail = acmeEmail;
 
       // Get Cloudflare API key (reuse from DNS manager)
-      const cfApiKey = this.database.getSetting('cloudflareAPIKey');
+      const cfApiKey = await this.database.getSecretSetting('cloudflareToken');
 
       if (!cfApiKey) {
         logger.warn('Cloudflare API key not configured. SSL certificate management will be limited.');
-        logger.info('Configure with: onebox config set cloudflareAPIKey <key>');
+        logger.info('Configure with: onebox config set cloudflareToken <key>');
         return;
       }
 

ts/classes/systemd.ts

@@ -0,0 +1,243 @@
+/**
+ * Systemd Service Manager for Onebox
+ *
+ * Handles systemd unit file installation, enabling, starting, stopping,
+ * and status checking. Modeled on nupst's direct systemctl approach —
+ * no external library dependencies.
+ */
+
+import { logger } from '../logging.ts';
+import { getErrorMessage } from '../utils/error.ts';
+
+const SERVICE_NAME = 'onebox';
+const SERVICE_FILE_PATH = '/etc/systemd/system/onebox.service';
+
+const SERVICE_UNIT_TEMPLATE = `[Unit]
+Description=Onebox - Self-hosted container platform
+After=network-online.target docker.service
+Wants=network-online.target
+Requires=docker.service
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/onebox systemd start-daemon
+Restart=always
+RestartSec=10
+WorkingDirectory=/var/lib/onebox
+Environment=PATH=/usr/bin:/usr/local/bin
+Environment=HOME=/root
+Environment=DENO_DIR=/root/.cache/deno
+
+[Install]
+WantedBy=multi-user.target
+`;
+
+export class OneboxSystemd {
+  /**
+   * Install and enable the systemd service
+   */
+  async enable(): Promise<void> {
+    try {
+      // Ensure Docker is installed before writing unit file (it requires docker.service)
+      await this.ensureDocker();
+
+      // Write the unit file
+      logger.info('Writing systemd unit file...');
+      await Deno.writeTextFile(SERVICE_FILE_PATH, SERVICE_UNIT_TEMPLATE);
+      logger.info(`Unit file written to ${SERVICE_FILE_PATH}`);
+
+      // Reload systemd daemon
+      await this.runSystemctl(['daemon-reload']);
+
+      // Enable the service
+      const result = await this.runSystemctl(['enable', `${SERVICE_NAME}.service`]);
+      if (!result.success) {
+        throw new Error(`Failed to enable service: ${result.stderr}`);
+      }
+
+      logger.success('Onebox systemd service enabled');
+      logger.info('Start with: onebox systemd start');
+    } catch (error) {
+      logger.error(`Failed to enable service: ${getErrorMessage(error)}`);
+      throw error;
+    }
+  }
+
+  /**
+   * Stop, disable, and remove the systemd service
+   */
+  async disable(): Promise<void> {
+    try {
+      // Stop the service (ignore errors if not running)
+      await this.runSystemctl(['stop', `${SERVICE_NAME}.service`]);
+
+      // Disable the service
+      await this.runSystemctl(['disable', `${SERVICE_NAME}.service`]);
+
+      // Remove the unit file
+      try {
+        await Deno.remove(SERVICE_FILE_PATH);
+        logger.info(`Removed ${SERVICE_FILE_PATH}`);
+      } catch {
+        // File might not exist
+      }
+
+      // Reload systemd daemon
+      await this.runSystemctl(['daemon-reload']);
+
+      logger.success('Onebox systemd service disabled and removed');
+    } catch (error) {
+      logger.error(`Failed to disable service: ${getErrorMessage(error)}`);
+      throw error;
+    }
+  }
+
+  /**
+   * Start the service via systemctl
+   */
+  async start(): Promise<void> {
+    const result = await this.runSystemctl(['start', `${SERVICE_NAME}.service`]);
+    if (!result.success) {
+      logger.error(`Failed to start service: ${result.stderr}`);
+      throw new Error(`Failed to start onebox service`);
+    }
+    logger.success('Onebox service started');
+  }
+
+  /**
+   * Stop the service via systemctl
+   */
+  async stop(): Promise<void> {
+    const result = await this.runSystemctl(['stop', `${SERVICE_NAME}.service`]);
+    if (!result.success) {
+      logger.error(`Failed to stop service: ${result.stderr}`);
+      throw new Error(`Failed to stop onebox service`);
+    }
+    logger.success('Onebox service stopped');
+  }
+
+  /**
+   * Get and display service status
+   */
+  async getStatus(): Promise<string> {
+    const result = await this.runSystemctl(['status', `${SERVICE_NAME}.service`]);
+    const output = result.stdout;
+
+    let status: string;
+    if (output.includes('active (running)')) {
+      status = 'running';
+    } else if (output.includes('inactive') || output.includes('dead')) {
+      status = 'stopped';
+    } else if (output.includes('failed')) {
+      status = 'failed';
+    } else if (!result.success && result.stderr.includes('could not be found')) {
+      status = 'not-installed';
+    } else {
+      status = 'unknown';
+    }
+
+    // Print the raw systemctl output for full details
+    if (output.trim()) {
+      console.log(output);
+    }
+
+    return status;
+  }
+
+  /**
+   * Show service logs via journalctl
+   */
+  async showLogs(): Promise<void> {
+    const cmd = new Deno.Command('journalctl', {
+      args: ['-u', `${SERVICE_NAME}.service`, '-f'],
+      stdout: 'inherit',
+      stderr: 'inherit',
+    });
+    await cmd.output();
+  }
+
+  /**
+   * Check if the service unit file is installed
+   */
+  async isInstalled(): Promise<boolean> {
+    try {
+      await Deno.stat(SERVICE_FILE_PATH);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Ensure Docker is installed, installing it if necessary
+   */
+  private async ensureDocker(): Promise<void> {
+    try {
+      const cmd = new Deno.Command('docker', {
+        args: ['--version'],
+        stdout: 'piped',
+        stderr: 'piped',
+      });
+      const result = await cmd.output();
+      if (result.success) {
+        const version = new TextDecoder().decode(result.stdout).trim();
+        logger.info(`Docker found: ${version}`);
+        return;
+      }
+    } catch {
+      // docker command not found
+    }
+
+    logger.info('Docker not found. Installing Docker...');
+    const installCmd = new Deno.Command('bash', {
+      args: ['-c', 'curl -fsSL https://get.docker.com | sh'],
+      stdin: 'inherit',
+      stdout: 'inherit',
+      stderr: 'inherit',
+    });
+    const installResult = await installCmd.output();
+    if (!installResult.success) {
+      throw new Error('Failed to install Docker. Please install it manually: curl -fsSL https://get.docker.com | sh');
+    }
+    logger.success('Docker installed successfully');
+
+    // Initialize Docker Swarm
+    logger.info('Initializing Docker Swarm...');
+    const swarmCmd = new Deno.Command('docker', {
+      args: ['swarm', 'init'],
+      stdout: 'piped',
+      stderr: 'piped',
+    });
+    const swarmResult = await swarmCmd.output();
+    if (swarmResult.success) {
+      logger.success('Docker Swarm initialized');
+    } else {
+      const stderr = new TextDecoder().decode(swarmResult.stderr);
+      if (stderr.includes('already part of a swarm')) {
+        logger.info('Docker Swarm already initialized');
+      } else {
+        logger.warn(`Docker Swarm init warning: ${stderr.trim()}`);
+      }
+    }
+  }
+
+  /**
+   * Run a systemctl command and return results
+   */
+  private async runSystemctl(
+    args: string[]
+  ): Promise<{ success: boolean; stdout: string; stderr: string }> {
+    const cmd = new Deno.Command('systemctl', {
+      args,
+      stdout: 'piped',
+      stderr: 'piped',
+    });
+
+    const result = await cmd.output();
+    return {
+      success: result.success,
+      stdout: new TextDecoder().decode(result.stdout),
+      stderr: new TextDecoder().decode(result.stderr),
+    };
+  }
+}

ts/cli.ts

@@ -7,16 +7,18 @@ import { projectInfo } from './info.ts';
 import { getErrorMessage } from './utils/error.ts';
 import { Onebox } from './classes/onebox.ts';
 import { OneboxDaemon } from './classes/daemon.ts';
+import { OneboxSystemd } from './classes/systemd.ts';
+import type { IAppVersionConfig } from './classes/appstore-types.ts';
 
 export async function runCli(): Promise<void> {
   const args = Deno.args;
 
-  if (args.length === 0 || args.includes('--help') || args.includes('-h')) {
+  if (args.length === 0 || (args.length === 1 && (args[0] === '--help' || args[0] === '-h'))) {
     printHelp();
     return;
   }
 
-  if (args.includes('--version') || args.includes('-v')) {
+  if (args.length === 1 && (args[0] === '--version' || args[0] === '-v')) {
     console.log(`${projectInfo.name} v${projectInfo.version}`);
     return;
   }
@@ -25,6 +27,19 @@ export async function runCli(): Promise<void> {
   const subcommand = args[1];
 
   try {
+    // === LIGHTWEIGHT COMMANDS (no init()) ===
+    if (command === 'systemd') {
+      await handleSystemdCommand(subcommand, args.slice(2));
+      return;
+    }
+
+    if (command === 'upgrade') {
+      await handleUpgradeCommand();
+      return;
+    }
+
+    // === HEAVY COMMANDS (require full init()) ===
+
     // Server command has special handling (doesn't shut down)
     if (command === 'server') {
       const onebox = new Onebox();
@@ -56,12 +71,13 @@ export async function runCli(): Promise<void> {
         await handleSslCommand(onebox, subcommand, args.slice(2));
         break;
 
-      case 'nginx':
-        await handleNginxCommand(onebox, subcommand, args.slice(2));
+      case 'appstore':
+        await handleAppStoreCommand(onebox, subcommand, args.slice(2));
         break;
 
-      case 'daemon':
-        await handleDaemonCommand(onebox, subcommand, args.slice(2));
+      case 'proxy':
+      case 'nginx':
+        await handleNginxCommand(onebox, subcommand, args.slice(2));
         break;
 
       case 'config':
@@ -94,12 +110,11 @@ async function handleServiceCommand(onebox: Onebox, subcommand: string, args: st
       const image = getArg(args, '--image');
       const domain = getArg(args, '--domain');
       const port = parseInt(getArg(args, '--port') || '80', 10);
-      const envArgs = args.filter((a) => a.startsWith('--env=')).map((a) => a.slice(6));
-      const envVars: Record<string, string> = {};
-      for (const env of envArgs) {
-        const [key, value] = env.split('=');
-        envVars[key] = value;
-      }
+      const envVars = parseEnvArgs(args);
+
+      requireValue(name, 'service name');
+      requireValue(image, '--image');
+      assertValidPort(port, '--port');
 
       await onebox.services.deployService({ name, image, port, domain, envVars });
       break;
@@ -148,6 +163,7 @@ async function handleRegistryCommand(onebox: Onebox, subcommand: string, args: s
       const url = getArg(args, '--url');
       const username = getArg(args, '--username');
       const password = getArg(args, '--password');
+      requireValue(url, '--url');
       await onebox.registries.addRegistry(url, username, password);
       break;
     }
@@ -170,6 +186,76 @@ async function handleRegistryCommand(onebox: Onebox, subcommand: string, args: s
   }
 }
 
+// App Store commands
+async function handleAppStoreCommand(onebox: Onebox, subcommand: string, args: string[]) {
+  switch (subcommand) {
+    case 'list': {
+      const apps = await onebox.appStore.getApps();
+      logger.table(
+        ['ID', 'Name', 'Category', 'Latest'],
+        apps.map((app) => [app.id, app.name, app.category, app.latestVersion])
+      );
+      break;
+    }
+
+    case 'config': {
+      const appId = args[0];
+      requireValue(appId, 'app id');
+      const appMeta = await onebox.appStore.getAppMeta(appId);
+      const version = getArg(args, '--version') || appMeta.latestVersion;
+      const config = await onebox.appStore.getAppVersionConfig(appId, version);
+      console.log(JSON.stringify({ appMeta, version, config }, null, 2));
+      break;
+    }
+
+    case 'install': {
+      const appId = args[0];
+      requireValue(appId, 'app id');
+
+      const appMeta = await onebox.appStore.getAppMeta(appId);
+      const version = getArg(args, '--version') || appMeta.latestVersion;
+      const config = await onebox.appStore.getAppVersionConfig(appId, version);
+      const serviceName = getArg(args, '--name') || appId;
+      const domain = getArg(args, '--domain');
+      const port = parseInt(getArg(args, '--port') || String(config.port), 10);
+      const envVars = getAppStoreEnvVars(config, parseEnvArgs(args));
+      const autoDNS = getBooleanArg(args, '--auto-dns', true);
+
+      requireValue(serviceName, '--name');
+      assertValidPort(port, '--port');
+      if (requiresTemplateValue(envVars, 'SERVICE_DOMAIN')) {
+        requireValue(domain, '--domain');
+      }
+
+      const service = await onebox.services.deployService({
+        name: serviceName,
+        image: config.image,
+        port,
+        domain,
+        autoDNS,
+        envVars,
+        enableMongoDB: Boolean(config.platformRequirements?.mongodb),
+        enableS3: Boolean(config.platformRequirements?.s3),
+        enableClickHouse: Boolean(config.platformRequirements?.clickhouse),
+        enableRedis: Boolean(config.platformRequirements?.redis),
+        enableMariaDB: Boolean(config.platformRequirements?.mariadb),
+        appTemplateId: appId,
+        appTemplateVersion: version,
+      });
+
+      logger.success(`Installed ${appMeta.name} ${version} as ${service.name}`);
+      if (service.domain) {
+        logger.info(`Route: https://${service.domain}`);
+      }
+      break;
+    }
+
+    default:
+      logger.error(`Unknown appstore subcommand: ${subcommand}`);
+      logger.info('Available: list, config, install');
+  }
+}
+
 // DNS commands
 async function handleDnsCommand(onebox: Onebox, subcommand: string, args: string[]) {
   switch (subcommand) {
@@ -278,7 +364,7 @@ async function handleServerCommand(onebox: Onebox, args: string[]) {
       await OneboxDaemon.ensureNoDaemon();
     } catch (error) {
       logger.error('Cannot start in ephemeral mode: Daemon is already running');
-      logger.info('Stop the daemon first: onebox daemon stop');
+      logger.info('Stop the daemon first: onebox systemd stop');
       logger.info('Or run without --ephemeral to use the existing daemon');
       Deno.exit(1);
     }
@@ -322,39 +408,49 @@ async function handleServerCommand(onebox: Onebox, args: string[]) {
   }
 }
 
-// Daemon commands
-async function handleDaemonCommand(onebox: Onebox, subcommand: string, _args: string[]) {
+// Systemd service commands (lightweight — no Onebox init)
+async function handleSystemdCommand(subcommand: string, _args: string[]) {
+  const systemd = new OneboxSystemd();
+
   switch (subcommand) {
-    case 'install':
-      await onebox.daemon.installService();
+    case 'enable':
+      await systemd.enable();
+      break;
+
+    case 'disable':
+      await systemd.disable();
       break;
 
     case 'start':
-      await onebox.startDaemon();
+      await systemd.start();
       break;
 
     case 'stop':
-      await onebox.stopDaemon();
+      await systemd.stop();
       break;
 
-    case 'logs': {
-      const command = new Deno.Command('journalctl', {
-        args: ['-u', 'smartdaemon_onebox', '-f'],
-        stdout: 'inherit',
-        stderr: 'inherit',
-      });
-      await command.output();
+    case 'status': {
+      const status = await systemd.getStatus();
+      logger.info(`Service status: ${status}`);
       break;
     }
 
-    case 'status': {
-      const status = await onebox.daemon.getServiceStatus();
-      logger.info(`Daemon status: ${status}`);
+    case 'logs':
+      await systemd.showLogs();
+      break;
+
+    case 'start-daemon': {
+      // This is what systemd's ExecStart calls — full init + daemon loop
+      const onebox = new Onebox();
+      await onebox.init();
+      await onebox.daemon.start();
+      // start() blocks (keepAlive loop) until SIGTERM/SIGINT
       break;
     }
 
     default:
-      logger.error(`Unknown daemon subcommand: ${subcommand}`);
+      logger.error(`Unknown systemd subcommand: ${subcommand}`);
+      logger.info('Available: enable, disable, start, stop, status, logs');
   }
 }
 
@@ -362,7 +458,17 @@ async function handleDaemonCommand(onebox: Onebox, subcommand: string, _args: st
 async function handleConfigCommand(onebox: Onebox, subcommand: string, args: string[]) {
   switch (subcommand) {
     case 'show': {
+      for (const secretKey of onebox.database.getCanonicalSecretSettingKeys()) {
+        await onebox.database.getSecretSetting(secretKey);
+      }
+
       const settings = onebox.database.getAllSettings();
+      for (const secretKey of onebox.database.getCanonicalSecretSettingKeys()) {
+        if (await onebox.database.hasSecretSetting(secretKey)) {
+          settings[secretKey] = '********';
+        }
+      }
+
       logger.table(
         ['Key', 'Value'],
         Object.entries(settings).map(([k, v]) => [k, v])
@@ -371,7 +477,11 @@ async function handleConfigCommand(onebox: Onebox, subcommand: string, args: str
     }
 
     case 'set':
-      onebox.database.setSetting(args[0], args[1]);
+      if (onebox.database.isSecretSettingKey(args[0])) {
+        await onebox.database.setSecretSetting(args[0], args[1]);
+      } else {
+        onebox.database.setSetting(args[0], args[1]);
+      }
       logger.success(`Setting ${args[0]} updated`);
       break;
 
@@ -386,10 +496,180 @@ async function handleStatusCommand(onebox: Onebox) {
   console.log(JSON.stringify(status, null, 2));
 }
 
