v1.28.0

chore(release): document catalog update
fix(deps): update serve zone catalog
2026-05-24 10:19:43 +00:00 · 2026-05-24 10:19:29 +00:00 · 2026-05-24 10:19:17 +00:00 · 2026-05-24 10:15:56 +00:00 · 2026-05-21 20:35:07 +00:00 · 2026-05-21 20:34:36 +00:00
53 changed files with 3723 additions and 592 deletions
@@ -1,5 +1,86 @@
 # Changelog
 ## Pending
 ## 2026-05-24 - 1.28.0
 ### Features
 - add enterprise-ready App Store runtime support for declared volumes and raw published ports
  - validate app template schemas before install, fail invalid port/volume declarations early, and preserve declarations across upgrades and backups
  - preflight Docker/host published port conflicts and back up declared service volume data
  - show App Store volume mounts and raw host port exposure before deploy
 ### Fixes
 - fix Onebox dashboard system metrics rendering and traffic polling
 - update `@serve.zone/catalog` to `^2.12.5`
 - preserve an existing managed dcrouter config file instead of rewriting it on container creation
 - remove stale external gateway routes during route reconciliation
 ## 2026-05-21 - 1.27.0
 ### Features
 - group Onebox sidebar navigation into Apps, Network, and Registry sections (web)
  - add parent/subview routes for grouped app, network, and registry pages
 ## 2026-05-21 - 1.26.3
 ### Fixes
 - use `dees-table` for gateway domains and DNS records views (web)
  - replace custom row grids with catalog tables, filtering, refresh, and row actions
 - use dees-table for gateway domains and DNS records views (web)
  - replace custom row layouts with dees-table in gateway domains and DNS records views
  - add table filtering, refresh actions, and row/context actions for dcrouter management
 ## 2026-05-20 - 1.26.2
 ### Fixes
 - reload SmartProxy routes after managed startup (proxy)
  - reloads SmartProxy routes immediately after the admin API is ready during startup, avoiding an empty route table when Docker task state lags behind service readiness
 ## 2026-05-09 - 1.26.1 - fix(external-gateway)
 derive gateway client identity from the dcrouter token and make the settings UI read-only
 - Resolves external gateway ownership and domain sync to use the gateway client context returned by dcrouter instead of a locally entered client ID.
 - Falls back to stored gateway client settings only when token context is unavailable.
 - Removes editable Gateway Client ID fields from settings and shows them as diagnostic read-only values for managed and external modes.
 - Updates external gateway tests to validate token-derived gateway client IDs and admin-token behavior.
 ## 2026-05-09 - 1.26.0 - feat(dcrouter)
 add managed local dcrouter mode with status controls and gateway integration
 - Adds a ManagedDcRouterManager to provision and control a local dcrouter container with default gateway settings.
 - Updates gateway sync logic to support managed, external, and disabled dcrouter modes, including managed local route targets.
 - Exposes managed dcrouter status, start, stop, and restart operations through OpsServer typed requests.
 - Extends settings APIs and the settings UI to configure managed dcrouter ports, image, data directory, and mode selection.
 - Adjusts Onebox startup to prepare managed dcrouter settings, shift proxy ports when managed mode is active, and initialize the local gateway before route sync.
 ## 2026-05-09 - 1.25.0 - feat(external-gateway)
 add gateway client domain and DNS record support for dcrouter integration
 - switch dcrouter route syncing to gateway-client APIs with fallback to legacy workHoster endpoints
 - add admin endpoints and frontend views for browsing gateway domains and DNS records
 - introduce dcrouterGatewayClientId settings support while preserving compatibility with the legacy workHoster ID
 ## 2026-05-08 - 1.24.7 - fix(web-ui)
 align Delegate Routing settings with the Dees catalog control and theme conventions
 - replace raw Delegate Routing inputs and save button with `dees-input-text` and `dees-button`
 - style the Delegate Routing card with explicit `cssManager.bdTheme(...)` colors
 ## 2026-05-08 - 1.24.6 - fix(auth)
 avoid bcrypt worker crashes in compiled binaries during login and password creation
 - replace bcrypt password hashing with a Web Crypto PBKDF2 hash format
 - remove legacy password-hash fallbacks; existing deployments need their admin user hash updated
 ## 2026-05-08 - 1.24.5 - fix(opsserver)
 start the OpsServer with typedserver custom routes registered through the UtilityWebsiteServer hook
@@ -1,6 +1,6 @@
 {
  "name": "@serve.zone/onebox",
-  "version": "1.24.5",
+  "version": "1.28.0",
  "exports": "./mod.ts",
  "tasks": {
    "test": "deno test --allow-all test/",
@@ -1,6 +1,6 @@
 {
  "name": "@serve.zone/onebox",
-  "version": "1.24.5",
+  "version": "1.28.0",
  "description": "Self-hosted container platform with automatic SSL and DNS - a mini Heroku for single servers",
  "main": "mod.ts",
  "type": "module",
@@ -58,12 +58,12 @@
    "@api.global/typedsocket": "^4.1.3",
    "@design.estate/dees-catalog": "^3.81.0",
    "@design.estate/dees-element": "^2.2.4",
-    "@serve.zone/catalog": "^2.12.4"
+    "@serve.zone/catalog": "^2.12.5"
  },
  "devDependencies": {
-    "@git.zone/tsbundle": "^2.10.1",
+    "@git.zone/tsbundle": "^2.10.4",
-    "@git.zone/tsdeno": "^1.3.1",
+    "@git.zone/tsdeno": "^1.3.2",
-    "@git.zone/tswatch": "^3.3.3"
+    "@git.zone/tswatch": "^3.3.5"
  },
  "private": true,
  "pnpm": {
@@ -0,0 +1,113 @@
 import { assertEquals, assertThrows } from '@std/assert';
 import { AppStoreManager } from '../ts/classes/appstore.ts';
 import { OneboxDockerManager } from '../ts/classes/docker.ts';
 import type { IAppVersionConfig } from '../ts/classes/appstore-types.ts';
 import type { IService } from '../ts/types.ts';
 const createAppStore = () => new AppStoreManager({} as any);
 const baseConfig: IAppVersionConfig = {
  image: 'example/app:1.0.0',
  port: 3000,
  envVars: [
    {
      key: 'APP_PORT',
      value: '3000',
      description: 'Application port',
      required: true,
    },
  ],
 };
 const baseService: IService = {
  id: 1,
  name: 'test-service',
  image: 'example/app:1.0.0',
  envVars: {},
  port: 3000,
  status: 'stopped',
  createdAt: Date.now(),
  updatedAt: Date.now(),
 };
 Deno.test('appstore normalizes and validates app template runtime fields', () => {
  const appStore = createAppStore();
  const normalizedVolumes = appStore.normalizeVolumes([
    '/data/app',
    { mountPath: '/config', readOnly: true },
  ]);
  assertEquals(normalizedVolumes, [
    { mountPath: '/data/app' },
    { mountPath: '/config', readOnly: true },
  ]);
  appStore.validateAppVersionConfig({
    ...baseConfig,
    volumes: normalizedVolumes,
    publishedPorts: [
      { targetPort: 3000, publishedPort: 3000, protocol: 'tcp' },
      { targetPort: 20000, targetPortEnd: 20002, publishedPort: 20000, publishedPortEnd: 20002, protocol: 'udp' },
    ],
  });
 });
 Deno.test('appstore rejects invalid template ports and volumes', () => {
  const appStore = createAppStore();
  assertThrows(
    () => appStore.validateAppVersionConfig({ ...baseConfig, port: 70000 }),
    Error,
    'Invalid app config port',
  );
  assertThrows(
    () => appStore.normalizeVolumes([{ mountPath: 'relative/path' }]),
    Error,
    'mountPath must be an absolute path',
  );
  assertThrows(
    () => appStore.validateAppVersionConfig({
      ...baseConfig,
      publishedPorts: [
        { targetPort: 3000, targetPortEnd: 3002, publishedPort: 3000, publishedPortEnd: 3001, protocol: 'tcp' },
      ],
    }),
    Error,
    'ranges must have the same size',
  );
 });
 Deno.test('docker service spec validation rejects unsafe volume and port declarations', () => {
  const dockerManager = new OneboxDockerManager();
  dockerManager.validateServiceSpec({
    ...baseService,
    volumes: [{ mountPath: '/data/app' }],
    publishedPorts: [{ targetPort: 3000, publishedPort: 3000, protocol: 'tcp' }],
  });
  assertThrows(
    () => dockerManager.validateServiceSpec({
      ...baseService,
      volumes: [{ mountPath: 'relative/path' }],
    }),
    Error,
    'must be an absolute path',
  );
  assertThrows(
    () => dockerManager.validateServiceSpec({
      ...baseService,
      publishedPorts: [
        { targetPort: 3001, publishedPort: 3000, hostIp: '127.0.0.1', protocol: 'tcp' },
        { targetPort: 3000, publishedPort: 3000, protocol: 'tcp' },
      ],
    }),
    Error,
    'Duplicate published port',
  );
 });
@@ -5,8 +5,7 @@ import type { IUser as IDatabaseUser } from '../ts/types.ts';
 import { AdminHandler } from '../ts/opsserver/handlers/admin.handler.ts';
 import {
  hashPassword,
-  isBcryptHash,
+  isPbkdf2Hash,
  needsPasswordUpgrade,
  verifyPassword,
 } from '../ts/utils/auth.ts';
@@ -45,18 +44,14 @@ async function createAdminHandler(users: IDatabaseUser[]): Promise<AdminHandler>
  return adminHandler;
 }
-Deno.test('password helpers support bcrypt and legacy password hashes', async () => {
+Deno.test('password helpers support PBKDF2 password hashes', async () => {
  const password = 'correct horse battery staple';
-  const bcryptHash = await hashPassword(password);
+  const passwordHash = await hashPassword(password);
-  assert(isBcryptHash(bcryptHash));
+  assert(isPbkdf2Hash(passwordHash));
-  assert(await verifyPassword(password, bcryptHash));
+  assert(await verifyPassword(password, passwordHash));
-  assert(!(await verifyPassword('wrong password', bcryptHash)));
+  assert(!(await verifyPassword('wrong password', passwordHash)));
-  assert(!needsPasswordUpgrade(bcryptHash));
+  assert(!(await verifyPassword(password, btoa(password))));
  const legacyHash = btoa(password);
  assert(await verifyPassword(password, legacyHash));
  assert(needsPasswordUpgrade(legacyHash));
 });
 Deno.test('verified identity is derived from the signed JWT and database, not client fields', async () => {
@@ -7,6 +7,7 @@ class FakeDatabase {
  public settings = new Map<string, string>();
  public secretSettings = new Map<string, string>();
  public domains: IDomain[] = [];
  public services: IService[] = [];
  public certificates = new Map<string, ISslCertificate>();
  private nextDomainId = 1;
@@ -42,6 +43,10 @@ class FakeDatabase {
    return this.domains.filter((entry) => entry.dnsProvider === provider);
  }
  getAllServices(): IService[] {
    return this.services;
  }
  getSSLCertificate(domain: string): ISslCertificate | null {
    return this.certificates.get(domain) ?? null;
  }
@@ -62,7 +67,6 @@ class FakeDatabase {
 const makeOneboxRef = () => {
  const database = new FakeDatabase();
  database.settings.set('dcrouterGatewayUrl', 'https://edge.example.com');
  database.settings.set('dcrouterWorkHosterId', 'onebox-1');
  database.secretSettings.set('dcrouterGatewayApiToken', 'dcr-token');
  let reloadCount = 0;
@@ -92,8 +96,12 @@ Deno.test('ExternalGatewayManager syncs dcrouter domains into Onebox domains', a
  });
  const manager = new ExternalGatewayManager(oneboxRef as any);
-  (manager as any).fireDcRouterRequest = async (method: string) => {
+  (manager as any).fireDcRouterRequest = async (method: string, requestData: Record<string, unknown>) => {
-    assertEquals(method, 'getWorkHosterDomains');
+    if (method === 'getGatewayClientContext') {
      return { context: { role: 'gatewayClient', gatewayClient: { type: 'onebox', id: 'onebox-token' } } };
    }
    assertEquals(method, 'getGatewayClientDomains');
    assertEquals(requestData.gatewayClientId, 'onebox-token');
    return {
      domains: [
        {
@@ -117,7 +125,7 @@ Deno.test('ExternalGatewayManager syncs dcrouter domains into Onebox domains', a
  assertEquals(oneboxRef.database.getDomainByName('old.example.com')?.isObsolete, true);
 });
-Deno.test('ExternalGatewayManager syncs service routes to dcrouter WorkHoster API', async () => {
+Deno.test('ExternalGatewayManager syncs service routes to dcrouter gatewayClient API', async () => {
  const oneboxRef = makeOneboxRef();
  oneboxRef.database.settings.set('serverIP', '203.0.113.10');
  oneboxRef.database.settings.set('httpPort', '8080');
@@ -137,6 +145,9 @@ Deno.test('ExternalGatewayManager syncs service routes to dcrouter WorkHoster AP
  const requests: Array<{ method: string; requestData: Record<string, unknown> }> = [];
  const manager = new ExternalGatewayManager(oneboxRef as any);
  (manager as any).fireDcRouterRequest = async (method: string, requestData: Record<string, unknown>) => {
    if (method === 'getGatewayClientContext') {
      return { context: { role: 'gatewayClient', gatewayClient: { type: 'onebox', id: 'onebox-token' } } };
    }
    requests.push({ method, requestData });
    if (method === 'exportCertificate') {
      return { success: false };
@@ -146,14 +157,14 @@ Deno.test('ExternalGatewayManager syncs service routes to dcrouter WorkHoster AP
  await manager.syncServiceRoute(service);
-  const syncRequest = requests.find((request) => request.method === 'syncWorkAppRoute')!;
+  const syncRequest = requests.find((request) => request.method === 'syncGatewayClientRoute')!;
  const route = syncRequest.requestData.route as any;
  const ownership = syncRequest.requestData.ownership as any;
  assertEquals(ownership, {
-    workHosterType: 'onebox',
+    gatewayClientType: 'onebox',
-    workHosterId: 'onebox-1',
+    gatewayClientId: 'onebox-token',
-    workAppId: 'hello',
+    appId: 'hello',
    hostname: 'hello.example.com',
  });
  assertEquals(route.match, { ports: [443], domains: ['hello.example.com'] });
@@ -162,13 +173,62 @@ Deno.test('ExternalGatewayManager syncs service routes to dcrouter WorkHoster AP
  assertEquals(syncRequest.requestData.enabled, true);
 });
-Deno.test('ExternalGatewayManager deletes service routes through dcrouter WorkHoster API', async () => {
+Deno.test('ExternalGatewayManager uses managed dcrouter local target in managed mode', async () => {
  const oneboxRef = makeOneboxRef();
  (oneboxRef as any).managedDcRouter = {
    getMode: () => 'managed',
    getGatewayUrl: () => 'http://127.0.0.1:3300',
    getAdminToken: async () => 'dcr-managed-token',
    ensureGatewayClientId: () => 'onebox-managed',
    getRouteTarget: () => ({ host: 'onebox-smartproxy', port: 80 }),
  };
  const service: IService = {
    id: 1,
    name: 'hello',
    image: 'nginx:latest',
    envVars: {},
    port: 3000,
    domain: 'hello.example.com',
    status: 'running',
    createdAt: 1,
    updatedAt: 1,
  };
  let syncRequest: Record<string, unknown> | null = null;
  const manager = new ExternalGatewayManager(oneboxRef as any);
  (manager as any).fireDcRouterRequest = async (method: string, requestData: Record<string, unknown>, config: any) => {
    if (method === 'getGatewayClientContext') {
      return { context: { role: 'admin' } };
    }
    if (method === 'exportCertificate') {
      return { success: false };
    }
    assertEquals(config.url, 'http://127.0.0.1:3300');
    assertEquals(config.apiToken, 'dcr-managed-token');
    syncRequest = requestData;
    return { success: true, action: 'created', routeId: 'route-1' };
  };
  await manager.syncServiceRoute(service);
  assert(syncRequest);
  const route = (syncRequest as Record<string, unknown>).route as any;
  const ownership = (syncRequest as Record<string, unknown>).ownership as any;
  assertEquals(ownership.gatewayClientId, 'onebox-managed');
  assertEquals(route.action.targets, [{ host: 'onebox-smartproxy', port: 80 }]);
 });
 Deno.test('ExternalGatewayManager deletes service routes through dcrouter gatewayClient API', async () => {
  const oneboxRef = makeOneboxRef();
  const manager = new ExternalGatewayManager(oneboxRef as any);
  let deleteRequest: Record<string, unknown> | null = null;
  (manager as any).fireDcRouterRequest = async (method: string, requestData: Record<string, unknown>) => {
-    assertEquals(method, 'syncWorkAppRoute');
+    if (method === 'getGatewayClientContext') {
      return { context: { role: 'gatewayClient', gatewayClient: { type: 'onebox', id: 'onebox-token' } } };
    }
    assertEquals(method, 'syncGatewayClientRoute');
    deleteRequest = requestData;
    return { success: true, action: 'deleted', routeId: 'route-1' };
  };
@@ -182,13 +242,93 @@ Deno.test('ExternalGatewayManager deletes service routes through dcrouter WorkHo
  assert(deleteRequest);
  const capturedDeleteRequest = deleteRequest as Record<string, unknown>;
  assertEquals(capturedDeleteRequest.delete, true);
  assertEquals((capturedDeleteRequest.ownership as any).gatewayClientId, 'onebox-token');
  assertEquals((capturedDeleteRequest.ownership as any).hostname, 'hello.example.com');
 });
 Deno.test('ExternalGatewayManager removes stale gateway routes during reconciliation', async () => {
  const oneboxRef = makeOneboxRef();
  oneboxRef.database.settings.set('serverIP', '203.0.113.10');
  oneboxRef.database.services.push({
    id: 1,
    name: 'active',
    image: 'nginx:latest',
    envVars: {},
    port: 3000,
    domain: 'active.example.com',
    status: 'running',
    createdAt: 1,
    updatedAt: 1,
  });
  const deletes: Record<string, unknown>[] = [];
  const manager = new ExternalGatewayManager(oneboxRef as any);
  (manager as any).fireDcRouterRequest = async (method: string, requestData: Record<string, unknown>) => {
    if (method === 'getGatewayClientContext') {
      return { context: { role: 'gatewayClient', gatewayClient: { type: 'onebox', id: 'onebox-token' } } };
    }
    if (method === 'syncGatewayClientRoute') {
      if (requestData.delete) {
        deletes.push(requestData);
        return { success: true, action: 'deleted' };
      }
      return { success: true, action: 'updated', routeId: 'active-route' };
    }
    if (method === 'exportCertificate') {
      return { success: false };
    }
    if (method === 'getGatewayClientDnsRecords') {
      return {
        records: [
          {
            id: 'active-record',
            domainId: 'domain-1',
            name: 'active',
            type: 'A',
            value: '203.0.113.10',
            ttl: 300,
            source: 'route',
            status: 'active',
            gatewayClientType: 'onebox',
            gatewayClientId: 'onebox-token',
            appId: 'active',
            hostname: 'active.example.com',
            routeId: 'active-route',
          },
          {
            id: 'stale-record',
            domainId: 'domain-1',
            name: 'stale',
            type: 'A',
            value: '203.0.113.10',
            ttl: 300,
            source: 'route',
            status: 'active',
            gatewayClientType: 'onebox',
            gatewayClientId: 'onebox-token',
            appId: 'stale',
            hostname: 'stale.example.com',
            routeId: 'stale-route',
          },
        ],
      };
    }
    throw new Error(`Unexpected method: ${method}`);
  };
  await manager.syncServiceRoutes();
  assertEquals(deletes.length, 1);
  assertEquals((deletes[0].ownership as any).hostname, 'stale.example.com');
 });
 Deno.test('ExternalGatewayManager imports exported dcrouter certificates into Onebox', async () => {
  const oneboxRef = makeOneboxRef();
  const manager = new ExternalGatewayManager(oneboxRef as any);
  (manager as any).fireDcRouterRequest = async (method: string, requestData: Record<string, unknown>) => {
    if (method === 'getGatewayClientContext') {
      return { context: { role: 'gatewayClient', gatewayClient: { type: 'onebox', id: 'onebox-token' } } };
    }
    assertEquals(method, 'exportCertificate');
    assertEquals(requestData.domain, 'hello.example.com');
    return {
@@ -0,0 +1,54 @@
 import { assert, assertEquals } from '@std/assert';
 import { ManagedDcRouterManager } from '../ts/classes/managed-dcrouter.ts';
 class FakeDatabase {
  public settings = new Map<string, string>();
  public secretSettings = new Map<string, string>();
  getSetting(key: string): string | null {
    return this.settings.get(key) ?? null;
  }
  setSetting(key: string, value: string): void {
    this.settings.set(key, value);
  }
  async getSecretSetting(key: string): Promise<string | null> {
    return this.secretSettings.get(key) ?? null;
  }
  async setSecretSetting(key: string, value: string): Promise<void> {
    this.secretSettings.set(key, value);
  }
 }
 Deno.test('ManagedDcRouterManager persists default managed gateway settings', async () => {
  const database = new FakeDatabase();
  const manager = new ManagedDcRouterManager({ database } as any);
  assertEquals(manager.getMode(), 'managed');
  await manager.prepareGatewaySettings();
  assertEquals(database.getSetting('dcrouterMode'), 'managed');
  assertEquals(manager.getMode(), 'managed');
  assertEquals(database.getSetting('dcrouterGatewayUrl'), 'http://127.0.0.1:3300');
  assertEquals(database.getSetting('dcrouterTargetHost'), 'onebox-smartproxy');
  assertEquals(database.getSetting('dcrouterTargetPort'), '80');
  assert(database.getSetting('dcrouterGatewayClientId')?.startsWith('onebox-'));
  assert((await database.getSecretSetting('dcrouterManagedAdminApiToken'))?.startsWith('dcr_'));
 });
 Deno.test('ManagedDcRouterManager keeps existing external gateway default external', async () => {
  const database = new FakeDatabase();
  database.setSetting('dcrouterGatewayUrl', 'https://edge.example.com');
  const manager = new ManagedDcRouterManager({ database } as any);
  assertEquals(manager.getMode(), 'external');
  await manager.prepareGatewaySettings();
  assertEquals(database.getSetting('dcrouterMode'), null);
  assertEquals(database.getSetting('dcrouterTargetHost'), null);
 });
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@serve.zone/onebox',
-  version: '1.24.2',
+  version: '1.28.0',
