v1.24.2

fix(deps): bump runtime and build tool dependencies
v1.24.1
2026-03-24 20:17:30 +00:00 · 2026-03-24 20:17:30 +00:00 · 2026-03-24 20:08:25 +00:00 · 2026-03-24 20:08:25 +00:00 · 2026-03-24 19:54:56 +00:00 · 2026-03-24 19:54:56 +00:00
193 changed files with 56546 additions and 19611 deletions
@@ -1,140 +0,0 @@
-# Onebox Development Notes
-
-## ⚠️ CRITICAL DEVELOPMENT RULES ⚠️
-
-### NEVER GUESS - ALWAYS READ THE ACTUAL CODE
-**FUCKING ALWAYS look at the dependency actual code. Don't start fucking guessing stuff.**
-
-run "pnpm run watch" when starting to do stuff, so the UI gets recompiled and the server automatically restarts on file changes.
-
-When working with any dependency:
-1. **READ the actual source code** in `node_modules/` or check the package documentation
-2. **CHECK the exact API** - don't assume based on similar libraries
-3. **VERIFY method names, return types, and property structures** before using them
-4. **TEST with the actual implementation** - APIs change between versions
-
-Common mistakes to avoid:
- ❌ Assuming API structure based on similar libraries
- ❌ Guessing method names or property paths
- ❌ Using outdated documentation without checking current version
- ✅ Read the actual TypeScript definitions in node_modules
- ✅ Check the package's README and changelog
- ✅ Test the actual behavior before implementing
-
-## Architecture Changes
-
-### Reverse Proxy Implementation
- **Replaced Nginx** with native Deno reverse proxy (`ts/classes/reverseproxy.ts`)
- Features:
-  - HTTP/HTTPS dual servers (ports 80/443)
-  - TLS/SSL certificate management with hot-reload
-  - WebSocket bidirectional proxying
-  - Dynamic routing from database
-  - SNI (Server Name Indication) support
-
-### Code Organization
- Removed "onebox." prefix from all TypeScript files
- Organized into subfolders:
-  - `ts/classes/` - All class implementations
-  - `ts/` - Root level utilities (logging, types, plugins, cli, info)
-
-### WebSocket Real-time Communication
- **Backend**: WebSocket endpoint at `/api/ws` (`ts/classes/httpserver.ts:96-174`)
-  - Connection management with client Set tracking
-  - Broadcast methods: `broadcast()`, `broadcastServiceUpdate()`, `broadcastServiceStatus()`
-  - Integrated with service lifecycle (start/stop/restart actions)
-  - Status monitoring loop broadcasts changes automatically
- **Frontend**: Angular WebSocket service (`ui/src/app/core/services/websocket.service.ts`)
-  - Auto-connects on app initialization
-  - Exponential backoff reconnection (max 5 attempts)
-  - RxJS Observable-based message streaming
-  - Components subscribe to real-time updates
- **Message Types**:
-  - `connected` - Initial connection confirmation
-  - `service_update` - Service lifecycle changes (action: created/updated/deleted/started/stopped)
-  - `service_status` - Real-time status changes from monitoring loop
-  - `system_status` - System-wide updates
- **Testing**: Use `.nogit/test-ws-updates.ts` to monitor WebSocket messages
-
-### Docker Configuration
- **System Docker**: Uses root Docker at `/var/run/docker.sock` (NOT rootless)
- **Swarm Mode**: Enabled for service orchestration
- **API Access**: Interact with Docker via direct API calls to the socket
-  - ❌ DO NOT switch Docker CLI contexts
-  - ✅ Use curl/HTTP requests to `/var/run/docker.sock`
- **Network**: Overlay network `onebox-network` with `Attachable: true`
- **Services vs Containers**: All workloads run as Swarm services (not standalone containers)
-
-## Debugging Tips
-
-### Backend Logs
-Use the background bash task to check server logs:
-```bash
-# Check for specific patterns (e.g., Login attempts)
-BashOutput tool with filter: "Login|error|Error"
-
-# Check all recent output
-BashOutput tool without filter
-```
-
-The dev server runs with `--watch` so it auto-restarts on file changes.