+// Upgrade command - self-update onebox to latest version
+async function handleUpgradeCommand(): Promise<void> {
+  // Check if running as root
+  if (Deno.uid() !== 0) {
+    logger.error('This command must be run as root to upgrade Onebox.');
+    logger.info('Try: sudo onebox upgrade');
+    Deno.exit(1);
+  }
+
+  logger.info('Checking for updates...');
+
+  try {
+    // Get current version
+    const currentVersion = projectInfo.version;
+
+    // Fetch latest version from Gitea API
+    const apiUrl = 'https://code.foss.global/api/v1/repos/serve.zone/onebox/releases/latest';
+    const curlCmd = new Deno.Command('curl', {
+      args: ['-sSL', apiUrl],
+      stdout: 'piped',
+      stderr: 'piped',
+    });
+    const curlResult = await curlCmd.output();
+    const response = new TextDecoder().decode(curlResult.stdout);
+    const release = JSON.parse(response);
+    const latestVersion = release.tag_name as string; // e.g., "v1.11.0"
+
+    // Normalize versions for comparison (ensure both have "v" prefix)
+    const normalizedCurrent = currentVersion.startsWith('v')
+      ? currentVersion
+      : `v${currentVersion}`;
+    const normalizedLatest = latestVersion.startsWith('v')
+      ? latestVersion
+      : `v${latestVersion}`;
+
+    console.log(`  Current version: ${normalizedCurrent}`);
+    console.log(`  Latest version:  ${normalizedLatest}`);
+    console.log('');
+
+    // Compare normalized versions
+    if (normalizedCurrent === normalizedLatest) {
+      logger.success('Already up to date!');
+      return;
+    }
+
+    logger.info(`New version available: ${latestVersion}`);
+    logger.info('Downloading and installing...');
+    console.log('');
+
+    // Download and run the install script
+    const installUrl = 'https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh';
+    const installCmd = new Deno.Command('bash', {
+      args: ['-c', `curl -sSL ${installUrl} | bash`],
+      stdin: 'inherit',
+      stdout: 'inherit',
+      stderr: 'inherit',
+    });
+    const installResult = await installCmd.output();
+
+    if (!installResult.success) {
+      logger.error('Upgrade failed');
+      Deno.exit(1);
+    }
+
+    console.log('');
+    logger.success(`Upgraded to ${latestVersion}`);
+  } catch (error) {
+    logger.error(`Upgrade failed: ${getErrorMessage(error)}`);
+    Deno.exit(1);
+  }
+}
+
 // Helpers
 function getArg(args: string[], flag: string): string {
-  const arg = args.find((a) => a.startsWith(`${flag}=`));
-  return arg ? arg.split('=')[1] : '';
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg.startsWith(`${flag}=`)) {
+      return arg.slice(flag.length + 1);
+    }
+    if (arg === flag) {
+      const value = args[i + 1];
+      return value && !value.startsWith('--') ? value : '';
+    }
+  }
+  return '';
+}
+
+function getRepeatedArgs(args: string[], flag: string): string[] {
+  const values: string[] = [];
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg.startsWith(`${flag}=`)) {
+      values.push(arg.slice(flag.length + 1));
+      continue;
+    }
+    if (arg === flag) {
+      const value = args[i + 1];
+      if (value && !value.startsWith('--')) {
+        values.push(value);
+        i++;
+      }
+    }
+  }
+  return values;
+}
+
+function getBooleanArg(args: string[], flag: string, defaultValue: boolean): boolean {
+  if (args.includes(`--no-${flag.slice(2)}`)) {
+    return false;
+  }
+  const value = getArg(args, flag);
+  if (!value) {
+    return args.includes(flag) ? true : defaultValue;
+  }
+  return !['0', 'false', 'no', 'off'].includes(value.toLowerCase());
+}
+
+function parseEnvArgs(args: string[]): Record<string, string> {
+  const envVars: Record<string, string> = {};
+  for (const envArg of getRepeatedArgs(args, '--env')) {
+    const separatorIndex = envArg.indexOf('=');
+    if (separatorIndex === -1) {
+      throw new Error(`Invalid --env value '${envArg}'. Expected KEY=VALUE.`);
+    }
+    const key = envArg.slice(0, separatorIndex);
+    const value = envArg.slice(separatorIndex + 1);
+    requireValue(key, '--env key');
+    envVars[key] = value;
+  }
+  return envVars;
+}
+
+function getAppStoreEnvVars(
+  configArg: IAppVersionConfig,
+  overridesArg: Record<string, string>,
+): Record<string, string> {
+  const envVars: Record<string, string> = {};
+  const missingRequiredEnvVars: string[] = [];
+
+  for (const envVar of configArg.envVars || []) {
+    const value = overridesArg[envVar.key] ?? envVar.value ?? '';
+    if (envVar.required && !value) {
+      missingRequiredEnvVars.push(envVar.key);
+    }
+    envVars[envVar.key] = value;
+  }
+
+  for (const [key, value] of Object.entries(overridesArg)) {
+    envVars[key] = value;
+  }
+
+  if (missingRequiredEnvVars.length > 0) {
+    throw new Error(
+      `Missing required app env var(s): ${missingRequiredEnvVars.join(', ')}. Use --env KEY=VALUE.`
+    );
+  }
+
+  return envVars;
+}
+
+function requiresTemplateValue(envVarsArg: Record<string, string>, templateNameArg: string): boolean {
+  return Object.values(envVarsArg).some((value) => value.includes(`\${${templateNameArg}}`));
+}
+
+function requireValue(valueArg: string | undefined, labelArg: string): asserts valueArg is string {
+  if (!valueArg) {
+    throw new Error(`Missing required ${labelArg}`);
+  }
+}
+
+function assertValidPort(portArg: number, labelArg: string): void {
+  if (!Number.isInteger(portArg) || portArg <= 0 || portArg > 65535) {
+    throw new Error(`Invalid ${labelArg}: ${portArg}`);
+  }
 }
 
 function printHelp(): void {
@@ -426,21 +706,29 @@ Commands:
   ssl list
   ssl force-renew <domain>
 
-  nginx reload
-  nginx test
-  nginx status
+  appstore list
+  appstore config <app-id> [--version <version>]
+  appstore install <app-id> --name <name> [--domain <domain>] [--version <version>] [--env KEY=VALUE]
 
-  daemon install
-  daemon start
-  daemon stop
-  daemon logs
-  daemon status
+  proxy reload                  # nginx alias is still supported
+  proxy test
+  proxy status
+
+  systemd enable             Install and enable systemd service
+  systemd disable            Stop, disable, and remove systemd service
+  systemd start              Start onebox via systemctl
+  systemd stop               Stop onebox via systemctl
+  systemd status             Show systemd service status
+  systemd logs               Follow service logs (journalctl)
 
   config show
   config set <key> <value>
 
   status
 
+  upgrade
+      Upgrade Onebox to the latest version (requires root)
+
 Options:
   --help, -h     Show this help message
   --version, -v  Show version
@@ -451,15 +739,16 @@ Development Workflow:
   onebox service add ...               # In another terminal
 
 Production Workflow:
-  onebox daemon install                # Install systemd service
-  onebox daemon start                  # Start daemon
-  onebox service add ...               # CLI uses daemon
+  onebox systemd enable                # Install and enable systemd service
+  onebox systemd start                 # Start via systemctl
+  onebox service add ...               # CLI manages services
 
 Examples:
   onebox server --ephemeral            # Start dev server
   onebox service add myapp --image nginx:latest --domain app.example.com --port 80
+  onebox appstore install cloudly --name cloudly --domain cloudly.example.com --env SERVEZONE_ADMINACCOUNT=admin:password
   onebox registry add --url registry.example.com --username user --password pass
-  onebox daemon install
-  onebox daemon start
+  onebox systemd enable
+  onebox systemd start
 `);
 }

ts/database/index.ts

@@ -25,6 +25,8 @@ import type {
 import type { TBindValue } from './types.ts';
 import { logger } from '../logging.ts';
 import { getErrorMessage } from '../utils/error.ts';
+import { MigrationRunner } from './migrations/index.ts';
+import { SecretSettingsManager } from './secret-settings.ts';
 
 // Import repositories
 import {
@@ -49,6 +51,7 @@ export class OneboxDatabase {
   private metricsRepo!: MetricsRepository;
   private platformRepo!: PlatformRepository;
   private backupRepo!: BackupRepository;
+  public secretSettings!: SecretSettingsManager;
 
   constructor(dbPath = './.nogit/onebox.db') {
     this.dbPath = dbPath;
@@ -71,7 +74,8 @@ export class OneboxDatabase {
       await this.createTables();
 
       // Run migrations if needed
-      await this.runMigrations();
+      const runner = new MigrationRunner(this.query.bind(this));
+      runner.run();
 
       // Initialize repositories with bound query function
       const queryFn = this.query.bind(this);
@@ -82,6 +86,7 @@ export class OneboxDatabase {
       this.metricsRepo = new MetricsRepository(queryFn);
       this.platformRepo = new PlatformRepository(queryFn);
       this.backupRepo = new BackupRepository(queryFn);
+      this.secretSettings = new SecretSettingsManager(this.authRepo);
     } catch (error) {
       logger.error(`Failed to initialize database: ${getErrorMessage(error)}`);
       throw error;
@@ -227,6 +232,14 @@ export class OneboxDatabase {
       )
     `);
 