  description: 'Self-hosted container platform with automatic SSL and DNS - a mini Heroku for single servers'
 }
@@ -19,6 +19,27 @@ export interface ICatalogApp {
  tags?: string[];
 }
 export interface IAppCatalogVolume {
  name?: string;
  source?: string;
  mountPath: string;
  driver?: string;
  readOnly?: boolean;
  backup?: boolean;
  options?: Record<string, string>;
 }
 export type TAppCatalogVolumeSpec = string | IAppCatalogVolume;
 export interface IAppCatalogPublishedPort {
  targetPort: number;
  targetPortEnd?: number;
  publishedPort?: number;
  publishedPortEnd?: number;
  protocol?: 'tcp' | 'udp';
  hostIp?: string;
 }
 export interface IAppMeta {
  id: string;
  name: string;
@@ -35,7 +56,8 @@ export interface IAppVersionConfig {
  image: string;
  port: number;
  envVars?: Array<{ key: string; value: string; description: string; required?: boolean }>;
-  volumes?: string[];
+  volumes?: TAppCatalogVolumeSpec[];
  publishedPorts?: IAppCatalogPublishedPort[];
  platformRequirements?: {
    mongodb?: boolean;
    s3?: boolean;
@@ -46,6 +68,17 @@ export interface IAppVersionConfig {
  minOneboxVersion?: string;
 }
 export interface IAppInstallOptions {
  appId: string;
  version?: string;
  serviceName: string;
  domain?: string;
  port?: number;
  publishedPorts?: IAppCatalogPublishedPort[];
  envVars?: Record<string, string>;
  autoDNS?: boolean;
 }
 export interface IMigrationContext {
  service: {
    name: string;
@@ -61,6 +94,9 @@ export interface IMigrationResult {
  success: boolean;
  envVars?: Record<string, string>;
  image?: string;
  port?: number;
  volumes?: IAppCatalogVolume[];
  publishedPorts?: IAppCatalogPublishedPort[];
  warnings: string[];
 }
@@ -8,6 +8,8 @@ import type {
  ICatalog,
  ICatalogApp,
  IAppMeta,
  IAppCatalogVolume,
  IAppInstallOptions,
  IAppVersionConfig,
  IMigrationContext,
  IMigrationResult,
@@ -16,7 +18,8 @@ import type {
 import { logger } from '../logging.ts';
 import { getErrorMessage } from '../utils/error.ts';
 import type { Onebox } from './onebox.ts';
-import type { IService } from '../types.ts';
+import type { IService, IServiceVolume } from '../types.ts';
 import { projectInfo } from '../info.ts';
 export class AppStoreManager {
  private oneboxRef: Onebox;
@@ -90,12 +93,50 @@ export class AppStoreManager {
   */
  async getAppVersionConfig(appId: string, version: string): Promise<IAppVersionConfig> {
    try {
-      return await this.fetchJson(`apps/${appId}/versions/${version}/config.json`) as IAppVersionConfig;
+      const config = await this.fetchJson(`apps/${appId}/versions/${version}/config.json`) as IAppVersionConfig;
      this.validateAppVersionConfig(config, `${appId}@${version}`);
      return config;
    } catch (error) {
      throw new Error(`Failed to fetch config for ${appId}@${version}: ${getErrorMessage(error)}`);
    }
  }
  async installApp(optionsArg: IAppInstallOptions): Promise<IService> {
    this.validateInstallOptions(optionsArg);
    const appMeta = await this.getAppMeta(optionsArg.appId);
    const version = optionsArg.version || appMeta.latestVersion;
    const config = await this.getAppVersionConfig(optionsArg.appId, version);
    this.assertRuntimeCompatibility(config);
    const servicePort = optionsArg.port || config.port;
    this.assertValidPort(servicePort, 'install service port');
    const volumes = this.normalizeVolumes(config.volumes);
    const publishedPorts = optionsArg.publishedPorts || config.publishedPorts || [];
    this.validatePublishedPorts(publishedPorts, `${optionsArg.appId}@${version}`);
    const envVars = this.getAppStoreEnvVars(config, optionsArg.envVars || {});
    if (this.requiresTemplateValue(envVars, 'SERVICE_DOMAIN') && !optionsArg.domain) {
      throw new Error('A domain is required because the app template uses ${SERVICE_DOMAIN}');
    }
    return await this.oneboxRef.services.deployService({
      name: optionsArg.serviceName,
      image: config.image,
      port: servicePort,
      domain: optionsArg.domain,
      autoDNS: optionsArg.autoDNS,
      envVars,
      volumes,
      publishedPorts,
      enableMongoDB: Boolean(config.platformRequirements?.mongodb),
      enableS3: Boolean(config.platformRequirements?.s3),
      enableClickHouse: Boolean(config.platformRequirements?.clickhouse),
      enableRedis: Boolean(config.platformRequirements?.redis),
      enableMariaDB: Boolean(config.platformRequirements?.mariadb),
      appTemplateId: optionsArg.appId,
      appTemplateVersion: version,
    });
  }
  /**
   * Compare deployed services against catalog to find those with available upgrades
   */
@@ -165,6 +206,9 @@ export class AppStoreManager {
      return {
        success: true,
        image: config.image,
        port: config.port,
        volumes: this.normalizeVolumes(config.volumes),
        publishedPorts: config.publishedPorts,
        envVars: undefined, // Keep existing env vars
        warnings: [],
      };
@@ -265,6 +309,18 @@ export class AppStoreManager {
      updates.image = migrationResult.image;
    }
    if (migrationResult.port) {
      updates.port = migrationResult.port;
    }
    if (migrationResult.volumes) {
      updates.volumes = migrationResult.volumes;
    }
    if (migrationResult.publishedPorts) {
      updates.publishedPorts = migrationResult.publishedPorts;
    }
    if (migrationResult.envVars) {
      // Merge: migration result provides base, user overrides preserved
      const mergedEnvVars = { ...migrationResult.envVars };
@@ -332,4 +388,171 @@ export class AppStoreManager {
    }
    return response.text();
  }
  public normalizeVolumes(volumesArg: IAppVersionConfig['volumes'] = []): IServiceVolume[] {
    return volumesArg.map((volumeArg, indexArg): IAppCatalogVolume => {
      if (typeof volumeArg === 'string') {
        return { mountPath: volumeArg };
      }
      return volumeArg;
    }).map((volumeArg, indexArg) => {
      this.validateVolume(volumeArg, `volume ${indexArg + 1}`);
      return volumeArg;
    });
  }
  public validateAppVersionConfig(configArg: IAppVersionConfig, labelArg = 'app config'): void {
    if (!configArg || typeof configArg !== 'object') {
      throw new Error(`Invalid ${labelArg}: config must be an object`);
    }
    if (!configArg.image || typeof configArg.image !== 'string') {
      throw new Error(`Invalid ${labelArg}: image is required`);
    }
    if (configArg.image.endsWith(':latest')) {
      logger.warn(`App template ${labelArg} uses a mutable ':latest' image tag`);
    }
    this.assertValidPort(configArg.port, `${labelArg} port`);
    for (const envVar of configArg.envVars || []) {
      if (!envVar.key || !/^[A-Z_][A-Z0-9_]*$/.test(envVar.key)) {
        throw new Error(`Invalid ${labelArg}: env var key '${envVar.key}' is not valid`);
      }
      if (envVar.value !== undefined && typeof envVar.value !== 'string') {
        throw new Error(`Invalid ${labelArg}: env var '${envVar.key}' value must be a string`);
      }
    }
    this.normalizeVolumes(configArg.volumes);
    this.validatePublishedPorts(configArg.publishedPorts || [], labelArg);
  }
  private validateInstallOptions(optionsArg: IAppInstallOptions): void {
    if (!optionsArg.appId || !/^[a-z0-9][a-z0-9-]*$/.test(optionsArg.appId)) {
      throw new Error(`Invalid app id: ${optionsArg.appId}`);
    }
    if (!optionsArg.serviceName || !/^[a-zA-Z0-9][a-zA-Z0-9_.-]{0,119}$/.test(optionsArg.serviceName)) {
      throw new Error(`Invalid service name: ${optionsArg.serviceName}`);
    }
    if (optionsArg.port !== undefined) {
      this.assertValidPort(optionsArg.port, 'install service port');
    }
    if (optionsArg.publishedPorts) {
      this.validatePublishedPorts(optionsArg.publishedPorts, `install options for ${optionsArg.appId}`);
    }
  }
  private validateVolume(volumeArg: IAppCatalogVolume, labelArg: string): void {
    if (!volumeArg.mountPath || !volumeArg.mountPath.startsWith('/')) {
      throw new Error(`Invalid ${labelArg}: mountPath must be an absolute path`);
    }
    if (volumeArg.mountPath.includes(':')) {
      throw new Error(`Invalid ${labelArg}: mountPath must not contain ':'`);
    }
    if ((volumeArg.source || volumeArg.name)?.includes(':')) {
      throw new Error(`Invalid ${labelArg}: source/name must not contain ':'`);
    }
  }
  private validatePublishedPorts(
    publishedPortsArg: IAppVersionConfig['publishedPorts'] = [],
    labelArg: string,
  ): void {
    const seenPublishedPorts = new Set<string>();
    for (const portArg of publishedPortsArg) {
      const protocol = portArg.protocol || 'tcp';
      const targetStart = portArg.targetPort;
      const targetEnd = portArg.targetPortEnd || targetStart;
      const publishedStart = portArg.publishedPort || targetStart;
      const publishedEnd = portArg.publishedPortEnd || (publishedStart + (targetEnd - targetStart));
      const hostIp = portArg.hostIp || '0.0.0.0';
      if (!['tcp', 'udp'].includes(protocol)) {
        throw new Error(`Invalid ${labelArg}: published port protocol '${protocol}' is not supported`);
      }
      this.assertValidPort(targetStart, `${labelArg} targetPort`);
      this.assertValidPort(targetEnd, `${labelArg} targetPortEnd`);
      this.assertValidPort(publishedStart, `${labelArg} publishedPort`);
      this.assertValidPort(publishedEnd, `${labelArg} publishedPortEnd`);
      if (targetEnd < targetStart || publishedEnd < publishedStart) {
        throw new Error(`Invalid ${labelArg}: published port ranges must be ascending`);
      }
      if ((targetEnd - targetStart) !== (publishedEnd - publishedStart)) {
        throw new Error(`Invalid ${labelArg}: target and published port ranges must have the same size`);
      }
      if ((targetEnd - targetStart) > 1000) {
        throw new Error(`Invalid ${labelArg}: published port ranges may not exceed 1001 ports`);
      }
      for (let offset = 0; offset <= targetEnd - targetStart; offset++) {
        const publishedPort = publishedStart + offset;
        const publishedKey = `${hostIp}/${protocol}/${publishedPort}`;
        const wildcardKey = `0.0.0.0/${protocol}/${publishedPort}`;
        const conflictsWithWildcard = hostIp === '0.0.0.0'
          ? Array.from(seenPublishedPorts).some((keyArg) => keyArg.endsWith(`/${protocol}/${publishedPort}`))
          : seenPublishedPorts.has(wildcardKey);
        if (seenPublishedPorts.has(publishedKey) || conflictsWithWildcard) {
          throw new Error(`Invalid ${labelArg}: duplicate published port ${hostIp}:${publishedPort}/${protocol}`);
        }
        seenPublishedPorts.add(publishedKey);
      }
    }
  }
  private assertValidPort(portArg: number, labelArg: string): void {
    if (!Number.isInteger(portArg) || portArg < 1 || portArg > 65535) {
      throw new Error(`Invalid ${labelArg}: ${portArg}. Expected an integer port between 1 and 65535.`);
    }
  }
  private getAppStoreEnvVars(
    configArg: IAppVersionConfig,
    overridesArg: Record<string, string>,
  ): Record<string, string> {
    const envVars: Record<string, string> = {};
    const missingRequiredEnvVars: string[] = [];
    for (const envVar of configArg.envVars || []) {
      const value = overridesArg[envVar.key] ?? envVar.value ?? '';
      if (envVar.required && !value) {
        missingRequiredEnvVars.push(envVar.key);
      }
      envVars[envVar.key] = value;
    }
    for (const [key, value] of Object.entries(overridesArg)) {
      envVars[key] = value;
    }
    if (missingRequiredEnvVars.length > 0) {
      throw new Error(
        `Missing required app env var(s): ${missingRequiredEnvVars.join(', ')}`,
      );
    }
    return envVars;
  }
  private requiresTemplateValue(envVarsArg: Record<string, string>, templateNameArg: string): boolean {
    return Object.values(envVarsArg).some((value) => value.includes(`\${${templateNameArg}}`));
  }
  private assertRuntimeCompatibility(configArg: IAppVersionConfig): void {
    if (!configArg.minOneboxVersion) return;
    if (this.compareVersions(projectInfo.version, configArg.minOneboxVersion) < 0) {
      throw new Error(
        `App requires Onebox >= ${configArg.minOneboxVersion}; current version is ${projectInfo.version}`,
      );
    }
  }
  private compareVersions(versionAArg: string, versionBArg: string): number {
    const normalize = (versionArg: string) => versionArg.replace(/^v/, '').split('.').map((partArg) => Number(partArg) || 0);
    const a = normalize(versionAArg);
    const b = normalize(versionBArg);
    for (let i = 0; i < Math.max(a.length, b.length); i++) {
      const diff = (a[i] || 0) - (b[i] || 0);
      if (diff !== 0) return diff > 0 ? 1 : -1;
    }
    return 0;
  }
 }
@@ -185,7 +185,12 @@ export class BackupManager {
        await this.exportDockerImage(service.image, `${tempDir}/data/image/image.tar`);
      }
-      // 4. Build ingest items from temp directory files
+      // 4. Export declared service volume data when the volume opts into backup.
      if (service.volumes?.some((volumeArg) => volumeArg.backup !== false)) {
        await this.exportServiceVolumes(service, tempDir);
      }
      // 5. Build ingest items from temp directory files
      const items: Array<{ stream: NodeJS.ReadableStream; name: string; type?: string }> = [];
      // Service config
@@ -218,6 +223,19 @@ export class BackupManager {
        }
      }
      const volumeDataDir = `${tempDir}/data/volumes`;
      try {
        for await (const filePath of this.walkFiles(volumeDataDir)) {
          items.push({
            stream: plugins.nodeFs.createReadStream(filePath),
            name: plugins.path.relative(tempDir, filePath).replaceAll('\\', '/'),
            type: 'volume',
          });
        }
      } catch {
        // No service volume data was exported.
      }
      // Docker image
      if (includeImage && service.image) {
        const imagePath = `${tempDir}/data/image/image.tar`;
@@ -233,7 +251,7 @@ export class BackupManager {
        }
      }
-      // 5. Build snapshot tags
+      // 6. Build snapshot tags
      const tags: Record<string, string> = {
        serviceName: service.name,
        serviceId: String(service.id),
@@ -245,10 +263,10 @@ export class BackupManager {
        tags.scheduleId = String(options.scheduleId);
      }
-      // 6. Ingest multi-item snapshot into containerarchive
+      // 7. Ingest multi-item snapshot into containerarchive
      const snapshot = await this.archive.ingestMulti(items, { tags });
-      // 7. Store backup record in database
+      // 8. Store backup record in database
      const backup: IBackup = {
        serviceId: service.id!,
        serviceName: service.name,
@@ -675,6 +693,8 @@ export class BackupManager {
          registry: serviceConfig.registry,
          port: serviceConfig.port,
          domain: serviceConfig.domain,
          volumes: serviceConfig.volumes,
          publishedPorts: serviceConfig.publishedPorts,
          useOneboxRegistry: serviceConfig.useOneboxRegistry,
          registryRepository: serviceConfig.registryRepository,
          registryImageTag: serviceConfig.registryImageTag,
@@ -705,6 +725,8 @@ export class BackupManager {
          port: serviceConfig.port,
          domain: options.mode === 'clone' ? undefined : serviceConfig.domain,
          envVars: serviceConfig.envVars,
          volumes: serviceConfig.volumes,
          publishedPorts: serviceConfig.publishedPorts,
          useOneboxRegistry: serviceConfig.useOneboxRegistry,
          registryImageTag: serviceConfig.registryImageTag,
          autoUpdateOnPush: serviceConfig.autoUpdateOnPush,
@@ -729,6 +751,8 @@ export class BackupManager {
        }
      }
      await this.restoreServiceVolumes(service, serviceConfig.volumes || [], tempDir, warnings);
      // Cleanup
      await Deno.remove(tempDir, { recursive: true });
@@ -791,6 +815,8 @@ export class BackupManager {
      image: service.image,
      registry: service.registry,
      envVars: service.envVars,
      volumes: service.volumes,
      publishedPorts: service.publishedPorts,
      port: service.port,
      domain: service.domain,
      useOneboxRegistry: service.useOneboxRegistry,
@@ -802,6 +828,62 @@ export class BackupManager {
    };
  }
  private getVolumeBackupName(volumeArg: { mountPath: string }, indexArg: number): string {
    const safeMountPath = volumeArg.mountPath
      .replace(/^\/+/, '')
      .replace(/\/+$/g, '')
      .replace(/[^a-zA-Z0-9_.-]+/g, '-') || 'root';
    return `${String(indexArg).padStart(3, '0')}-${safeMountPath}`;
  }
  private async exportServiceVolumes(serviceArg: IService, tempDirArg: string): Promise<void> {
    if (!serviceArg.containerID) {
      throw new Error(`Cannot export service volumes for ${serviceArg.name}: service has no container ID`);
    }
    const volumes = (serviceArg.volumes || []).filter((volumeArg) => volumeArg.backup !== false);
    for (let i = 0; i < volumes.length; i++) {
      const volume = volumes[i];
      const backupName = this.getVolumeBackupName(volume, i);
      const outputPath = `${tempDirArg}/data/volumes/${backupName}`;
      await Deno.mkdir(outputPath, { recursive: true });
      await this.copyFromContainer(serviceArg.containerID, `${volume.mountPath}/.`, outputPath);
      logger.info(`Exported volume ${volume.mountPath} for service ${serviceArg.name}`);
    }
  }
  private async restoreServiceVolumes(
    serviceArg: IService,
    volumesArg: NonNullable<IBackupServiceConfig['volumes']>,
    tempDirArg: string,
    warningsArg: string[],
  ): Promise<void> {
    if (!serviceArg.containerID) {
      if (volumesArg.some((volumeArg) => volumeArg.backup !== false)) {
        warningsArg.push(`Could not restore service volumes for ${serviceArg.name}: service has no container ID`);
      }
      return;
    }
    const volumes = volumesArg.filter((volumeArg) => volumeArg.backup !== false);
    for (let i = 0; i < volumes.length; i++) {
      const volume = volumes[i];
      const backupName = this.getVolumeBackupName(volume, i);
      const inputPath = `${tempDirArg}/data/volumes/${backupName}`;
      try {
        await Deno.stat(inputPath);
      } catch {
        continue;
      }
      try {
        await this.copyToContainer(`${inputPath}/.`, serviceArg.containerID, volume.mountPath);
        logger.info(`Restored volume ${volume.mountPath} for service ${serviceArg.name}`);
      } catch (error) {
        warningsArg.push(`Volume restore failed for ${volume.mountPath}: ${getErrorMessage(error)}`);
      }
    }
  }
  /**
   * Export MongoDB database
   */
@@ -5,14 +5,258 @@
 */
 import * as plugins from '../plugins.ts';
-import type { IService, IContainerStats } from '../types.ts';
+import type { IService, IContainerStats, IServicePublishedPort } from '../types.ts';
 import { logger } from '../logging.ts';
 import { getErrorMessage } from '../utils/error.ts';
 type TExpandedPublishedPort = Required<Pick<
  IServicePublishedPort,
  'targetPort' | 'publishedPort' | 'protocol' | 'hostIp'
 >>;
 export class OneboxDockerManager {
  private dockerClient: InstanceType<typeof plugins.docker.Docker> | null = null;
  private networkName = 'onebox-network';
  private getDockerSafeName(valueArg: string, maxLengthArg = 120): string {
    const safeName = valueArg
      .replace(/[^a-zA-Z0-9_.-]+/g, '-')
      .replace(/^[^a-zA-Z0-9]+|[^a-zA-Z0-9]+$/g, '')
      .slice(0, maxLengthArg)
      .replace(/[^a-zA-Z0-9]+$/g, '');
    return safeName || 'data';
  }
  private getServiceVolumeSource(serviceArg: IService, mountPathArg: string, requestedSourceArg?: string): string {
    if (requestedSourceArg) {
      return this.getDockerSafeName(requestedSourceArg);
    }
    const mountName = this.getDockerSafeName(mountPathArg.replace(/^\/+/, '').replace(/\/+$/g, ''), 40);
    return this.getDockerSafeName(`onebox-${serviceArg.name}-${mountName}`);
  }
  private getStandaloneVolumeBinds(serviceArg: IService): string[] {
    return (serviceArg.volumes || []).map((volumeArg) => {
      const source = this.getServiceVolumeSource(serviceArg, volumeArg.mountPath, volumeArg.source || volumeArg.name);
      return `${source}:${volumeArg.mountPath}${volumeArg.readOnly ? ':ro' : ''}`;
    });
  }
  private getSwarmVolumeMounts(serviceArg: IService): Array<Record<string, unknown>> {
    return (serviceArg.volumes || []).map((volumeArg) => ({
      Type: 'volume',
      Source: this.getServiceVolumeSource(serviceArg, volumeArg.mountPath, volumeArg.source || volumeArg.name),
      Target: volumeArg.mountPath,
      ReadOnly: Boolean(volumeArg.readOnly),
      VolumeOptions: {
        DriverConfig: {
          Name: volumeArg.driver || 'local',
          Options: volumeArg.options || {},
        },
        Labels: {
          'managed-by': 'onebox',
          'onebox-service': serviceArg.name,
          'onebox-mount-path': volumeArg.mountPath,
          'onebox-backup': String(volumeArg.backup !== false),
        },
      },
    }));
  }
  public validateServiceSpec(serviceArg: IService): void {
    this.assertValidPort(serviceArg.port, `service port for ${serviceArg.name}`);
    for (const volumeArg of serviceArg.volumes || []) {
      if (!volumeArg.mountPath || !volumeArg.mountPath.startsWith('/')) {
        throw new Error(`Volume mountPath for service ${serviceArg.name} must be an absolute path`);
      }
      if (volumeArg.mountPath.includes(':')) {
        throw new Error(`Volume mountPath for service ${serviceArg.name} must not contain ':'`);
      }
      if ((volumeArg.source || volumeArg.name)?.includes(':')) {
        throw new Error(`Volume source/name for service ${serviceArg.name} must not contain ':'`);
      }
    }
    this.expandPublishedPorts(serviceArg);
  }
  private assertValidPort(portArg: number, labelArg: string): void {