+    this.query(`
+      CREATE TABLE IF NOT EXISTS secret_settings (
+        key TEXT PRIMARY KEY,
+        value TEXT NOT NULL,
+        updated_at INTEGER NOT NULL
+      )
+    `);
+
     // Version table for migrations
     this.query(`
       CREATE TABLE IF NOT EXISTS migrations (
@@ -241,724 +254,6 @@ export class OneboxDatabase {
   /**
    * Run database migrations
    */
-  private async runMigrations(): Promise<void> {
-    if (!this.db) throw new Error('Database not initialized');
-
-    try {
-      const currentVersion = this.getMigrationVersion();
-      logger.info(`Current database migration version: ${currentVersion}`);
-
-      // Migration 1: Initial schema
-      if (currentVersion === 0) {
-        logger.info('Setting initial migration version to 1');
-        this.setMigrationVersion(1);
-      }
-
-      // Migration 2: Convert timestamp columns from INTEGER to REAL
-      const updatedVersion = this.getMigrationVersion();
-      if (updatedVersion < 2) {
-        logger.info('Running migration 2: Converting timestamps to REAL...');
-
-        // SSL certificates
-        this.query(`
-          CREATE TABLE ssl_certificates_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            domain TEXT NOT NULL UNIQUE,
-            cert_path TEXT NOT NULL,
-            key_path TEXT NOT NULL,
-            full_chain_path TEXT NOT NULL,
-            expiry_date REAL NOT NULL,
-            issuer TEXT NOT NULL,
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL
-          )
-        `);
-        this.query(`INSERT INTO ssl_certificates_new SELECT * FROM ssl_certificates`);
-        this.query(`DROP TABLE ssl_certificates`);
-        this.query(`ALTER TABLE ssl_certificates_new RENAME TO ssl_certificates`);
-
-        // Services
-        this.query(`
-          CREATE TABLE services_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            name TEXT NOT NULL UNIQUE,
-            image TEXT NOT NULL,
-            registry TEXT,
-            env_vars TEXT NOT NULL,
-            port INTEGER NOT NULL,
-            domain TEXT,
-            container_id TEXT,
-            status TEXT NOT NULL DEFAULT 'stopped',
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL
-          )
-        `);
-        this.query(`INSERT INTO services_new SELECT * FROM services`);
-        this.query(`DROP TABLE services`);
-        this.query(`ALTER TABLE services_new RENAME TO services`);
-
-        // Registries
-        this.query(`
-          CREATE TABLE registries_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            url TEXT NOT NULL UNIQUE,
-            username TEXT NOT NULL,
-            password_encrypted TEXT NOT NULL,
-            created_at REAL NOT NULL
-          )
-        `);
-        this.query(`INSERT INTO registries_new SELECT * FROM registries`);
-        this.query(`DROP TABLE registries`);
-        this.query(`ALTER TABLE registries_new RENAME TO registries`);
-
-        // Nginx configs
-        this.query(`
-          CREATE TABLE nginx_configs_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            service_id INTEGER NOT NULL,
-            domain TEXT NOT NULL,
-            port INTEGER NOT NULL,
-            ssl_enabled INTEGER NOT NULL DEFAULT 0,
-            config_template TEXT NOT NULL,
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL,
-            FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
-          )
-        `);
-        this.query(`INSERT INTO nginx_configs_new SELECT * FROM nginx_configs`);
-        this.query(`DROP TABLE nginx_configs`);
-        this.query(`ALTER TABLE nginx_configs_new RENAME TO nginx_configs`);
-
-        // DNS records
-        this.query(`
-          CREATE TABLE dns_records_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            domain TEXT NOT NULL UNIQUE,
-            type TEXT NOT NULL,
-            value TEXT NOT NULL,
-            cloudflare_id TEXT,
-            zone_id TEXT,
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL
-          )
-        `);
-        this.query(`INSERT INTO dns_records_new SELECT * FROM dns_records`);
-        this.query(`DROP TABLE dns_records`);
-        this.query(`ALTER TABLE dns_records_new RENAME TO dns_records`);
-
-        // Metrics
-        this.query(`
-          CREATE TABLE metrics_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            service_id INTEGER NOT NULL,
-            timestamp REAL NOT NULL,
-            cpu_percent REAL NOT NULL,
-            memory_used INTEGER NOT NULL,
-            memory_limit INTEGER NOT NULL,
-            network_rx_bytes INTEGER NOT NULL,
-            network_tx_bytes INTEGER NOT NULL,
-            FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
-          )
-        `);
-        this.query(`INSERT INTO metrics_new SELECT * FROM metrics`);
-        this.query(`DROP TABLE metrics`);
-        this.query(`ALTER TABLE metrics_new RENAME TO metrics`);
-        this.query(`CREATE INDEX IF NOT EXISTS idx_metrics_service_timestamp ON metrics(service_id, timestamp DESC)`);
-
-        // Logs
-        this.query(`
-          CREATE TABLE logs_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            service_id INTEGER NOT NULL,
-            timestamp REAL NOT NULL,
-            message TEXT NOT NULL,
-            level TEXT NOT NULL,
-            source TEXT NOT NULL,
-            FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
-          )
-        `);
-        this.query(`INSERT INTO logs_new SELECT * FROM logs`);
-        this.query(`DROP TABLE logs`);
-        this.query(`ALTER TABLE logs_new RENAME TO logs`);
-        this.query(`CREATE INDEX IF NOT EXISTS idx_logs_service_timestamp ON logs(service_id, timestamp DESC)`);
-
-        // Users
-        this.query(`
-          CREATE TABLE users_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            username TEXT NOT NULL UNIQUE,
-            password_hash TEXT NOT NULL,
-            role TEXT NOT NULL DEFAULT 'user',
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL
-          )
-        `);
-        this.query(`INSERT INTO users_new SELECT * FROM users`);
-        this.query(`DROP TABLE users`);
-        this.query(`ALTER TABLE users_new RENAME TO users`);
-
-        // Settings
-        this.query(`
-          CREATE TABLE settings_new (
-            key TEXT PRIMARY KEY,
-            value TEXT NOT NULL,
-            updated_at REAL NOT NULL
-          )
-        `);
-        this.query(`INSERT INTO settings_new SELECT * FROM settings`);
-        this.query(`DROP TABLE settings`);
-        this.query(`ALTER TABLE settings_new RENAME TO settings`);
-
-        // Migrations table itself
-        this.query(`
-          CREATE TABLE migrations_new (
-            version INTEGER PRIMARY KEY,
-            applied_at REAL NOT NULL
-          )
-        `);
-        this.query(`INSERT INTO migrations_new SELECT * FROM migrations`);
-        this.query(`DROP TABLE migrations`);
-        this.query(`ALTER TABLE migrations_new RENAME TO migrations`);
-
-        this.setMigrationVersion(2);
-        logger.success('Migration 2 completed: All timestamps converted to REAL');
-      }
-
-      // Migration 3: Domain management tables
-      const version3 = this.getMigrationVersion();
-      if (version3 < 3) {
-        logger.info('Running migration 3: Creating domain management tables...');
-
-        this.query(`
-          CREATE TABLE domains (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            domain TEXT NOT NULL UNIQUE,
-            dns_provider TEXT,
-            cloudflare_zone_id TEXT,
-            is_obsolete INTEGER NOT NULL DEFAULT 0,
-            default_wildcard INTEGER NOT NULL DEFAULT 1,
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL
-          )
-        `);
-
-        this.query(`
-          CREATE TABLE certificates (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            domain_id INTEGER NOT NULL,
-            cert_domain TEXT NOT NULL,
-            is_wildcard INTEGER NOT NULL DEFAULT 0,
-            cert_path TEXT NOT NULL,
-            key_path TEXT NOT NULL,
-            full_chain_path TEXT NOT NULL,
-            expiry_date REAL NOT NULL,
-            issuer TEXT NOT NULL,
-            is_valid INTEGER NOT NULL DEFAULT 1,
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL,
-            FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE
-          )
-        `);
-
-        this.query(`
-          CREATE TABLE cert_requirements (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            service_id INTEGER NOT NULL,
-            domain_id INTEGER NOT NULL,
-            subdomain TEXT NOT NULL,
-            certificate_id INTEGER,
-            status TEXT NOT NULL DEFAULT 'pending',
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL,
-            FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE,
-            FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE,
-            FOREIGN KEY (certificate_id) REFERENCES certificates(id) ON DELETE SET NULL
-          )
-        `);
-
-        interface OldSslCert {
-          id?: number;
-          domain?: string;
-          cert_path?: string;
-          key_path?: string;
-          full_chain_path?: string;
-          expiry_date?: number;
-          issuer?: string;
-          created_at?: number;
-          updated_at?: number;
-          [key: number]: unknown;
-        }
-        const existingCerts = this.query<OldSslCert>('SELECT * FROM ssl_certificates');
-
-        const now = Date.now();
-        const domainMap = new Map<string, number>();
-
-        for (const cert of existingCerts) {
-          const domain = String(cert.domain ?? (cert as Record<number, unknown>)[1]);
-          if (!domainMap.has(domain)) {
-            this.query(
-              'INSERT INTO domains (domain, dns_provider, is_obsolete, default_wildcard, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?)',
-              [domain, null, 0, 1, now, now]
-            );
-            const result = this.query<{ id?: number; [key: number]: unknown }>('SELECT last_insert_rowid() as id');
-            const domainId = result[0].id ?? (result[0] as Record<number, unknown>)[0];
-            domainMap.set(domain, Number(domainId));
-          }
-        }
-
-        for (const cert of existingCerts) {
-          const domain = String(cert.domain ?? (cert as Record<number, unknown>)[1]);
-          const domainId = domainMap.get(domain);
-
-          this.query(
-            `INSERT INTO certificates (
-              domain_id, cert_domain, is_wildcard, cert_path, key_path, full_chain_path,
-              expiry_date, issuer, is_valid, created_at, updated_at
-            ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
-            [
-              domainId,
-              domain,
-              0,
-              String(cert.cert_path ?? (cert as Record<number, unknown>)[2]),
-              String(cert.key_path ?? (cert as Record<number, unknown>)[3]),
-              String(cert.full_chain_path ?? (cert as Record<number, unknown>)[4]),
-              Number(cert.expiry_date ?? (cert as Record<number, unknown>)[5]),
-              String(cert.issuer ?? (cert as Record<number, unknown>)[6]),
-              1,
-              Number(cert.created_at ?? (cert as Record<number, unknown>)[7]),
-              Number(cert.updated_at ?? (cert as Record<number, unknown>)[8])
-            ]
-          );
-        }
-
-        this.query('DROP TABLE ssl_certificates');
-        this.query('CREATE INDEX IF NOT EXISTS idx_domains_cloudflare_zone ON domains(cloudflare_zone_id)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_certificates_domain ON certificates(domain_id)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_certificates_expiry ON certificates(expiry_date)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_cert_requirements_service ON cert_requirements(service_id)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_cert_requirements_domain ON cert_requirements(domain_id)');
-
-        this.setMigrationVersion(3);
-        logger.success('Migration 3 completed: Domain management tables created');
-      }
-
-      // Migration 4: Add Onebox Registry support columns
-      const version4 = this.getMigrationVersion();
-      if (version4 < 4) {
-        logger.info('Running migration 4: Adding Onebox Registry columns to services table...');
-
-        this.query(`ALTER TABLE services ADD COLUMN use_onebox_registry INTEGER DEFAULT 0`);
-        this.query(`ALTER TABLE services ADD COLUMN registry_repository TEXT`);
-        this.query(`ALTER TABLE services ADD COLUMN registry_token TEXT`);
-        this.query(`ALTER TABLE services ADD COLUMN registry_image_tag TEXT DEFAULT 'latest'`);
-        this.query(`ALTER TABLE services ADD COLUMN auto_update_on_push INTEGER DEFAULT 0`);
-        this.query(`ALTER TABLE services ADD COLUMN image_digest TEXT`);
-
-        this.setMigrationVersion(4);
-        logger.success('Migration 4 completed: Onebox Registry columns added to services table');
-      }
-
-      // Migration 5: Registry tokens table
-      const version5 = this.getMigrationVersion();
-      if (version5 < 5) {
-        logger.info('Running migration 5: Creating registry_tokens table...');
-
-        this.query(`
-          CREATE TABLE registry_tokens (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            name TEXT NOT NULL,
-            token_hash TEXT NOT NULL UNIQUE,
-            token_type TEXT NOT NULL,
-            scope TEXT NOT NULL,
-            expires_at REAL,
-            created_at REAL NOT NULL,
-            last_used_at REAL,
-            created_by TEXT NOT NULL
-          )
-        `);
-
-        this.query('CREATE INDEX IF NOT EXISTS idx_registry_tokens_type ON registry_tokens(token_type)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_registry_tokens_hash ON registry_tokens(token_hash)');
-
-        this.setMigrationVersion(5);
-        logger.success('Migration 5 completed: Registry tokens table created');
-      }
-
-      // Migration 6: Drop registry_token column from services table
-      const version6 = this.getMigrationVersion();
-      if (version6 < 6) {
-        logger.info('Running migration 6: Dropping registry_token column from services table...');
-
-        this.query(`
-          CREATE TABLE services_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            name TEXT NOT NULL UNIQUE,
-            image TEXT NOT NULL,
-            registry TEXT,
-            env_vars TEXT,
-            port INTEGER NOT NULL,
-            domain TEXT,
-            container_id TEXT,
-            status TEXT NOT NULL,
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL,
-            use_onebox_registry INTEGER DEFAULT 0,
-            registry_repository TEXT,
-            registry_image_tag TEXT DEFAULT 'latest',
-            auto_update_on_push INTEGER DEFAULT 0,
-            image_digest TEXT
-          )
-        `);
-
-        this.query(`
-          INSERT INTO services_new (
-            id, name, image, registry, env_vars, port, domain, container_id, status,
-            created_at, updated_at, use_onebox_registry, registry_repository,
-            registry_image_tag, auto_update_on_push, image_digest
-          )
-          SELECT
-            id, name, image, registry, env_vars, port, domain, container_id, status,
-            created_at, updated_at, use_onebox_registry, registry_repository,
-            registry_image_tag, auto_update_on_push, image_digest
-          FROM services
-        `);
-
-        this.query('DROP TABLE services');
-        this.query('ALTER TABLE services_new RENAME TO services');
-        this.query('CREATE INDEX IF NOT EXISTS idx_services_name ON services(name)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_services_status ON services(status)');
-
-        this.setMigrationVersion(6);
-        logger.success('Migration 6 completed: registry_token column dropped from services table');
-      }
-
-      // Migration 7: Platform services tables
-      const version7 = this.getMigrationVersion();
-      if (version7 < 7) {
-        logger.info('Running migration 7: Creating platform services tables...');
-
-        this.query(`
-          CREATE TABLE platform_services (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            name TEXT NOT NULL UNIQUE,
-            type TEXT NOT NULL,
-            status TEXT NOT NULL DEFAULT 'stopped',
-            container_id TEXT,
-            config TEXT NOT NULL DEFAULT '{}',
-            admin_credentials_encrypted TEXT,
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL
-          )
-        `);
-
-        this.query(`
-          CREATE TABLE platform_resources (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            platform_service_id INTEGER NOT NULL,
-            service_id INTEGER NOT NULL,
-            resource_type TEXT NOT NULL,
-            resource_name TEXT NOT NULL,
-            credentials_encrypted TEXT NOT NULL,
-            created_at REAL NOT NULL,
-            FOREIGN KEY (platform_service_id) REFERENCES platform_services(id) ON DELETE CASCADE,
-            FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
-          )
-        `);
-
-        this.query(`ALTER TABLE services ADD COLUMN platform_requirements TEXT DEFAULT '{}'`);
-
-        this.query('CREATE INDEX IF NOT EXISTS idx_platform_services_type ON platform_services(type)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_platform_resources_service ON platform_resources(service_id)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_platform_resources_platform ON platform_resources(platform_service_id)');
-
-        this.setMigrationVersion(7);
-        logger.success('Migration 7 completed: Platform services tables created');
-      }
-
-      // Migration 8: Convert certificates table to store PEM content
-      const version8 = this.getMigrationVersion();
-      if (version8 < 8) {
-        logger.info('Running migration 8: Converting certificates table to store PEM content...');
-
-        this.query(`
-          CREATE TABLE certificates_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            domain_id INTEGER NOT NULL,
-            cert_domain TEXT NOT NULL,
-            is_wildcard INTEGER NOT NULL DEFAULT 0,
-            cert_pem TEXT NOT NULL DEFAULT '',
-            key_pem TEXT NOT NULL DEFAULT '',
-            fullchain_pem TEXT NOT NULL DEFAULT '',
-            expiry_date REAL NOT NULL,
-            issuer TEXT NOT NULL,
-            is_valid INTEGER NOT NULL DEFAULT 1,
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL,
-            FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE
-          )
-        `);
-
-        this.query(`
-          INSERT INTO certificates_new (id, domain_id, cert_domain, is_wildcard, cert_pem, key_pem, fullchain_pem, expiry_date, issuer, is_valid, created_at, updated_at)
-          SELECT id, domain_id, cert_domain, is_wildcard, '', '', '', expiry_date, issuer, 0, created_at, updated_at FROM certificates
-        `);
-
-        this.query('DROP TABLE certificates');
-        this.query('ALTER TABLE certificates_new RENAME TO certificates');
-        this.query('CREATE INDEX IF NOT EXISTS idx_certificates_domain ON certificates(domain_id)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_certificates_expiry ON certificates(expiry_date)');
-
-        this.setMigrationVersion(8);
-        logger.success('Migration 8 completed: Certificates table now stores PEM content');
-      }
-
-      // Migration 9: Backup system tables
-      const version9 = this.getMigrationVersion();
-      if (version9 < 9) {
-        logger.info('Running migration 9: Creating backup system tables...');
-
-        // Add include_image_in_backup column to services table
-        this.query(`ALTER TABLE services ADD COLUMN include_image_in_backup INTEGER DEFAULT 1`);
-
-        // Create backups table
-        this.query(`
-          CREATE TABLE backups (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            service_id INTEGER NOT NULL,
-            service_name TEXT NOT NULL,
-            filename TEXT NOT NULL,
-            size_bytes INTEGER NOT NULL,
-            created_at REAL NOT NULL,
-            includes_image INTEGER NOT NULL,
-            platform_resources TEXT NOT NULL DEFAULT '[]',
-            checksum TEXT NOT NULL,
-            FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
-          )
-        `);
-
-        this.query('CREATE INDEX IF NOT EXISTS idx_backups_service ON backups(service_id)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_backups_created ON backups(created_at DESC)');
-
-        this.setMigrationVersion(9);
-        logger.success('Migration 9 completed: Backup system tables created');
-      }
-
-      // Migration 10: Backup schedules table and extend backups table
-      const version10 = this.getMigrationVersion();
-      if (version10 < 10) {
-        logger.info('Running migration 10: Creating backup schedules table...');
-
-        // Create backup_schedules table
-        this.query(`
-          CREATE TABLE backup_schedules (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            service_id INTEGER NOT NULL,
-            service_name TEXT NOT NULL,
-            cron_expression TEXT NOT NULL,
-            retention_tier TEXT NOT NULL,
-            enabled INTEGER NOT NULL DEFAULT 1,
-            last_run_at REAL,
-            next_run_at REAL,
-            last_status TEXT,
-            last_error TEXT,
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL,
-            FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
-          )
-        `);
-
-        this.query('CREATE INDEX IF NOT EXISTS idx_backup_schedules_service ON backup_schedules(service_id)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_backup_schedules_enabled ON backup_schedules(enabled)');
-
-        // Extend backups table with retention_tier and schedule_id columns
-        this.query('ALTER TABLE backups ADD COLUMN retention_tier TEXT');
-        this.query('ALTER TABLE backups ADD COLUMN schedule_id INTEGER REFERENCES backup_schedules(id) ON DELETE SET NULL');
-
-        this.setMigrationVersion(10);
-        logger.success('Migration 10 completed: Backup schedules table created');
-      }
-
-      // Migration 11: Add scope columns for global/pattern backup schedules
-      const version11 = this.getMigrationVersion();
-      if (version11 < 11) {
-        logger.info('Running migration 11: Adding scope columns to backup_schedules...');
-
-        // Recreate backup_schedules table with nullable service_id/service_name and new scope columns
-        this.query(`
-          CREATE TABLE backup_schedules_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            scope_type TEXT NOT NULL DEFAULT 'service',
-            scope_pattern TEXT,
-            service_id INTEGER,
-            service_name TEXT,
-            cron_expression TEXT NOT NULL,
-            retention_tier TEXT NOT NULL,
-            enabled INTEGER NOT NULL DEFAULT 1,
-            last_run_at REAL,
-            next_run_at REAL,
-            last_status TEXT,
-            last_error TEXT,
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL,
-            FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
-          )
-        `);
-
-        // Copy existing schedules (all are service-specific)
-        this.query(`
-          INSERT INTO backup_schedules_new (
-            id, scope_type, scope_pattern, service_id, service_name, cron_expression,
-            retention_tier, enabled, last_run_at, next_run_at, last_status, last_error,
-            created_at, updated_at
-          )
-          SELECT
-            id, 'service', NULL, service_id, service_name, cron_expression,
-            retention_tier, enabled, last_run_at, next_run_at, last_status, last_error,
-            created_at, updated_at
-          FROM backup_schedules
-        `);
-
-        this.query('DROP TABLE backup_schedules');
-        this.query('ALTER TABLE backup_schedules_new RENAME TO backup_schedules');
-        this.query('CREATE INDEX IF NOT EXISTS idx_backup_schedules_service ON backup_schedules(service_id)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_backup_schedules_enabled ON backup_schedules(enabled)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_backup_schedules_scope ON backup_schedules(scope_type)');
-
-        this.setMigrationVersion(11);
-        logger.success('Migration 11 completed: Scope columns added to backup_schedules');
-      }
-
-      // Migration 12: GFS retention policy - replace retention_tier with per-tier retention counts
-      const version12 = this.getMigrationVersion();
-      if (version12 < 12) {
-        logger.info('Running migration 12: Updating backup system for GFS retention policy...');
-
-        // Recreate backup_schedules table with new retention columns
-        this.query(`
-          CREATE TABLE backup_schedules_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            scope_type TEXT NOT NULL DEFAULT 'service',
-            scope_pattern TEXT,
-            service_id INTEGER,
-            service_name TEXT,
-            cron_expression TEXT NOT NULL,
-            retention_hourly INTEGER NOT NULL DEFAULT 0,
-            retention_daily INTEGER NOT NULL DEFAULT 7,
-            retention_weekly INTEGER NOT NULL DEFAULT 4,
-            retention_monthly INTEGER NOT NULL DEFAULT 12,
-            enabled INTEGER NOT NULL DEFAULT 1,
-            last_run_at REAL,
-            next_run_at REAL,
-            last_status TEXT,
-            last_error TEXT,
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL,
-            FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
-          )
-        `);
-
-        // Migrate existing data - convert old retention_tier to new format
-        // daily -> D:7, weekly -> W:4, monthly -> M:12, yearly -> M:12 (yearly becomes long monthly retention)
-        this.query(`
-          INSERT INTO backup_schedules_new (
-            id, scope_type, scope_pattern, service_id, service_name, cron_expression,
-            retention_hourly, retention_daily, retention_weekly, retention_monthly,
-            enabled, last_run_at, next_run_at, last_status, last_error, created_at, updated_at
-          )
-          SELECT
-            id, scope_type, scope_pattern, service_id, service_name, cron_expression,
-            0, -- retention_hourly
-            CASE WHEN retention_tier = 'daily' THEN 7 ELSE 0 END,
-            CASE WHEN retention_tier IN ('daily', 'weekly') THEN 4 ELSE 0 END,
-            CASE WHEN retention_tier IN ('daily', 'weekly', 'monthly') THEN 12
-                 WHEN retention_tier = 'yearly' THEN 24 ELSE 12 END,
-            enabled, last_run_at, next_run_at, last_status, last_error, created_at, updated_at
-          FROM backup_schedules
-        `);
-
-        this.query('DROP TABLE backup_schedules');
-        this.query('ALTER TABLE backup_schedules_new RENAME TO backup_schedules');
-        this.query('CREATE INDEX IF NOT EXISTS idx_backup_schedules_service ON backup_schedules(service_id)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_backup_schedules_enabled ON backup_schedules(enabled)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_backup_schedules_scope ON backup_schedules(scope_type)');
-
-        // Recreate backups table without retention_tier column
-        this.query(`
-          CREATE TABLE backups_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            service_id INTEGER NOT NULL,
-            service_name TEXT NOT NULL,
-            filename TEXT NOT NULL,
-            size_bytes INTEGER NOT NULL,
-            created_at REAL NOT NULL,
-            includes_image INTEGER NOT NULL,
-            platform_resources TEXT NOT NULL DEFAULT '[]',
-            checksum TEXT NOT NULL,
-            schedule_id INTEGER REFERENCES backup_schedules(id) ON DELETE SET NULL,
-            FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
-          )
-        `);
-
-        this.query(`
-          INSERT INTO backups_new (
-            id, service_id, service_name, filename, size_bytes, created_at,
-            includes_image, platform_resources, checksum, schedule_id
-          )
-          SELECT
-            id, service_id, service_name, filename, size_bytes, created_at,
-            includes_image, platform_resources, checksum, schedule_id
-          FROM backups
-        `);
-
-        this.query('DROP TABLE backups');
-        this.query('ALTER TABLE backups_new RENAME TO backups');
-        this.query('CREATE INDEX IF NOT EXISTS idx_backups_service ON backups(service_id)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_backups_created ON backups(created_at DESC)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_backups_schedule ON backups(schedule_id)');
-
-        this.setMigrationVersion(12);
-        logger.success('Migration 12 completed: GFS retention policy schema updated');
-      }
-    } catch (error) {
-      logger.error(`Migration failed: ${getErrorMessage(error)}`);
-      if (error instanceof Error && error.stack) {
-        logger.error(`Stack: ${error.stack}`);
-      }
-      throw error;
-    }
-  }
-
-  /**
-   * Get current migration version
-   */
-  private getMigrationVersion(): number {
-    if (!this.db) throw new Error('Database not initialized');
-
-    try {
-      const result = this.query<{ version?: number | null; [key: number]: unknown }>('SELECT MAX(version) as version FROM migrations');
-      if (result.length === 0) return 0;
-
-      const versionValue = result[0].version ?? (result[0] as Record<number, unknown>)[0];
-      return versionValue !== null && versionValue !== undefined ? Number(versionValue) : 0;
-    } catch (error) {
-      logger.warn(`Error getting migration version: ${getErrorMessage(error)}, defaulting to 0`);
-      return 0;
-    }
-  }
-
-  /**
-   * Set migration version
-   */
-  private setMigrationVersion(version: number): void {
-    if (!this.db) throw new Error('Database not initialized');
-
-    this.query('INSERT INTO migrations (version, applied_at) VALUES (?, ?)', [
-      version,
-      Date.now(),
-    ]);
-    logger.debug(`Migration version set to ${version}`);
-  }
-
   /**
    * Close database connection
    */
@@ -1049,10 +344,34 @@ export class OneboxDatabase {
     this.authRepo.setSetting(key, value);
   }
 
+  deleteSetting(key: string): void {
+    this.authRepo.deleteSetting(key);
+  }
+
   getAllSettings(): Record<string, string> {
     return this.authRepo.getAllSettings();
   }
 
+  async getSecretSetting(key: string): Promise<string | null> {
+    return await this.secretSettings.get(key);
+  }
+
+  async setSecretSetting(key: string, value: string | null): Promise<void> {
+    await this.secretSettings.set(key, value);
+  }
+
+  async hasSecretSetting(key: string): Promise<boolean> {
+    return await this.secretSettings.has(key);
+  }
+
+  isSecretSettingKey(key: string): boolean {
+    return this.secretSettings.isSecretKey(key);
+  }
+
+  getCanonicalSecretSettingKeys(): string[] {
+    return this.secretSettings.getCanonicalKeys();
+  }
+
   // ============ Users CRUD (delegated to repository) ============
 
   async createUser(user: Omit<IUser, 'id'>): Promise<IUser> {
@@ -1135,7 +454,7 @@ export class OneboxDatabase {
     return this.certificateRepo.getAllDomains();
   }
 
-  getDomainsByProvider(provider: 'cloudflare' | 'manual'): IDomain[] {
+  getDomainsByProvider(provider: NonNullable<IDomain['dnsProvider']>): IDomain[] {
     return this.certificateRepo.getDomainsByProvider(provider);
   }
 
@@ -1323,6 +642,10 @@ export class OneboxDatabase {
     return this.backupRepo.getBySchedule(scheduleId);
   }
 
+  getBackupBySnapshotId(snapshotId: string): IBackup | null {
+    return this.backupRepo.getBySnapshotId(snapshotId);
+  }
+
   // ============ Backup Schedules (delegated to repository) ============
 
   createBackupSchedule(schedule: Omit<IBackupSchedule, 'id'>): IBackupSchedule {

ts/database/migrations/base-migration.ts

@@ -0,0 +1,22 @@
+/**
+ * Abstract base class for database migrations.
+ * All migrations must extend this class and implement the abstract members.
+ */
+
+import type { TQueryFunction } from '../types.ts';
+
+export abstract class BaseMigration {
+  /** The migration version number (must be unique and sequential) */
+  abstract readonly version: number;
+
+  /** A short description of what this migration does */
+  abstract readonly description: string;
+
+  /** Execute the migration's SQL statements */
+  abstract up(query: TQueryFunction): void;
+
+  /** Returns a human-readable name for logging */
+  getName(): string {
+    return `Migration ${this.version}: ${this.description}`;
+  }
+}

ts/database/migrations/index.ts

@@ -0,0 +1,2 @@
+export { BaseMigration } from './base-migration.ts';
+export { MigrationRunner } from './migration-runner.ts';

ts/database/migrations/migration-001-initial.ts

@@ -0,0 +1,12 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration001Initial extends BaseMigration {
+  readonly version = 1;
+  readonly description = 'Initial schema';
+
+  up(_query: TQueryFunction): void {
+    // Initial schema is created by createTables() in the database class.
+    // This migration just marks the initial version.
+  }
+}

ts/database/migrations/migration-002-timestamps-to-real.ts

@@ -0,0 +1,170 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration002TimestampsToReal extends BaseMigration {
+  readonly version = 2;
+  readonly description = 'Convert timestamp columns from INTEGER to REAL';
+
+  up(query: TQueryFunction): void {
+    // SSL certificates
+    query(`
+      CREATE TABLE ssl_certificates_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        domain TEXT NOT NULL UNIQUE,
+        cert_path TEXT NOT NULL,
+        key_path TEXT NOT NULL,
+        full_chain_path TEXT NOT NULL,
+        expiry_date REAL NOT NULL,
+        issuer TEXT NOT NULL,
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL
+      )
+    `);
+    query(`INSERT INTO ssl_certificates_new SELECT * FROM ssl_certificates`);
+    query(`DROP TABLE ssl_certificates`);
+    query(`ALTER TABLE ssl_certificates_new RENAME TO ssl_certificates`);
+
+    // Services
+    query(`
+      CREATE TABLE services_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        name TEXT NOT NULL UNIQUE,
+        image TEXT NOT NULL,
+        registry TEXT,
+        env_vars TEXT NOT NULL,
+        port INTEGER NOT NULL,
+        domain TEXT,
+        container_id TEXT,
+        status TEXT NOT NULL DEFAULT 'stopped',
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL
+      )
+    `);
+    query(`INSERT INTO services_new SELECT * FROM services`);
+    query(`DROP TABLE services`);
+    query(`ALTER TABLE services_new RENAME TO services`);
+
+    // Registries
+    query(`
+      CREATE TABLE registries_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        url TEXT NOT NULL UNIQUE,
+        username TEXT NOT NULL,
+        password_encrypted TEXT NOT NULL,
+        created_at REAL NOT NULL
+      )
+    `);
+    query(`INSERT INTO registries_new SELECT * FROM registries`);
+    query(`DROP TABLE registries`);
+    query(`ALTER TABLE registries_new RENAME TO registries`);
+
+    // Nginx configs
+    query(`
+      CREATE TABLE nginx_configs_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        service_id INTEGER NOT NULL,
+        domain TEXT NOT NULL,
+        port INTEGER NOT NULL,
+        ssl_enabled INTEGER NOT NULL DEFAULT 0,
+        config_template TEXT NOT NULL,
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL,
+        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
+      )
+    `);
+    query(`INSERT INTO nginx_configs_new SELECT * FROM nginx_configs`);
+    query(`DROP TABLE nginx_configs`);
+    query(`ALTER TABLE nginx_configs_new RENAME TO nginx_configs`);
+
+    // DNS records
+    query(`
+      CREATE TABLE dns_records_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        domain TEXT NOT NULL UNIQUE,
+        type TEXT NOT NULL,
+        value TEXT NOT NULL,
+        cloudflare_id TEXT,
+        zone_id TEXT,
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL
+      )
+    `);
+    query(`INSERT INTO dns_records_new SELECT * FROM dns_records`);
+    query(`DROP TABLE dns_records`);
+    query(`ALTER TABLE dns_records_new RENAME TO dns_records`);
+
+    // Metrics
+    query(`
+      CREATE TABLE metrics_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        service_id INTEGER NOT NULL,
+        timestamp REAL NOT NULL,
+        cpu_percent REAL NOT NULL,
+        memory_used INTEGER NOT NULL,
+        memory_limit INTEGER NOT NULL,
+        network_rx_bytes INTEGER NOT NULL,
+        network_tx_bytes INTEGER NOT NULL,
+        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
+      )
+    `);
+    query(`INSERT INTO metrics_new SELECT * FROM metrics`);
+    query(`DROP TABLE metrics`);
+    query(`ALTER TABLE metrics_new RENAME TO metrics`);
+    query(`CREATE INDEX IF NOT EXISTS idx_metrics_service_timestamp ON metrics(service_id, timestamp DESC)`);
+
+    // Logs
+    query(`
+      CREATE TABLE logs_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        service_id INTEGER NOT NULL,
+        timestamp REAL NOT NULL,
+        message TEXT NOT NULL,
+        level TEXT NOT NULL,
+        source TEXT NOT NULL,
+        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
+      )
+    `);
+    query(`INSERT INTO logs_new SELECT * FROM logs`);
+    query(`DROP TABLE logs`);
+    query(`ALTER TABLE logs_new RENAME TO logs`);
+    query(`CREATE INDEX IF NOT EXISTS idx_logs_service_timestamp ON logs(service_id, timestamp DESC)`);
+
+    // Users
+    query(`
+      CREATE TABLE users_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        username TEXT NOT NULL UNIQUE,
+        password_hash TEXT NOT NULL,
+        role TEXT NOT NULL DEFAULT 'user',
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL
+      )
+    `);
+    query(`INSERT INTO users_new SELECT * FROM users`);
+    query(`DROP TABLE users`);
+    query(`ALTER TABLE users_new RENAME TO users`);
+
+    // Settings
+    query(`
+      CREATE TABLE settings_new (
+        key TEXT PRIMARY KEY,
+        value TEXT NOT NULL,
+        updated_at REAL NOT NULL
+      )
+    `);
+    query(`INSERT INTO settings_new SELECT * FROM settings`);
+    query(`DROP TABLE settings`);
+    query(`ALTER TABLE settings_new RENAME TO settings`);
+
+    // Migrations table itself
+    query(`
+      CREATE TABLE migrations_new (
+        version INTEGER PRIMARY KEY,
+        applied_at REAL NOT NULL
+      )
+    `);
+    query(`INSERT INTO migrations_new SELECT * FROM migrations`);
+    query(`DROP TABLE migrations`);
+    query(`ALTER TABLE migrations_new RENAME TO migrations`);
+  }
+}

ts/database/migrations/migration-003-domain-management.ts

@@ -0,0 +1,125 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration003DomainManagement extends BaseMigration {
+  readonly version = 3;
+  readonly description = 'Domain management tables';
+
+  up(query: TQueryFunction): void {
+    query(`
+      CREATE TABLE domains (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        domain TEXT NOT NULL UNIQUE,
+        dns_provider TEXT,
+        cloudflare_zone_id TEXT,
+        is_obsolete INTEGER NOT NULL DEFAULT 0,
+        default_wildcard INTEGER NOT NULL DEFAULT 1,
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL
+      )
+    `);
+
+    query(`
+      CREATE TABLE certificates (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        domain_id INTEGER NOT NULL,
+        cert_domain TEXT NOT NULL,
+        is_wildcard INTEGER NOT NULL DEFAULT 0,
+        cert_path TEXT NOT NULL,
+        key_path TEXT NOT NULL,
+        full_chain_path TEXT NOT NULL,
+        expiry_date REAL NOT NULL,
+        issuer TEXT NOT NULL,
+        is_valid INTEGER NOT NULL DEFAULT 1,
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL,
+        FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE
+      )
+    `);
+
+    query(`
+      CREATE TABLE cert_requirements (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        service_id INTEGER NOT NULL,
+        domain_id INTEGER NOT NULL,
+        subdomain TEXT NOT NULL,
+        certificate_id INTEGER,
+        status TEXT NOT NULL DEFAULT 'pending',
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL,
+        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE,
+        FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE,
+        FOREIGN KEY (certificate_id) REFERENCES certificates(id) ON DELETE SET NULL
+      )
+    `);
+
+    // Migrate data from old ssl_certificates table
+    interface OldSslCert {
+      id?: number;
+      domain?: string;
+      cert_path?: string;
+      key_path?: string;
+      full_chain_path?: string;
+      expiry_date?: number;
+      issuer?: string;
+      created_at?: number;
+      updated_at?: number;
+      [key: number]: unknown;
+    }
+    const existingCerts = query<OldSslCert>('SELECT * FROM ssl_certificates');
+
+    const now = Date.now();
+    const domainMap = new Map<string, number>();
+
+    for (const cert of existingCerts) {
+      const domain = String(cert.domain ?? (cert as Record<number, unknown>)[1]);
+      if (!domainMap.has(domain)) {
+        query(
+          'INSERT INTO domains (domain, dns_provider, is_obsolete, default_wildcard, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?)',
+          [domain, null, 0, 1, now, now],
+        );
+        const result = query<{ id?: number; [key: number]: unknown }>(
+          'SELECT last_insert_rowid() as id',
+        );
+        const domainId = result[0].id ?? (result[0] as Record<number, unknown>)[0];
+        domainMap.set(domain, Number(domainId));
+      }
+    }
+
+    for (const cert of existingCerts) {
+      const domain = String(cert.domain ?? (cert as Record<number, unknown>)[1]);
+      const domainId = domainMap.get(domain);
+
+      query(
+        `INSERT INTO certificates (
+          domain_id, cert_domain, is_wildcard, cert_path, key_path, full_chain_path,
+          expiry_date, issuer, is_valid, created_at, updated_at
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+        [
+          domainId,
+          domain,
+          0,
+          String(cert.cert_path ?? (cert as Record<number, unknown>)[2]),
+          String(cert.key_path ?? (cert as Record<number, unknown>)[3]),
+          String(cert.full_chain_path ?? (cert as Record<number, unknown>)[4]),
+          Number(cert.expiry_date ?? (cert as Record<number, unknown>)[5]),
+          String(cert.issuer ?? (cert as Record<number, unknown>)[6]),
+          1,
+          Number(cert.created_at ?? (cert as Record<number, unknown>)[7]),
+          Number(cert.updated_at ?? (cert as Record<number, unknown>)[8]),
+        ],
+      );
+    }
+
+    query('DROP TABLE ssl_certificates');
+    query('CREATE INDEX IF NOT EXISTS idx_domains_cloudflare_zone ON domains(cloudflare_zone_id)');
+    query('CREATE INDEX IF NOT EXISTS idx_certificates_domain ON certificates(domain_id)');
+    query('CREATE INDEX IF NOT EXISTS idx_certificates_expiry ON certificates(expiry_date)');
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_cert_requirements_service ON cert_requirements(service_id)',
+    );
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_cert_requirements_domain ON cert_requirements(domain_id)',
+    );
+  }
+}

ts/database/migrations/migration-004-registry-columns.ts

@@ -0,0 +1,16 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration004RegistryColumns extends BaseMigration {
+  readonly version = 4;
+  readonly description = 'Add Onebox Registry columns to services table';
+
+  up(query: TQueryFunction): void {
+    query(`ALTER TABLE services ADD COLUMN use_onebox_registry INTEGER DEFAULT 0`);
+    query(`ALTER TABLE services ADD COLUMN registry_repository TEXT`);
+    query(`ALTER TABLE services ADD COLUMN registry_token TEXT`);
+    query(`ALTER TABLE services ADD COLUMN registry_image_tag TEXT DEFAULT 'latest'`);
+    query(`ALTER TABLE services ADD COLUMN auto_update_on_push INTEGER DEFAULT 0`);
+    query(`ALTER TABLE services ADD COLUMN image_digest TEXT`);
+  }
+}

ts/database/migrations/migration-005-registry-tokens.ts

@@ -0,0 +1,30 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration005RegistryTokens extends BaseMigration {
+  readonly version = 5;
+  readonly description = 'Registry tokens table';
+
+  up(query: TQueryFunction): void {
+    query(`
+      CREATE TABLE registry_tokens (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        name TEXT NOT NULL,
+        token_hash TEXT NOT NULL UNIQUE,
+        token_type TEXT NOT NULL,
+        scope TEXT NOT NULL,
+        expires_at REAL,
+        created_at REAL NOT NULL,
+        last_used_at REAL,
+        created_by TEXT NOT NULL
+      )
+    `);
+
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_registry_tokens_type ON registry_tokens(token_type)',
+    );
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_registry_tokens_hash ON registry_tokens(token_hash)',
+    );
+  }
+}

ts/database/migrations/migration-006-drop-registry-token.ts

@@ -0,0 +1,48 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration006DropRegistryToken extends BaseMigration {
+  readonly version = 6;
+  readonly description = 'Drop registry_token column from services table';
+
+  up(query: TQueryFunction): void {
+    query(`
+      CREATE TABLE services_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        name TEXT NOT NULL UNIQUE,
+        image TEXT NOT NULL,
+        registry TEXT,
+        env_vars TEXT,
+        port INTEGER NOT NULL,
+        domain TEXT,
+        container_id TEXT,
+        status TEXT NOT NULL,
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL,
+        use_onebox_registry INTEGER DEFAULT 0,
+        registry_repository TEXT,
+        registry_image_tag TEXT DEFAULT 'latest',
+        auto_update_on_push INTEGER DEFAULT 0,
+        image_digest TEXT
+      )
+    `);
+
+    query(`
+      INSERT INTO services_new (
+        id, name, image, registry, env_vars, port, domain, container_id, status,
+        created_at, updated_at, use_onebox_registry, registry_repository,
+        registry_image_tag, auto_update_on_push, image_digest
+      )
+      SELECT
+        id, name, image, registry, env_vars, port, domain, container_id, status,
+        created_at, updated_at, use_onebox_registry, registry_repository,
+        registry_image_tag, auto_update_on_push, image_digest
+      FROM services
+    `);
+
+    query('DROP TABLE services');
+    query('ALTER TABLE services_new RENAME TO services');
+    query('CREATE INDEX IF NOT EXISTS idx_services_name ON services(name)');
+    query('CREATE INDEX IF NOT EXISTS idx_services_status ON services(status)');
+  }
+}

ts/database/migrations/migration-007-platform-services.ts

@@ -0,0 +1,49 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration007PlatformServices extends BaseMigration {
+  readonly version = 7;
+  readonly description = 'Platform services tables';
+
+  up(query: TQueryFunction): void {
+    query(`
+      CREATE TABLE platform_services (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        name TEXT NOT NULL UNIQUE,
+        type TEXT NOT NULL,
+        status TEXT NOT NULL DEFAULT 'stopped',
+        container_id TEXT,
+        config TEXT NOT NULL DEFAULT '{}',
+        admin_credentials_encrypted TEXT,
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL
+      )
+    `);
+
+    query(`
+      CREATE TABLE platform_resources (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        platform_service_id INTEGER NOT NULL,
+        service_id INTEGER NOT NULL,
+        resource_type TEXT NOT NULL,
+        resource_name TEXT NOT NULL,
+        credentials_encrypted TEXT NOT NULL,
+        created_at REAL NOT NULL,
+        FOREIGN KEY (platform_service_id) REFERENCES platform_services(id) ON DELETE CASCADE,
+        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
+      )
+    `);
+
+    query(`ALTER TABLE services ADD COLUMN platform_requirements TEXT DEFAULT '{}'`);
+
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_platform_services_type ON platform_services(type)',
+    );
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_platform_resources_service ON platform_resources(service_id)',
+    );
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_platform_resources_platform ON platform_resources(platform_service_id)',
+    );
+  }
+}

ts/database/migrations/migration-008-cert-pem-content.ts

@@ -0,0 +1,41 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration008CertPemContent extends BaseMigration {
+  readonly version = 8;
+  readonly description = 'Convert certificates table to store PEM content';
+
+  up(query: TQueryFunction): void {
+    query(`
+      CREATE TABLE certificates_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        domain_id INTEGER NOT NULL,
+        cert_domain TEXT NOT NULL,
+        is_wildcard INTEGER NOT NULL DEFAULT 0,
+        cert_pem TEXT NOT NULL DEFAULT '',
+        key_pem TEXT NOT NULL DEFAULT '',
+        fullchain_pem TEXT NOT NULL DEFAULT '',
+        expiry_date REAL NOT NULL,
+        issuer TEXT NOT NULL,
+        is_valid INTEGER NOT NULL DEFAULT 1,
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL,
+        FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE
+      )
+    `);
+
+    query(`
+      INSERT INTO certificates_new (id, domain_id, cert_domain, is_wildcard, cert_pem, key_pem, fullchain_pem, expiry_date, issuer, is_valid, created_at, updated_at)
+      SELECT id, domain_id, cert_domain, is_wildcard, '', '', '', expiry_date, issuer, 0, created_at, updated_at FROM certificates
+    `);
+
+    query('DROP TABLE certificates');
+    query('ALTER TABLE certificates_new RENAME TO certificates');
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_certificates_domain ON certificates(domain_id)',
+    );
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_certificates_expiry ON certificates(expiry_date)',
+    );
+  }
+}

ts/database/migrations/migration-009-backup-system.ts

@@ -0,0 +1,29 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration009BackupSystem extends BaseMigration {
+  readonly version = 9;
+  readonly description = 'Backup system tables';
+
+  up(query: TQueryFunction): void {
+    query(`ALTER TABLE services ADD COLUMN include_image_in_backup INTEGER DEFAULT 1`);
+
+    query(`
+      CREATE TABLE backups (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        service_id INTEGER NOT NULL,
+        service_name TEXT NOT NULL,
+        filename TEXT NOT NULL,
+        size_bytes INTEGER NOT NULL,
+        created_at REAL NOT NULL,
+        includes_image INTEGER NOT NULL,
+        platform_resources TEXT NOT NULL DEFAULT '[]',
+        checksum TEXT NOT NULL,
+        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
+      )
+    `);
+
+    query('CREATE INDEX IF NOT EXISTS idx_backups_service ON backups(service_id)');
+    query('CREATE INDEX IF NOT EXISTS idx_backups_created ON backups(created_at DESC)');
+  }
+}

ts/database/migrations/migration-010-backup-schedules.ts

@@ -0,0 +1,39 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration010BackupSchedules extends BaseMigration {
+  readonly version = 10;
+  readonly description = 'Backup schedules table';
+
+  up(query: TQueryFunction): void {
+    query(`
+      CREATE TABLE backup_schedules (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        service_id INTEGER NOT NULL,
+        service_name TEXT NOT NULL,
+        cron_expression TEXT NOT NULL,
+        retention_tier TEXT NOT NULL,
+        enabled INTEGER NOT NULL DEFAULT 1,
+        last_run_at REAL,
+        next_run_at REAL,
+        last_status TEXT,
+        last_error TEXT,
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL,
+        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
+      )
+    `);
+
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_backup_schedules_service ON backup_schedules(service_id)',
+    );
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_backup_schedules_enabled ON backup_schedules(enabled)',
+    );
+
+    query('ALTER TABLE backups ADD COLUMN retention_tier TEXT');
+    query(
+      'ALTER TABLE backups ADD COLUMN schedule_id INTEGER REFERENCES backup_schedules(id) ON DELETE SET NULL',
+    );
+  }
+}

ts/database/migrations/migration-011-scope-columns.ts

@@ -0,0 +1,54 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration011ScopeColumns extends BaseMigration {
+  readonly version = 11;
+  readonly description = 'Add scope columns to backup_schedules';
+
+  up(query: TQueryFunction): void {
+    query(`
+      CREATE TABLE backup_schedules_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        scope_type TEXT NOT NULL DEFAULT 'service',
+        scope_pattern TEXT,
+        service_id INTEGER,
+        service_name TEXT,
+        cron_expression TEXT NOT NULL,
+        retention_tier TEXT NOT NULL,
+        enabled INTEGER NOT NULL DEFAULT 1,
+        last_run_at REAL,
+        next_run_at REAL,
+        last_status TEXT,
+        last_error TEXT,
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL,
+        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
+      )
+    `);
+
+    query(`
+      INSERT INTO backup_schedules_new (
+        id, scope_type, scope_pattern, service_id, service_name, cron_expression,
+        retention_tier, enabled, last_run_at, next_run_at, last_status, last_error,
+        created_at, updated_at
+      )
+      SELECT
+        id, 'service', NULL, service_id, service_name, cron_expression,
+        retention_tier, enabled, last_run_at, next_run_at, last_status, last_error,
+        created_at, updated_at
+      FROM backup_schedules
+    `);
+
+    query('DROP TABLE backup_schedules');
+    query('ALTER TABLE backup_schedules_new RENAME TO backup_schedules');
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_backup_schedules_service ON backup_schedules(service_id)',
+    );
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_backup_schedules_enabled ON backup_schedules(enabled)',
+    );
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_backup_schedules_scope ON backup_schedules(scope_type)',
+    );
+  }
+}

ts/database/migrations/migration-012-gfs-retention.ts

@@ -0,0 +1,97 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration012GfsRetention extends BaseMigration {
+  readonly version = 12;
+  readonly description = 'GFS retention policy schema';
+
+  up(query: TQueryFunction): void {
+    // Recreate backup_schedules with GFS retention columns
+    query(`
+      CREATE TABLE backup_schedules_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        scope_type TEXT NOT NULL DEFAULT 'service',
+        scope_pattern TEXT,
+        service_id INTEGER,
+        service_name TEXT,
+        cron_expression TEXT NOT NULL,
+        retention_hourly INTEGER NOT NULL DEFAULT 0,
+        retention_daily INTEGER NOT NULL DEFAULT 7,
+        retention_weekly INTEGER NOT NULL DEFAULT 4,
+        retention_monthly INTEGER NOT NULL DEFAULT 12,
+        enabled INTEGER NOT NULL DEFAULT 1,
+        last_run_at REAL,
+        next_run_at REAL,
+        last_status TEXT,
+        last_error TEXT,
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL,
+        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
+      )
+    `);
+
+    // Migrate existing data - convert old retention_tier to new format
+    query(`
+      INSERT INTO backup_schedules_new (
+        id, scope_type, scope_pattern, service_id, service_name, cron_expression,
+        retention_hourly, retention_daily, retention_weekly, retention_monthly,
+        enabled, last_run_at, next_run_at, last_status, last_error, created_at, updated_at
+      )
+      SELECT
+        id, scope_type, scope_pattern, service_id, service_name, cron_expression,
+        0,
+        CASE WHEN retention_tier = 'daily' THEN 7 ELSE 0 END,
+        CASE WHEN retention_tier IN ('daily', 'weekly') THEN 4 ELSE 0 END,
+        CASE WHEN retention_tier IN ('daily', 'weekly', 'monthly') THEN 12
+             WHEN retention_tier = 'yearly' THEN 24 ELSE 12 END,
+        enabled, last_run_at, next_run_at, last_status, last_error, created_at, updated_at
+      FROM backup_schedules
+    `);
+
+    query('DROP TABLE backup_schedules');
+    query('ALTER TABLE backup_schedules_new RENAME TO backup_schedules');
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_backup_schedules_service ON backup_schedules(service_id)',
+    );
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_backup_schedules_enabled ON backup_schedules(enabled)',
+    );
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_backup_schedules_scope ON backup_schedules(scope_type)',
+    );
+
+    // Recreate backups table without retention_tier column
+    query(`
+      CREATE TABLE backups_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        service_id INTEGER NOT NULL,
+        service_name TEXT NOT NULL,
+        filename TEXT NOT NULL,
+        size_bytes INTEGER NOT NULL,
+        created_at REAL NOT NULL,
+        includes_image INTEGER NOT NULL,
+        platform_resources TEXT NOT NULL DEFAULT '[]',
+        checksum TEXT NOT NULL,
+        schedule_id INTEGER REFERENCES backup_schedules(id) ON DELETE SET NULL,
+        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
+      )
+    `);
+
+    query(`
+      INSERT INTO backups_new (
+        id, service_id, service_name, filename, size_bytes, created_at,
+        includes_image, platform_resources, checksum, schedule_id
+      )
+      SELECT
+        id, service_id, service_name, filename, size_bytes, created_at,
+        includes_image, platform_resources, checksum, schedule_id
+      FROM backups
+    `);
+
+    query('DROP TABLE backups');
+    query('ALTER TABLE backups_new RENAME TO backups');
+    query('CREATE INDEX IF NOT EXISTS idx_backups_service ON backups(service_id)');
+    query('CREATE INDEX IF NOT EXISTS idx_backups_created ON backups(created_at DESC)');
+    query('CREATE INDEX IF NOT EXISTS idx_backups_schedule ON backups(schedule_id)');
+  }
+}