    if (!Number.isInteger(portArg) || portArg < 1 || portArg > 65535) {
      throw new Error(`Invalid ${labelArg}: ${portArg}. Expected an integer port between 1 and 65535.`);
    }
  }
  private expandPublishedPorts(serviceArg: IService): TExpandedPublishedPort[] {
    const expandedPorts: TExpandedPublishedPort[] = [];
    const seenPublishedPorts = new Set<string>();
    for (const portArg of serviceArg.publishedPorts || []) {
      const protocol = portArg.protocol || 'tcp';
      const targetStart = portArg.targetPort;
      const targetEnd = portArg.targetPortEnd || targetStart;
      const publishedStart = portArg.publishedPort || targetStart;
      const publishedEnd = portArg.publishedPortEnd || (publishedStart + (targetEnd - targetStart));
      const hostIp = portArg.hostIp || '0.0.0.0';
      if (!['tcp', 'udp'].includes(protocol)) {
        throw new Error(`Invalid published port protocol for service ${serviceArg.name}: ${protocol}`);
      }
      this.assertValidPort(targetStart, `published targetPort for service ${serviceArg.name}`);
      this.assertValidPort(targetEnd, `published targetPortEnd for service ${serviceArg.name}`);
      this.assertValidPort(publishedStart, `published publishedPort for service ${serviceArg.name}`);
      this.assertValidPort(publishedEnd, `published publishedPortEnd for service ${serviceArg.name}`);
      if (targetEnd < targetStart) {
        throw new Error(`Invalid target port range for service ${serviceArg.name}: ${targetStart}-${targetEnd}`);
      }
      if (publishedEnd < publishedStart) {
        throw new Error(`Invalid published port range for service ${serviceArg.name}: ${publishedStart}-${publishedEnd}`);
      }
      if ((targetEnd - targetStart) !== (publishedEnd - publishedStart)) {
        throw new Error(
          `Published port range size must match target port range size for service ${serviceArg.name}`,
        );
      }
      if (!this.isValidHostIp(hostIp)) {
        throw new Error(`Invalid hostIp for service ${serviceArg.name}: ${hostIp}`);
      }
      for (let offset = 0; offset <= targetEnd - targetStart; offset++) {
        const publishedPort = publishedStart + offset;
        const publishedKey = `${hostIp}/${protocol}/${publishedPort}`;
        const wildcardKey = `0.0.0.0/${protocol}/${publishedPort}`;
        const conflictsWithWildcard = hostIp === '0.0.0.0'
          ? Array.from(seenPublishedPorts).some((keyArg) => keyArg.endsWith(`/${protocol}/${publishedPort}`))
          : seenPublishedPorts.has(wildcardKey);
        if (seenPublishedPorts.has(publishedKey) || conflictsWithWildcard) {
          throw new Error(`Duplicate published port for service ${serviceArg.name}: ${hostIp}:${publishedPort}/${protocol}`);
        }
        seenPublishedPorts.add(publishedKey);
        expandedPorts.push({
          targetPort: targetStart + offset,
          publishedPort,
          protocol,
          hostIp,
        });
      }
    }
    return expandedPorts;
  }
  private isValidHostIp(hostIpArg: string): boolean {
    if (['0.0.0.0', '127.0.0.1', '::', '::1', 'localhost'].includes(hostIpArg)) return true;
    if (/^(\d{1,3}\.){3}\d{1,3}$/.test(hostIpArg)) {
      return hostIpArg.split('.').every((partArg) => Number(partArg) >= 0 && Number(partArg) <= 255);
    }
    return /^[0-9a-fA-F:]+$/.test(hostIpArg);
  }
  private async assertPublishedPortsAvailable(serviceArg: IService): Promise<void> {
    const publishedPorts = this.expandPublishedPorts(serviceArg);
    if (publishedPorts.length === 0) return;
    await this.assertPublishedPortsNotUsedByDocker(serviceArg, publishedPorts);
    await this.assertPublishedPortsNotUsedByHost(serviceArg, publishedPorts);
  }
  private async assertPublishedPortsNotUsedByDocker(
    serviceArg: IService,
    publishedPortsArg: TExpandedPublishedPort[],
  ): Promise<void> {
    const requestedPorts = new Set(
      publishedPortsArg.map((portArg) => `${portArg.protocol}/${portArg.publishedPort}`),
    );
    try {
      const containersResponse = await this.dockerClient!.request('GET', '/containers/json?all=true', {});
      if (containersResponse.statusCode === 200 && Array.isArray(containersResponse.body)) {
        for (const containerArg of containersResponse.body) {
          const labels = containerArg.Labels || {};
          if (labels['onebox-service'] === serviceArg.name) continue;
          for (const portArg of containerArg.Ports || []) {
            if (!portArg.PublicPort || !portArg.Type) continue;
            if (requestedPorts.has(`${portArg.Type}/${portArg.PublicPort}`)) {
              throw new Error(
                `Published port ${portArg.PublicPort}/${portArg.Type} is already used by container ${containerArg.Names?.[0] || containerArg.Id}`,
              );
            }
          }
        }
      }
      const servicesResponse = await this.dockerClient!.request('GET', '/services', {});
      if (servicesResponse.statusCode === 200 && Array.isArray(servicesResponse.body)) {
        for (const service of servicesResponse.body) {
          if (service.Spec?.Name === `onebox-${serviceArg.name}`) continue;
          for (const portArg of service.Endpoint?.Ports || []) {
            if (!portArg.PublishedPort || !portArg.Protocol) continue;
            if (requestedPorts.has(`${portArg.Protocol}/${portArg.PublishedPort}`)) {
              throw new Error(
                `Published port ${portArg.PublishedPort}/${portArg.Protocol} is already used by Docker service ${service.Spec?.Name || service.ID}`,
              );
            }
          }
        }
      }
    } catch (error) {
      if (error instanceof Error && error.message.startsWith('Published port ')) throw error;
      logger.warn(`Could not complete Docker published-port preflight: ${getErrorMessage(error)}`);
    }
  }
  private async assertPublishedPortsNotUsedByHost(
    serviceArg: IService,
    publishedPortsArg: TExpandedPublishedPort[],
  ): Promise<void> {
    for (const portArg of publishedPortsArg) {
      try {
        if (portArg.protocol === 'udp') {
          await this.assertUdpPortAvailable(portArg.hostIp, portArg.publishedPort);
        } else {
          const listener = Deno.listen({ hostname: portArg.hostIp, port: portArg.publishedPort });
          listener.close();
        }
      } catch (error) {
        throw new Error(
          `Published port ${portArg.hostIp}:${portArg.publishedPort}/${portArg.protocol} for service ${serviceArg.name} is not available: ${getErrorMessage(error)}`,
        );
      }
    }
  }
  private async assertUdpPortAvailable(hostIpArg: string, portArg: number): Promise<void> {
    const dgram = await import('node:dgram');
    const socket = dgram.createSocket(hostIpArg.includes(':') ? 'udp6' : 'udp4');
    await new Promise<void>((resolve, reject) => {
      socket.once('error', reject);
      socket.bind(portArg, hostIpArg, () => {
        socket.close();
        resolve();
      });
    });
  }
  private getStandalonePortConfig(serviceArg: IService): {
    exposedPorts: Record<string, Record<string, never>>;
    portBindings: Record<string, Array<{ HostIp: string; HostPort: string }>>;
  } {
    const exposedPorts: Record<string, Record<string, never>> = {
      [`${serviceArg.port}/tcp`]: {},
    };
    const portBindings: Record<string, Array<{ HostIp: string; HostPort: string }>> = {
      [`${serviceArg.port}/tcp`]: [],
    };
    for (const publishedPort of this.expandPublishedPorts(serviceArg)) {
      const key = `${publishedPort.targetPort}/${publishedPort.protocol}`;
      exposedPorts[key] = {};
      portBindings[key] = [{ HostIp: publishedPort.hostIp, HostPort: String(publishedPort.publishedPort) }];
    }
    return { exposedPorts, portBindings };
  }
  /**
   * Initialize Docker client and create onebox network
   */
@@ -122,6 +366,9 @@ export class OneboxDockerManager {
   */
  async createContainer(service: IService): Promise<string> {
    try {
      this.validateServiceSpec(service);
      await this.assertPublishedPortsAvailable(service);
      // Check if Docker is in Swarm mode
      let isSwarmMode = false;
      try {
@@ -158,6 +405,8 @@ export class OneboxDockerManager {
      env.push(`${key}=${value}`);
    }
    const portConfig = this.getStandalonePortConfig(service);
    // Create container using Docker REST API directly
    const response = await this.dockerClient!.request('POST', `/containers/create?name=onebox-${service.name}`, {
      Image: fullImage,
@@ -166,18 +415,14 @@ export class OneboxDockerManager {
        'managed-by': 'onebox',
        'onebox-service': service.name,
      },
-      ExposedPorts: {
+      ExposedPorts: portConfig.exposedPorts,
        [`${service.port}/tcp`]: {},
      },
      HostConfig: {
        NetworkMode: this.networkName,
        RestartPolicy: {
          Name: 'unless-stopped',
        },
-        PortBindings: {
+        PortBindings: portConfig.portBindings,
-          // Don't bind to host ports - nginx will proxy
+        Binds: this.getStandaloneVolumeBinds(service),
          [`${service.port}/tcp`]: [],
        },
      },
    });
@@ -207,6 +452,25 @@ export class OneboxDockerManager {
      env.push(`${key}=${value}`);
    }
    const expandedPublishedPorts = this.expandPublishedPorts(service);
    const endpointPorts: Array<Record<string, unknown>> = [];
    if (!expandedPublishedPorts.some((publishedPort) => publishedPort.protocol === 'tcp' && publishedPort.targetPort === service.port)) {
      endpointPorts.push({
        Protocol: 'tcp',
        TargetPort: service.port,
        PublishMode: 'host',
      });
    }
    for (const publishedPort of expandedPublishedPorts) {
      endpointPorts.push({
        Protocol: publishedPort.protocol,
        TargetPort: publishedPort.targetPort,
        PublishedPort: publishedPort.publishedPort,
        PublishMode: 'host',
      });
    }
    // Create Swarm service using Docker REST API
    const response = await this.dockerClient!.request('POST', '/services/create', {
      Name: `onebox-${service.name}`,
@@ -218,6 +482,7 @@ export class OneboxDockerManager {
        ContainerSpec: {
          Image: fullImage,
          Env: env,
          Mounts: this.getSwarmVolumeMounts(service),
          Labels: {
            'managed-by': 'onebox',
            'onebox-service': service.name,
@@ -239,13 +504,7 @@ export class OneboxDockerManager {
        },
      },
      EndpointSpec: {
-        Ports: [
+        Ports: endpointPorts,
          {
            Protocol: 'tcp',
            TargetPort: service.port,
            PublishMode: 'host',
          },
        ],
      },
    });
@@ -3,19 +3,40 @@ import { logger } from '../logging.ts';
 import { getErrorMessage } from '../utils/error.ts';
 import { OneboxDatabase } from './database.ts';
 import type { IDomain, IService } from '../types.ts';
 import type { TDcRouterMode } from './managed-dcrouter.ts';
 type TWorkHosterType = 'onebox';
 interface IExternalGatewayConfig {
  url: string;
  apiToken: string;
-  workHosterId: string;
+  gatewayClientType?: TWorkHosterType;
  gatewayClientId?: string;
  /** @deprecated Use gatewayClientId. */
  workHosterId?: string;
  targetHost?: string;
  targetPort?: number;
 }
 interface IGatewayClientContextResponse {
  context: {
    role: 'admin' | 'gatewayClient' | 'operator';
    gatewayClient?: {
      type: 'onebox' | 'cloudly' | 'custom';
      id: string;
    };
  };
 }
 interface IWorkHosterDomain {
  id?: string;
  name: string;
  source?: 'dcrouter' | 'provider';
  authoritative?: boolean;
  providerId?: string;
  serviceCount?: number;
  managePath?: string;
  manageUrl?: string;
  capabilities?: {
    canCreateSubdomains: boolean;
    canManageDnsRecords: boolean;
@@ -24,6 +45,26 @@ interface IWorkHosterDomain {
  };
 }
 interface IGatewayDnsRecord {
  id: string;
  domainId: string;
  domainName?: string;
  name: string;
  type: string;
  value: string;
  ttl: number;
  source: string;
  status: 'active' | 'missing';
  gatewayClientType: 'onebox' | 'cloudly' | 'custom';
  gatewayClientId: string;
  appId: string;
  hostname: string;
  routeId?: string;
  serviceName?: string;
  managePath?: string;
  manageUrl?: string;
 }
 interface IWorkAppRouteOwnership {
  workHosterType: TWorkHosterType;
  workHosterId: string;
@@ -31,6 +72,13 @@ interface IWorkAppRouteOwnership {
  hostname: string;
 }
 interface IGatewayClientOwnership {
  gatewayClientType?: TWorkHosterType;
  gatewayClientId?: string;
  appId: string;
  hostname: string;
 }
 interface IWorkAppRouteSyncResult {
  success: boolean;
  action?: 'created' | 'updated' | 'deleted' | 'unchanged';
@@ -85,20 +133,66 @@ export class ExternalGatewayManager {
    }
    await this.syncDomains();
    await this.syncServiceRoutes();
  }
  public async syncServiceRoutes(): Promise<void> {
    const services = this.database.getAllServices()
      .filter((service) => service.domain && service.status === 'running');
    const activeHostnames = new Set(services.map((service) => service.domain!));
    for (const service of services) {
      try {
        await this.syncServiceRoute(service);
      } catch (error) {
        logger.warn(`Failed to sync external gateway route for ${service.domain}: ${getErrorMessage(error)}`);
      }
    }
    await this.deleteStaleServiceRoutes(activeHostnames);
  }
  private async deleteStaleServiceRoutes(activeHostnamesArg: Set<string>): Promise<void> {
    const records = await this.getGatewayDnsRecords();
    const staleRecordsByHostname = new Map<string, IGatewayDnsRecord>();
    for (const record of records) {
      if (!record.hostname || activeHostnamesArg.has(record.hostname)) continue;
      if (!record.routeId && !record.appId && !record.serviceName) continue;
      staleRecordsByHostname.set(record.hostname, record);
    }
    for (const record of staleRecordsByHostname.values()) {
      try {
        await this.deleteServiceRoute({
          name: record.serviceName || record.appId,
          domain: record.hostname,
        });
      } catch (error) {
        logger.warn(`Failed to delete stale external gateway route for ${record.hostname}: ${getErrorMessage(error)}`);
      }
    }
  }
  public async isConfigured(): Promise<boolean> {
-    const config = await this.getConfig({ requireTarget: false });
+    if (this.getMode() === 'disabled') {
-    return Boolean(config);
+      return false;
    }
    const mode = this.getMode();
    const url = mode === 'managed'
      ? this.oneboxRef.managedDcRouter.getGatewayUrl()
      : this.normalizeUrl(this.database.getSetting('dcrouterGatewayUrl') || '');
    const apiToken = mode === 'managed'
      ? await this.oneboxRef.managedDcRouter.getAdminToken()
      : await this.database.getSecretSetting('dcrouterGatewayApiToken');
    return Boolean(url && apiToken);
  }
  public async syncDomains(): Promise<IDomain[]> {
-    const config = await this.requireConfig({ requireTarget: false });
+    if (!(await this.isConfigured())) {
-    const response = await this.fireDcRouterRequest<{ domains: IWorkHosterDomain[] }>(
+      return this.database.getDomainsByProvider('dcrouter');
-      'getWorkHosterDomains',
+    }
-      {},
+    const response = { domains: await this.getGatewayDomains() };
      config,
    );
    const activeDomainNames = new Set<string>();
    const now = Date.now();
@@ -143,6 +237,55 @@ export class ExternalGatewayManager {
    return this.database.getDomainsByProvider('dcrouter');
  }
  public async getGatewayDomains(): Promise<IWorkHosterDomain[]> {
    const config = await this.getConfig({ requireTarget: false });
    if (!config) return [];
    try {
      const response = await this.fireDcRouterRequest<{ domains: IWorkHosterDomain[] }>(
        'getGatewayClientDomains',
        config.gatewayClientId ? { gatewayClientId: config.gatewayClientId } : {},
        config,
      );
      return response.domains.map((domain) => ({
        ...domain,
        manageUrl: this.buildManageUrl(config, domain.managePath),
      }));
    } catch (error) {
      logger.debug(`Falling back to legacy gateway domain API: ${getErrorMessage(error)}`);
      const response = await this.fireDcRouterRequest<{ domains: IWorkHosterDomain[] }>(
        'getWorkHosterDomains',
        {},
        config,
      );
      return response.domains.map((domain) => ({
        ...domain,
        manageUrl: this.buildManageUrl(config, domain.managePath),
      }));
    }
  }
  public async getGatewayDnsRecords(): Promise<IGatewayDnsRecord[]> {
    const config = await this.getConfig({ requireTarget: false });
    if (!config) return [];
    try {
      const response = await this.fireDcRouterRequest<{ records: IGatewayDnsRecord[] }>(
        'getGatewayClientDnsRecords',
        config.gatewayClientId ? { gatewayClientId: config.gatewayClientId } : {},
        config,
      );
      return response.records.map((record) => ({
        ...record,
        serviceName: record.serviceName || record.appId,
        manageUrl: this.buildManageUrl(config, record.managePath),
      }));
    } catch (error) {
      logger.warn(`Failed to fetch gateway DNS records: ${getErrorMessage(error)}`);
      return [];
    }
  }
  public async syncServiceRoute(service: IService): Promise<void> {
    if (!service.domain) return;
@@ -150,14 +293,24 @@ export class ExternalGatewayManager {
    if (!config) return;
    const result = await this.fireDcRouterRequest<IWorkAppRouteSyncResult>(
-      'syncWorkAppRoute',
+      'syncGatewayClientRoute',
      {
-        ownership: this.buildOwnership(service, service.domain, config),
+        ownership: this.buildGatewayClientOwnership(service, service.domain, config),
        route: this.buildRoute(service, config),
        enabled: service.status === 'running',
      },
      config,
-    );
+    ).catch(async () => {
      return await this.fireDcRouterRequest<IWorkAppRouteSyncResult>(
        'syncWorkAppRoute',
        {
          ownership: this.buildOwnership(service, service.domain!, config),
          route: this.buildRoute(service, config),
          enabled: service.status === 'running',
        },
        config,
      );
    });
    if (!result.success) {
      throw new Error(result.message || `dcrouter route sync failed for ${service.domain}`);
@@ -176,13 +329,22 @@ export class ExternalGatewayManager {
    if (!config) return;
    const result = await this.fireDcRouterRequest<IWorkAppRouteSyncResult>(
-      'syncWorkAppRoute',
+      'syncGatewayClientRoute',
      {
-        ownership: this.buildOwnership(service, service.domain, config),
+        ownership: this.buildGatewayClientOwnership(service, service.domain, config),
        delete: true,
      },
      config,
-    );
+    ).catch(async () => {
      return await this.fireDcRouterRequest<IWorkAppRouteSyncResult>(
        'syncWorkAppRoute',
        {
          ownership: this.buildOwnership(service, service.domain!, config),
          delete: true,
        },
        config,
      );
    });
    if (!result.success) {
      throw new Error(result.message || `dcrouter route delete failed for ${service.domain}`);
@@ -234,8 +396,17 @@ export class ExternalGatewayManager {
  }
  private async getConfig(options: { requireTarget?: boolean } = {}): Promise<IExternalGatewayConfig | null> {
-    const url = this.normalizeUrl(this.database.getSetting('dcrouterGatewayUrl') || '');
+    const mode = this.getMode();
-    const apiToken = await this.database.getSecretSetting('dcrouterGatewayApiToken');
+    if (mode === 'disabled') {
      return null;
    }
    const url = mode === 'managed'
      ? this.oneboxRef.managedDcRouter.getGatewayUrl()
      : this.normalizeUrl(this.database.getSetting('dcrouterGatewayUrl') || '');
    const apiToken = mode === 'managed'
      ? await this.oneboxRef.managedDcRouter.getAdminToken()
      : await this.database.getSecretSetting('dcrouterGatewayApiToken');
    if (!url || !apiToken) {
      return null;
    }
@@ -243,19 +414,40 @@ export class ExternalGatewayManager {
    const config: IExternalGatewayConfig = {
      url,
      apiToken,
      workHosterId: this.ensureWorkHosterId(),
    };
    const contextClient = await this.getGatewayClientFromToken(config);
    if (contextClient) {
      config.gatewayClientType = contextClient.type;
      config.gatewayClientId = contextClient.id;
      config.workHosterId = contextClient.id;
    } else {
      const fallbackGatewayClientId = mode === 'managed'
        ? this.oneboxRef.managedDcRouter.ensureGatewayClientId()
        : this.getStoredGatewayClientId();
      if (fallbackGatewayClientId) {
        config.gatewayClientType = 'onebox';
        config.gatewayClientId = fallbackGatewayClientId;
        config.workHosterId = fallbackGatewayClientId;
      }
    }
    if (options.requireTarget !== false) {
-      config.targetHost = this.database.getSetting('dcrouterTargetHost')
+      if (mode === 'managed') {
-        || this.database.getSetting('serverIP')
+        const target = this.oneboxRef.managedDcRouter.getRouteTarget();
-        || undefined;
+        config.targetHost = target.host;
-      const targetPort = this.parsePort(
+        config.targetPort = target.port;
-        this.database.getSetting('dcrouterTargetPort')
+      } else {
-          || this.database.getSetting('httpPort')
+        config.targetHost = this.database.getSetting('dcrouterTargetHost')
-          || '80',
+          || this.database.getSetting('serverIP')
-      );
+          || undefined;
-      config.targetPort = targetPort;
+        const targetPort = this.parsePort(
          this.database.getSetting('dcrouterTargetPort')
            || this.database.getSetting('httpPort')
            || '80',