ts/database/migrations/migration-013-app-template-version.ts

@@ -0,0 +1,12 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration013AppTemplateVersion extends BaseMigration {
+  readonly version = 13;
+  readonly description = 'Add app template tracking columns to services';
+
+  up(query: TQueryFunction): void {
+    query('ALTER TABLE services ADD COLUMN app_template_id TEXT');
+    query('ALTER TABLE services ADD COLUMN app_template_version TEXT');
+  }
+}

ts/database/migrations/migration-014-containerarchive.ts

@@ -0,0 +1,13 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration014ContainerArchive extends BaseMigration {
+  readonly version = 14;
+  readonly description = 'Add containerarchive snapshot tracking to backups';
+
+  up(query: TQueryFunction): void {
+    query('ALTER TABLE backups ADD COLUMN snapshot_id TEXT');
+    query('ALTER TABLE backups ADD COLUMN stored_size_bytes INTEGER DEFAULT 0');
+    query('CREATE INDEX IF NOT EXISTS idx_backups_snapshot ON backups(snapshot_id)');
+  }
+}

ts/database/migrations/migration-015-smartproxy-platform-service.ts

@@ -0,0 +1,31 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration015SmartProxyPlatformService extends BaseMigration {
+  readonly version = 15;
+  readonly description = 'Rename Caddy platform service to SmartProxy';
+
+  up(query: TQueryFunction): void {
+    query(
+      `UPDATE platform_services
+       SET name = 'onebox-smartproxy',
+           type = 'smartproxy',
+           container_id = CASE
+             WHEN container_id = 'onebox-caddy' THEN 'onebox-smartproxy'
+             ELSE container_id
+           END,
+           config = ?,
+           updated_at = ?
+       WHERE type = 'caddy'`,
+      [
+        JSON.stringify({
+          image: 'code.foss.global/host.today/ht-docker-smartproxy:latest',
+          port: 80,
+          volumes: [],
+          environment: {},
+        }),
+        Date.now(),
+      ],
+    );
+  }
+}

ts/database/migrations/migration-runner.ts

@@ -0,0 +1,106 @@
+/**
+ * Migration runner - discovers, orders, and executes database migrations.
+ * Mirrors the pattern from @serve.zone/nupst.
+ */
+
+import type { TQueryFunction } from '../types.ts';
+import { logger } from '../../logging.ts';
+import { getErrorMessage } from '../../utils/error.ts';
+
+import { Migration001Initial } from './migration-001-initial.ts';
+import { Migration002TimestampsToReal } from './migration-002-timestamps-to-real.ts';
+import { Migration003DomainManagement } from './migration-003-domain-management.ts';
+import { Migration004RegistryColumns } from './migration-004-registry-columns.ts';
+import { Migration005RegistryTokens } from './migration-005-registry-tokens.ts';
+import { Migration006DropRegistryToken } from './migration-006-drop-registry-token.ts';
+import { Migration007PlatformServices } from './migration-007-platform-services.ts';
+import { Migration008CertPemContent } from './migration-008-cert-pem-content.ts';
+import { Migration009BackupSystem } from './migration-009-backup-system.ts';
+import { Migration010BackupSchedules } from './migration-010-backup-schedules.ts';
+import { Migration011ScopeColumns } from './migration-011-scope-columns.ts';
+import { Migration012GfsRetention } from './migration-012-gfs-retention.ts';
+import { Migration013AppTemplateVersion } from './migration-013-app-template-version.ts';
+import { Migration014ContainerArchive } from './migration-014-containerarchive.ts';
+import { Migration015SmartProxyPlatformService } from './migration-015-smartproxy-platform-service.ts';
+import type { BaseMigration } from './base-migration.ts';
+
+export class MigrationRunner {
+  private query: TQueryFunction;
+  private migrations: BaseMigration[];
+
+  constructor(query: TQueryFunction) {
+    this.query = query;
+
+    // Register all migrations in order
+    this.migrations = [
+      new Migration001Initial(),
+      new Migration002TimestampsToReal(),
+      new Migration003DomainManagement(),
+      new Migration004RegistryColumns(),
+      new Migration005RegistryTokens(),
+      new Migration006DropRegistryToken(),
+      new Migration007PlatformServices(),
+      new Migration008CertPemContent(),
+      new Migration009BackupSystem(),
+      new Migration010BackupSchedules(),
+      new Migration011ScopeColumns(),
+      new Migration012GfsRetention(),
+      new Migration013AppTemplateVersion(),
+      new Migration014ContainerArchive(),
+      new Migration015SmartProxyPlatformService(),
+    ].sort((a, b) => a.version - b.version);
+  }
+
+  /** Run all pending migrations */
+  run(): void {
+    try {
+      const currentVersion = this.getMigrationVersion();
+      logger.info(`Current database migration version: ${currentVersion}`);
+
+      let applied = 0;
+      for (const migration of this.migrations) {
+        if (migration.version <= currentVersion) continue;
+
+        logger.info(`Running ${migration.getName()}...`);
+        migration.up(this.query);
+        this.setMigrationVersion(migration.version);
+        logger.success(`${migration.getName()} completed`);
+        applied++;
+      }
+
+      if (applied > 0) {
+        logger.success(`Applied ${applied} migration(s)`);
+      }
+    } catch (error) {
+      logger.error(`Migration failed: ${getErrorMessage(error)}`);
+      if (error instanceof Error && error.stack) {
+        logger.error(`Stack: ${error.stack}`);
+      }
+      throw error;
+    }
+  }
+
+  /** Get current migration version from the migrations table */
+  private getMigrationVersion(): number {
+    try {
+      const result = this.query<{ version?: number | null; [key: number]: unknown }>(
+        'SELECT MAX(version) as version FROM migrations',
+      );
+      if (result.length === 0) return 0;
+
+      const versionValue = result[0].version ?? (result[0] as Record<number, unknown>)[0];
+      return versionValue !== null && versionValue !== undefined ? Number(versionValue) : 0;
+    } catch {
+      // Table might not exist yet on fresh databases
+      return 0;
+    }
+  }
+
+  /** Record a migration version as applied */
+  private setMigrationVersion(version: number): void {
+    this.query('INSERT INTO migrations (version, applied_at) VALUES (?, ?)', [
+      version,
+      Date.now(),
+    ]);
+  }
+}

ts/database/repositories/auth.repository.ts

@@ -70,6 +70,10 @@ export class AuthRepository extends BaseRepository {
     );
   }
 
+  deleteSetting(key: string): void {
+    this.query('DELETE FROM settings WHERE key = ?', [key]);
+  }
+
   getAllSettings(): Record<string, string> {
     const rows = this.query('SELECT key, value FROM settings');
     const settings: Record<string, string> = {};
@@ -80,4 +84,24 @@ export class AuthRepository extends BaseRepository {
     }
     return settings;
   }
+
+  getSecretSetting(key: string): string | null {
+    const rows = this.query('SELECT value FROM secret_settings WHERE key = ?', [key]);
+    if (rows.length === 0) return null;
+
+    const value = (rows[0] as any).value || rows[0][0];
+    return value ? String(value) : null;
+  }
+
+  setSecretSetting(key: string, value: string): void {
+    const now = Date.now();
+    this.query(
+      'INSERT OR REPLACE INTO secret_settings (key, value, updated_at) VALUES (?, ?, ?)',
+      [key, value, now],
+    );
+  }
+
+  deleteSecretSetting(key: string): void {
+    this.query('DELETE FROM secret_settings WHERE key = ?', [key]);
+  }
 }

ts/database/repositories/backup.repository.ts

@@ -20,8 +20,9 @@ export class BackupRepository extends BaseRepository {
     this.query(
       `INSERT INTO backups (
         service_id, service_name, filename, size_bytes, created_at,
-        includes_image, platform_resources, checksum, schedule_id
-      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+        includes_image, platform_resources, checksum, schedule_id,
+        snapshot_id, stored_size_bytes
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
       [
         backup.serviceId,
         backup.serviceName,
@@ -32,6 +33,8 @@ export class BackupRepository extends BaseRepository {
         JSON.stringify(backup.platformResources),
         backup.checksum,
         backup.scheduleId ?? null,
+        backup.snapshotId ?? null,
+        backup.storedSizeBytes ?? 0,
       ]
     );
 
@@ -78,6 +81,14 @@ export class BackupRepository extends BaseRepository {
     return rows.map((row) => this.rowToBackup(row));
   }
 
+  getBySnapshotId(snapshotId: string): IBackup | null {
+    const rows = this.query(
+      'SELECT * FROM backups WHERE snapshot_id = ?',
+      [snapshotId]
+    );
+    return rows.length > 0 ? this.rowToBackup(rows[0]) : null;
+  }
+
   private rowToBackup(row: any): IBackup {
     let platformResources: TPlatformServiceType[] = [];
     const platformResourcesRaw = row.platform_resources;
@@ -94,7 +105,9 @@ export class BackupRepository extends BaseRepository {
       serviceId: Number(row.service_id),
       serviceName: String(row.service_name),
       filename: String(row.filename),
+      snapshotId: row.snapshot_id ? String(row.snapshot_id) : undefined,
       sizeBytes: Number(row.size_bytes),
+      storedSizeBytes: row.stored_size_bytes ? Number(row.stored_size_bytes) : undefined,
       createdAt: Number(row.created_at),
       includesImage: Boolean(row.includes_image),
       platformResources,

ts/database/repositories/certificate.repository.ts

@@ -43,7 +43,7 @@ export class CertificateRepository extends BaseRepository {
     return rows.map((row) => this.rowToDomain(row));
   }
 
-  getDomainsByProvider(provider: 'cloudflare' | 'manual'): IDomain[] {
+  getDomainsByProvider(provider: NonNullable<IDomain['dnsProvider']>): IDomain[] {
     const rows = this.query('SELECT * FROM domains WHERE dns_provider = ? ORDER BY domain ASC', [provider]);
     return rows.map((row) => this.rowToDomain(row));
   }

ts/database/repositories/service.repository.ts

@@ -17,8 +17,9 @@ export class ServiceRepository extends BaseRepository {
         name, image, registry, env_vars, port, domain, container_id, status,
         created_at, updated_at,
         use_onebox_registry, registry_repository, registry_image_tag,
-        auto_update_on_push, image_digest, platform_requirements
-      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+        auto_update_on_push, image_digest, platform_requirements,
+        app_template_id, app_template_version
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
       [
         service.name,
         service.image,
@@ -36,6 +37,8 @@ export class ServiceRepository extends BaseRepository {
         service.autoUpdateOnPush ? 1 : 0,
         service.imageDigest || null,
         JSON.stringify(service.platformRequirements || {}),
+        service.appTemplateId || null,
+        service.appTemplateVersion || null,
       ]
     );
 
@@ -123,6 +126,14 @@ export class ServiceRepository extends BaseRepository {
       fields.push('include_image_in_backup = ?');
       values.push(updates.includeImageInBackup ? 1 : 0);
     }
+    if (updates.appTemplateId !== undefined) {
+      fields.push('app_template_id = ?');
+      values.push(updates.appTemplateId);
+    }
+    if (updates.appTemplateVersion !== undefined) {
+      fields.push('app_template_version = ?');
+      values.push(updates.appTemplateVersion);
+    }
 
     fields.push('updated_at = ?');
     values.push(Date.now());
@@ -179,6 +190,8 @@ export class ServiceRepository extends BaseRepository {
       includeImageInBackup: row.include_image_in_backup !== undefined
         ? Boolean(row.include_image_in_backup)
         : true, // Default to true
+      appTemplateId: row.app_template_id ? String(row.app_template_id) : undefined,
+      appTemplateVersion: row.app_template_version ? String(row.app_template_version) : undefined,
     };
   }
 }

ts/database/secret-settings.ts

@@ -0,0 +1,142 @@
+import { credentialEncryption } from '../classes/encryption.ts';
+import type { AuthRepository } from './repositories/auth.repository.ts';
+
+const encryptedSecretPrefix = 'enc:v1:';
+
+const secretSettingAliases = {
+  backupPassword: ['backup_encryption_password'],
+  cloudflareToken: ['cloudflareAPIKey'],
+  dcrouterGatewayApiToken: ['externalGatewayApiToken'],
+} as const;
+
+type TCanonicalSecretSettingKey = keyof typeof secretSettingAliases;
+
+export class SecretSettingsManager {
+  constructor(private authRepo: AuthRepository) {}
+
+  public isSecretKey(key: string): boolean {
+    return this.resolveCanonicalKey(key) !== null;
+  }
+
+  public getCanonicalKeys(): TCanonicalSecretSettingKey[] {
+    return Object.keys(secretSettingAliases) as TCanonicalSecretSettingKey[];
+  }
+
+  public async get(key: string): Promise<string | null> {
+    const canonicalKey = this.resolveCanonicalKey(key);
+    if (!canonicalKey) {
+      return null;
+    }
+
+    for (const candidateKey of this.getCandidateKeys(canonicalKey)) {
+      const secretValue = this.authRepo.getSecretSetting(candidateKey);
+      if (secretValue !== null) {
+        const decryptedValue = await this.decodeStoredValue(secretValue);
+        await this.normalizeStoredSecret(canonicalKey, candidateKey, secretValue, decryptedValue);
+        return decryptedValue;
+      }
+
+      const legacyValue = this.authRepo.getSetting(candidateKey);
+      if (legacyValue !== null) {
+        await this.set(canonicalKey, legacyValue);
+        if (candidateKey !== canonicalKey) {
+          this.authRepo.deleteSetting(candidateKey);
+        }
+        this.authRepo.deleteSetting(canonicalKey);
+        return legacyValue;
+      }
+    }
+
+    return null;
+  }
+
+  public async set(key: string, value: string | null): Promise<void> {
+    const canonicalKey = this.resolveCanonicalKey(key);
+    if (!canonicalKey) {
+      throw new Error(`Unsupported secret setting key: ${key}`);
+    }
+
+    if (!value) {
+      this.clear(canonicalKey);
+      return;
+    }
+
+    const encryptedValue = await credentialEncryption.encrypt({ value });
+    this.authRepo.setSecretSetting(canonicalKey, `${encryptedSecretPrefix}${encryptedValue}`);
+
+    for (const aliasKey of secretSettingAliases[canonicalKey]) {
+      this.authRepo.deleteSecretSetting(aliasKey);
+      this.authRepo.deleteSetting(aliasKey);
+    }
+
+    this.authRepo.deleteSetting(canonicalKey);
+  }
+
+  public async has(key: string): Promise<boolean> {
+    return (await this.get(key)) !== null;
+  }
+
+  public clear(key: string): void {
+    const canonicalKey = this.resolveCanonicalKey(key);
+    if (!canonicalKey) {
+      return;
+    }
+
+    this.authRepo.deleteSecretSetting(canonicalKey);
+    this.authRepo.deleteSetting(canonicalKey);
+
+    for (const aliasKey of secretSettingAliases[canonicalKey]) {
+      this.authRepo.deleteSecretSetting(aliasKey);
+      this.authRepo.deleteSetting(aliasKey);
+    }
+  }
+
+  private resolveCanonicalKey(key: string): TCanonicalSecretSettingKey | null {
+    if (key in secretSettingAliases) {
+      return key as TCanonicalSecretSettingKey;
+    }
+
+    for (const [canonicalKey, aliases] of Object.entries(secretSettingAliases)) {
+      if ((aliases as readonly string[]).includes(key)) {
+        return canonicalKey as TCanonicalSecretSettingKey;
+      }
+    }
+
+    return null;
+  }
+
+  private getCandidateKeys(canonicalKey: TCanonicalSecretSettingKey): string[] {
+    return [canonicalKey, ...secretSettingAliases[canonicalKey]];
+  }
+
+  private async decodeStoredValue(value: string): Promise<string> {
+    if (value.startsWith(encryptedSecretPrefix)) {
+      const decrypted = await credentialEncryption.decrypt<{ value: string }>(
+        value.slice(encryptedSecretPrefix.length),
+      );
+      return decrypted.value;
+    }
+
+    // Compatibility for any earlier secret_settings rows stored without encryption.
+    return value;
+  }
+
+  private async normalizeStoredSecret(
+    canonicalKey: TCanonicalSecretSettingKey,
+    sourceKey: string,
+    storedValue: string,
+    decryptedValue: string,
+  ): Promise<void> {
+    if (sourceKey !== canonicalKey || !storedValue.startsWith(encryptedSecretPrefix)) {
+      await this.set(canonicalKey, decryptedValue);
+      if (sourceKey !== canonicalKey) {
+        this.authRepo.deleteSecretSetting(sourceKey);
+      }
+    }
+
+    this.authRepo.deleteSetting(canonicalKey);
+    for (const aliasKey of secretSettingAliases[canonicalKey]) {
+      this.authRepo.deleteSetting(aliasKey);
+    }
+  }
+}

ts/index.ts

@@ -12,8 +12,7 @@ export { OneboxReverseProxy } from './classes/reverseproxy.ts';
 export { OneboxDnsManager } from './classes/dns.ts';
 export { OneboxSslManager } from './classes/ssl.ts';
 export { OneboxDaemon } from './classes/daemon.ts';
-export { OneboxHttpServer } from './classes/httpserver.ts';
-export { OneboxApiClient } from './classes/apiclient.ts';
+export { OneboxSystemd } from './classes/systemd.ts';
 
 // Types
 export * from './types.ts';

ts/opsserver/classes.opsserver.ts

@@ -1,6 +1,7 @@
 import * as plugins from '../plugins.ts';
 import { logger } from '../logging.ts';
 import type { Onebox } from '../classes/onebox.ts';
+import * as interfaces from '../../ts_interfaces/index.ts';
 import * as handlers from './handlers/index.ts';
 import { files as bundledFiles } from '../../ts_bundled/bundle.ts';
 
@@ -23,6 +24,8 @@ export class OpsServer {
   public schedulesHandler!: handlers.SchedulesHandler;
   public settingsHandler!: handlers.SettingsHandler;
   public logsHandler!: handlers.LogsHandler;
+  public workspaceHandler!: handlers.WorkspaceHandler;
+  public appStoreHandler!: handlers.AppStoreHandler;
 
   constructor(oneboxRef: Onebox) {
     this.oneboxRef = oneboxRef;
@@ -40,6 +43,7 @@ export class OpsServer {
 