        );
        config.targetPort = targetPort;
      }
      if (!config.targetHost) {
        throw new Error('dcrouterTargetHost or serverIP must be configured for external gateway route sync');
@@ -265,6 +457,10 @@ export class ExternalGatewayManager {
    return config;
  }
  private getMode(): TDcRouterMode {
    return this.oneboxRef.managedDcRouter?.getMode?.() || 'external';
  }
  private async requireConfig(options: { requireTarget?: boolean } = {}): Promise<IExternalGatewayConfig> {
    const config = await this.getConfig(options);
    if (!config) {
@@ -288,13 +484,27 @@ export class ExternalGatewayManager {
    return port;
  }
-  private ensureWorkHosterId(): string {
+  private getStoredGatewayClientId(): string {
-    let workHosterId = this.database.getSetting('dcrouterWorkHosterId');
+    return this.database.getSetting('dcrouterGatewayClientId') || this.database.getSetting('dcrouterWorkHosterId') || '';
-    if (!workHosterId) {
+  }
-      workHosterId = crypto.randomUUID();
+
-      this.database.setSetting('dcrouterWorkHosterId', workHosterId);
+  private async getGatewayClientFromToken(config: IExternalGatewayConfig): Promise<{ type: TWorkHosterType; id: string } | null> {
    try {
      const response = await this.fireDcRouterRequest<IGatewayClientContextResponse>(
        'getGatewayClientContext',
        {},
        config,
      );
      const gatewayClient = response.context.gatewayClient;
      if (!gatewayClient) return null;
      if (gatewayClient.type !== 'onebox') {
        throw new Error(`dcrouter token is bound to unsupported gateway client type: ${gatewayClient.type}`);
      }
      return { type: gatewayClient.type, id: gatewayClient.id };
    } catch (error) {
      logger.debug(`dcrouter gateway client context unavailable: ${getErrorMessage(error)}`);
      return null;
    }
    return workHosterId;
  }
  private buildOwnership(
@@ -304,12 +514,28 @@ export class ExternalGatewayManager {
  ): IWorkAppRouteOwnership {
    return {
      workHosterType: 'onebox',
-      workHosterId: config.workHosterId,
+      workHosterId: config.gatewayClientId || '',
      workAppId: service.name || `service-${service.id}`,
      hostname,
    };
  }
  private buildGatewayClientOwnership(
    service: Pick<IService, 'id' | 'name'>,
    hostname: string,
    config: IExternalGatewayConfig,
  ): IGatewayClientOwnership {
    const ownership: IGatewayClientOwnership = {
      gatewayClientType: config.gatewayClientType || 'onebox',
      appId: service.name || `service-${service.id}`,
      hostname,
    };
    if (config.gatewayClientId) {
      ownership.gatewayClientId = config.gatewayClientId;
    }
    return ownership;
  }
  private buildRoute(service: IService, config: IExternalGatewayConfig): IDcRouterRouteConfig {
    return {
      name: this.routeName(service.domain!),
@@ -335,6 +561,11 @@ export class ExternalGatewayManager {
    return `onebox-${domain.replace(/[^a-zA-Z0-9]+/g, '-').replace(/^-|-$/g, '')}`;
  }
  private buildManageUrl(config: IExternalGatewayConfig, managePath?: string): string {
    const normalizedPath = managePath?.startsWith('/') ? managePath : managePath ? `/${managePath}` : '';
    return `${config.url}${normalizedPath}`;
  }
  private async fireDcRouterRequest<TResponse>(
    method: string,
    requestData: Record<string, unknown>,
@@ -0,0 +1,354 @@
 import * as plugins from '../plugins.ts';
 import { logger } from '../logging.ts';
 import { getErrorMessage } from '../utils/error.ts';
 import { OneboxDatabase } from './database.ts';
 export type TDcRouterMode = 'managed' | 'external' | 'disabled';
 export interface IManagedDcRouterStatus {
  mode: TDcRouterMode;
  configured: boolean;
  running: boolean;
  healthy: boolean;
  containerId?: string;
  image: string;
  gatewayUrl: string;
  opsPort: number;
  httpPort: number;
  httpsPort: number;
  message?: string;
 }
 const containerName = 'onebox-dcrouter';
 const defaultImage = 'code.foss.global/serve.zone/dcrouter:latest';
 const defaultDataDir = './.nogit/dcrouter-data';
 const defaultOpsPort = 3300;
 const defaultHttpPort = 80;
 const defaultHttpsPort = 443;
 const internalBaseDir = '/data';
 export class ManagedDcRouterManager {
  private database: OneboxDatabase;
  private dockerClient: InstanceType<typeof plugins.docker.Docker> | null = null;
  constructor(private oneboxRef: any) {
    this.database = oneboxRef.database;
  }
  public getMode(): TDcRouterMode {
    const storedMode = this.database.getSetting('dcrouterMode');
    if (storedMode === 'managed' || storedMode === 'external' || storedMode === 'disabled') {
      return storedMode;
    }
    const hasExternalGateway = Boolean(this.database.getSetting('dcrouterGatewayUrl'));
    return hasExternalGateway ? 'external' : 'managed';
  }
  public getImage(): string {
    return this.database.getSetting('dcrouterManagedImage') || defaultImage;
  }
  public getOpsPort(): number {
    return this.parsePort(this.database.getSetting('dcrouterManagedOpsPort'), defaultOpsPort);
  }
  public getHttpPort(): number {
    return this.parsePort(this.database.getSetting('dcrouterManagedHttpPort'), defaultHttpPort);
  }
  public getHttpsPort(): number {
    return this.parsePort(this.database.getSetting('dcrouterManagedHttpsPort'), defaultHttpsPort);
  }
  public getDataDir(): string {
    return this.database.getSetting('dcrouterManagedDataDir') || defaultDataDir;
  }
  public getGatewayUrl(): string {
    return `http://127.0.0.1:${this.getOpsPort()}`;
  }
  public getRouteTarget(): { host: string; port: number } {
    return {
      host: 'onebox-smartproxy',
      port: 80,
    };
  }
  public ensureGatewayClientId(): string {
    let gatewayClientId = this.database.getSetting('dcrouterGatewayClientId')
      || this.database.getSetting('dcrouterWorkHosterId');
    if (!gatewayClientId) {
      gatewayClientId = `onebox-${crypto.randomUUID()}`;
      this.database.setSetting('dcrouterGatewayClientId', gatewayClientId);
    }
    return gatewayClientId;
  }
  public async getAdminToken(): Promise<string> {
    const existingToken = await this.database.getSecretSetting('dcrouterManagedAdminApiToken');
    if (existingToken) {
      return existingToken;
    }
    const token = `dcr_${crypto.randomUUID().replaceAll('-', '')}${crypto.randomUUID().replaceAll('-', '')}`;
    await this.database.setSecretSetting('dcrouterManagedAdminApiToken', token);
    return token;
  }
  public async prepareGatewaySettings(): Promise<void> {
    if (this.getMode() !== 'managed') {
      return;
    }
    const target = this.getRouteTarget();
    this.database.setSetting('dcrouterMode', 'managed');
    this.database.setSetting('dcrouterGatewayUrl', this.getGatewayUrl());
    this.database.setSetting('dcrouterTargetHost', target.host);
    this.database.setSetting('dcrouterTargetPort', String(target.port));
    this.ensureGatewayClientId();
    await this.getAdminToken();
  }
  public async init(): Promise<void> {
    if (this.getMode() === 'managed') {
      await this.start();
      return;
    }
    await this.stop();
  }
  public async start(options: { recreate?: boolean } = {}): Promise<IManagedDcRouterStatus> {
    if (this.getMode() !== 'managed') {
      throw new Error('Managed dcrouter mode is not enabled');
    }
    await this.prepareGatewaySettings();
    await this.ensureDockerClient();
    if (options.recreate) {
      await this.removeExistingContainer();
    }
    const existingContainer = await this.getExistingContainer();
    if (existingContainer) {
      if (this.isContainerRunning(existingContainer)) {
        await this.waitForReady().catch((error) => {
          logger.warn(`Managed dcrouter readiness check failed: ${getErrorMessage(error)}`);
        });
        return await this.getStatus();
      }
      await this.startContainer(existingContainer.Id);
      await this.waitForReady();
      return await this.getStatus();
    }
    await this.createContainer();
    await this.waitForReady();
    return await this.getStatus();
  }
  public async stop(): Promise<IManagedDcRouterStatus> {
    await this.ensureDockerClient();
    const existingContainer = await this.getExistingContainer();
    if (existingContainer && this.isContainerRunning(existingContainer)) {
      await this.stopContainer(existingContainer.Id);
    }
    return await this.getStatus();
  }
  public async restart(): Promise<IManagedDcRouterStatus> {
    return await this.start({ recreate: true });
  }
  public async getStatus(): Promise<IManagedDcRouterStatus> {
    const baseStatus: IManagedDcRouterStatus = {
      mode: this.getMode(),
      configured: this.getMode() === 'managed',
      running: false,
      healthy: false,
      image: this.getImage(),
      gatewayUrl: this.getGatewayUrl(),
      opsPort: this.getOpsPort(),
      httpPort: this.getHttpPort(),
      httpsPort: this.getHttpsPort(),
    };
    try {
      await this.ensureDockerClient();
      const existingContainer = await this.getExistingContainer();
      if (!existingContainer) {
        return baseStatus;
      }
      const running = this.isContainerRunning(existingContainer);
      return {
        ...baseStatus,
        running,
        healthy: running ? await this.checkHealthy() : false,
        containerId: existingContainer.Id,
      };
    } catch (error) {
      return {
        ...baseStatus,
        message: getErrorMessage(error),
      };
    }
  }
  private async ensureDockerClient(): Promise<void> {
    if (!this.dockerClient) {
      this.dockerClient = new plugins.docker.Docker({
        socketPath: 'unix:///var/run/docker.sock',
      });
      await this.dockerClient.start();
    }
  }
  private parsePort(value: string | null, fallback: number): number {
    if (!value) return fallback;
    const port = Number(value);
    if (!Number.isInteger(port) || port < 1 || port > 65535) {
      return fallback;
    }
    return port;
  }
  private async getAbsoluteDataDir(): Promise<string> {
    const dataDir = plugins.path.resolve(this.getDataDir());
    await Deno.mkdir(dataDir, { recursive: true });
    return dataDir;
  }
  private async createContainer(): Promise<void> {
    const image = this.getImage();
    const token = await this.getAdminToken();
    const dataDir = await this.getAbsoluteDataDir();
    await this.writeManagedConfig(dataDir);
    await this.oneboxRef.docker.pullImage(image);
    const response = await this.dockerClient!.request('POST', `/containers/create?name=${containerName}`, {
      Image: image,
      Env: [
        `DCROUTER_BASE_DIR=${internalBaseDir}`,
        `DCROUTER_CONFIG_PATH=${internalBaseDir}/managed-config.json`,
        `DCROUTER_ADMIN_API_TOKEN=${token}`,
        'DCROUTER_ADMIN_API_TOKEN_NAME=Onebox Managed Admin Token',
      ],
      Labels: {
        'managed-by': 'onebox',
        'onebox-type': 'dcrouter',
      },
      ExposedPorts: {
        '80/tcp': {},
        '443/tcp': {},
        '3000/tcp': {},
      },
      HostConfig: {
        NetworkMode: 'onebox-network',
        RestartPolicy: {
          Name: 'unless-stopped',
        },
        Binds: [`${dataDir}:${internalBaseDir}`],
        PortBindings: {
          '80/tcp': [{ HostIp: '0.0.0.0', HostPort: String(this.getHttpPort()) }],
          '443/tcp': [{ HostIp: '0.0.0.0', HostPort: String(this.getHttpsPort()) }],
          '3000/tcp': [{ HostIp: '127.0.0.1', HostPort: String(this.getOpsPort()) }],
        },
      },
    });
    if (response.statusCode >= 300) {
      throw new Error(`Failed to create managed dcrouter container: HTTP ${response.statusCode} - ${JSON.stringify(response.body)}`);
    }
    await this.startContainer(response.body.Id);
    logger.success(`Managed dcrouter container started: ${response.body.Id}`);
  }
  private async writeManagedConfig(dataDirArg: string): Promise<void> {
    const configPath = plugins.path.join(dataDirArg, 'managed-config.json');
    try {
      const existingConfig = await Deno.readTextFile(configPath);
      JSON.parse(existingConfig);
      return;
    } catch (error) {
      if (!(error instanceof Deno.errors.NotFound)) {
        throw new Error(`Managed dcrouter config exists but is not valid JSON: ${getErrorMessage(error)}`);
      }
    }
    const config = {
      smartProxyConfig: {
        routes: [],
      },
    };
    await Deno.writeTextFile(configPath, JSON.stringify(config, null, 2));
  }
  private async getExistingContainer(): Promise<any | null> {
    const filters = encodeURIComponent(JSON.stringify({ name: [containerName] }));
    const response = await this.dockerClient!.request('GET', `/containers/json?all=true&filters=${filters}`, {});
    if (response.statusCode >= 300 || !Array.isArray(response.body)) {
      return null;
    }
    return response.body.find((container: any) => {
      return container.Names?.some((name: string) => name === `/${containerName}` || name === containerName);
    }) ?? null;
  }
  private isContainerRunning(container: any): boolean {
    return container.State === 'running' || Boolean(container.Status?.toLowerCase().startsWith('up '));
  }
  private async startContainer(containerId: string): Promise<void> {
    const response = await this.dockerClient!.request('POST', `/containers/${containerId}/start`, {});
    if (response.statusCode >= 300 && response.statusCode !== 304) {
      throw new Error(`Failed to start managed dcrouter container: HTTP ${response.statusCode}`);
    }
  }
  private async stopContainer(containerId: string): Promise<void> {
    const response = await this.dockerClient!.request('POST', `/containers/${containerId}/stop`, {});
    if (response.statusCode >= 300 && response.statusCode !== 304) {
      throw new Error(`Failed to stop managed dcrouter container: HTTP ${response.statusCode}`);
    }
  }
  private async removeExistingContainer(): Promise<void> {
    const existingContainer = await this.getExistingContainer();
    if (!existingContainer) {
      return;
    }
    const response = await this.dockerClient!.request('DELETE', `/containers/${existingContainer.Id}?force=true`, {});
    if (response.statusCode >= 300) {
      throw new Error(`Failed to remove managed dcrouter container: HTTP ${response.statusCode}`);
    }
  }
  private async checkHealthy(): Promise<boolean> {
    try {
      const response = await fetch(this.getGatewayUrl());
      return response.ok;
    } catch {
      return false;
    }
  }
  private async waitForReady(maxAttempts = 30, intervalMs = 1000): Promise<void> {
    for (let i = 0; i < maxAttempts; i++) {
      if (await this.checkHealthy()) {
        return;
      }
      await new Promise((resolve) => setTimeout(resolve, intervalMs));
    }
    throw new Error('Managed dcrouter did not become ready in time');
  }
 }
@@ -25,6 +25,7 @@ import { ProxyLogReceiver } from './proxy-log-receiver.ts';
 import { BackupManager } from './backup-manager.ts';
 import { BackupScheduler } from './backup-scheduler.ts';
 import { ExternalGatewayManager } from './external-gateway.ts';
 import { ManagedDcRouterManager } from './managed-dcrouter.ts';
 import { OpsServer } from '../opsserver/index.ts';
 export class Onebox {
@@ -45,6 +46,7 @@ export class Onebox {
  public proxyLogReceiver: ProxyLogReceiver;
  public backupManager: BackupManager;
  public backupScheduler: BackupScheduler;
  public managedDcRouter: ManagedDcRouterManager;
  public externalGateway: ExternalGatewayManager;
  public opsServer: OpsServer;
@@ -88,7 +90,8 @@ export class Onebox {
    // Initialize Backup scheduler
    this.backupScheduler = new BackupScheduler(this);
-    // Initialize optional dcrouter edge gateway integration
+    // Initialize optional dcrouter gateway integration
    this.managedDcRouter = new ManagedDcRouterManager(this);
    this.externalGateway = new ExternalGatewayManager(this);
    // Initialize OpsServer (TypedRequest-based server)
@@ -111,6 +114,20 @@ export class Onebox {
      // Initialize Docker
      await this.docker.init();
      try {
        await this.managedDcRouter.prepareGatewaySettings();
      } catch (error) {
        logger.warn(`Managed dcrouter settings preparation failed: ${getErrorMessage(error)}`);
      }
      if (this.managedDcRouter.getMode() !== 'managed') {
        try {
          await this.managedDcRouter.stop();
        } catch (error) {
          logger.warn(`Failed to stop inactive managed dcrouter: ${getErrorMessage(error)}`);
        }
      }
      // Start proxy log receiver before reverse proxy startup.
      try {
        await this.proxyLogReceiver.start();
@@ -128,8 +145,9 @@ export class Onebox {
      // Start HTTP reverse proxy (non-critical - don't fail init if ports are busy)
      // Use 8080/8443 in dev mode to avoid permission issues
      const isDev = Deno.env.get('ONEBOX_DEV') === 'true' || Deno.args.includes('--ephemeral');
-      const httpPort = isDev ? 8080 : 80;
+      const isManagedDcRouter = this.managedDcRouter.getMode() === 'managed';
-      const httpsPort = isDev ? 8443 : 443;
+      const httpPort = isDev || isManagedDcRouter ? 8080 : 80;
      const httpsPort = isDev || isManagedDcRouter ? 8443 : 443;
      try {
        await this.reverseProxy.startHttp(httpPort);
@@ -165,6 +183,14 @@ export class Onebox {
        logger.warn('Cloudflare domain sync initialization failed - domain sync will be limited');
      }
      // Initialize managed local dcrouter before syncing delegated routes.
      try {
        await this.managedDcRouter.init();
      } catch (error) {
        logger.warn('Managed dcrouter initialization failed - local gateway sync will be disabled');
        logger.warn(`Error: ${getErrorMessage(error)}`);
      }
      // Initialize external dcrouter gateway (non-critical)
      try {
        await this.externalGateway.init();
@@ -95,6 +95,8 @@ export class OneboxServicesManager {
        image: options.useOneboxRegistry ? imageToPull : options.image,
        registry: options.registry,
        envVars: options.envVars || {},
        volumes: options.volumes || [],
        publishedPorts: options.publishedPorts || [],
        port: options.port,
        domain: options.domain,
        status: 'stopped',
@@ -578,6 +580,8 @@ export class OneboxServicesManager {
      port?: number;
      domain?: string;
      envVars?: Record<string, string>;
      volumes?: IService['volumes'];
      publishedPorts?: IService['publishedPorts'];
    }
  ): Promise<IService> {
    try {
@@ -616,6 +620,8 @@ export class OneboxServicesManager {
      if (updates.port !== undefined) updateData.port = updates.port;
      if (updates.domain !== undefined) updateData.domain = updates.domain;
      if (updates.envVars !== undefined) updateData.envVars = updates.envVars;
      if (updates.volumes !== undefined) updateData.volumes = updates.volumes;
      if (updates.publishedPorts !== undefined) updateData.publishedPorts = updates.publishedPorts;
      this.database.updateService(service.id!, updateData);
@@ -175,11 +175,13 @@ export class SmartProxyManager {
        throw new Error(`Failed to create SmartProxy service: HTTP ${response.statusCode} - ${JSON.stringify(response.body)}`);
      }
-      logger.info(`SmartProxy service created: ${response.body.ID}`);
+      const serviceId = response.body.ID;
      logger.info(`SmartProxy service created: ${serviceId}`);
      await this.waitForServiceTaskRunning(serviceId);
      await this.waitForReady();
      this.serviceRunning = true;
-      await this.reloadConfig();
+      await this.reloadConfig({ skipRunningCheck: true });
      logger.success(`SmartProxy started (HTTP: ${this.httpPort}, HTTPS: ${this.httpsPort}, Admin: ${this.adminUrl})`);
    } catch (error) {
@@ -232,6 +234,37 @@ export class SmartProxyManager {
    throw new Error('SmartProxy service failed to start within timeout');
  }
  private async waitForServiceTaskRunning(
    serviceIdArg: string,
    maxAttempts = 30,
    intervalMs = 1000,
  ): Promise<void> {
    let lastState = 'unknown';
    for (let i = 0; i < maxAttempts; i++) {
      const tasksResponse = await this.dockerClient!.request(
        'GET',
        `/tasks?filters=${encodeURIComponent(JSON.stringify({ service: [serviceIdArg] }))}`,
        {},
      );
      if (tasksResponse.statusCode === 200 && Array.isArray(tasksResponse.body)) {
        const tasks = tasksResponse.body;
        const runningTask = tasks.find((task: any) => task.Status?.State === 'running');
        if (runningTask) {
          return;
        }
        const latestTask = tasks[0];
        lastState = latestTask?.Status?.State || lastState;
      }
      await new Promise((resolve) => setTimeout(resolve, intervalMs));
    }
    throw new Error(`SmartProxy service task did not reach running state (last state: ${lastState})`);
  }
  async stop(): Promise<void> {
    try {
      await this.ensureDockerClient();
@@ -360,11 +393,13 @@ export class SmartProxyManager {
    return routeConfigs;
  }
-  async reloadConfig(): Promise<void> {
+  async reloadConfig(options: { skipRunningCheck?: boolean } = {}): Promise<void> {
-    const isRunning = await this.isRunning();
+    if (!options.skipRunningCheck) {
-    if (!isRunning) {
+      const isRunning = await this.isRunning();
-      logger.warn('SmartProxy not running, cannot reload config');
+      if (!isRunning) {
-      return;
+        logger.warn('SmartProxy not running, cannot reload config');
        return;
      }
    }
    const routes = this.buildRoutes();
@@ -214,33 +214,25 @@ async function handleAppStoreCommand(onebox: Onebox, subcommand: string, args: s
      const appMeta = await onebox.appStore.getAppMeta(appId);
      const version = getArg(args, '--version') || appMeta.latestVersion;