     // Set up all handlers
     await this.setupHandlers();
+    this.registerCustomRoutes();
 
     await this.server.start(port);
     logger.success(`OpsServer started on http://localhost:${port}`);
@@ -63,14 +67,112 @@ export class OpsServer {
     this.schedulesHandler = new handlers.SchedulesHandler(this);
     this.settingsHandler = new handlers.SettingsHandler(this);
     this.logsHandler = new handlers.LogsHandler(this);
+    this.workspaceHandler = new handlers.WorkspaceHandler(this);
+    this.appStoreHandler = new handlers.AppStoreHandler(this);
 
     logger.success('OpsServer TypedRequest handlers initialized');
   }
 
+  private registerCustomRoutes(): void {
+    this.server.typedserver.addRoute(
+      '/backups/:backupId/download',
+      'GET',
+      async (ctx) => {
+        const jwt = ctx.query.jwt;
+        if (!jwt) {
+          return new Response('Missing JWT', { status: 401 });
+        }
+
+        try {
+          await this.adminHandler.getVerifiedAdminIdentity({
+            jwt,
+            userId: '',
+            username: '',
+            expiresAt: 0,
+            role: 'user',
+          });
+        } catch {
+          return new Response('Unauthorized', { status: 401 });
+        }
+
+        const backupId = Number(ctx.params.backupId);
+        if (!Number.isInteger(backupId) || backupId < 1) {
+          return new Response('Invalid backup id', { status: 400 });
+        }
+
+        const backup = this.oneboxRef.database.getBackupById(backupId);
+        if (!backup) {
+          return new Response('Backup not found', { status: 404 });
+        }
+
+        const filename = this.sanitizeDownloadFilename(
+          backup.filename || `${backup.serviceName}-${backup.createdAt}.tar.enc`,
+        );
+
+        let filePath = this.oneboxRef.backupManager.getBackupFilePath(backupId);
+        let shouldCleanup = false;
+
+        if (!filePath) {
+          filePath = await this.oneboxRef.backupManager.getBackupExportPath(backupId);
+          shouldCleanup = !!filePath;
+        }
+
+        if (!filePath) {
+          return new Response('Backup export unavailable', { status: 404 });
+        }
+
+        try {
+          const fileData = await Deno.readFile(filePath);
+          return new Response(fileData, {
+            status: 200,
+            headers: {
+              'content-type': 'application/octet-stream',
+              'content-disposition': `attachment; filename="${filename}"`,
+              'content-length': String(fileData.byteLength),
+              'cache-control': 'no-store',
+            },
+          });
+        } finally {
+          if (shouldCleanup) {
+            await Deno.remove(filePath).catch(() => {});
+          }
+        }
+      },
+    );
+  }
+
+  private sanitizeDownloadFilename(filename: string): string {
+    return filename.replace(/["\\\r\n]/g, '_');
+  }
+
   public async stop() {
     if (this.server) {
       await this.server.stop();
       logger.success('OpsServer stopped');
     }
   }
+
+  public async pushDashboardEvent(method: string, payload: unknown): Promise<void> {
+    const typedsocket = (this.server as any)?.typedserver?.typedsocket;
+    if (!typedsocket) {
+      return;
+    }
+
+    const connections = await typedsocket.findAllTargetConnectionsByTag('role', 'ops_dashboard');
+    await Promise.allSettled(
+      connections.map((connection: any) => typedsocket.createTypedRequest(method, connection).fire(payload)),
+    );
+  }
+
+  public async broadcastServiceUpdate(
+    serviceName: string,
+    action: interfaces.requests.IReq_PushServiceUpdate['request']['action'],
+    service?: interfaces.data.IService | null,
+  ): Promise<void> {
+    await this.pushDashboardEvent('pushServiceUpdate', {
+      action,
+      serviceName,
+      service: service || undefined,
+    });
+  }
 }

ts/opsserver/handlers/admin.handler.ts

@@ -2,9 +2,12 @@ import * as plugins from '../../plugins.ts';
 import { logger } from '../../logging.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
+import { hashPassword, needsPasswordUpgrade, verifyPassword } from '../../utils/auth.ts';
 
 export interface IJwtData {
   userId: string;
+  username: string;
+  role: 'admin' | 'user';
   status: 'loggedIn' | 'loggedOut';
   expiresAt: number;
 }
@@ -18,12 +21,80 @@ export class AdminHandler {
   }
 
   public async initialize(): Promise<void> {
-    this.smartjwtInstance = new plugins.smartjwt.SmartJwt();
+    this.smartjwtInstance = new plugins.smartjwt.SmartJwt<IJwtData>();
     await this.smartjwtInstance.init();
-    await this.smartjwtInstance.createNewKeyPair();
     this.registerHandlers();
   }
 
+  private async createIdentityForUser(
+    user: interfaces.data.IUser & { id?: number },
+    expiresAt: number,
+  ): Promise<interfaces.data.IIdentity> {
+    const userId = String(user.id || user.username);
+    const jwt = await this.smartjwtInstance.createJWT({
+      userId,
+      username: user.username,
+      role: user.role,
+      status: 'loggedIn',
+      expiresAt,
+    });
+
+    return {
+      jwt,
+      userId,
+      username: user.username,
+      expiresAt,
+      role: user.role,
+    };
+  }
+
+  public async getVerifiedIdentity(
+    identityArg: interfaces.data.IIdentity | null | undefined,
+  ): Promise<interfaces.data.IIdentity> {
+    if (!identityArg?.jwt) {
+      throw new plugins.typedrequest.TypedResponseError('No identity provided');
+    }
+
+    let jwtData: IJwtData;
+    try {
+      jwtData = await this.smartjwtInstance.verifyJWTAndGetData(identityArg.jwt);
+    } catch {
+      throw new plugins.typedrequest.TypedResponseError('Valid identity required');
+    }
+
+    if (jwtData.expiresAt < Date.now() || jwtData.status !== 'loggedIn') {
+      throw new plugins.typedrequest.TypedResponseError('Valid identity required');
+    }
+
+    const user = this.opsServerRef.oneboxRef.database.getUserByUsername(jwtData.username);
+    if (!user) {
+      throw new plugins.typedrequest.TypedResponseError('Valid identity required');
+    }
+
+    const userId = String(user.id || user.username);
+    if (jwtData.userId !== userId) {
+      throw new plugins.typedrequest.TypedResponseError('Valid identity required');
+    }
+
+    return {
+      jwt: identityArg.jwt,
+      userId,
+      username: user.username,
+      expiresAt: jwtData.expiresAt,
+      role: user.role,
+    };
+  }
+
+  public async getVerifiedAdminIdentity(
+    identityArg: interfaces.data.IIdentity | null | undefined,
+  ): Promise<interfaces.data.IIdentity> {
+    const identity = await this.getVerifiedIdentity(identityArg);
+    if (identity.role !== 'admin') {
+      throw new plugins.typedrequest.TypedResponseError('Admin access required');
+    }
+    return identity;
+  }
+
   private registerHandlers(): void {
     // Login
     this.typedrouter.addTypedHandler(
@@ -36,30 +107,24 @@ export class AdminHandler {
               throw new plugins.typedrequest.TypedResponseError('Invalid credentials');
             }
 
-            // Verify password (base64 comparison to match existing DB scheme)
-            const passwordHash = btoa(dataArg.password);
-            if (passwordHash !== user.passwordHash) {
+            const passwordMatches = await verifyPassword(dataArg.password, user.passwordHash);
+            if (!passwordMatches) {
               throw new plugins.typedrequest.TypedResponseError('Invalid credentials');
             }
 
+            if (needsPasswordUpgrade(user.passwordHash)) {
+              const upgradedHash = await hashPassword(dataArg.password);
+              this.opsServerRef.oneboxRef.database.updateUserPassword(user.username, upgradedHash);
+            }
+
             const expiresAt = Date.now() + 24 * 3600 * 1000;
-            const userId = String(user.id || user.username);
-            const jwt = await this.smartjwtInstance.createJWT({
-              userId,
-              status: 'loggedIn',
-              expiresAt,
-            });
+            const freshUser = this.opsServerRef.oneboxRef.database.getUserByUsername(user.username) || user;
+            const identity = await this.createIdentityForUser(freshUser, expiresAt);
 
             logger.info(`User logged in: ${user.username}`);
 
             return {
-              identity: {
-                jwt,
-                userId,
-                username: user.username,
-                expiresAt,
-                role: user.role,
-              },
+              identity,
             };
           } catch (error) {
             if (error instanceof plugins.typedrequest.TypedResponseError) throw error;
@@ -84,22 +149,11 @@ export class AdminHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_VerifyIdentity>(
         'verifyIdentity',
         async (dataArg) => {
-          if (!dataArg.identity?.jwt) {
-            return { valid: false };
-          }
           try {
-            const jwtData = await this.smartjwtInstance.verifyJWTAndGetData(dataArg.identity.jwt);
-            if (jwtData.expiresAt < Date.now()) return { valid: false };
-            if (jwtData.status !== 'loggedIn') return { valid: false };
+            const identity = await this.getVerifiedIdentity(dataArg.identity);
             return {
               valid: true,
-              identity: {
-                jwt: dataArg.identity.jwt,
-                userId: jwtData.userId,
-                username: dataArg.identity.username,
-                expiresAt: jwtData.expiresAt,
-                role: dataArg.identity.role,
-              },
+              identity,
             };
           } catch {
             return { valid: false };
@@ -110,21 +164,21 @@ export class AdminHandler {
 
     // Change Password
     this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ChangePassword>(
-        'changePassword',
-        async (dataArg) => {
-          await this.requireValidIdentity(dataArg);
-          const user = this.opsServerRef.oneboxRef.database.getUserByUsername(dataArg.identity.username);
+        new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ChangePassword>(
+          'changePassword',
+          async (dataArg) => {
+          const identity = await this.getVerifiedIdentity(dataArg.identity);
+          const user = this.opsServerRef.oneboxRef.database.getUserByUsername(identity.username);
           if (!user) {
             throw new plugins.typedrequest.TypedResponseError('User not found');
           }
 
-          const currentHash = btoa(dataArg.currentPassword);
-          if (currentHash !== user.passwordHash) {
+          const currentPasswordMatches = await verifyPassword(dataArg.currentPassword, user.passwordHash);
+          if (!currentPasswordMatches) {
             throw new plugins.typedrequest.TypedResponseError('Current password is incorrect');
           }
 
-          const newHash = btoa(dataArg.newPassword);
+          const newHash = await hashPassword(dataArg.newPassword);
           this.opsServerRef.oneboxRef.database.updateUserPassword(user.username, newHash);
           logger.info(`Password changed for user: ${user.username}`);
 
@@ -134,25 +188,13 @@ export class AdminHandler {
     );
   }
 
-  private async requireValidIdentity(dataArg: { identity: interfaces.data.IIdentity }): Promise<void> {
-    const passed = await this.validIdentityGuard.exec({ identity: dataArg.identity });
-    if (!passed) {
-      throw new plugins.typedrequest.TypedResponseError('Valid identity required');
-    }
-  }
-
   // Guard for valid identity
   public validIdentityGuard = new plugins.smartguard.Guard<{
     identity: interfaces.data.IIdentity;
   }>(
     async (dataArg) => {
-      if (!dataArg.identity?.jwt) return false;
       try {
-        const jwtData = await this.smartjwtInstance.verifyJWTAndGetData(dataArg.identity.jwt);
-        if (jwtData.expiresAt < Date.now()) return false;
-        if (jwtData.status !== 'loggedIn') return false;
-        if (dataArg.identity.expiresAt !== jwtData.expiresAt) return false;
-        if (dataArg.identity.userId !== jwtData.userId) return false;
+        await this.getVerifiedIdentity(dataArg.identity);
         return true;
       } catch {
         return false;
@@ -166,9 +208,12 @@ export class AdminHandler {
     identity: interfaces.data.IIdentity;
   }>(
     async (dataArg) => {
-      const isValid = await this.validIdentityGuard.exec(dataArg);
-      if (!isValid) return false;
-      return dataArg.identity.role === 'admin';
+      try {
+        const identity = await this.getVerifiedIdentity(dataArg.identity);
+        return identity.role === 'admin';
+      } catch {
+        return false;
+      }
     },
     { failedHint: 'user is not admin', name: 'adminIdentityGuard' },
   );

ts/opsserver/handlers/appstore.handler.ts

@@ -0,0 +1,104 @@
+import * as plugins from '../../plugins.ts';
+import { logger } from '../../logging.ts';
+import type { OpsServer } from '../classes.opsserver.ts';
+import * as interfaces from '../../../ts_interfaces/index.ts';
+import { requireAdminIdentity } from '../helpers/guards.ts';
+
+export class AppStoreHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private registerHandlers(): void {
+    // Get app templates (catalog)
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetAppTemplates>(
+        'getAppTemplates',
+        async (dataArg) => {
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          const apps = await this.opsServerRef.oneboxRef.appStore.getApps();
+          return { apps };
+        },
+      ),
+    );
+
+    // Get app config for a specific version
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetAppConfig>(
+        'getAppConfig',
+        async (dataArg) => {
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          const config = await this.opsServerRef.oneboxRef.appStore.getAppVersionConfig(
+            dataArg.appId,
+            dataArg.version,
+          );
+          const appMeta = await this.opsServerRef.oneboxRef.appStore.getAppMeta(dataArg.appId);
+          return { config, appMeta };
+        },
+      ),
+    );
+
+    // Get services with available upgrades
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetUpgradeableServices>(
+        'getUpgradeableServices',
+        async (dataArg) => {
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          const services = await this.opsServerRef.oneboxRef.appStore.getUpgradeableServices();
+          return { services };
+        },
+      ),
+    );
+
+    // Upgrade a service to a new template version
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpgradeService>(
+        'upgradeService',
+        async (dataArg) => {
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+
+          const existingService = this.opsServerRef.oneboxRef.database.getServiceByName(dataArg.serviceName);
+          if (!existingService) {
+            throw new plugins.typedrequest.TypedResponseError(`Service not found: ${dataArg.serviceName}`);
+          }
+          if (!existingService.appTemplateId) {
+            throw new plugins.typedrequest.TypedResponseError('Service was not deployed from an app template');
+          }
+          if (!existingService.appTemplateVersion) {
+            throw new plugins.typedrequest.TypedResponseError('Service has no tracked template version');
+          }
+
+          logger.info(`Upgrading service '${dataArg.serviceName}' from v${existingService.appTemplateVersion} to v${dataArg.targetVersion}`);
+
+          // Execute migration
+          const migrationResult = await this.opsServerRef.oneboxRef.appStore.executeMigration(
+            existingService,
+            existingService.appTemplateVersion,
+            dataArg.targetVersion,
+          );
+
+          if (!migrationResult.success) {
+            throw new plugins.typedrequest.TypedResponseError(
+              `Migration failed: ${migrationResult.warnings.join('; ')}`,
+            );
+          }
+
+          // Apply the upgrade
+          const updatedService = await this.opsServerRef.oneboxRef.appStore.applyUpgrade(
+            dataArg.serviceName,
+            migrationResult,
+            dataArg.targetVersion,
+          );
+
+          return {
+            service: updatedService,
+            warnings: migrationResult.warnings,
+          };
+        },
+      ),
+    );
+  }
+}

ts/opsserver/handlers/backups.handler.ts

@@ -1,7 +1,7 @@
 import * as plugins from '../../plugins.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
-import { requireValidIdentity } from '../helpers/guards.ts';
+import { requireAdminIdentity } from '../helpers/guards.ts';
 
 export class BackupsHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -16,7 +16,7 @@ export class BackupsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetBackups>(
         'getBackups',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const backups = this.opsServerRef.oneboxRef.backupManager.listBackups();
           return { backups };
         },
@@ -27,7 +27,7 @@ export class BackupsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetBackup>(
         'getBackup',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const backup = this.opsServerRef.oneboxRef.database.getBackupById(dataArg.backupId);
           if (!backup) {
             throw new plugins.typedrequest.TypedResponseError('Backup not found');
@@ -41,7 +41,7 @@ export class BackupsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteBackup>(
         'deleteBackup',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           await this.opsServerRef.oneboxRef.backupManager.deleteBackup(dataArg.backupId);
           return { ok: true };
         },
@@ -52,13 +52,9 @@ export class BackupsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RestoreBackup>(
         'restoreBackup',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
-          const backupPath = this.opsServerRef.oneboxRef.backupManager.getBackupFilePath(dataArg.backupId);
-          if (!backupPath) {
-            throw new plugins.typedrequest.TypedResponseError('Backup file not found');
-          }
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const rawResult = await this.opsServerRef.oneboxRef.backupManager.restoreBackup(
-            backupPath,
+            dataArg.backupId,
             dataArg.options,
           );
           return {
@@ -79,19 +75,16 @@ export class BackupsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DownloadBackup>(
         'downloadBackup',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const backup = this.opsServerRef.oneboxRef.database.getBackupById(dataArg.backupId);
           if (!backup) {
             throw new plugins.typedrequest.TypedResponseError('Backup not found');
           }
-          const filePath = this.opsServerRef.oneboxRef.backupManager.getBackupFilePath(dataArg.backupId);
-          if (!filePath) {
-            throw new plugins.typedrequest.TypedResponseError('Backup file not found');
-          }
           // Return a download URL that the client can fetch directly
+          const filename = backup.filename || `${backup.serviceName}-${backup.createdAt}.tar.enc`;
           return {
-            downloadUrl: `/api/backups/${dataArg.backupId}/download`,
-            filename: backup.filename,
+            downloadUrl: `/backups/${dataArg.backupId}/download?jwt=${encodeURIComponent(dataArg.identity.jwt)}`,
+            filename,
           };
         },
       ),

ts/opsserver/handlers/dns.handler.ts

@@ -1,7 +1,7 @@
 import * as plugins from '../../plugins.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
-import { requireValidIdentity } from '../helpers/guards.ts';
+import { requireAdminIdentity } from '../helpers/guards.ts';
 
 export class DnsHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -16,7 +16,7 @@ export class DnsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetDnsRecords>(
         'getDnsRecords',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const records = this.opsServerRef.oneboxRef.dns.listDNSRecords();
           return { records };
         },
@@ -27,7 +27,7 @@ export class DnsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateDnsRecord>(
         'createDnsRecord',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           await this.opsServerRef.oneboxRef.dns.addDNSRecord(dataArg.domain, dataArg.value);
           const records = this.opsServerRef.oneboxRef.dns.listDNSRecords();
           const record = records.find((r: any) => r.domain === dataArg.domain);
@@ -40,7 +40,7 @@ export class DnsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteDnsRecord>(
         'deleteDnsRecord',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           await this.opsServerRef.oneboxRef.dns.removeDNSRecord(dataArg.domain);
           return { ok: true };
         },
@@ -51,7 +51,7 @@ export class DnsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SyncDns>(
         'syncDns',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           if (!this.opsServerRef.oneboxRef.dns.isConfigured()) {
             throw new plugins.typedrequest.TypedResponseError('DNS manager not configured');
           }

ts/opsserver/handlers/domains.handler.ts

@@ -1,7 +1,7 @@
 import * as plugins from '../../plugins.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
-import { requireValidIdentity } from '../helpers/guards.ts';
+import { requireAdminIdentity } from '../helpers/guards.ts';
 
 export class DomainsHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -57,7 +57,7 @@ export class DomainsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetDomains>(
         'getDomains',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const domains = this.buildDomainViews();
           return { domains };
         },
@@ -68,7 +68,7 @@ export class DomainsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetDomain>(
         'getDomain',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const domain = this.opsServerRef.oneboxRef.database.getDomainByName(dataArg.domainName);
           if (!domain) {
             throw new plugins.typedrequest.TypedResponseError('Domain not found');
@@ -87,7 +87,7 @@ export class DomainsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SyncDomains>(
         'syncDomains',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           if (!this.opsServerRef.oneboxRef.cloudflareDomainSync) {
             throw new plugins.typedrequest.TypedResponseError('Cloudflare domain sync not configured');
           }

ts/opsserver/handlers/index.ts

@@ -11,3 +11,5 @@ export * from './backups.handler.ts';
 export * from './schedules.handler.ts';
 export * from './settings.handler.ts';
 export * from './logs.handler.ts';
+export * from './workspace.handler.ts';
+export * from './appstore.handler.ts';

ts/opsserver/handlers/logs.handler.ts

@@ -2,7 +2,7 @@ import * as plugins from '../../plugins.ts';
 import { logger } from '../../logging.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
-import { requireValidIdentity } from '../helpers/guards.ts';
+import { requireAdminIdentity } from '../helpers/guards.ts';
 
 export class LogsHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -18,7 +18,7 @@ export class LogsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetServiceLogStream>(
         'getServiceLogStream',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
 
           const service = this.opsServerRef.oneboxRef.database.getServiceByName(dataArg.serviceName);
           if (!service) {
@@ -99,7 +99,7 @@ export class LogsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetPlatformServiceLogStream>(
         'getPlatformServiceLogStream',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
 
           const platformService = this.opsServerRef.oneboxRef.database.getPlatformServiceByType(
             dataArg.serviceType,
@@ -160,26 +160,26 @@ export class LogsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetNetworkLogStream>(
         'getNetworkLogStream',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
 
           const virtualStream = new plugins.typedrequest.VirtualStream<Uint8Array>();
           const encoder = new TextEncoder();
           const clientId = crypto.randomUUID();
 