      const config = await onebox.appStore.getAppVersionConfig(appId, version);
      const serviceName = getArg(args, '--name') || appId;
      const domain = getArg(args, '--domain');
-      const port = parseInt(getArg(args, '--port') || String(config.port), 10);
+      const portArg = getArg(args, '--port');
-      const envVars = getAppStoreEnvVars(config, parseEnvArgs(args));
+      const port = portArg ? parseInt(portArg, 10) : undefined;
      const autoDNS = getBooleanArg(args, '--auto-dns', true);
      requireValue(serviceName, '--name');
-      assertValidPort(port, '--port');
+      if (port !== undefined) {
-      if (requiresTemplateValue(envVars, 'SERVICE_DOMAIN')) {
+        assertValidPort(port, '--port');
        requireValue(domain, '--domain');
      }
-      const service = await onebox.services.deployService({
+      const service = await onebox.appStore.installApp({
-        name: serviceName,
+        appId,
-        image: config.image,
+        version,
-        port,
+        serviceName,
        domain,
        port,
        autoDNS,
-        envVars,
+        envVars: parseEnvArgs(args),
        enableMongoDB: Boolean(config.platformRequirements?.mongodb),
        enableS3: Boolean(config.platformRequirements?.s3),
        enableClickHouse: Boolean(config.platformRequirements?.clickhouse),
        enableRedis: Boolean(config.platformRequirements?.redis),
        enableMariaDB: Boolean(config.platformRequirements?.mariadb),
        appTemplateId: appId,
        appTemplateVersion: version,
      });
      logger.success(`Installed ${appMeta.name} ${version} as ${service.name}`);
@@ -0,0 +1,11 @@
 import { BaseMigration } from './base-migration.ts';
 import type { TQueryFunction } from '../types.ts';
 export class Migration016ServiceVolumes extends BaseMigration {
  readonly version = 16;
  readonly description = 'Add persistent volume declarations to services';
  up(query: TQueryFunction): void {
    query(`ALTER TABLE services ADD COLUMN volumes TEXT DEFAULT '[]'`);
  }
 }
@@ -0,0 +1,11 @@
 import { BaseMigration } from './base-migration.ts';
 import type { TQueryFunction } from '../types.ts';
 export class Migration017ServicePublishedPorts extends BaseMigration {
  readonly version = 17;
  readonly description = 'Add raw published port declarations to services';
  up(query: TQueryFunction): void {
    query(`ALTER TABLE services ADD COLUMN published_ports TEXT DEFAULT '[]'`);
  }
 }
@@ -22,6 +22,8 @@ import { Migration012GfsRetention } from './migration-012-gfs-retention.ts';
 import { Migration013AppTemplateVersion } from './migration-013-app-template-version.ts';
 import { Migration014ContainerArchive } from './migration-014-containerarchive.ts';
 import { Migration015SmartProxyPlatformService } from './migration-015-smartproxy-platform-service.ts';
 import { Migration016ServiceVolumes } from './migration-016-service-volumes.ts';
 import { Migration017ServicePublishedPorts } from './migration-017-service-published-ports.ts';
 import type { BaseMigration } from './base-migration.ts';
 export class MigrationRunner {
@@ -48,6 +50,8 @@ export class MigrationRunner {
      new Migration013AppTemplateVersion(),
      new Migration014ContainerArchive(),
      new Migration015SmartProxyPlatformService(),
      new Migration016ServiceVolumes(),
      new Migration017ServicePublishedPorts(),
    ].sort((a, b) => a.version - b.version);
  }
@@ -14,17 +14,19 @@ export class ServiceRepository extends BaseRepository {
    const now = Date.now();
    this.query(
      `INSERT INTO services (
-        name, image, registry, env_vars, port, domain, container_id, status,
+        name, image, registry, env_vars, volumes, published_ports, port, domain, container_id, status,
        created_at, updated_at,
        use_onebox_registry, registry_repository, registry_image_tag,
        auto_update_on_push, image_digest, platform_requirements,
        app_template_id, app_template_version
-      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
      [
        service.name,
        service.image,
        service.registry || null,
        JSON.stringify(service.envVars),
        JSON.stringify(service.volumes || []),
        JSON.stringify(service.publishedPorts || []),
        service.port,
        service.domain || null,
        service.containerID || null,
@@ -82,6 +84,14 @@ export class ServiceRepository extends BaseRepository {
      fields.push('env_vars = ?');
      values.push(JSON.stringify(updates.envVars));
    }
    if (updates.volumes !== undefined) {
      fields.push('volumes = ?');
      values.push(JSON.stringify(updates.volumes));
    }
    if (updates.publishedPorts !== undefined) {
      fields.push('published_ports = ?');
      values.push(JSON.stringify(updates.publishedPorts));
    }
    if (updates.port !== undefined) {
      fields.push('port = ?');
      values.push(updates.port);
@@ -169,18 +179,42 @@ export class ServiceRepository extends BaseRepository {
      }
    }
    let volumes = [];
    const volumesRaw = row.volumes ?? row[20];
    if (volumesRaw && volumesRaw !== 'undefined' && volumesRaw !== 'null') {
      try {
        volumes = JSON.parse(String(volumesRaw));
      } catch (e) {
        logger.warn(`Failed to parse volumes for service: ${getErrorMessage(e)}`);
        volumes = [];
      }
    }
    let publishedPorts = [];
    const publishedPortsRaw = row.published_ports;
    if (publishedPortsRaw && publishedPortsRaw !== 'undefined' && publishedPortsRaw !== 'null') {
      try {
        publishedPorts = JSON.parse(String(publishedPortsRaw));
      } catch (e) {
        logger.warn(`Failed to parse published_ports for service: ${getErrorMessage(e)}`);
        publishedPorts = [];
      }
    }
    return {
      id: Number(row.id || row[0]),
      name: String(row.name || row[1]),
      image: String(row.image || row[2]),
      registry: (row.registry || row[3]) ? String(row.registry || row[3]) : undefined,
      envVars,
-      port: Number(row.port || row[5]),
+      volumes,
-      domain: (row.domain || row[6]) ? String(row.domain || row[6]) : undefined,
+      publishedPorts,
-      containerID: (row.container_id || row[7]) ? String(row.container_id || row[7]) : undefined,
+      port: Number(row.port ?? row[6] ?? row[5]),
-      status: String(row.status || row[8]) as IService['status'],
+      domain: (row.domain ?? row[7] ?? row[6]) ? String(row.domain ?? row[7] ?? row[6]) : undefined,
-      createdAt: Number(row.created_at || row[9]),
+      containerID: (row.container_id ?? row[8] ?? row[7]) ? String(row.container_id ?? row[8] ?? row[7]) : undefined,
-      updatedAt: Number(row.updated_at || row[10]),
+      status: String(row.status ?? row[9] ?? row[8]) as IService['status'],
      createdAt: Number(row.created_at ?? row[10] ?? row[9]),
      updatedAt: Number(row.updated_at ?? row[11] ?? row[10]),
      useOneboxRegistry: row.use_onebox_registry ? Boolean(row.use_onebox_registry) : undefined,
      registryRepository: row.registry_repository ? String(row.registry_repository) : undefined,
      registryImageTag: row.registry_image_tag ? String(row.registry_image_tag) : undefined,
@@ -7,6 +7,7 @@ const secretSettingAliases = {
  backupPassword: ['backup_encryption_password'],
  cloudflareToken: ['cloudflareAPIKey'],
  dcrouterGatewayApiToken: ['externalGatewayApiToken'],
  dcrouterManagedAdminApiToken: [],
 } as const;
 type TCanonicalSecretSettingKey = keyof typeof secretSettingAliases;
@@ -23,6 +23,7 @@ export class OpsServer {
  public backupsHandler!: handlers.BackupsHandler;
  public schedulesHandler!: handlers.SchedulesHandler;
  public settingsHandler!: handlers.SettingsHandler;
  public managedDcRouterHandler!: handlers.ManagedDcRouterHandler;
  public logsHandler!: handlers.LogsHandler;
  public workspaceHandler!: handlers.WorkspaceHandler;
  public appStoreHandler!: handlers.AppStoreHandler;
@@ -66,6 +67,7 @@ export class OpsServer {
    this.backupsHandler = new handlers.BackupsHandler(this);
    this.schedulesHandler = new handlers.SchedulesHandler(this);
    this.settingsHandler = new handlers.SettingsHandler(this);
    this.managedDcRouterHandler = new handlers.ManagedDcRouterHandler(this);
    this.logsHandler = new handlers.LogsHandler(this);
    this.workspaceHandler = new handlers.WorkspaceHandler(this);
    this.appStoreHandler = new handlers.AppStoreHandler(this);
@@ -2,7 +2,7 @@ import * as plugins from '../../plugins.ts';
 import { logger } from '../../logging.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
-import { hashPassword, needsPasswordUpgrade, verifyPassword } from '../../utils/auth.ts';
+import { hashPassword, verifyPassword } from '../../utils/auth.ts';
 export interface IJwtData {
  userId: string;
@@ -112,11 +112,6 @@ export class AdminHandler {
              throw new plugins.typedrequest.TypedResponseError('Invalid credentials');
            }
            if (needsPasswordUpgrade(user.passwordHash)) {
              const upgradedHash = await hashPassword(dataArg.password);
              this.opsServerRef.oneboxRef.database.updateUserPassword(user.username, upgradedHash);
            }
            const expiresAt = Date.now() + 24 * 3600 * 1000;
            const freshUser = this.opsServerRef.oneboxRef.database.getUserByUsername(user.username) || user;
            const identity = await this.createIdentityForUser(freshUser, expiresAt);
@@ -41,6 +41,17 @@ export class AppStoreHandler {
      ),
    );
    this.typedrouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_InstallAppTemplate>(
        'installAppTemplate',
        async (dataArg) => {
          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
          const service = await this.opsServerRef.oneboxRef.appStore.installApp(dataArg.install);
          return { service };
        },
      ),
    );
    // Get services with available upgrades
    this.typedrouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetUpgradeableServices>(
@@ -61,5 +61,16 @@ export class DnsHandler {
        },
      ),
    );
    this.typedrouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetGatewayDnsRecords>(
        'getGatewayDnsRecords',
        async (dataArg) => {
          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
          const records = await this.opsServerRef.oneboxRef.externalGateway.getGatewayDnsRecords();
          return { records };
        },
      ),
    );
  }
 }
@@ -97,5 +97,16 @@ export class DomainsHandler {
        },
      ),
    );
    this.typedrouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetGatewayDomains>(
        'getGatewayDomains',
        async (dataArg) => {
          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
          const domains = await this.opsServerRef.oneboxRef.externalGateway.getGatewayDomains();
          return { domains };
        },
      ),
    );
  }
 }
@@ -10,6 +10,7 @@ export * from './network.handler.ts';
 export * from './backups.handler.ts';
 export * from './schedules.handler.ts';
 export * from './settings.handler.ts';
 export * from './managed-dcrouter.handler.ts';
 export * from './logs.handler.ts';
 export * from './workspace.handler.ts';
 export * from './appstore.handler.ts';
@@ -0,0 +1,59 @@
 import * as plugins from '../../plugins.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
 import { requireAdminIdentity } from '../helpers/guards.ts';
 export class ManagedDcRouterHandler {
  public typedrouter = new plugins.typedrequest.TypedRouter();
  constructor(private opsServerRef: OpsServer) {
    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
    this.registerHandlers();
  }
  private registerHandlers(): void {
    this.typedrouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetManagedDcRouterStatus>(
        'getManagedDcRouterStatus',
        async (dataArg) => {
          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
          const status = await this.opsServerRef.oneboxRef.managedDcRouter.getStatus();
          return { status };
        },
      ),
    );
    this.typedrouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_StartManagedDcRouter>(
        'startManagedDcRouter',
        async (dataArg) => {
          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
          const status = await this.opsServerRef.oneboxRef.managedDcRouter.start();
          return { status };
        },
      ),
    );
    this.typedrouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_StopManagedDcRouter>(
        'stopManagedDcRouter',
        async (dataArg) => {
          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
          const status = await this.opsServerRef.oneboxRef.managedDcRouter.stop();
          return { status };
        },
      ),
    );
    this.typedrouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RestartManagedDcRouter>(
        'restartManagedDcRouter',
        async (dataArg) => {
          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
          const status = await this.opsServerRef.oneboxRef.managedDcRouter.restart();
          return { status };
        },
      ),
    );
  }
 }
@@ -18,13 +18,21 @@ export class SettingsHandler {
    const cloudflareToken = await db.getSecretSetting('cloudflareToken');
    const dcrouterGatewayApiToken = await db.getSecretSetting('dcrouterGatewayApiToken');
    const settingsMap = db.getAllSettings();
    const managedDcRouter = this.opsServerRef.oneboxRef.managedDcRouter;
    return {
      cloudflareToken: cloudflareToken || '',
      cloudflareZoneId: settingsMap['cloudflareZoneId'] || '',
      dcrouterMode: managedDcRouter.getMode(),
      dcrouterManagedImage: managedDcRouter.getImage(),
      dcrouterManagedOpsPort: managedDcRouter.getOpsPort(),
      dcrouterManagedHttpPort: managedDcRouter.getHttpPort(),
      dcrouterManagedHttpsPort: managedDcRouter.getHttpsPort(),
      dcrouterManagedDataDir: managedDcRouter.getDataDir(),
      dcrouterGatewayUrl: settingsMap['dcrouterGatewayUrl'] || '',
      dcrouterGatewayApiToken: dcrouterGatewayApiToken || '',
-      dcrouterWorkHosterId: settingsMap['dcrouterWorkHosterId'] || '',
+      dcrouterGatewayClientId: settingsMap['dcrouterGatewayClientId'] || settingsMap['dcrouterWorkHosterId'] || '',
      dcrouterWorkHosterId: settingsMap['dcrouterWorkHosterId'] || settingsMap['dcrouterGatewayClientId'] || '',
      dcrouterTargetHost: settingsMap['dcrouterTargetHost'] || '',
      dcrouterTargetPort: parseInt(settingsMap['dcrouterTargetPort'] || '0', 10),
      autoRenewCerts: settingsMap['autoRenewCerts'] === 'true',
@@ -68,8 +76,8 @@ export class SettingsHandler {
          }
          if (this.hasExternalGatewaySetting(updates)) {
-            this.refreshExternalGateway().catch((error) => {
+            this.refreshDcRouterGateway().catch((error) => {
-              logger.warn(`External gateway settings refresh failed: ${getErrorMessage(error)}`);
+              logger.warn(`dcrouter gateway settings refresh failed: ${getErrorMessage(error)}`);
            });
          }
@@ -104,16 +112,29 @@ export class SettingsHandler {
  private hasExternalGatewaySetting(settings: Partial<interfaces.data.ISettings>): boolean {
    return [
      'dcrouterMode',
      'dcrouterManagedImage',
      'dcrouterManagedOpsPort',
      'dcrouterManagedHttpPort',
      'dcrouterManagedHttpsPort',
      'dcrouterManagedDataDir',
      'dcrouterGatewayUrl',
      'dcrouterGatewayApiToken',
      'dcrouterGatewayClientId',
      'dcrouterWorkHosterId',
      'dcrouterTargetHost',
      'dcrouterTargetPort',
    ].some((key) => Object.prototype.hasOwnProperty.call(settings, key));
  }
-  private async refreshExternalGateway(): Promise<void> {
+  private async refreshDcRouterGateway(): Promise<void> {
    const onebox = this.opsServerRef.oneboxRef;
    if (onebox.managedDcRouter.getMode() === 'managed') {
      await onebox.managedDcRouter.restart();
    } else {
      await onebox.managedDcRouter.stop();
    }
    await onebox.externalGateway.syncDomains();
    const services = onebox.database.getAllServices().filter((service) => service.domain);
@@ -55,10 +55,6 @@ export const awsS3 = {
 import * as taskbuffer from '@push.rocks/taskbuffer';
 export { taskbuffer };
 // Crypto utilities (for password hashing, encryption)
 import * as bcrypt from 'https://deno.land/x/bcrypt@v0.4.1/mod.ts';
 export { bcrypt };
 // JWT for authentication
 import * as jwt from 'https://deno.land/x/djwt@v3.0.2/mod.ts';
 export { jwt};
@@ -9,6 +9,8 @@ export interface IService {
  image: string;
  registry?: string;
  envVars: Record<string, string>;
  volumes?: IServiceVolume[];
  publishedPorts?: IServicePublishedPort[];
  port: number;
  domain?: string;
  containerID?: string;
@@ -30,6 +32,27 @@ export interface IService {
  appTemplateVersion?: string;
 }
 export interface IServiceVolume {
  name?: string;
  source?: string;
  mountPath: string;
  driver?: string;
  readOnly?: boolean;
  backup?: boolean;
  options?: Record<string, string>;
 }
 export type TServicePortProtocol = 'tcp' | 'udp';
 export interface IServicePublishedPort {
  targetPort: number;
  targetPortEnd?: number;
  publishedPort?: number;
  publishedPortEnd?: number;
  protocol?: TServicePortProtocol;
  hostIp?: string;
 }
 // Registry types
 export interface IRegistry {
  id?: number;
@@ -259,8 +282,16 @@ export interface IAppSettings {
  serverIP?: string;
  cloudflareToken?: string;
  cloudflareZoneId?: string;
  dcrouterMode?: 'managed' | 'external' | 'disabled';
  dcrouterManagedImage?: string;
  dcrouterManagedOpsPort?: number;
  dcrouterManagedHttpPort?: number;
  dcrouterManagedHttpsPort?: number;
  dcrouterManagedDataDir?: string;
  dcrouterGatewayUrl?: string;
  dcrouterGatewayApiToken?: string;
  dcrouterGatewayClientId?: string;
  /** @deprecated Use dcrouterGatewayClientId. */
  dcrouterWorkHosterId?: string;
  dcrouterTargetHost?: string;
  dcrouterTargetPort?: number;
@@ -291,6 +322,8 @@ export interface IServiceDeployOptions {
  image: string;
  registry?: string;
  envVars?: Record<string, string>;
  volumes?: IServiceVolume[];
  publishedPorts?: IServicePublishedPort[];
  port: number;
  domain?: string;
  autoSSL?: boolean;
@@ -389,6 +422,8 @@ export interface IBackupServiceConfig {
  image: string;
  registry?: string;
  envVars: Record<string, string>;
  volumes?: IServiceVolume[];
  publishedPorts?: IServicePublishedPort[];
  port: number;
  domain?: string;
  useOneboxRegistry?: boolean;
@@ -1,17 +1,79 @@
-import * as plugins from '../plugins.ts';
+const pbkdf2HashPattern = /^pbkdf2-sha256\$(\d+)\$([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+)$/;
 const pbkdf2Iterations = 210_000;
 const pbkdf2KeyLengthBits = 256;
-const bcryptHashPattern = /^\$2[abxy]\$\d\d\$/;
+const bytesToBase64 = (bytesArg: Uint8Array): string => {
  let binary = '';
  for (const byte of bytesArg) {
    binary += String.fromCharCode(byte);
  }
  return btoa(binary);
 };
-export function isBcryptHash(passwordHash: string): boolean {
+const base64ToBytes = (base64Arg: string): Uint8Array => {
-  return bcryptHashPattern.test(passwordHash);
+  const binary = atob(base64Arg);
-}
+  const bytes = new Uint8Array(binary.length);
  for (let i = 0; i < binary.length; i++) {
    bytes[i] = binary.charCodeAt(i);
  }
  return bytes;
 };
-export function needsPasswordUpgrade(passwordHash: string): boolean {
+const timingSafeEqual = (aArg: Uint8Array, bArg: Uint8Array): boolean => {
-  return !isBcryptHash(passwordHash);
+  if (aArg.length !== bArg.length) {
    return false;
  }
  let diff = 0;
  for (let i = 0; i < aArg.length; i++) {
    diff |= aArg[i] ^ bArg[i];
  }
  return diff === 0;
 };
 const toArrayBuffer = (bytesArg: Uint8Array): ArrayBuffer => {
  return bytesArg.buffer.slice(
    bytesArg.byteOffset,
    bytesArg.byteOffset + bytesArg.byteLength,
  ) as ArrayBuffer;
 };
 const derivePasswordHash = async (
  passwordArg: string,
  saltArg: Uint8Array,
  iterationsArg: number,
 ): Promise<Uint8Array> => {
  const key = await crypto.subtle.importKey(
    'raw',
    new TextEncoder().encode(passwordArg),
    'PBKDF2',
    false,
    ['deriveBits'],
  );
  const bits = await crypto.subtle.deriveBits(
    {
      name: 'PBKDF2',
      hash: 'SHA-256',
      salt: toArrayBuffer(saltArg),
      iterations: iterationsArg,
    },
    key,
    pbkdf2KeyLengthBits,
  );
  return new Uint8Array(bits);
 };
 export function isPbkdf2Hash(passwordHash: string): boolean {
  return pbkdf2HashPattern.test(passwordHash);
 }
 export async function hashPassword(password: string): Promise<string> {
-  return await plugins.bcrypt.hash(password);
+  // Use Web Crypto only so compiled binaries do not depend on external worker files.
  const salt = crypto.getRandomValues(new Uint8Array(16));
  const hash = await derivePasswordHash(password, salt, pbkdf2Iterations);
  return `pbkdf2-sha256$${pbkdf2Iterations}$${bytesToBase64(salt)}$${bytesToBase64(hash)}`;
 }
 export async function verifyPassword(password: string, passwordHash: string): Promise<boolean> {
@@ -19,10 +81,14 @@ export async function verifyPassword(password: string, passwordHash: string): Pr
    return false;
  }
-  if (isBcryptHash(passwordHash)) {
+  const pbkdf2Match = passwordHash.match(pbkdf2HashPattern);
-    return await plugins.bcrypt.compare(password, passwordHash);
+  if (pbkdf2Match) {
    const iterations = Number(pbkdf2Match[1]);
    const salt = base64ToBytes(pbkdf2Match[2]);
    const expectedHash = base64ToBytes(pbkdf2Match[3]);
    const actualHash = await derivePasswordHash(password, salt, iterations);
    return timingSafeEqual(actualHash, expectedHash);
  }
-  // Legacy compatibility for older databases that stored base64-encoded passwords.