-          // Create a mock WebSocket-like object for the CaddyLogReceiver
+          // Create a mock WebSocket-like object for the proxy log receiver.
           const mockSocket = {
             readyState: 1, // WebSocket.OPEN
             send: (data: string) => {
               try {
                 virtualStream.sendData(encoder.encode(data));
               } catch {
-                this.opsServerRef.oneboxRef.caddyLogReceiver.removeClient(clientId);
+                this.opsServerRef.oneboxRef.proxyLogReceiver.removeClient(clientId);
               }
             },
           };
 
           const filter = dataArg.filter || {};
-          this.opsServerRef.oneboxRef.caddyLogReceiver.addClient(
+          this.opsServerRef.oneboxRef.proxyLogReceiver.addClient(
             clientId,
             mockSocket as any,
             filter,
@@ -195,7 +195,7 @@ export class LogsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetEventStream>(
         'getEventStream',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
 
           const virtualStream = new plugins.typedrequest.VirtualStream<Uint8Array>();
           const encoder = new TextEncoder();

ts/opsserver/handlers/network.handler.ts

@@ -1,7 +1,7 @@
 import * as plugins from '../../plugins.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
-import { requireValidIdentity } from '../helpers/guards.ts';
+import { requireAdminIdentity } from '../helpers/guards.ts';
 import type { TPlatformServiceType } from '../../types.ts';
 
 export class NetworkHandler {
@@ -19,8 +19,9 @@ export class NetworkHandler {
       redis: 6379,
       postgresql: 5432,
       rabbitmq: 5672,
-      caddy: 80,
+      smartproxy: 80,
       clickhouse: 8123,
+      mariadb: 3306,
     };
     return ports[type] || 0;
   }
@@ -30,7 +31,7 @@ export class NetworkHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetNetworkTargets>(
         'getNetworkTargets',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const targets: interfaces.data.INetworkTarget[] = [];
 
           // Services
@@ -82,9 +83,9 @@ export class NetworkHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetNetworkStats>(
         'getNetworkStats',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const proxyStatus = this.opsServerRef.oneboxRef.reverseProxy.getStatus() as any;
-          const logReceiverStats = this.opsServerRef.oneboxRef.caddyLogReceiver.getStats();
+          const logReceiverStats = this.opsServerRef.oneboxRef.proxyLogReceiver.getStats();
 
           return {
             stats: {
@@ -113,8 +114,8 @@ export class NetworkHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetTrafficStats>(
         'getTrafficStats',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
-          const trafficStats = this.opsServerRef.oneboxRef.caddyLogReceiver.getTrafficStats(60);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          const trafficStats = this.opsServerRef.oneboxRef.proxyLogReceiver.getTrafficStats(60);
           return { stats: trafficStats };
         },
       ),

ts/opsserver/handlers/platform.handler.ts

@@ -2,14 +2,106 @@ import * as plugins from '../../plugins.ts';
 import { logger } from '../../logging.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
-import { requireValidIdentity } from '../helpers/guards.ts';
+import { requireAdminIdentity } from '../helpers/guards.ts';
 
 export class PlatformHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
+  private activeLogStreams = new Map<string, boolean>();
 
   constructor(private opsServerRef: OpsServer) {
     this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
     this.registerHandlers();
+    this.startLogStreaming();
+  }
+
+  /**
+   * Start streaming logs from all running containers (platform + user services)
+   * and push new entries to connected dashboard clients via TypedSocket
+   */
+  private async startLogStreaming(): Promise<void> {
+    const checkAndStream = async () => {
+      // Stream platform service containers
+      const platformServices = this.opsServerRef.oneboxRef.database.getAllPlatformServices();
+      for (const service of platformServices) {
+        if (service.status !== 'running' || !service.containerId) continue;
+        const key = `platform:${service.type}`;
+        if (this.activeLogStreams.has(key)) continue;
+
+        this.activeLogStreams.set(key, true);
+        logger.info(`Starting log stream for platform service: ${service.type}`);
+
+        try {
+          await this.opsServerRef.oneboxRef.docker.streamContainerLogs(
+            service.containerId,
+            (line: string, isError: boolean) => {
+              this.pushPlatformLogToClients(service.type as interfaces.data.TPlatformServiceType, line, isError);
+            }
+          );
+        } catch (err) {
+          logger.warn(`Log stream failed for ${service.type}: ${(err as Error).message}`);
+          this.activeLogStreams.delete(key);
+        }
+      }
+
+      // Stream user service containers
+      const userServices = this.opsServerRef.oneboxRef.services.listServices();
+      for (const service of userServices) {
+        if (service.status !== 'running' || !service.containerID) continue;
+        const key = `service:${service.name}`;
+        if (this.activeLogStreams.has(key)) continue;
+
+        this.activeLogStreams.set(key, true);
+        logger.info(`Starting log stream for user service: ${service.name}`);
+
+        try {
+          await this.opsServerRef.oneboxRef.docker.streamContainerLogs(
+            service.containerID,
+            (line: string, isError: boolean) => {
+              this.pushServiceLogToClients(service.name, line, isError);
+            }
+          );
+        } catch (err) {
+          logger.warn(`Log stream failed for ${service.name}: ${(err as Error).message}`);
+          this.activeLogStreams.delete(key);
+        }
+      }
+    };
+
+    // Initial check after a short delay (let services start first)
+    setTimeout(() => checkAndStream(), 5000);
+    // Re-check periodically for newly started services
+    setInterval(() => checkAndStream(), 15000);
+  }
+
+  private parseLogLine(line: string, isError: boolean): { timestamp: string; level: string; message: string } {
+    const tsMatch = line.match(/^(\d{4}-\d{2}-\d{2}T[\d:.]+Z?)\s+(.*)/);
+    const timestamp = tsMatch ? tsMatch[1] : new Date().toISOString();
+    const message = tsMatch ? tsMatch[2] : line;
+    const msgLower = message.toLowerCase();
+    const level = isError || msgLower.includes('error') || msgLower.includes('fatal')
+      ? 'error'
+      : msgLower.includes('warn')
+        ? 'warn'
+        : 'info';
+    return { timestamp, level, message };
+  }
+
+  private pushPlatformLogToClients(
+    serviceType: interfaces.data.TPlatformServiceType,
+    line: string,
+    isError: boolean,
+  ): void {
+    const entry = this.parseLogLine(line, isError);
+    void this.opsServerRef.pushDashboardEvent('pushPlatformServiceLog', { serviceType, entry });
+  }
+
+  private pushServiceLogToClients(
+    serviceName: string,
+    line: string,
+    isError: boolean,
+  ): void {
+    const entry = this.parseLogLine(line, isError);
+    void this.opsServerRef.pushDashboardEvent('pushServiceLog', { serviceName, entry });
   }
 
   private registerHandlers(): void {
@@ -18,7 +110,7 @@ export class PlatformHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetPlatformServices>(
         'getPlatformServices',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const platformServices = this.opsServerRef.oneboxRef.platformServices.getAllPlatformServices();
           const providers = this.opsServerRef.oneboxRef.platformServices.getAllProviders();
 
@@ -27,7 +119,7 @@ export class PlatformHandler {
             const isCore = 'isCore' in provider && (provider as any).isCore === true;
 
             let status: string = service?.status || 'not-deployed';
-            if (provider.type === 'caddy') {
+            if (provider.type === 'smartproxy') {
               const proxyStatus = this.opsServerRef.oneboxRef.reverseProxy.getStatus() as any;
               status = (proxyStatus.running ?? proxyStatus.http?.running) ? 'running' : 'stopped';
             }
@@ -54,7 +146,7 @@ export class PlatformHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetPlatformService>(
         'getPlatformService',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const provider = this.opsServerRef.oneboxRef.platformServices.getProvider(dataArg.serviceType);
           if (!provider) {
             throw new plugins.typedrequest.TypedResponseError(`Unknown platform service type: ${dataArg.serviceType}`);
@@ -64,7 +156,7 @@ export class PlatformHandler {
           const isCore = 'isCore' in provider && (provider as any).isCore === true;
 
           let rawStatus: string = service?.status || 'not-deployed';
-          if (dataArg.serviceType === 'caddy') {
+          if (dataArg.serviceType === 'smartproxy') {
             const proxyStatus = this.opsServerRef.oneboxRef.reverseProxy.getStatus() as any;
             rawStatus = (proxyStatus.running ?? proxyStatus.http?.running) ? 'running' : 'stopped';
           }
@@ -90,7 +182,7 @@ export class PlatformHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_StartPlatformService>(
         'startPlatformService',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const provider = this.opsServerRef.oneboxRef.platformServices.getProvider(dataArg.serviceType);
           if (!provider) {
             throw new plugins.typedrequest.TypedResponseError(`Unknown platform service type: ${dataArg.serviceType}`);
@@ -117,7 +209,7 @@ export class PlatformHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_StopPlatformService>(
         'stopPlatformService',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const provider = this.opsServerRef.oneboxRef.platformServices.getProvider(dataArg.serviceType);
           if (!provider) {
             throw new plugins.typedrequest.TypedResponseError(`Unknown platform service type: ${dataArg.serviceType}`);
@@ -150,7 +242,7 @@ export class PlatformHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetPlatformServiceStats>(
         'getPlatformServiceStats',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const service = this.opsServerRef.oneboxRef.database.getPlatformServiceByType(dataArg.serviceType);
           if (!service || !service.containerId) {
             throw new plugins.typedrequest.TypedResponseError('Platform service has no container');
@@ -165,5 +257,47 @@ export class PlatformHandler {
         },
       ),
     );
+
+    // Get platform service logs
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetPlatformServiceLogs>(
+        'getPlatformServiceLogs',
+        async (dataArg) => {
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          const service = this.opsServerRef.oneboxRef.database.getPlatformServiceByType(dataArg.serviceType);
+          if (!service || !service.containerId) {
+            throw new plugins.typedrequest.TypedResponseError('Platform service has no container');
+          }
+
+          const tail = dataArg.tail || 100;
+          const rawLogs = await this.opsServerRef.oneboxRef.docker.getContainerLogs(service.containerId, tail);
+
+          // Parse raw log output into structured entries
+          const logLines = (rawLogs.stdout + rawLogs.stderr)
+            .split('\n')
+            .filter((line: string) => line.trim());
+
+          const logs = logLines.map((line: string, index: number) => {
+            // Try to parse Docker timestamp from beginning of line
+            const tsMatch = line.match(/^(\d{4}-\d{2}-\d{2}T[\d:.]+Z?)\s+(.*)/);
+            const timestamp = tsMatch ? new Date(tsMatch[1]).getTime() : Date.now();
+            const message = tsMatch ? tsMatch[2] : line;
+            const msgLower = message.toLowerCase();
+            const isError = msgLower.includes('error') || msgLower.includes('fatal');
+            const isWarn = msgLower.includes('warn');
+            return {
+              id: index,
+              serviceId: 0,
+              timestamp,
+              message,
+              level: (isError ? 'error' : isWarn ? 'warn' : 'info') as 'info' | 'warn' | 'error' | 'debug',
+              source: 'stdout' as const,
+            };
+          });
+
+          return { logs };
+        },
+      ),
+    );
   }
 }

ts/opsserver/handlers/registry.handler.ts

@@ -1,7 +1,7 @@
 import * as plugins from '../../plugins.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
-import { requireValidIdentity } from '../helpers/guards.ts';
+import { requireAdminIdentity } from '../helpers/guards.ts';
 
 export class RegistryHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -17,7 +17,7 @@ export class RegistryHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRegistryTags>(
         'getRegistryTags',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const tags = await this.opsServerRef.oneboxRef.registry.getImageTags(dataArg.serviceName);
           return { tags };
         },
@@ -29,7 +29,7 @@ export class RegistryHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRegistryTokens>(
         'getRegistryTokens',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const rawTokens = this.opsServerRef.oneboxRef.database.getAllRegistryTokens();
           const now = Date.now();
 
@@ -68,7 +68,7 @@ export class RegistryHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateRegistryToken>(
         'createRegistryToken',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const identity = await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const config = dataArg.tokenConfig;
 
           // Calculate expiration
@@ -95,7 +95,7 @@ export class RegistryHandler {
             expiresAt,
             createdAt: now,
             lastUsedAt: null,
-            createdBy: dataArg.identity.username,
+            createdBy: identity.username,
           });
 
           let scopeDisplay: string;
@@ -133,7 +133,7 @@ export class RegistryHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteRegistryToken>(
         'deleteRegistryToken',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const token = this.opsServerRef.oneboxRef.database.getRegistryTokenById(dataArg.tokenId);
           if (!token) {
             throw new plugins.typedrequest.TypedResponseError('Token not found');

ts/opsserver/handlers/schedules.handler.ts

@@ -1,7 +1,7 @@
 import * as plugins from '../../plugins.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
-import { requireValidIdentity } from '../helpers/guards.ts';
+import { requireAdminIdentity } from '../helpers/guards.ts';
 
 export class SchedulesHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -16,7 +16,7 @@ export class SchedulesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetBackupSchedules>(
         'getBackupSchedules',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const schedules = this.opsServerRef.oneboxRef.backupScheduler.getAllSchedules();
           return { schedules };
         },
@@ -27,7 +27,7 @@ export class SchedulesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateBackupSchedule>(
         'createBackupSchedule',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const schedule = await this.opsServerRef.oneboxRef.backupScheduler.createSchedule(
             dataArg.scheduleConfig,
           );
@@ -40,7 +40,7 @@ export class SchedulesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetBackupSchedule>(
         'getBackupSchedule',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const schedule = this.opsServerRef.oneboxRef.backupScheduler.getScheduleById(dataArg.scheduleId);
           if (!schedule) {
             throw new plugins.typedrequest.TypedResponseError('Schedule not found');
@@ -54,7 +54,7 @@ export class SchedulesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateBackupSchedule>(
         'updateBackupSchedule',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const schedule = await this.opsServerRef.oneboxRef.backupScheduler.updateSchedule(
             dataArg.scheduleId,
             dataArg.updates,
@@ -68,7 +68,7 @@ export class SchedulesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteBackupSchedule>(
         'deleteBackupSchedule',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           await this.opsServerRef.oneboxRef.backupScheduler.deleteSchedule(dataArg.scheduleId);
           return { ok: true };
         },
@@ -79,7 +79,7 @@ export class SchedulesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_TriggerBackupSchedule>(
         'triggerBackupSchedule',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           await this.opsServerRef.oneboxRef.backupScheduler.triggerBackup(dataArg.scheduleId);
           // triggerBackup is void; the backup is created async by the scheduler
           // Return the most recent backup for the schedule

ts/opsserver/handlers/services.handler.ts

@@ -2,7 +2,7 @@ import * as plugins from '../../plugins.ts';
 import { logger } from '../../logging.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
-import { requireValidIdentity } from '../helpers/guards.ts';
+import { requireAdminIdentity } from '../helpers/guards.ts';
 
 export class ServicesHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -18,7 +18,7 @@ export class ServicesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetServices>(
         'getServices',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const services = this.opsServerRef.oneboxRef.services.listServices();
           return { services };
         },
@@ -30,7 +30,7 @@ export class ServicesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetService>(
         'getService',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const service = this.opsServerRef.oneboxRef.services.getService(dataArg.serviceName);
           if (!service) {
             throw new plugins.typedrequest.TypedResponseError('Service not found');
@@ -45,7 +45,7 @@ export class ServicesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateService>(
         'createService',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const service = await this.opsServerRef.oneboxRef.services.deployService(dataArg.serviceConfig);
           return { service };
         },
@@ -57,7 +57,7 @@ export class ServicesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateService>(
         'updateService',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const service = await this.opsServerRef.oneboxRef.services.updateService(
             dataArg.serviceName,
             dataArg.updates,
@@ -72,7 +72,7 @@ export class ServicesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteService>(
         'deleteService',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           await this.opsServerRef.oneboxRef.services.removeService(dataArg.serviceName);
           return { ok: true };
         },
@@ -84,7 +84,7 @@ export class ServicesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_StartService>(
         'startService',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           await this.opsServerRef.oneboxRef.services.startService(dataArg.serviceName);
           const service = this.opsServerRef.oneboxRef.services.getService(dataArg.serviceName);
           return { service: service! };
@@ -97,7 +97,7 @@ export class ServicesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_StopService>(
         'stopService',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           await this.opsServerRef.oneboxRef.services.stopService(dataArg.serviceName);
           const service = this.opsServerRef.oneboxRef.services.getService(dataArg.serviceName);
           return { service: service! };
@@ -110,7 +110,7 @@ export class ServicesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RestartService>(
         'restartService',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           await this.opsServerRef.oneboxRef.services.restartService(dataArg.serviceName);
           const service = this.opsServerRef.oneboxRef.services.getService(dataArg.serviceName);
           return { service: service! };
@@ -123,7 +123,7 @@ export class ServicesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetServiceLogs>(
         'getServiceLogs',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const logs = await this.opsServerRef.oneboxRef.services.getServiceLogs(dataArg.serviceName);
           return { logs: String(logs) };
         },
@@ -135,7 +135,7 @@ export class ServicesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetServiceStats>(
         'getServiceStats',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const service = this.opsServerRef.oneboxRef.services.getService(dataArg.serviceName);
           if (!service || !service.containerID) {
             throw new plugins.typedrequest.TypedResponseError('Service has no container');
@@ -154,7 +154,7 @@ export class ServicesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetServiceMetrics>(
         'getServiceMetrics',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const service = this.opsServerRef.oneboxRef.services.getService(dataArg.serviceName);
           if (!service || !service.id) {
             throw new plugins.typedrequest.TypedResponseError('Service not found');
@@ -170,7 +170,7 @@ export class ServicesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetServicePlatformResources>(
         'getServicePlatformResources',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const rawResources = await this.opsServerRef.oneboxRef.services.getServicePlatformResources(
             dataArg.serviceName,
           );
@@ -204,7 +204,7 @@ export class ServicesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetServiceBackups>(
         'getServiceBackups',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const backups = this.opsServerRef.oneboxRef.backupManager.listBackups(dataArg.serviceName);
           return { backups };
         },
@@ -216,7 +216,7 @@ export class ServicesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateServiceBackup>(
         'createServiceBackup',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const result = await this.opsServerRef.oneboxRef.backupManager.createBackup(dataArg.serviceName);
           return { backup: result.backup };
         },
@@ -228,7 +228,7 @@ export class ServicesHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetServiceBackupSchedules>(
         'getServiceBackupSchedules',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const service = this.opsServerRef.oneboxRef.services.getService(dataArg.serviceName);
           if (!service) {
             throw new plugins.typedrequest.TypedResponseError('Service not found');

ts/opsserver/handlers/settings.handler.ts

@@ -1,7 +1,9 @@
 import * as plugins from '../../plugins.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
-import { requireValidIdentity } from '../helpers/guards.ts';
+import { requireAdminIdentity } from '../helpers/guards.ts';
+import { logger } from '../../logging.ts';
+import { getErrorMessage } from '../../utils/error.ts';
 
 export class SettingsHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -11,13 +13,20 @@ export class SettingsHandler {
     this.registerHandlers();
   }
 
-  private getSettingsObject(): interfaces.data.ISettings {
+  private async getSettingsObject(): Promise<interfaces.data.ISettings> {
     const db = this.opsServerRef.oneboxRef.database;
-    const settingsMap = db.getAllSettings(); // Returns Record<string, string>
+    const cloudflareToken = await db.getSecretSetting('cloudflareToken');
+    const dcrouterGatewayApiToken = await db.getSecretSetting('dcrouterGatewayApiToken');
+    const settingsMap = db.getAllSettings();
 
     return {
-      cloudflareToken: settingsMap['cloudflareToken'] || '',
+      cloudflareToken: cloudflareToken || '',
       cloudflareZoneId: settingsMap['cloudflareZoneId'] || '',
+      dcrouterGatewayUrl: settingsMap['dcrouterGatewayUrl'] || '',
+      dcrouterGatewayApiToken: dcrouterGatewayApiToken || '',
+      dcrouterWorkHosterId: settingsMap['dcrouterWorkHosterId'] || '',
+      dcrouterTargetHost: settingsMap['dcrouterTargetHost'] || '',
+      dcrouterTargetPort: parseInt(settingsMap['dcrouterTargetPort'] || '0', 10),
       autoRenewCerts: settingsMap['autoRenewCerts'] === 'true',
       renewalThreshold: parseInt(settingsMap['renewalThreshold'] || '30', 10),
       acmeEmail: settingsMap['acmeEmail'] || '',
@@ -32,8 +41,8 @@ export class SettingsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSettings>(
         'getSettings',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
-          const settings = this.getSettingsObject();
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          const settings = await this.getSettingsObject();
           return { settings };
         },
       ),
@@ -43,18 +52,28 @@ export class SettingsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateSettings>(
         'updateSettings',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const db = this.opsServerRef.oneboxRef.database;
           const updates = dataArg.settings;
 
           // Store each setting as key-value pair
           for (const [key, value] of Object.entries(updates)) {
             if (value !== undefined) {
-              db.setSetting(key, String(value));
+              if (db.isSecretSettingKey(key)) {
+                await db.setSecretSetting(key, String(value));
+              } else {
+                db.setSetting(key, String(value));
+              }
             }
           }
 
-          const settings = this.getSettingsObject();
+          if (this.hasExternalGatewaySetting(updates)) {
+            this.refreshExternalGateway().catch((error) => {
+              logger.warn(`External gateway settings refresh failed: ${getErrorMessage(error)}`);
+            });
+          }
+
+          const settings = await this.getSettingsObject();
           return { settings };
         },
       ),
@@ -64,8 +83,8 @@ export class SettingsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SetBackupPassword>(
         'setBackupPassword',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
-          this.opsServerRef.oneboxRef.database.setSetting('backupPassword', dataArg.password);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          await this.opsServerRef.oneboxRef.database.setSecretSetting('backupPassword', dataArg.password);
           return { ok: true };
         },
       ),
@@ -75,12 +94,35 @@ export class SettingsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetBackupPasswordStatus>(
         'getBackupPasswordStatus',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
-          const backupPassword = this.opsServerRef.oneboxRef.database.getSetting('backupPassword');
-          const isConfigured = !!backupPassword;
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          const isConfigured = await this.opsServerRef.oneboxRef.database.hasSecretSetting('backupPassword');
           return { status: { isConfigured } };
         },
       ),
     );
   }
+
+  private hasExternalGatewaySetting(settings: Partial<interfaces.data.ISettings>): boolean {
+    return [
+      'dcrouterGatewayUrl',
+      'dcrouterGatewayApiToken',
+      'dcrouterWorkHosterId',
+      'dcrouterTargetHost',
+      'dcrouterTargetPort',
+    ].some((key) => Object.prototype.hasOwnProperty.call(settings, key));
+  }
+
+  private async refreshExternalGateway(): Promise<void> {
+    const onebox = this.opsServerRef.oneboxRef;
+    await onebox.externalGateway.syncDomains();
+
+    const services = onebox.database.getAllServices().filter((service) => service.domain);
+    await Promise.all(services.map(async (service) => {
+      try {
+        await onebox.externalGateway.syncServiceRoute(service);
+      } catch (error) {
+        logger.warn(`Failed to sync external gateway route for ${service.domain}: ${getErrorMessage(error)}`);
+      }
+    }));
+  }
 }

ts/opsserver/handlers/ssl.handler.ts

@@ -1,7 +1,7 @@
 import * as plugins from '../../plugins.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
-import { requireValidIdentity } from '../helpers/guards.ts';
+import { requireAdminIdentity } from '../helpers/guards.ts';
 
 export class SslHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -16,7 +16,7 @@ export class SslHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ObtainCertificate>(
         'obtainCertificate',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           await this.opsServerRef.oneboxRef.ssl.obtainCertificate(dataArg.domain, false);
           const certificate = this.opsServerRef.oneboxRef.ssl.getCertificate(dataArg.domain);
           return { certificate: certificate as unknown as interfaces.data.ICertificate };
@@ -28,7 +28,7 @@ export class SslHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListCertificates>(
         'listCertificates',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const certificates = this.opsServerRef.oneboxRef.ssl.listCertificates();
           return { certificates: certificates as unknown as interfaces.data.ICertificate[] };
         },
@@ -39,7 +39,7 @@ export class SslHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetCertificate>(
         'getCertificate',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const certificate = this.opsServerRef.oneboxRef.ssl.getCertificate(dataArg.domain);
           if (!certificate) {
             throw new plugins.typedrequest.TypedResponseError('Certificate not found');
@@ -53,7 +53,7 @@ export class SslHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RenewCertificate>(
         'renewCertificate',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           await this.opsServerRef.oneboxRef.ssl.renewCertificate(dataArg.domain);
           const certificate = this.opsServerRef.oneboxRef.ssl.getCertificate(dataArg.domain);
           return { certificate: certificate as unknown as interfaces.data.ICertificate };

ts/opsserver/handlers/status.handler.ts

@@ -1,7 +1,7 @@
 import * as plugins from '../../plugins.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
-import { requireValidIdentity } from '../helpers/guards.ts';
+import { requireAdminIdentity } from '../helpers/guards.ts';
 
 export class StatusHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -16,7 +16,7 @@ export class StatusHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSystemStatus>(
         'getSystemStatus',
         async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
           const status = await this.opsServerRef.oneboxRef.getSystemStatus();
           return { status: status as unknown as interfaces.data.ISystemStatus };
         },

ts/opsserver/handlers/workspace.handler.ts

@@ -0,0 +1,181 @@
+import * as plugins from '../../plugins.ts';
+import { logger } from '../../logging.ts';
+import type { OpsServer } from '../classes.opsserver.ts';
+import * as interfaces from '../../../ts_interfaces/index.ts';
+import { requireAdminIdentity } from '../helpers/guards.ts';
+import { getErrorMessage } from '../../utils/error.ts';
+
+export class WorkspaceHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  /**
+   * Resolve a service name to a container ID (handling Swarm service IDs)
+   */
+  private async resolveContainerId(serviceName: string): Promise<string> {
+    const service = this.opsServerRef.oneboxRef.services.getService(serviceName);
+    if (!service || !service.containerID) {
+      throw new plugins.typedrequest.TypedResponseError(`Service not found or has no container: ${serviceName}`);
+    }
+    return service.containerID;
+  }
+
+  private registerHandlers(): void {
+    // Read file from container
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_WorkspaceReadFile>(
+        'workspaceReadFile',
+        async (dataArg) => {
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          const containerId = await this.resolveContainerId(dataArg.serviceName);
+          const result = await this.opsServerRef.oneboxRef.docker.execInContainer(
+            containerId,
+            ['cat', dataArg.path],
+          );
+          if (result.exitCode !== 0) {
+            throw new plugins.typedrequest.TypedResponseError(`Failed to read file: ${result.stderr || 'File not found'}`);
+          }
+          return { content: result.stdout };
+        },
+      ),
+    );
+
+    // Write file to container
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_WorkspaceWriteFile>(
+        'workspaceWriteFile',
+        async (dataArg) => {
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          const containerId = await this.resolveContainerId(dataArg.serviceName);
+          // Use sh -c with printf to write content (handles special characters)
+          const escaped = dataArg.content.replace(/'/g, "'\\''");
+          const result = await this.opsServerRef.oneboxRef.docker.execInContainer(
+            containerId,
+            ['sh', '-c', `printf '%s' '${escaped}' > ${dataArg.path}`],
+          );
+          if (result.exitCode !== 0) {
+            throw new plugins.typedrequest.TypedResponseError(`Failed to write file: ${result.stderr}`);
+          }
+          return {};
+        },
+      ),
+    );
+
+    // Read directory from container
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_WorkspaceReadDir>(
+        'workspaceReadDir',
+        async (dataArg) => {
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          const containerId = await this.resolveContainerId(dataArg.serviceName);
+          // Use ls with -1 -F to get entries with type indicators (/ for dirs)
+          const result = await this.opsServerRef.oneboxRef.docker.execInContainer(
+            containerId,
+            ['ls', '-1', '-F', dataArg.path],
+          );
+          if (result.exitCode !== 0) {
+            throw new plugins.typedrequest.TypedResponseError(`Failed to read directory: ${result.stderr}`);
+          }
+          const entries = result.stdout
+            .split('\n')
+            .filter((line) => line.trim())
+            .map((line) => {
+              const isDir = line.endsWith('/');
+              const name = isDir ? line.slice(0, -1) : line.replace(/[*@=|]$/, '');
+              const basePath = dataArg.path.endsWith('/') ? dataArg.path : dataArg.path + '/';
+              return {
+                type: (isDir ? 'directory' : 'file') as 'file' | 'directory',
+                name,
+                path: basePath + name,
+              };
+            });
+          return { entries };
+        },
+      ),
+    );
+
+    // Create directory in container
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_WorkspaceMkdir>(
+        'workspaceMkdir',
+        async (dataArg) => {
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          const containerId = await this.resolveContainerId(dataArg.serviceName);
+          const result = await this.opsServerRef.oneboxRef.docker.execInContainer(
+            containerId,
+            ['mkdir', '-p', dataArg.path],
+          );
+          if (result.exitCode !== 0) {
+            throw new plugins.typedrequest.TypedResponseError(`Failed to create directory: ${result.stderr}`);
+          }
+          return {};
+        },
+      ),
+    );
+
+    // Remove file/directory from container
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_WorkspaceRm>(
+        'workspaceRm',
+        async (dataArg) => {
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          const containerId = await this.resolveContainerId(dataArg.serviceName);
+          const args = dataArg.recursive ? ['rm', '-rf', dataArg.path] : ['rm', '-f', dataArg.path];
+          const result = await this.opsServerRef.oneboxRef.docker.execInContainer(
+            containerId,
+            args,
+          );
+          if (result.exitCode !== 0) {
+            throw new plugins.typedrequest.TypedResponseError(`Failed to remove: ${result.stderr}`);
+          }
+          return {};
+        },
+      ),
+    );
+
+    // Check if path exists in container
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_WorkspaceExists>(
+        'workspaceExists',
+        async (dataArg) => {
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          const containerId = await this.resolveContainerId(dataArg.serviceName);
+          const result = await this.opsServerRef.oneboxRef.docker.execInContainer(
+            containerId,
+            ['test', '-e', dataArg.path],
+          );
+          return { exists: result.exitCode === 0 };
+        },
+      ),
+    );
+
+    // Execute a command in the container (non-interactive)
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_WorkspaceExec>(
+        'workspaceExec',
+        async (dataArg) => {
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          const containerId = await this.resolveContainerId(dataArg.serviceName);
+          const cmd = dataArg.args
+            ? [dataArg.command, ...dataArg.args]
+            : [dataArg.command];
+          const result = await this.opsServerRef.oneboxRef.docker.execInContainer(
+            containerId,
+            cmd,
+          );
+          return {
+            stdout: result.stdout,
+            stderr: result.stderr,
+            exitCode: result.exitCode,
+          };
+        },
+      ),
+    );
+
+    logger.info('Workspace handler registered');
+  }
+}

ts/opsserver/helpers/guards.ts

@@ -5,25 +5,13 @@ import * as interfaces from '../../../ts_interfaces/index.ts';
 export async function requireValidIdentity<T extends { identity?: interfaces.data.IIdentity }>(
   adminHandler: AdminHandler,
   dataArg: T,
-): Promise<void> {
-  if (!dataArg.identity) {
-    throw new plugins.typedrequest.TypedResponseError('No identity provided');
-  }
-  const passed = await adminHandler.validIdentityGuard.exec({ identity: dataArg.identity });
-  if (!passed) {
-    throw new plugins.typedrequest.TypedResponseError('Valid identity required');
-  }
+): Promise<interfaces.data.IIdentity> {
+  return await adminHandler.getVerifiedIdentity(dataArg.identity);
 }
 
 export async function requireAdminIdentity<T extends { identity?: interfaces.data.IIdentity }>(
   adminHandler: AdminHandler,
   dataArg: T,
-): Promise<void> {
-  if (!dataArg.identity) {
-    throw new plugins.typedrequest.TypedResponseError('No identity provided');
-  }
-  const passed = await adminHandler.adminIdentityGuard.exec({ identity: dataArg.identity });
-  if (!passed) {
-    throw new plugins.typedrequest.TypedResponseError('Admin access required');
-  }
+): Promise<interfaces.data.IIdentity> {
+  return await adminHandler.getVerifiedAdminIdentity(dataArg.identity);
 }

ts/plugins.ts

@@ -17,10 +17,6 @@ export { path, fs, http, encoding };
 import { Database } from '@db/sqlite';
 export const sqlite = { DB: Database };
 
-// Systemd Daemon Integration
-import * as smartdaemon from '@push.rocks/smartdaemon';
-export { smartdaemon };
-
 // Docker API Client
 import { DockerHost } from '@apiclient.xyz/docker';
 export const docker = { Docker: DockerHost };
@@ -38,8 +34,22 @@ import * as smartregistry from '@push.rocks/smartregistry';
 export { smartregistry };
 
 // S3-compatible storage server
-import * as smarts3 from '@push.rocks/smarts3';
-export { smarts3 };
+import * as smartstorage from '@push.rocks/smartstorage';
+export { smartstorage };
+
+// AWS S3 client for S3-compatible object operations
+import {
+  S3Client,
+  ListObjectsV2Command,
+  GetObjectCommand,
+  PutObjectCommand,
+} from 'npm:@aws-sdk/client-s3@3.1009.0';
+export const awsS3 = {
+  S3Client,
+  ListObjectsV2Command,
+  GetObjectCommand,
+  PutObjectCommand,
+};
 
 // Task scheduling and cron jobs
 import * as taskbuffer from '@push.rocks/taskbuffer';
@@ -71,3 +81,12 @@ export { typedrequest, typedserver };
 import * as smartguard from '@push.rocks/smartguard';
 import * as smartjwt from '@push.rocks/smartjwt';
 export { smartguard, smartjwt };
+
+// Backup archive (content-addressed dedup storage)
+import { ContainerArchive } from '@serve.zone/containerarchive';
+export { ContainerArchive };
+
+// Node.js compat for streaming
+import * as nodeFs from 'node:fs';
+import * as nodeStream from 'node:stream';
+export { nodeFs, nodeStream };

ts/types.ts

@@ -25,6 +25,9 @@ export interface IService {
   platformRequirements?: IPlatformRequirements;
   // Backup settings
   includeImageInBackup?: boolean;
+  // App Store template tracking
+  appTemplateId?: string;
+  appTemplateVersion?: string;
 }
 
 // Registry types
@@ -75,7 +78,7 @@ export interface ITokenCreatedResponse {
 }
 
 // Platform service types
-export type TPlatformServiceType = 'mongodb' | 'minio' | 'redis' | 'postgresql' | 'rabbitmq' | 'caddy' | 'clickhouse';
+export type TPlatformServiceType = 'mongodb' | 'minio' | 'redis' | 'postgresql' | 'rabbitmq' | 'smartproxy' | 'clickhouse' | 'mariadb';
 export type TPlatformResourceType = 'database' | 'bucket' | 'cache' | 'queue';
 export type TPlatformServiceStatus = 'stopped' | 'starting' | 'running' | 'stopping' | 'failed';
 
@@ -113,6 +116,8 @@ export interface IPlatformRequirements {
   mongodb?: boolean;
   s3?: boolean;
   clickhouse?: boolean;
+  redis?: boolean;
+  mariadb?: boolean;
 }
 
 export interface IProvisionedResource {
@@ -143,7 +148,7 @@ export interface INginxConfig {
 export interface IDomain {
   id?: number;
   domain: string;
-  dnsProvider: 'cloudflare' | 'manual' | null;
+  dnsProvider: 'cloudflare' | 'manual' | 'dcrouter' | null;
   cloudflareZoneId?: string;
   isObsolete: boolean;
   defaultWildcard: boolean;
@@ -252,14 +257,21 @@ export interface ISetting {
 // Application settings
 export interface IAppSettings {
   serverIP?: string;
-  cloudflareAPIKey?: string;
-  cloudflareEmail?: string;
-  cloudflareZoneID?: string;
+  cloudflareToken?: string;
+  cloudflareZoneId?: string;
+  dcrouterGatewayUrl?: string;
+  dcrouterGatewayApiToken?: string;
+  dcrouterWorkHosterId?: string;
+  dcrouterTargetHost?: string;
+  dcrouterTargetPort?: number;
   acmeEmail?: string;
-  nginxConfigDir?: string;
   dataDir?: string;
   httpPort?: number;
+  httpsPort?: number;
   metricsInterval?: number;
+  autoRenewCerts?: boolean;
+  renewalThreshold?: number;
+  forceHttps?: boolean;
   logRetentionDays?: number;
 }
 
@@ -291,6 +303,11 @@ export interface IServiceDeployOptions {
   enableMongoDB?: boolean;
   enableS3?: boolean;
   enableClickHouse?: boolean;
+  enableRedis?: boolean;
+  enableMariaDB?: boolean;
+  // App Store template tracking
+  appTemplateId?: string;
+  appTemplateVersion?: string;
 }
 
 // HTTP API request/response types
@@ -346,7 +363,9 @@ export interface IBackup {
   serviceId: number;
   serviceName: string;  // Denormalized for display
   filename: string;
+  snapshotId?: string;  // ContainerArchive snapshot ID (new backups)
   sizeBytes: number;
+  storedSizeBytes?: number;  // Actual stored size after dedup+compression
   createdAt: number;
   includesImage: boolean;
   platformResources: TPlatformServiceType[];  // Which platform types were backed up
@@ -389,7 +408,8 @@ export interface IBackupPlatformResource {
 
 export interface IBackupResult {
   backup: IBackup;
-  filePath: string;
+  filePath?: string;  // Legacy file-based backups only
+  snapshotId?: string;  // ContainerArchive snapshot ID
 }
 
 export interface IRestoreOptions {

ts/utils/auth.ts

@@ -0,0 +1,28 @@
+import * as plugins from '../plugins.ts';
+
+const bcryptHashPattern = /^\$2[abxy]\$\d\d\$/;
+
+export function isBcryptHash(passwordHash: string): boolean {
+  return bcryptHashPattern.test(passwordHash);
+}
+
+export function needsPasswordUpgrade(passwordHash: string): boolean {
+  return !isBcryptHash(passwordHash);
+}
+
+export async function hashPassword(password: string): Promise<string> {
+  return await plugins.bcrypt.hash(password);
+}
+
+export async function verifyPassword(password: string, passwordHash: string): Promise<boolean> {
+  if (!passwordHash) {
+    return false;
+  }
+
+  if (isBcryptHash(passwordHash)) {
+    return await plugins.bcrypt.compare(password, passwordHash);
+  }
+
+  // Legacy compatibility for older databases that stored base64-encoded passwords.
+  return passwordHash === btoa(password);
+}