+  return false;
  return passwordHash === btoa(password);
 }
@@ -57,3 +57,40 @@ export interface IDnsRecord {
  createdAt: number;
  updatedAt: number;
 }
 export interface IGatewayDomain {
  id?: string;
  name: string;
  source?: 'dcrouter' | 'provider';
  authoritative?: boolean;
  providerId?: string;
  serviceCount?: number;
  managePath?: string;
  manageUrl?: string;
  capabilities?: {
    canCreateSubdomains: boolean;
    canManageDnsRecords: boolean;
    canIssueCertificates: boolean;
    canHostEmail: boolean;
  };
 }
 export interface IGatewayDnsRecord {
  id: string;
  domainId: string;
  domainName?: string;
  name: string;
  type: string;
  value: string;
  ttl: number;
  source: string;
  status: 'active' | 'missing';
  gatewayClientType: 'onebox' | 'cloudly' | 'custom';
  gatewayClientId: string;
  appId: string;
  hostname: string;
  routeId?: string;
  serviceName?: string;
  managePath?: string;
  manageUrl?: string;
 }
@@ -12,6 +12,8 @@ export interface IService {
  image: string;
  registry?: string;
  envVars: Record<string, string>;
  volumes?: IServiceVolume[];
  publishedPorts?: IServicePublishedPort[];
  port: number;
  domain?: string;
  containerID?: string;
@@ -33,12 +35,35 @@ export interface IService {
  appTemplateVersion?: string;
 }
 export interface IServiceVolume {
  name?: string;
  source?: string;
  mountPath: string;
  driver?: string;
  readOnly?: boolean;
  backup?: boolean;
  options?: Record<string, string>;
 }
 export type TServicePortProtocol = 'tcp' | 'udp';
 export interface IServicePublishedPort {
  targetPort: number;
  targetPortEnd?: number;
  publishedPort?: number;
  publishedPortEnd?: number;
  protocol?: TServicePortProtocol;
  hostIp?: string;
 }
 export interface IServiceCreate {
  name: string;
  image: string;
  port: number;
  domain?: string;
  envVars?: Record<string, string>;
  volumes?: IServiceVolume[];
  publishedPorts?: IServicePublishedPort[];
  useOneboxRegistry?: boolean;
  registryImageTag?: string;
  autoUpdateOnPush?: boolean;
@@ -57,6 +82,8 @@ export interface IServiceUpdate {
  port?: number;
  domain?: string;
  envVars?: Record<string, string>;
  volumes?: IServiceVolume[];
  publishedPorts?: IServicePublishedPort[];
 }
 export interface IContainerStats {
@@ -2,11 +2,35 @@
 * Settings data shapes for Onebox
 */
 export type TDcRouterMode = 'managed' | 'external' | 'disabled';
 export interface IManagedDcRouterStatus {
  mode: TDcRouterMode;
  configured: boolean;
  running: boolean;
  healthy: boolean;
  containerId?: string;
  image: string;
  gatewayUrl: string;
  opsPort: number;
  httpPort: number;
  httpsPort: number;
  message?: string;
 }
 export interface ISettings {
  cloudflareToken: string;
  cloudflareZoneId: string;
  dcrouterMode: TDcRouterMode;
  dcrouterManagedImage: string;
  dcrouterManagedOpsPort: number;
  dcrouterManagedHttpPort: number;
  dcrouterManagedHttpsPort: number;
  dcrouterManagedDataDir: string;
  dcrouterGatewayUrl: string;
  dcrouterGatewayApiToken: string;
  dcrouterGatewayClientId: string;
  /** @deprecated Use dcrouterGatewayClientId. */
  dcrouterWorkHosterId: string;
  dcrouterTargetHost: string;
  dcrouterTargetPort: number;
@@ -16,7 +16,8 @@ export interface IAppVersionConfig {
  image: string;
  port: number;
  envVars?: Array<{ key: string; value: string; description: string; required?: boolean }>;
-  volumes?: string[];
+  volumes?: Array<string | data.IServiceVolume>;
  publishedPorts?: data.IServicePublishedPort[];
  platformRequirements?: {
    mongodb?: boolean;
    s3?: boolean;
@@ -27,6 +28,17 @@ export interface IAppVersionConfig {
  minOneboxVersion?: string;
 }
 export interface IAppInstallOptions {
  appId: string;
  version?: string;
  serviceName: string;
  domain?: string;
  port?: number;
  publishedPorts?: data.IServicePublishedPort[];
  envVars?: Record<string, string>;
  autoDNS?: boolean;
 }
 export interface IAppMeta {
  id: string;
  name: string;
@@ -76,6 +88,20 @@ export interface IReq_GetAppConfig extends plugins.typedrequestInterfaces.implem
  };
 }
 export interface IReq_InstallAppTemplate extends plugins.typedrequestInterfaces.implementsTR<
  plugins.typedrequestInterfaces.ITypedRequest,
  IReq_InstallAppTemplate
 > {
  method: 'installAppTemplate';
  request: {
    identity: data.IIdentity;
    install: IAppInstallOptions;
  };
  response: {
    service: data.IService;
  };
 }
 export interface IReq_GetUpgradeableServices extends plugins.typedrequestInterfaces.implementsTR<
  plugins.typedrequestInterfaces.ITypedRequest,
  IReq_GetUpgradeableServices
@@ -56,3 +56,16 @@ export interface IReq_SyncDns extends plugins.typedrequestInterfaces.implementsT
    records: data.IDnsRecord[];
  };
 }
 export interface IReq_GetGatewayDnsRecords extends plugins.typedrequestInterfaces.implementsTR<
  plugins.typedrequestInterfaces.ITypedRequest,
  IReq_GetGatewayDnsRecords
 > {
  method: 'getGatewayDnsRecords';
  request: {
    identity: data.IIdentity;
  };
  response: {
    records: data.IGatewayDnsRecord[];
  };
 }
@@ -40,3 +40,16 @@ export interface IReq_SyncDomains extends plugins.typedrequestInterfaces.impleme
    domains: data.IDomainDetail[];
  };
 }
 export interface IReq_GetGatewayDomains extends plugins.typedrequestInterfaces.implementsTR<
  plugins.typedrequestInterfaces.ITypedRequest,
  IReq_GetGatewayDomains
 > {
  method: 'getGatewayDomains';
  request: {
    identity: data.IIdentity;
  };
  response: {
    domains: data.IGatewayDomain[];
  };
 }
@@ -54,3 +54,55 @@ export interface IReq_GetBackupPasswordStatus extends plugins.typedrequestInterf
    status: data.IBackupPasswordStatus;
  };
 }
 export interface IReq_GetManagedDcRouterStatus extends plugins.typedrequestInterfaces.implementsTR<
  plugins.typedrequestInterfaces.ITypedRequest,
  IReq_GetManagedDcRouterStatus
 > {
  method: 'getManagedDcRouterStatus';
  request: {
    identity: data.IIdentity;
  };
  response: {
    status: data.IManagedDcRouterStatus;
  };
 }
 export interface IReq_StartManagedDcRouter extends plugins.typedrequestInterfaces.implementsTR<
  plugins.typedrequestInterfaces.ITypedRequest,
  IReq_StartManagedDcRouter
 > {
  method: 'startManagedDcRouter';
  request: {
    identity: data.IIdentity;
  };
  response: {
    status: data.IManagedDcRouterStatus;
  };
 }
 export interface IReq_StopManagedDcRouter extends plugins.typedrequestInterfaces.implementsTR<
  plugins.typedrequestInterfaces.ITypedRequest,
  IReq_StopManagedDcRouter
 > {
  method: 'stopManagedDcRouter';
  request: {
    identity: data.IIdentity;
  };
  response: {
    status: data.IManagedDcRouterStatus;
  };
 }
 export interface IReq_RestartManagedDcRouter extends plugins.typedrequestInterfaces.implementsTR<
  plugins.typedrequestInterfaces.ITypedRequest,
  IReq_RestartManagedDcRouter
 > {
  method: 'restartManagedDcRouter';
  request: {
    identity: data.IIdentity;
  };
  response: {
    status: data.IManagedDcRouterStatus;
  };
 }
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@serve.zone/onebox',
-  version: '1.24.2',
+  version: '1.28.0',
  description: 'Self-hosted container platform with automatic SSL and DNS - a mini Heroku for single servers'
 }
@@ -36,6 +36,8 @@ export interface INetworkState {
  trafficStats: interfaces.data.ITrafficStats | null;
  dnsRecords: interfaces.data.IDnsRecord[];
  domains: interfaces.data.IDomainDetail[];
  gatewayDomains: interfaces.data.IGatewayDomain[];
  gatewayDnsRecords: interfaces.data.IGatewayDnsRecord[];
  certificates: interfaces.data.ICertificate[];
 }
@@ -52,6 +54,7 @@ export interface IBackupsState {
 export interface ISettingsState {
  settings: interfaces.data.ISettings | null;
  backupPasswordConfigured: boolean;
  managedDcRouterStatus: interfaces.data.IManagedDcRouterStatus | null;
 }
 export interface IAppStoreState {
@@ -61,6 +64,7 @@ export interface IAppStoreState {
 export interface IUiState {
  activeView: string;
  activeSubview: string | null;
  autoRefresh: boolean;
  refreshInterval: number;
  pendingAppTemplate?: any;
@@ -110,6 +114,8 @@ export const networkStatePart = await appState.getStatePart<INetworkState>(
    trafficStats: null,
    dnsRecords: [],
    domains: [],
    gatewayDomains: [],
    gatewayDnsRecords: [],
    certificates: [],
  },
  'soft',
@@ -138,6 +144,7 @@ export const settingsStatePart = await appState.getStatePart<ISettingsState>(
  {
    settings: null,
    backupPasswordConfigured: false,
    managedDcRouterStatus: null,
  },
  'soft',
 );
@@ -155,6 +162,7 @@ export const uiStatePart = await appState.getStatePart<IUiState>(
  'ui',
  {
    activeView: 'dashboard',
    activeSubview: null,
    autoRefresh: true,
    refreshInterval: 30000,
  },
@@ -628,6 +636,34 @@ export const fetchDomainsAction = networkStatePart.createAction(async (statePart
  }
 });
 export const fetchGatewayDomainsAction = networkStatePart.createAction(async (statePartArg) => {
  const context = getActionContext();
  try {
    const typedRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
      interfaces.requests.IReq_GetGatewayDomains
    >('/typedrequest', 'getGatewayDomains');
    const response = await typedRequest.fire({ identity: context.identity! });
    return { ...statePartArg.getState(), gatewayDomains: response.domains };
  } catch (err) {
    console.error('Failed to fetch gateway domains:', err);
    return statePartArg.getState();
  }
 });
 export const fetchGatewayDnsRecordsAction = networkStatePart.createAction(async (statePartArg) => {
  const context = getActionContext();
  try {
    const typedRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
      interfaces.requests.IReq_GetGatewayDnsRecords
    >('/typedrequest', 'getGatewayDnsRecords');
    const response = await typedRequest.fire({ identity: context.identity! });
    return { ...statePartArg.getState(), gatewayDnsRecords: response.records };
  } catch (err) {
    console.error('Failed to fetch gateway DNS records:', err);
    return statePartArg.getState();
  }
 });
 export const fetchCertificatesAction = networkStatePart.createAction(async (statePartArg) => {
  const context = getActionContext();
  try {
@@ -866,17 +902,21 @@ export const triggerScheduleAction = backupsStatePart.createAction<{ scheduleId:
 export const fetchSettingsAction = settingsStatePart.createAction(async (statePartArg) => {
  const context = getActionContext();
  try {
-    const [settingsResp, passwordResp] = await Promise.all([
+    const [settingsResp, passwordResp, managedDcRouterResp] = await Promise.all([
      new plugins.domtools.plugins.typedrequest.TypedRequest<
        interfaces.requests.IReq_GetSettings
      >('/typedrequest', 'getSettings').fire({ identity: context.identity! }),
      new plugins.domtools.plugins.typedrequest.TypedRequest<
        interfaces.requests.IReq_GetBackupPasswordStatus
      >('/typedrequest', 'getBackupPasswordStatus').fire({ identity: context.identity! }),
      new plugins.domtools.plugins.typedrequest.TypedRequest<
        interfaces.requests.IReq_GetManagedDcRouterStatus
      >('/typedrequest', 'getManagedDcRouterStatus').fire({ identity: context.identity! }),
    ]);
    return {
      settings: settingsResp.settings,
      backupPasswordConfigured: passwordResp.status.isConfigured,
      managedDcRouterStatus: managedDcRouterResp.status,
    };
  } catch (err) {
    console.error('Failed to fetch settings:', err);
@@ -903,6 +943,58 @@ export const updateSettingsAction = settingsStatePart.createAction<{
  }
 });
 export const fetchManagedDcRouterStatusAction = settingsStatePart.createAction(async (statePartArg) => {
  const context = getActionContext();
  try {
    const response = await new plugins.domtools.plugins.typedrequest.TypedRequest<
      interfaces.requests.IReq_GetManagedDcRouterStatus
    >('/typedrequest', 'getManagedDcRouterStatus').fire({ identity: context.identity! });
    return { ...statePartArg.getState(), managedDcRouterStatus: response.status };
  } catch (err) {
    console.error('Failed to fetch managed dcrouter status:', err);
    return statePartArg.getState();
  }
 });
 export const startManagedDcRouterAction = settingsStatePart.createAction(async (statePartArg) => {
  const context = getActionContext();
  try {
    const response = await new plugins.domtools.plugins.typedrequest.TypedRequest<
      interfaces.requests.IReq_StartManagedDcRouter
    >('/typedrequest', 'startManagedDcRouter').fire({ identity: context.identity! });
    return { ...statePartArg.getState(), managedDcRouterStatus: response.status };
  } catch (err) {
    console.error('Failed to start managed dcrouter:', err);
    return statePartArg.getState();
  }
 });
 export const stopManagedDcRouterAction = settingsStatePart.createAction(async (statePartArg) => {
  const context = getActionContext();
  try {
    const response = await new plugins.domtools.plugins.typedrequest.TypedRequest<
      interfaces.requests.IReq_StopManagedDcRouter
    >('/typedrequest', 'stopManagedDcRouter').fire({ identity: context.identity! });
    return { ...statePartArg.getState(), managedDcRouterStatus: response.status };
  } catch (err) {
    console.error('Failed to stop managed dcrouter:', err);
    return statePartArg.getState();
  }
 });
 export const restartManagedDcRouterAction = settingsStatePart.createAction(async (statePartArg) => {
  const context = getActionContext();
  try {
    const response = await new plugins.domtools.plugins.typedrequest.TypedRequest<
      interfaces.requests.IReq_RestartManagedDcRouter
    >('/typedrequest', 'restartManagedDcRouter').fire({ identity: context.identity! });
    return { ...statePartArg.getState(), managedDcRouterStatus: response.status };
  } catch (err) {
    console.error('Failed to restart managed dcrouter:', err);
    return statePartArg.getState();
  }
 });
 export const setBackupPasswordAction = settingsStatePart.createAction<{ password: string }>(
  async (statePartArg, dataArg) => {
    const context = getActionContext();
@@ -926,10 +1018,17 @@ export const setBackupPasswordAction = settingsStatePart.createAction<{ password
 // UI Actions
 // ============================================================================
-export const setActiveViewAction = uiStatePart.createAction<{ view: string }>(
+export const setActiveViewAction = uiStatePart.createAction<{ view: string; subview?: string | null }>(
  async (statePartArg, dataArg) => {
    const normalizedView = dataArg.view.toLowerCase().replace(/\s+/g, '-');
-    return { ...statePartArg.getState(), activeView: normalizedView };
+    const normalizedSubview = dataArg.subview
      ? dataArg.subview.toLowerCase().replace(/\s+/g, '-')
      : null;
    return {
      ...statePartArg.getState(),
      activeView: normalizedView,
      activeSubview: normalizedSubview,
    };
  },
 );
@@ -949,7 +1048,10 @@ const dispatchCombinedRefreshAction = async () => {
  if (!loginState.isLoggedIn) return;
  try {
-    await systemStatePart.dispatchAction(fetchSystemStatusAction, null);
+    await Promise.all([
      systemStatePart.dispatchAction(fetchSystemStatusAction, null),
      networkStatePart.dispatchAction(fetchTrafficStatsAction, null),
    ]);
  } catch (err) {
    // Silently fail on auto-refresh
  }
@@ -12,12 +12,21 @@ import {
  type TemplateResult,
 } from '@design.estate/dees-element';
-import type { ObViewDashboard } from './ob-view-dashboard.js';
+interface IUnresolvedView {
-import type { ObViewServices } from './ob-view-services.js';
+  slug?: string;
-import type { ObViewNetwork } from './ob-view-network.js';
+  name: string;
-import type { ObViewRegistries } from './ob-view-registries.js';
+  iconName?: string;
-import type { ObViewTokens } from './ob-view-tokens.js';
+  element?: Promise<any>;
-import type { ObViewSettings } from './ob-view-settings.js';
+  subViews?: IUnresolvedView[];
 }
 interface IResolvedView {
  slug?: string;
  name: string;
  iconName?: string;
  element?: any;
  subViews?: IResolvedView[];
 }
@customElement('ob-app-shell')
 export class ObAppShell extends DeesElement {
@@ -27,6 +36,7 @@ export class ObAppShell extends DeesElement {
  @state()
  accessor uiState: appstate.IUiState = {
    activeView: 'dashboard',
    activeSubview: null,
    autoRefresh: true,
    refreshInterval: 30000,
  };
@@ -37,25 +47,93 @@ export class ObAppShell extends DeesElement {
  @state()
  accessor loginError: string = '';
-  private viewTabs = [
+  private viewTabs: IUnresolvedView[] = [
-    { name: 'Dashboard', iconName: 'lucide:layoutDashboard', element: (async () => (await import('./ob-view-dashboard.js')).ObViewDashboard)() },
+    {
-    { name: 'App Store', iconName: 'lucide:store', element: (async () => (await import('./ob-view-appstore.js')).ObViewAppStore)() },
+      slug: 'dashboard',
-    { name: 'Services', iconName: 'lucide:boxes', element: (async () => (await import('./ob-view-services.js')).ObViewServices)() },
+      name: 'Dashboard',
-    { name: 'Network', iconName: 'lucide:network', element: (async () => (await import('./ob-view-network.js')).ObViewNetwork)() },
+      iconName: 'lucide:layoutDashboard',
-    { name: 'Registries', iconName: 'lucide:package', element: (async () => (await import('./ob-view-registries.js')).ObViewRegistries)() },
+      element: (async () => (await import('./ob-view-dashboard.js')).ObViewDashboard)(),
-    { name: 'Tokens', iconName: 'lucide:key', element: (async () => (await import('./ob-view-tokens.js')).ObViewTokens)() },
+    },
-    { name: 'Settings', iconName: 'lucide:settings', element: (async () => (await import('./ob-view-settings.js')).ObViewSettings)() },
+    {
      slug: 'apps',
      name: 'Apps',
      iconName: 'lucide:store',
      subViews: [
        {
          slug: 'app-store',
          name: 'App Store',
          iconName: 'lucide:store',
          element: (async () => (await import('./ob-view-appstore.js')).ObViewAppStore)(),
        },
        {
          slug: 'services',
          name: 'Services',
          iconName: 'lucide:boxes',
          element: (async () => (await import('./ob-view-services.js')).ObViewServices)(),
        },
      ],
    },
    {
      slug: 'network',
      name: 'Network',
      iconName: 'lucide:network',
      subViews: [
        {
          slug: 'proxy',
          name: 'Proxy',
          iconName: 'lucide:route',
          element: (async () => (await import('./ob-view-network.js')).ObViewNetwork)(),
        },
        {
          slug: 'domains',
          name: 'Domains',
          iconName: 'lucide:globe',
          element: (async () => (await import('./ob-view-domains.js')).ObViewDomains)(),
        },
        {
          slug: 'dns-records',
          name: 'DNS Records',
          iconName: 'lucide:listTree',
          element: (async () => (await import('./ob-view-dns-records.js')).ObViewDnsRecords)(),
        },
      ],
    },
    {
      slug: 'registry',
      name: 'Registry',
      iconName: 'lucide:package',
      subViews: [
        {
          slug: 'registries',
          name: 'Registries',
          iconName: 'lucide:package',
          element: (async () => (await import('./ob-view-registries.js')).ObViewRegistries)(),
        },
        {
          slug: 'tokens',
          name: 'Tokens',
          iconName: 'lucide:key',
          element: (async () => (await import('./ob-view-tokens.js')).ObViewTokens)(),
        },
      ],
    },
    {
      slug: 'settings',
      name: 'Settings',
      iconName: 'lucide:settings',
      element: (async () => (await import('./ob-view-settings.js')).ObViewSettings)(),
    },
  ];
-  private resolvedViewTabs: Array<{ name: string; iconName?: string; element: any }> = [];
+  private resolvedViewTabs: IResolvedView[] = [];
  constructor() {
    super();
    document.title = 'Onebox';
    const loginSubscription = appstate.loginStatePart
-      .select((stateArg) => stateArg)
+      .select((stateArg: appstate.ILoginState) => stateArg)
-      .subscribe((loginState) => {
+      .subscribe((loginState: appstate.ILoginState) => {
        this.loginState = loginState;
        if (loginState.isLoggedIn) {
          appstate.systemStatePart.dispatchAction(appstate.fetchSystemStatusAction, null);
@@ -64,15 +142,56 @@ export class ObAppShell extends DeesElement {
    this.rxSubscriptions.push(loginSubscription);
    const uiSubscription = appstate.uiStatePart
-      .select((stateArg) => stateArg)
+      .select((stateArg: appstate.IUiState) => stateArg)
-      .subscribe((uiState) => {
+      .subscribe((uiState: appstate.IUiState) => {
        this.uiState = uiState;
-        this.syncAppdashView(uiState.activeView);
+        this.syncAppdashView(uiState.activeView, uiState.activeSubview);
      });
    this.rxSubscriptions.push(uiSubscription);
  }
-  public static styles = [
+  private async resolveViewTabs(tabs: IUnresolvedView[]): Promise<IResolvedView[]> {
    return Promise.all(
      tabs.map(async (tab) => {
        const resolvedTab: IResolvedView = {
          slug: tab.slug,
          name: tab.name,
          iconName: tab.iconName,
        };
        if (tab.element) {
          resolvedTab.element = await tab.element;
        }
        if (tab.subViews) {
          resolvedTab.subViews = await this.resolveViewTabs(tab.subViews);
        }
        return resolvedTab;
      }),
    );
  }
  private slugFor(view: IResolvedView): string {
    return view.slug ?? view.name.toLowerCase().replace(/\s+/g, '-');
  }
  private findParent(view: IResolvedView): IResolvedView | undefined {
    return this.resolvedViewTabs.find((viewTab) => viewTab.subViews?.includes(view));
  }
  private findViewBySlug(viewSlug: string, subviewSlug: string | null): IResolvedView | undefined {
    const topLevelView = this.resolvedViewTabs.find((view) => this.slugFor(view) === viewSlug);
    if (!topLevelView) return undefined;
    if (subviewSlug && topLevelView.subViews) {
      return topLevelView.subViews.find((subview) => this.slugFor(subview) === subviewSlug) ?? topLevelView;
    }
    return topLevelView;
  }
  private get currentViewTab(): IResolvedView | undefined {
    if (this.resolvedViewTabs.length === 0) return undefined;
    return this.findViewBySlug(this.uiState.activeView, this.uiState.activeSubview) ?? this.resolvedViewTabs[0];
  }
  public static override styles = [
    cssManager.defaultStyles,
    css`
      :host {
@@ -87,16 +206,14 @@ export class ObAppShell extends DeesElement {
    `,
  ];
-  public render(): TemplateResult {
+  public override render(): TemplateResult {
    return html`
      <div class="maincontainer">
        <dees-simple-login name="Onebox">
          <dees-simple-appdash
            name="Onebox"
            .viewTabs=${this.resolvedViewTabs}
-            .selectedView=${this.resolvedViewTabs.find(
+            .selectedView=${this.currentViewTab}
              (t) => t.name.toLowerCase().replace(/\s+/g, '-') === this.uiState.activeView
            ) || this.resolvedViewTabs[0]}
          >
          </dees-simple-appdash>
        </dees-simple-login>
@@ -104,15 +221,8 @@ export class ObAppShell extends DeesElement {
    `;
  }
-  public async firstUpdated() {
+  public override async firstUpdated() {
-    // Resolve async view tab imports
+    this.resolvedViewTabs = await this.resolveViewTabs(this.viewTabs);
    this.resolvedViewTabs = await Promise.all(
      this.viewTabs.map(async (tab) => ({
        name: tab.name,
        iconName: tab.iconName,
        element: await tab.element,
      })),
    );
    this.requestUpdate();
    await this.updateComplete;
@@ -126,34 +236,44 @@ export class ObAppShell extends DeesElement {
    const appDash = this.shadowRoot!.querySelector('dees-simple-appdash') as any;
    if (appDash) {
      appDash.addEventListener('view-select', (e: CustomEvent) => {
-        const viewName = e.detail.view.name.toLowerCase().replace(/\s+/g, '-');
+        const view = e.detail.view as IResolvedView;
-        appRouter.navigateToView(viewName);
+        const parent = this.findParent(view);
        const currentState = appstate.uiStatePart.getState();
        if (parent) {
          const parentSlug = this.slugFor(parent);
          const subviewSlug = this.slugFor(view);
          if (currentState.activeView === parentSlug && currentState.activeSubview === subviewSlug) {
            return;
          }
          appRouter.navigateToView(parentSlug, subviewSlug);
        } else {
          const slug = this.slugFor(view);
          if (currentState.activeView === slug && !currentState.activeSubview) {
            return;
          }
          appRouter.navigateToView(slug);
        }
      });
      appDash.addEventListener('logout', async () => {
        await appstate.loginStatePart.dispatchAction(appstate.logoutAction, null);
      });
    }
    // Load the initial view on the appdash now that tabs are resolved
    // Read activeView directly from state (not this.uiState which may be stale)
    if (appDash && this.resolvedViewTabs.length > 0) {
-      const currentActiveView = appstate.uiStatePart.getState().activeView;
+      const currentUiState = appstate.uiStatePart.getState();
-      const initialView = this.resolvedViewTabs.find(
+      const initialView =
-        (t) => t.name.toLowerCase().replace(/\s+/g, '-') === currentActiveView,
+        this.findViewBySlug(currentUiState.activeView, currentUiState.activeSubview) ||
-      ) || this.resolvedViewTabs[0];
+        this.resolvedViewTabs[0];
      await appDash.loadView(initialView);
    }
    // Check for stored session (persistent login state)
    const loginState = appstate.loginStatePart.getState();
    if (loginState.identity?.jwt) {
      if (loginState.identity.expiresAt > Date.now()) {
        // Switch to dashboard immediately (no flash of login form)
        this.loginState = loginState;
        if (simpleLogin) {
          await simpleLogin.switchToSlottedContent();
        }
        // Validate token with server in the background
        try {
          const typedRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
            interfaces.requests.IReq_GetSystemStatus
@@ -161,11 +281,9 @@ export class ObAppShell extends DeesElement {
          const response = await typedRequest.fire({ identity: loginState.identity });
          appstate.systemStatePart.setState({ status: response.status });
        } catch (err) {
          // Token rejected by server - switch back to login
          console.warn('Stored session invalid, returning to login:', err);
          await appstate.loginStatePart.dispatchAction(appstate.logoutAction, null);
          if (simpleLogin) {
            // Force page reload to show login properly
            window.location.reload();
          }
        }
@@ -206,14 +324,13 @@ export class ObAppShell extends DeesElement {
    }
  }
-  private syncAppdashView(viewName: string): void {
+  private syncAppdashView(viewName: string, subviewName: string | null): void {
    const appDash = this.shadowRoot?.querySelector('dees-simple-appdash') as any;
    if (!appDash || this.resolvedViewTabs.length === 0) return;
-    // Match kebab-case view name (e.g., 'app-store') to tab name (e.g., 'App Store')
+
-    const targetTab = this.resolvedViewTabs.find(
+    const targetTab = this.findViewBySlug(viewName, subviewName);
-      (t) => t.name.toLowerCase().replace(/\s+/g, '-') === viewName
+    if (!targetTab || appDash.selectedView === targetTab) return;
-    );
+
    if (!targetTab) return;
    appDash.loadView(targetTab);
  }
 }
@@ -288,6 +288,34 @@ export class ObViewAppStore extends DeesElement {
        text-align: center;
        color: var(--ci-shade-4, #71717a);
      }
      .footprint-list {
        display: grid;
        gap: 8px;
      }
      .footprint-item {
        display: flex;
        justify-content: space-between;
        gap: 12px;
        padding: 10px 12px;
        border: 1px solid var(--ci-shade-2, #27272a);
        border-radius: 6px;
        font-size: 13px;
        color: var(--ci-shade-6, #d4d4d8);
      }
      .footprint-meta {
        color: var(--ci-shade-4, #71717a);
        font-family: monospace;
      }
      .exposure-warning {
        margin-top: 10px;
        color: #fbbf24;
        font-size: 12px;
        line-height: 1.5;
      }
    `,
  ];
@@ -410,6 +438,8 @@ export class ObViewAppStore extends DeesElement {
        </div>
      ` : ''}
      ${this.renderDeploymentFootprint(config)}
      <!-- Version & Image -->
      <div class="detail-card">
        <div class="section-label">Version</div>
@@ -489,6 +519,8 @@ export class ObViewAppStore extends DeesElement {
            Onebox routes this domain to the deployed app. Required when the app uses SERVICE_DOMAIN.
          </div>
          ${this.renderDeployConfirmation(config)}
          <div class="actions-row">
            <button class="btn btn-secondary" @click=${() => { this.currentView = 'grid'; }}>Cancel</button>
            <button class="btn btn-primary" @click=${() => this.handleDeploy()}>
@@ -509,6 +541,73 @@ export class ObViewAppStore extends DeesElement {
    `;
  }
  private renderDeploymentFootprint(config: interfaces.requests.IAppVersionConfig): TemplateResult | '' {
    const volumes = this.getConfigVolumes(config);
    const publishedPorts = config.publishedPorts || [];
    if (volumes.length === 0 && publishedPorts.length === 0) {
      return '';
    }
    return html`
      <div class="detail-card">
        <div class="section-label">Deployment Footprint</div>
        <div class="footprint-list">
          ${volumes.map((volume) => html`
            <div class="footprint-item">
              <span>Volume mount</span>
              <span class="footprint-meta">
                ${volume.source || volume.name || 'managed volume'}:${volume.mountPath}${volume.readOnly ? ':ro' : ''}
              </span>
            </div>
          `)}
          ${publishedPorts.map((port) => html`
            <div class="footprint-item">
              <span>Published host port</span>
              <span class="footprint-meta">${this.formatPublishedPort(port)}</span>
            </div>
          `)}
        </div>
        ${publishedPorts.length > 0 ? html`
          <div class="exposure-warning">
            This app publishes raw host ports outside the HTTP proxy. Confirm firewall and network policy before deploying.
          </div>
        ` : ''}
      </div>
    `;
  }
  private renderDeployConfirmation(config: interfaces.requests.IAppVersionConfig): TemplateResult | '' {
    const volumes = this.getConfigVolumes(config);
    const publishedPorts = config.publishedPorts || [];
    if (volumes.length === 0 && publishedPorts.length === 0) return '';
    return html`
      <div class="exposure-warning">
        Deploying this app will create ${volumes.length} persistent volume(s)
        ${publishedPorts.length > 0 ? html`and expose ${publishedPorts.length} host port declaration(s)` : ''}.
      </div>
    `;
  }
  private getConfigVolumes(config: interfaces.requests.IAppVersionConfig): interfaces.data.IServiceVolume[] {
    return (config.volumes || []).map((volume) => {
      if (typeof volume === 'string') {
        return { mountPath: volume };
      }
      return volume;
    }).filter((volume) => Boolean(volume.mountPath));
  }
  private formatPublishedPort(port: interfaces.data.IServicePublishedPort): string {
    const protocol = port.protocol || 'tcp';
    const target = port.targetPortEnd ? `${port.targetPort}-${port.targetPortEnd}` : String(port.targetPort);
    const publishedStart = port.publishedPort || port.targetPort;
    const publishedEnd = port.publishedPortEnd || (port.targetPortEnd ? publishedStart + (port.targetPortEnd - port.targetPort) : undefined);
    const published = publishedEnd ? `${publishedStart}-${publishedEnd}` : String(publishedStart);
    return `${port.hostIp || '0.0.0.0'}:${published}/${protocol} -> ${target}/${protocol}`;
  }
  private async handleViewDetails(e: CustomEvent) {
    const app = e.detail?.app;
    if (!app) return;
@@ -625,25 +724,21 @@ export class ObViewAppStore extends DeesElement {
      }
    }
    const platformReqs = config.platformRequirements || {};
    const serviceConfig: interfaces.data.IServiceCreate = {
      name: this.serviceName || app.id,
      image: config.image,
      port: config.port || 80,
      domain: this.serviceDomain || undefined,
      envVars,
      enableMongoDB: platformReqs.mongodb || false,
      enableS3: platformReqs.s3 || false,
      enableClickHouse: platformReqs.clickhouse || false,
      enableRedis: platformReqs.redis || false,
      enableMariaDB: platformReqs.mariadb || false,
      appTemplateId: app.id,
      appTemplateVersion: this.selectedVersion,
    };
    try {
-      await appstate.servicesStatePart.dispatchAction(appstate.createServiceAction, {
+      const identity = appstate.loginStatePart.getState().identity;
-        config: serviceConfig,
+      if (!identity) return;
      const typedRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
        interfaces.requests.IReq_InstallAppTemplate
      >('/typedrequest', 'installAppTemplate');
      await typedRequest.fire({
        identity,
        install: {
          appId: app.id,
          version: this.selectedVersion,
          serviceName: this.serviceName || app.id,
          domain: this.serviceDomain || undefined,
          envVars,
        },
      });
      setTimeout(() => {
        appRouter.navigateToView('services');
@@ -12,6 +12,20 @@ import {
  type TemplateResult,
 } from '@design.estate/dees-element';
 const byteUnits = ['B', 'KB', 'MB', 'GB', 'TB'];
 function getByteUnitIndex(bytes: number): number {
  if (!bytes || bytes === 0) return 0;
  return Math.min(Math.floor(Math.log(bytes) / Math.log(1024)), byteUnits.length - 1);
 }
 function formatBytes(bytes: number, forcedUnitIndex?: number): string {
  if ((!bytes || bytes === 0) && forcedUnitIndex === undefined) return '0 B';
  const unitIndex = forcedUnitIndex ?? getByteUnitIndex(bytes);
  const value = bytes / Math.pow(1024, unitIndex);
  return `${value.toFixed(1)} ${byteUnits[unitIndex]}`;
 }
@customElement('ob-view-dashboard')
 export class ObViewDashboard extends DeesElement {
  @state()
@@ -36,6 +50,8 @@ export class ObViewDashboard extends DeesElement {
    trafficStats: null,
    dnsRecords: [],
    domains: [],
    gatewayDomains: [],
    gatewayDnsRecords: [],
    certificates: [],
  };
@@ -67,7 +83,42 @@ export class ObViewDashboard extends DeesElement {
  public static styles = [
    cssManager.defaultStyles,
    shared.viewHostCss,
-    css``,
+    css`
      .dashboard {
        display: flex;
        flex-direction: column;
        gap: 24px;
      }
      .section {
        display: flex;
        flex-direction: column;
      }
      .section-title {
        font-size: 18px;
        font-weight: 600;
        color: ${cssManager.bdTheme('#18181b', '#fafafa')};
        margin: 0 0 12px;
      }
      .services-grid {
        display: grid;
        grid-template-columns: 1fr;
        gap: 16px;
        align-items: stretch;
      }
      .services-grid > * {
        height: 100%;
      }
      @media (min-width: 768px) {
        .services-grid {
          grid-template-columns: 1fr 1fr;
        }
      }
    `,
  ];
  async connectedCallback() {
@@ -77,6 +128,7 @@ export class ObViewDashboard extends DeesElement {
      appstate.servicesStatePart.dispatchAction(appstate.fetchServicesAction, null),
      appstate.servicesStatePart.dispatchAction(appstate.fetchPlatformServicesAction, null),
      appstate.networkStatePart.dispatchAction(appstate.fetchNetworkStatsAction, null),
      appstate.networkStatePart.dispatchAction(appstate.fetchTrafficStatsAction, null),
      appstate.networkStatePart.dispatchAction(appstate.fetchCertificatesAction, null),
    ]);
  }
@@ -86,10 +138,15 @@ export class ObViewDashboard extends DeesElement {
    const services = this.servicesState.services;
    const platformServices = this.servicesState.platformServices;
    const networkStats = this.networkState.stats;
    const trafficStats = this.networkState.trafficStats;
    const certificates = this.networkState.certificates;
    const statusCounts = trafficStats?.statusCounts || {};
    const runningServices = services.filter((s) => s.status === 'running').length;
    const stoppedServices = services.filter((s) => s.status === 'stopped').length;
    const memoryUnitIndex = getByteUnitIndex(
      status?.docker?.memoryTotal || status?.docker?.memoryUsage || 0,
    );
    const validCerts = certificates.filter((c) => c.isValid).length;
    const expiringCerts = certificates.filter(
@@ -97,65 +154,98 @@ export class ObViewDashboard extends DeesElement {
    ).length;
    const expiredCerts = certificates.filter((c) => !c.isValid).length;
    const dashboardData = {
      cluster: {
        totalServices: services.length,
        running: runningServices,
        stopped: stoppedServices,
        dockerStatus: status?.docker?.running ? 'running' as const : 'stopped' as const,
      },
      resourceUsage: {
        cpu: status?.docker?.cpuUsage || 0,
        memoryUsed: formatBytes(status?.docker?.memoryUsage || 0, memoryUnitIndex),
        memoryTotal: formatBytes(status?.docker?.memoryTotal || 0, memoryUnitIndex),
        networkIn: formatBytes(status?.docker?.networkIn || 0),
        networkOut: formatBytes(status?.docker?.networkOut || 0),
        topConsumers: [],
      },
      platformServices: platformServices
        .filter((ps) => ps.status === 'running' || ps.status === 'starting' || ps.status === 'stopping' || ps.isCore)
        .map((ps) => ({
          name: ps.displayName,
          status: ps.status === 'running' ? 'Running' : ps.status === 'starting' ? 'Starting...' : ps.status === 'stopping' ? 'Stopping...' : 'Stopped',
          running: ps.status === 'running',
        })),
      traffic: {
        requests: trafficStats?.requestCount || 0,
        errors: trafficStats?.errorCount || 0,
        errorPercent: trafficStats?.errorRate || 0,
        avgResponse: trafficStats?.avgResponseTime || 0,
        reqPerMin: trafficStats?.requestsPerMinute || 0,
        status2xx: statusCounts['2xx'] || 0,
        status3xx: statusCounts['3xx'] || 0,
        status4xx: statusCounts['4xx'] || 0,
        status5xx: statusCounts['5xx'] || 0,
      },
      proxy: {
        httpPort: String(networkStats?.proxy?.httpPort || 80),
        httpsPort: String(networkStats?.proxy?.httpsPort || 443),
        httpActive: networkStats?.proxy?.running || false,
        httpsActive: networkStats?.proxy?.running || false,
        routeCount: String(networkStats?.proxy?.routes || 0),
      },
      certificates: {
        valid: validCerts,
        expiring: expiringCerts,
        expired: expiredCerts,
      },
      dnsConfigured: status?.dns?.configured || false,
      acmeConfigured: status?.ssl?.configured || false,
      quickActions: [
        { label: 'Deploy Service', icon: 'lucide:Plus', primary: true },
        { label: 'Add Domain', icon: 'lucide:Globe' },
        { label: 'View Logs', icon: 'lucide:FileText' },
      ],
    };
    return html`
      <ob-sectionheading>Dashboard</ob-sectionheading>
-      <sz-dashboard-view
+      <div class="dashboard">
-        .data=${{
+        <section class="section">
-          cluster: {
+          <h2 class="section-title">Cluster Overview</h2>
-            totalServices: services.length,
+          <sz-status-grid-cluster .stats=${dashboardData.cluster}></sz-status-grid-cluster>
-            running: runningServices,
+        </section>
-            stopped: stoppedServices,
+
-            dockerStatus: status?.docker?.running ? 'running' : 'stopped',
+        <section class="section">
-          },
+          <h2 class="section-title">Services & Resources</h2>
-          resourceUsage: {
+          <div class="services-grid">
-            cpu: status?.docker?.cpuUsage || 0,
+            <sz-resource-usage-card .data=${dashboardData.resourceUsage}></sz-resource-usage-card>
-            memoryUsed: status?.docker?.memoryUsage || 0,
+            <sz-platform-services-card
-            memoryTotal: status?.docker?.memoryTotal || 0,
+              .services=${dashboardData.platformServices}
-            networkIn: status?.docker?.networkIn || 0,
+              @service-click=${(e: CustomEvent) => this.handlePlatformServiceClick(e)}
-            networkOut: status?.docker?.networkOut || 0,
+            ></sz-platform-services-card>
-            topConsumers: [],
+          </div>
-          },
+        </section>
-          platformServices: platformServices
+
-            .filter((ps) => ps.status === 'running' || ps.status === 'starting' || ps.status === 'stopping' || ps.isCore)
+        <section class="section">
-            .map((ps) => ({
+          <h2 class="section-title">Network & Traffic</h2>
-              name: ps.displayName,
+          <sz-status-grid-network
-              status: ps.status === 'running' ? 'Running' : ps.status === 'starting' ? 'Starting...' : ps.status === 'stopping' ? 'Stopping...' : 'Stopped',
+            .traffic=${dashboardData.traffic}
-              running: ps.status === 'running',
+            .proxy=${dashboardData.proxy}
-            })),
+            .certificates=${dashboardData.certificates}
-          traffic: {
+          ></sz-status-grid-network>
-            requests: 0,
+        </section>
-            errors: 0,
+
-            errorPercent: 0,
+        <section class="section">
-            avgResponse: 0,
+          <h2 class="section-title">Infrastructure</h2>
-            reqPerMin: 0,
+          <sz-status-grid-infra
-            status2xx: 0,
+            ?dnsConfigured=${dashboardData.dnsConfigured}
-            status3xx: 0,
+            ?acmeConfigured=${dashboardData.acmeConfigured}
-            status4xx: 0,
+            .actions=${dashboardData.quickActions}
-            status5xx: 0,
+            @action-click=${(e: CustomEvent) => this.handleQuickAction(e)}
-          },
+          ></sz-status-grid-infra>
-          proxy: {
+        </section>
-            httpPort: networkStats?.proxy?.httpPort || 80,
+      </div>
            httpsPort: networkStats?.proxy?.httpsPort || 443,
            httpActive: networkStats?.proxy?.running || false,
            httpsActive: networkStats?.proxy?.running || false,
            routeCount: networkStats?.proxy?.routes || 0,
          },
          certificates: {
            valid: validCerts,
            expiring: expiringCerts,
            expired: expiredCerts,
          },
          dnsConfigured: true,
          acmeConfigured: true,
          quickActions: [
            { label: 'Deploy Service', icon: 'lucide:Plus', primary: true },
            { label: 'Add Domain', icon: 'lucide:Globe' },
            { label: 'View Logs', icon: 'lucide:FileText' },
          ],
        }}
        @action-click=${(e: CustomEvent) => this.handleQuickAction(e)}
        @service-click=${(e: CustomEvent) => this.handlePlatformServiceClick(e)}
      ></sz-dashboard-view>
    `;
  }
@@ -0,0 +1,117 @@
 import * as shared from './shared/index.js';
 import * as plugins from '../plugins.js';
 import * as appstate from '../appstate.js';
 import { appRouter } from '../router.js';
 import {
  DeesElement,
  customElement,
  html,
  state,
  css,
  cssManager,
  type TemplateResult,
 } from '@design.estate/dees-element';
 type TGatewayDnsRecord = appstate.INetworkState['gatewayDnsRecords'][number];
@customElement('ob-view-dns-records')
 export class ObViewDnsRecords extends DeesElement {
  @state()
  accessor networkState: appstate.INetworkState = {
    targets: [],
    stats: null,
    trafficStats: null,
    dnsRecords: [],
    domains: [],
    gatewayDomains: [],
    gatewayDnsRecords: [],
    certificates: [],
  };
  constructor() {
    super();
    const networkSub = appstate.networkStatePart.select((s) => s).subscribe((newState) => {
      this.networkState = newState;
    });
    this.rxSubscriptions.push(networkSub);
  }
  public static styles = [
    cssManager.defaultStyles,
    shared.viewHostCss,
    css`
      .name { font-weight: 600; }
      .value { font-family: monospace; color: var(--ci-shade-5, #71717a); overflow-wrap: anywhere; }
      .muted { color: var(--ci-shade-5, #71717a); font-size: 13px; }
      .badge { border-radius: 999px; padding: 3px 8px; background: var(--ci-shade-1, #f4f4f5); font-size: 12px; }
      .missing { color: #dc2626; }
      .empty { padding: 32px; text-align: center; color: var(--ci-shade-5, #71717a); }
    `,
  ];
  async connectedCallback() {
    super.connectedCallback();
    await appstate.networkStatePart.dispatchAction(appstate.fetchGatewayDnsRecordsAction, null);
  }
  public render(): TemplateResult {
    const records = this.networkState.gatewayDnsRecords;
    return html`
      <ob-sectionheading>DNS Records</ob-sectionheading>
      ${records.length
        ? html`
            <dees-table
              .heading1=${'Gateway DNS Records'}
              .heading2=${'DNS records published through dcrouter for Onebox services'}
              .data=${records}
              .showColumnFilters=${true}
              .displayFunction=${(record: TGatewayDnsRecord) => ({
                Name: html`
                  <div>
                    <div class="name">${record.name}</div>
                    ${record.domainName ? html`<div class="muted">${record.domainName}</div>` : ''}
                  </div>
                `,
                Type: html`<span class="badge">${record.type}</span>`,
                Value: html`<span class="value">${record.value || '-'}</span>`,
                Status: html`<span class=${record.status === 'missing' ? 'missing' : ''}>${record.status}</span>`,
                Service: record.serviceName || record.appId || '-',
              })}
              .dataActions=${[
                {
                  name: 'Refresh',
                  iconName: 'lucide:rotateCw',
                  type: ['header'],
                  actionFunc: async () => {
                    await appstate.networkStatePart.dispatchAction(
                      appstate.fetchGatewayDnsRecordsAction,
                      null,
                    );
                  },
                },
                {
                  name: 'View service',
                  iconName: 'lucide:boxes',
                  type: ['inRow', 'contextmenu'],
                  actionFunc: async () => {
                    appRouter.navigateToView('services');
                  },
                },
                {
                  name: 'Manage in dcrouter',
                  iconName: 'lucide:externalLink',
                  type: ['inRow', 'contextmenu'],
                  actionRelevancyCheckFunc: (record: TGatewayDnsRecord) => !!record.manageUrl,
                  actionFunc: async (actionData: plugins.deesCatalog.ITableActionDataArg<TGatewayDnsRecord>) => {
                    if (actionData.item.manageUrl) {
                      globalThis.open(actionData.item.manageUrl, '_blank', 'noopener');
                    }
                  },
                },
              ] as plugins.deesCatalog.ITableAction<TGatewayDnsRecord>[]}
            ></dees-table>
          `
        : html`<div class="empty">No gateway DNS records found. Configure a dcrouter gateway in Settings.</div>`}
    `;
  }
 }
@@ -0,0 +1,108 @@
 import * as shared from './shared/index.js';
 import * as plugins from '../plugins.js';
 import * as appstate from '../appstate.js';
 import {
  DeesElement,
  customElement,
  html,
  state,
  css,
  cssManager,
  type TemplateResult,
 } from '@design.estate/dees-element';
 type TGatewayDomain = appstate.INetworkState['gatewayDomains'][number];
@customElement('ob-view-domains')
 export class ObViewDomains extends DeesElement {
  @state()
  accessor networkState: appstate.INetworkState = {
    targets: [],
    stats: null,
    trafficStats: null,
    dnsRecords: [],
    domains: [],
    gatewayDomains: [],
    gatewayDnsRecords: [],
    certificates: [],
  };
  constructor() {
    super();
    const networkSub = appstate.networkStatePart.select((s) => s).subscribe((newState) => {
      this.networkState = newState;
    });
    this.rxSubscriptions.push(networkSub);
  }
  public static styles = [
    cssManager.defaultStyles,
    shared.viewHostCss,
    css`
      .domain { font-weight: 600; }
      .muted { color: var(--ci-shade-5, #71717a); font-size: 13px; }
      .badge { border-radius: 999px; padding: 3px 8px; background: var(--ci-shade-1, #f4f4f5); font-size: 12px; }
      .empty { padding: 32px; text-align: center; color: var(--ci-shade-5, #71717a); }
    `,
  ];
  async connectedCallback() {
    super.connectedCallback();
    await appstate.networkStatePart.dispatchAction(appstate.fetchGatewayDomainsAction, null);
  }
  public render(): TemplateResult {
    const domains = this.networkState.gatewayDomains;
    return html`
      <ob-sectionheading>Domains</ob-sectionheading>
      <div class="muted" style="margin-bottom: 16px;">
        Domains are managed in dcrouter. Onebox shows gateway visibility for deployed services.
      </div>
      ${domains.length
        ? html`
            <dees-table
              .heading1=${'Gateway Domains'}
              .heading2=${'Domains imported from dcrouter gateway visibility'}
              .data=${domains}
              .showColumnFilters=${true}
              .displayFunction=${(domain: TGatewayDomain) => ({
                Domain: html`
                  <div>
                    <div class="domain">${domain.name}</div>
                    ${domain.providerId ? html`<div class="muted">Provider: ${domain.providerId}</div>` : ''}
                  </div>
                `,
                Source: html`<span class="badge">${domain.source || 'dcrouter'}</span>`,
                Authoritative: domain.authoritative ? 'Yes' : 'No',
                Services: domain.serviceCount || 0,
              })}
              .dataActions=${[
                {
                  name: 'Refresh',
                  iconName: 'lucide:rotateCw',
                  type: ['header'],
                  actionFunc: async () => {
                    await appstate.networkStatePart.dispatchAction(
                      appstate.fetchGatewayDomainsAction,
                      null,
                    );
                  },
                },
                {
                  name: 'Manage in dcrouter',
                  iconName: 'lucide:externalLink',
                  type: ['inRow', 'contextmenu'],
                  actionRelevancyCheckFunc: (domain: TGatewayDomain) => !!domain.manageUrl,
                  actionFunc: async (actionData: plugins.deesCatalog.ITableActionDataArg<TGatewayDomain>) => {
                    if (actionData.item.manageUrl) {
                      globalThis.open(actionData.item.manageUrl, '_blank', 'noopener');
                    }
                  },
                },
              ] as plugins.deesCatalog.ITableAction<TGatewayDomain>[]}
            ></dees-table>
          `
        : html`<div class="empty">No gateway domains found. Configure a dcrouter gateway in Settings.</div>`}
    `;
  }
 }
@@ -20,6 +20,8 @@ export class ObViewNetwork extends DeesElement {
    trafficStats: null,
    dnsRecords: [],
    domains: [],
    gatewayDomains: [],
    gatewayDnsRecords: [],
    certificates: [],
  };
@@ -17,6 +17,7 @@ export class ObViewSettings extends DeesElement {
  accessor settingsState: appstate.ISettingsState = {
    settings: null,
    backupPasswordConfigured: false,
    managedDcRouterStatus: null,
  };
  @state()
@@ -49,27 +50,29 @@ export class ObViewSettings extends DeesElement {
    css`
      .gateway-card {
        margin-bottom: 24px;
-        border: 1px solid var(--dees-color-border-subtle);
+        border: 1px solid ${cssManager.bdTheme('#e4e4e7', '#27272a')};
        border-radius: 12px;
-        background: var(--dees-color-background, #ffffff);
+        background: ${cssManager.bdTheme('#ffffff', '#09090b')};
        overflow: hidden;
        box-shadow: 0 1px 2px ${cssManager.bdTheme('rgba(0,0,0,0.04)', 'rgba(0,0,0,0.2)')};
      }
      .gateway-header {
        padding: 16px 20px;
-        border-bottom: 1px solid var(--dees-color-border-subtle);
+        border-bottom: 1px solid ${cssManager.bdTheme('#f4f4f5', '#27272a')};
        background: ${cssManager.bdTheme('#fafafa', '#101013')};
      }
      .gateway-title {
        font-size: 15px;
        font-weight: 600;
-        color: var(--dees-color-text-primary);
+        color: ${cssManager.bdTheme('#18181b', '#fafafa')};
      }
      .gateway-subtitle {
        margin-top: 4px;
        font-size: 13px;
-        color: var(--dees-color-text-muted);
+        color: ${cssManager.bdTheme('#71717a', '#a1a1aa')};
      }
      .gateway-content {
@@ -79,38 +82,96 @@ export class ObViewSettings extends DeesElement {
        gap: 16px;
      }
      .gateway-mode-row,
      .gateway-status-row {
        display: flex;
        justify-content: space-between;
        align-items: center;
        gap: 12px;
        padding: 16px 20px;
        border-bottom: 1px solid ${cssManager.bdTheme('#f4f4f5', '#27272a')};
      }
      .gateway-mode-row {
        justify-content: flex-start;
      }
      .gateway-mode-button {
        border: 1px solid ${cssManager.bdTheme('#d4d4d8', '#3f3f46')};
        border-radius: 999px;
        background: ${cssManager.bdTheme('#ffffff', '#18181b')};
        color: ${cssManager.bdTheme('#3f3f46', '#d4d4d8')};
        padding: 8px 12px;
        font: inherit;
        cursor: pointer;
      }
      .gateway-mode-button.active {
        border-color: ${cssManager.bdTheme('#2563eb', '#60a5fa')};
        background: ${cssManager.bdTheme('#eff6ff', '#172554')};
        color: ${cssManager.bdTheme('#1d4ed8', '#bfdbfe')};
      }
      .gateway-status-label {
        font-size: 12px;
        font-weight: 600;
        text-transform: uppercase;
        color: ${cssManager.bdTheme('#71717a', '#a1a1aa')};
      }
      .gateway-status-value {
        margin-top: 4px;
        font-size: 14px;
        color: ${cssManager.bdTheme('#18181b', '#fafafa')};
      }
      .gateway-status-error,
      .gateway-disabled {
        color: ${cssManager.bdTheme('#b91c1c', '#fca5a5')};
        font-size: 13px;
      }
      .gateway-disabled {
        grid-column: 1 / -1;
      }
      .gateway-actions {
        display: flex;
        gap: 8px;
      }
      .gateway-field.full {
        grid-column: 1 / -1;
      }
-      .field-label {
+      .gateway-readonly {
        display: block;
        margin-bottom: 6px;
        font-size: 13px;
        font-weight: 500;
        color: var(--dees-color-text-secondary);
      }
      input {
        width: 100%;
        box-sizing: border-box;
        padding: 10px 12px;
-        border: 1px solid var(--dees-color-border-subtle);
+        border: 1px solid ${cssManager.bdTheme('#e4e4e7', '#27272a')};
        border-radius: 8px;
-        background: transparent;
+        background: ${cssManager.bdTheme('#fafafa', '#18181b')};
        color: var(--dees-color-text-primary);
        font-size: 14px;
      }
-      input:focus {
+      .gateway-readonly-label {
        outline: none;
        border-color: #3b82f6;
      }
      .field-hint {
        margin-top: 5px;
        font-size: 12px;
-        color: var(--dees-color-text-muted);
+        font-weight: 600;
        color: ${cssManager.bdTheme('#52525b', '#d4d4d8')};
      }
      .gateway-readonly-value {
        margin-top: 4px;
        font-size: 13px;
        color: ${cssManager.bdTheme('#18181b', '#fafafa')};
        word-break: break-all;
      }
      .gateway-readonly-hint {
        margin-top: 4px;
        font-size: 12px;
        color: ${cssManager.bdTheme('#71717a', '#a1a1aa')};
      }
      dees-input-text {
        width: 100%;
      }
      .gateway-footer {
@@ -119,25 +180,15 @@ export class ObViewSettings extends DeesElement {
        padding: 0 20px 20px;
      }
      .save-button {
        border: none;
        border-radius: 8px;
        background: #2563eb;
        color: white;
        cursor: pointer;
        font-size: 13px;
        font-weight: 600;
        padding: 9px 14px;
      }
      .save-button:hover {
        background: #1d4ed8;
      }
      @media (max-width: 700px) {
        .gateway-content {
          grid-template-columns: 1fr;
        }
        .gateway-status-row {
          align-items: flex-start;
          flex-direction: column;
        }
      }
    `,
  ];
@@ -156,6 +207,14 @@ export class ObViewSettings extends DeesElement {
          darkMode: true,
          cloudflareToken: '',
          cloudflareZoneId: '',
          dcrouterMode: 'managed',
          dcrouterManagedImage: 'code.foss.global/serve.zone/dcrouter:latest',
          dcrouterManagedOpsPort: 3300,
          dcrouterManagedHttpPort: 80,
          dcrouterManagedHttpsPort: 443,
          dcrouterManagedDataDir: './.nogit/dcrouter-data',
          dcrouterGatewayClientId: '',
          dcrouterWorkHosterId: '',
          autoRenewCerts: false,
          renewalThreshold: 30,
          acmeEmail: '',
@@ -187,45 +246,109 @@ export class ObViewSettings extends DeesElement {
  private renderExternalGatewaySettings(): TemplateResult {
    const settings = this.settingsState.settings;
    const mode = settings?.dcrouterMode || 'managed';
    return html`
      <section class="gateway-card">
        <div class="gateway-header">
-          <div class="gateway-title">External dcrouter Gateway</div>
+          <div class="gateway-title">dcrouter Gateway</div>
-          <div class="gateway-subtitle">Delegate public WorkApp routing, DNS, and certificates to a dcrouter edge authority.</div>
+          <div class="gateway-subtitle">Run a local managed dcrouter or delegate routing, DNS, and certificates to an external dcrouter.</div>
        </div>
        <div class="gateway-mode-row">
          ${this.renderModeButton('managed', 'Managed Local', mode)}
          ${this.renderModeButton('external', 'External dcrouter', mode)}
          ${this.renderModeButton('disabled', 'Disabled', mode)}
        </div>
        ${mode === 'managed' ? this.renderManagedGatewayStatus() : null}
        <div class="gateway-content">
-          ${this.renderGatewayInput('dcrouterGatewayUrl', 'Gateway URL', settings?.dcrouterGatewayUrl || '', 'https://edge.example.com', 'Base URL of the dcrouter OpsServer.')}
+          ${mode === 'managed' ? html`
-          ${this.renderGatewayInput('dcrouterGatewayApiToken', 'API Token', settings?.dcrouterGatewayApiToken || '', 'dcrouter API token', 'Requires workhosters and certificates scopes.', 'password')}
+            ${this.renderGatewayInput('dcrouterManagedImage', 'dcrouter Image', settings?.dcrouterManagedImage || 'code.foss.global/serve.zone/dcrouter:latest', 'OCI image used for the managed local gateway.')}
-          ${this.renderGatewayInput('dcrouterWorkHosterId', 'WorkHoster ID', settings?.dcrouterWorkHosterId || '', 'optional stable owner ID', 'Leave empty to let Onebox create a stable ID.')}
+            ${this.renderGatewayInput('dcrouterManagedDataDir', 'Data Directory', settings?.dcrouterManagedDataDir || './.nogit/dcrouter-data', 'Host directory mounted into the dcrouter container.')}
-          ${this.renderGatewayInput('dcrouterTargetHost', 'Target Host', settings?.dcrouterTargetHost || '', 'public or private host/IP', 'Defaults to the configured server IP when empty.')}
+            ${this.renderGatewayInput('dcrouterManagedOpsPort', 'Local Ops Port', String(settings?.dcrouterManagedOpsPort || 3300), 'Bound to 127.0.0.1 for Onebox to call dcrouter APIs.')}
-          ${this.renderGatewayInput('dcrouterTargetPort', 'Target Port', String(settings?.dcrouterTargetPort || 80), '80', 'Internal HTTP port dcrouter forwards to.', 'number')}
+            ${this.renderGatewayInput('dcrouterManagedHttpPort', 'Public HTTP Port', String(settings?.dcrouterManagedHttpPort || 80), 'Host port owned by dcrouter for HTTP ingress.')}
            ${this.renderGatewayInput('dcrouterManagedHttpsPort', 'Public HTTPS Port', String(settings?.dcrouterManagedHttpsPort || 443), 'Host port owned by dcrouter for HTTPS ingress.')}
            ${this.renderGatewayReadonly('Gateway Client ID', settings?.dcrouterGatewayClientId || settings?.dcrouterWorkHosterId || 'Created when managed dcrouter starts', 'Diagnostic only. Onebox manages this local client automatically.')}
          ` : mode === 'external' ? html`
            ${this.renderGatewayInput('dcrouterGatewayUrl', 'Gateway URL', settings?.dcrouterGatewayUrl || '', 'Base URL of the dcrouter OpsServer.')}
            ${this.renderGatewayInput('dcrouterGatewayApiToken', 'API Token', settings?.dcrouterGatewayApiToken || '', 'Requires gateway-client access in dcrouter.', true)}
            ${this.renderGatewayReadonly('Gateway Client ID', settings?.dcrouterGatewayClientId || settings?.dcrouterWorkHosterId || 'Derived from token', 'Configure this in dcrouter Gateway Clients, not in Onebox.')}
            ${this.renderGatewayInput('dcrouterTargetHost', 'Target Host', settings?.dcrouterTargetHost || '', 'Defaults to the configured server IP when empty.')}
            ${this.renderGatewayInput('dcrouterTargetPort', 'Target Port', String(settings?.dcrouterTargetPort || 80), 'Internal HTTP port dcrouter forwards to.')}
          ` : html`
            <div class="gateway-disabled">dcrouter route delegation is disabled. Onebox will keep using its local SmartProxy directly.</div>
          `}
        </div>
        <div class="gateway-footer">
-          <button class="save-button" @click=${() => this.saveExternalGatewaySettings()}>Save Gateway Settings</button>
+          <dees-button
            .text=${'Save dcrouter Settings'}
            .type=${'default'}
            .icon=${'lucide:Save'}
            @click=${() => this.saveExternalGatewaySettings()}
          ></dees-button>
        </div>
      </section>
    `;
  }
  private renderModeButton(
    mode: 'managed' | 'external' | 'disabled',
    label: string,
    activeMode: string,
  ): TemplateResult {
    return html`
      <button
        class="gateway-mode-button ${activeMode === mode ? 'active' : ''}"
        @click=${() => this.updateGatewayDraft('dcrouterMode', mode)}
      >${label}</button>
    `;
  }
  private renderManagedGatewayStatus(): TemplateResult {
    const status = this.settingsState.managedDcRouterStatus;
    const stateText = status?.running ? (status.healthy ? 'Running' : 'Starting') : 'Stopped';
    return html`
      <div class="gateway-status-row">
        <div>
          <div class="gateway-status-label">Managed dcrouter</div>
          <div class="gateway-status-value">${stateText}${status?.gatewayUrl ? ` at ${status.gatewayUrl}` : ''}</div>
          ${status?.message ? html`<div class="gateway-status-error">${status.message}</div>` : null}
        </div>
        <div class="gateway-actions">
          <dees-button .text=${'Start'} .type=${'default'} @click=${() => appstate.settingsStatePart.dispatchAction(appstate.startManagedDcRouterAction, null)}></dees-button>
          <dees-button .text=${'Restart'} .type=${'default'} @click=${() => appstate.settingsStatePart.dispatchAction(appstate.restartManagedDcRouterAction, null)}></dees-button>
          <dees-button .text=${'Stop'} .type=${'default'} @click=${() => appstate.settingsStatePart.dispatchAction(appstate.stopManagedDcRouterAction, null)}></dees-button>
        </div>
      </div>
    `;
  }
  private renderGatewayInput(
    key: keyof NonNullable<appstate.ISettingsState['settings']>,
    label: string,
    value: string,
    placeholder: string,
    hint: string,
-    type: 'text' | 'password' | 'number' = 'text',
+    isPassword = false,
  ): TemplateResult {
    return html`
-      <label class="gateway-field ${key === 'dcrouterGatewayUrl' ? 'full' : ''}">
+      <div class="gateway-field ${key === 'dcrouterGatewayUrl' ? 'full' : ''}">
-        <span class="field-label">${label}</span>
+        <dees-input-text
-        <input
+          .key=${key}
-          type=${type}
+          .label=${label}
          .value=${value}
-          placeholder=${placeholder}
+          .description=${hint}
          .isPasswordBool=${isPassword}
          @input=${(event: Event) => this.updateGatewayDraft(key, (event.target as HTMLInputElement).value)}
-        />
+        ></dees-input-text>
-        <span class="field-hint">${hint}</span>
+      </div>
-      </label>
+    `;
  }
  private renderGatewayReadonly(label: string, value: string, hint: string): TemplateResult {
    return html`
      <div class="gateway-readonly">
        <div class="gateway-readonly-label">${label}</div>
        <div class="gateway-readonly-value">${value}</div>
        <div class="gateway-readonly-hint">${hint}</div>
      </div>
    `;
  }
@@ -234,7 +357,13 @@ export class ObViewSettings extends DeesElement {
    value: string,
  ): void {
    const currentSettings = this.settingsState.settings || {} as NonNullable<appstate.ISettingsState['settings']>;
-    const nextValue = key === 'dcrouterTargetPort' ? Number(value) || 0 : value;
+    const numberKeys = new Set([
      'dcrouterTargetPort',
      'dcrouterManagedOpsPort',
      'dcrouterManagedHttpPort',
      'dcrouterManagedHttpsPort',
    ]);
    const nextValue = numberKeys.has(key as string) ? Number(value) || 0 : value;
    this.settingsState = {
      ...this.settingsState,
      settings: {
@@ -250,12 +379,18 @@ export class ObViewSettings extends DeesElement {
    await appstate.settingsStatePart.dispatchAction(appstate.updateSettingsAction, {
      settings: {
        dcrouterMode: settings.dcrouterMode || 'managed',
        dcrouterManagedImage: settings.dcrouterManagedImage || 'code.foss.global/serve.zone/dcrouter:latest',
        dcrouterManagedOpsPort: Number(settings.dcrouterManagedOpsPort) || 3300,
        dcrouterManagedHttpPort: Number(settings.dcrouterManagedHttpPort) || 80,
        dcrouterManagedHttpsPort: Number(settings.dcrouterManagedHttpsPort) || 443,
        dcrouterManagedDataDir: settings.dcrouterManagedDataDir || './.nogit/dcrouter-data',
        dcrouterGatewayUrl: settings.dcrouterGatewayUrl || '',
        dcrouterGatewayApiToken: settings.dcrouterGatewayApiToken || '',
        dcrouterWorkHosterId: settings.dcrouterWorkHosterId || '',
        dcrouterTargetHost: settings.dcrouterTargetHost || '',
        dcrouterTargetPort: Number(settings.dcrouterTargetPort) || 80,
      },
    });
    await appstate.settingsStatePart.dispatchAction(appstate.fetchManagedDcRouterStatusAction, null);
  }
 }
@@ -3,12 +3,40 @@ import * as appstate from './appstate.js';
 const SmartRouter = plugins.domtools.plugins.smartrouter.SmartRouter;
-export const validViews = [
+const flatViews = ['dashboard', 'settings'] as const;
  'dashboard', 'app-store', 'services', 'network',
  'registries', 'tokens', 'settings',
 ] as const;
-export type TValidView = typeof validViews[number];
+const subviewMap: Record<string, readonly string[]> = {
  apps: ['app-store', 'services'] as const,
  network: ['proxy', 'domains', 'dns-records'] as const,
  registry: ['registries', 'tokens'] as const,
 };
 const defaultSubview: Record<string, string> = {
  apps: 'app-store',
  network: 'proxy',
  registry: 'registries',
 };
 const legacySubviewTargetMap: Record<string, { view: string; subview: string }> = {
  'app-store': { view: 'apps', subview: 'app-store' },
  services: { view: 'apps', subview: 'services' },
  proxy: { view: 'network', subview: 'proxy' },
  domains: { view: 'network', subview: 'domains' },
  'dns-records': { view: 'network', subview: 'dns-records' },
  registries: { view: 'registry', subview: 'registries' },
  tokens: { view: 'registry', subview: 'tokens' },
 };
 export const validTopLevelViews = [...flatViews, ...Object.keys(subviewMap)] as const;
 export type TValidView = typeof validTopLevelViews[number];
 export function isValidView(view: string): boolean {
  return (validTopLevelViews as readonly string[]).includes(view);
 }
 export function isValidSubview(view: string, subview: string): boolean {
  return subviewMap[view]?.includes(subview) ?? false;
 }
 class AppRouter {
  private router: InstanceType<typeof SmartRouter>;
@@ -28,24 +56,37 @@ class AppRouter {
  }
  private setupRoutes(): void {
-    for (const view of validViews) {
+    for (const view of flatViews) {
      this.router.on(`/${view}`, async () => {
-        this.updateViewState(view);
+        this.updateViewState(view, null);
      });
    }
-    // Root redirect
+    for (const view of Object.keys(subviewMap)) {
      this.router.on(`/${view}`, async () => {
        this.navigateTo(`/${view}/${defaultSubview[view]}`);
      });
      for (const subview of subviewMap[view]) {
        this.router.on(`/${view}/${subview}`, async () => {
          this.updateViewState(view, subview);
        });
      }
    }
    this.router.on('/', async () => {
      this.navigateTo('/dashboard');
    });
  }
  private setupStateSync(): void {
-    appstate.uiStatePart.select((s) => s.activeView).subscribe((activeView) => {
+    appstate.uiStatePart.select().subscribe((uiState: appstate.IUiState) => {
      if (this.suppressStateUpdate) return;
      const currentPath = window.location.pathname;
-      const expectedPath = `/${activeView}`;
+      const expectedPath = uiState.activeSubview
        ? `/${uiState.activeView}/${uiState.activeSubview}`
        : `/${uiState.activeView}`;
      if (currentPath !== expectedPath) {
        this.suppressStateUpdate = true;
@@ -60,25 +101,37 @@ class AppRouter {
    if (!path || path === '/') {
      this.router.pushUrl('/dashboard');
-    } else {
+      return;
-      const segments = path.split('/').filter(Boolean);
+    }
      const view = segments[0];
-      if (validViews.includes(view as TValidView)) {
+    const segments = path.split('/').filter(Boolean);
-        this.updateViewState(view as TValidView);
+    const view = segments[0];
    const subview = segments[1];
    if (!isValidView(view)) {
      this.router.pushUrl('/dashboard');
      return;
    }
    if (subviewMap[view]) {
      if (subview && isValidSubview(view, subview)) {
        this.updateViewState(view, subview);
      } else {
-        this.router.pushUrl('/dashboard');
+        this.router.pushUrl(`/${view}/${defaultSubview[view]}`);
      }
    } else {
      this.updateViewState(view, null);
    }
  }
-  private updateViewState(view: string): void {
+  private updateViewState(view: string, subview: string | null): void {
    this.suppressStateUpdate = true;
    const currentState = appstate.uiStatePart.getState();
-    if (currentState.activeView !== view) {
+    if (currentState.activeView !== view || currentState.activeSubview !== subview) {
      appstate.uiStatePart.setState({
        ...currentState,
        activeView: view,
        activeSubview: subview,
      });
    }
    this.suppressStateUpdate = false;
@@ -88,17 +141,34 @@ class AppRouter {
    this.router.pushUrl(path);
  }
-  public navigateToView(view: string): void {
+  public navigateToView(view: string, subview?: string): void {
-    const normalized = view.toLowerCase().replace(/\s+/g, '-');
+    const normalizedView = view.toLowerCase().replace(/\s+/g, '-');
-    if (validViews.includes(normalized as TValidView)) {
+    const normalizedSubview = subview?.toLowerCase().replace(/\s+/g, '-');
-      this.navigateTo(`/${normalized}`);
+
-    } else {
+    if (!isValidView(normalizedView)) {
      const legacyTarget = legacySubviewTargetMap[normalizedView];
      if (legacyTarget) {
        this.navigateToView(legacyTarget.view, legacyTarget.subview);
        return;
      }
      this.navigateTo('/dashboard');
      return;
    }
    if (normalizedSubview && isValidSubview(normalizedView, normalizedSubview)) {
      this.navigateTo(`/${normalizedView}/${normalizedSubview}`);
    } else if (subviewMap[normalizedView]) {
      this.navigateTo(`/${normalizedView}/${defaultSubview[normalizedView]}`);
    } else {
      this.navigateTo(`/${normalizedView}`);
    }
  }
  public getCurrentView(): string {
-    return appstate.uiStatePart.getState().activeView;
+    const uiState = appstate.uiStatePart.getState();
    return uiState.activeSubview
      ? `${uiState.activeView}/${uiState.activeSubview}`
      : uiState.activeView;
  }
  public destroy(): void {
Author	SHA1	Message	Date
jkunz	4812621376	v1.28.0 Release / build-and-release (push) Successful in 2m38s Details	2026-05-24 10:19:43 +00:00
jkunz	8b98706d27	chore(release): document catalog update	2026-05-24 10:19:29 +00:00
jkunz	e36207347f	fix(deps): update serve zone catalog	2026-05-24 10:19:17 +00:00
jkunz	5228eeaa23	feat(appstore): add service volumes and published ports	2026-05-24 10:15:56 +00:00
jkunz	e6ebac76b4	v1.27.0 Release / build-and-release (push) Successful in 2m34s Details	2026-05-21 20:35:07 +00:00
jkunz	27888a9fd1	chore(web): update bundled onebox app	2026-05-21 20:34:36 +00:00
jkunz	3f6b058ce5	feat(web): group onebox sidebar navigation	2026-05-21 20:32:40 +00:00
jkunz	ba370cbce8	v1.26.3 Release / build-and-release (push) Successful in 2m29s Details	2026-05-21 17:06:38 +00:00
jkunz	43c8f261cc	fix(web): use dees-table for gateway domains and DNS records views	2026-05-21 17:06:15 +00:00
jkunz	2984c41081	v1.26.2 Release / build-and-release (push) Successful in 2m30s Details	2026-05-20 14:32:04 +00:00
jkunz	d143d73ea9	chore(release): remove duplicate pending heading	2026-05-20 14:31:56 +00:00
jkunz	9f8a6eaa76	chore(release): format pending changelog entry	2026-05-20 14:31:18 +00:00
jkunz	0af8da2c9d	chore(release): document proxy reload fix	2026-05-20 14:30:31 +00:00
jkunz	fa96d371d6	fix(proxy): reload routes after SmartProxy startup	2026-05-20 14:27:17 +00:00
jkunz	9e4dcc18a2	v1.26.1 Release / build-and-release (push) Successful in 2m31s Details	2026-05-09 22:36:27 +00:00
jkunz	15574b8629	fix(external-gateway): derive gateway client identity from the dcrouter token and make the settings UI read-only	2026-05-09 22:36:26 +00:00
jkunz	b9c90eca3d	v1.26.0 Release / build-and-release (push) Successful in 2m36s Details	2026-05-09 20:04:02 +00:00
jkunz	dc37a71802	feat(dcrouter): add managed local dcrouter mode with status controls and gateway integration	2026-05-09 20:04:02 +00:00
jkunz	595e84cdb6	v1.25.0 Release / build-and-release (push) Successful in 2m59s Details	2026-05-09 11:58:51 +00:00
jkunz	5e04001790	feat(external-gateway): add gateway client domain and DNS record support for dcrouter integration	2026-05-09 11:58:51 +00:00
jkunz	7fe63541b3	fix: align delegate routing settings UI Release / build-and-release (push) Successful in 2m44s Details	2026-05-08 19:32:40 +00:00
jkunz	201602b733	fix: use compiled-safe password hashing Release / build-and-release (push) Successful in 2m34s Details	2026-05-08 16:36:58 +00:00