-
-### Frontend Testing
-Use Playwright for UI testing:
-```typescript
-// Navigate to app
-mcp__playwright__browser_navigate({ url: "http://localhost:3000" })
-
-// Fill login form
-mcp__playwright__browser_fill_form({
-  fields: [
-    { name: "Username", type: "textbox", ref: "...", value: "admin" },
-    { name: "Password", type: "textbox", ref: "...", value: "admin" }
-  ]
-})
-
-// Click button
-mcp__playwright__browser_click({ element: "Sign in button", ref: "..." })
-
-// Check console errors
-// Playwright automatically shows console messages in results
-```
-
-### Common Issues
-
-#### Login Issue (Fixed)
-**Problem**: `admin/admin` credentials returned "Invalid credentials"
-
-**Root Cause**: `rowToUser()` function in database.ts was accessing rows as arrays `row[2]` instead of objects `row.password_hash`. The @db/sqlite library returns rows as objects with snake_case column names.
-
-**Fix**: Updated `rowToUser()` to support both access patterns:
-```typescript
-private rowToUser(row: any): IUser {
-  return {
-    passwordHash: String(row.password_hash || row[2]),
-    // ... other fields
-  };
-}
-```
-
-**Location**: `ts/classes/database.ts:506-515`
-
-## Default Credentials
- Username: `admin`
- Password: `admin`
- ⚠️ Change immediately after first login!
-
-## Development Server
-```bash
-# Main server (port 3000)
-deno task dev
-
-# Check server status
-curl http://localhost:3000/api/status
-```
-
-## API Endpoints
- `POST /api/auth/login` - Login (returns JWT-like token)
- `GET /api/status` - System status (requires auth)
- `GET /api/services` - List services (requires auth)
- See `ts/classes/httpserver.ts` for full API
@@ -0,0 +1,37 @@
+## Onebox {{VERSION}}
+
+Pre-compiled binaries for multiple platforms.
+
+### Installation
+
+#### Option 1: Via npm (recommended)
+
+```bash
+npm install -g @serve.zone/onebox
+```
+
+#### Option 2: Via installer script
+
+```bash
+curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash
+```
+
+#### Option 3: Direct binary download
+
+Download the appropriate binary for your platform from the assets below and make it executable.
+
+### Supported Platforms
+
+- Linux x86_64 (x64)
+- Linux ARM64 (aarch64)
+- macOS x86_64 (Intel)
+- macOS ARM64 (Apple Silicon)
+- Windows x86_64
+
+### Checksums
+
+SHA256 checksums are provided in `SHA256SUMS.txt` for binary verification.
+
+### npm Package
+
+The npm package includes automatic binary detection and installation for your platform.
@@ -0,0 +1,211 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  build-and-release:
+    runs-on: ubuntu-latest
+    container:
+      image: code.foss.global/host.today/ht-docker-node:latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Deno
+        uses: denoland/setup-deno@v1
+        with:
+          deno-version: v2.x
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+
+      - name: Enable corepack
+        run: corepack enable
+
+      - name: Install dependencies
+        run: pnpm install --ignore-scripts
+
+      - name: Get version from tag
+        id: version
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/}
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "version_number=${VERSION#v}" >> $GITHUB_OUTPUT
+          echo "Building version: $VERSION"
+
+      - name: Verify deno.json version matches tag
+        run: |
+          DENO_VERSION=$(grep -o '"version": "[^"]*"' deno.json | cut -d'"' -f4)
+          TAG_VERSION="${{ steps.version.outputs.version_number }}"
+          echo "deno.json version: $DENO_VERSION"
+          echo "Tag version: $TAG_VERSION"
+          if [ "$DENO_VERSION" != "$TAG_VERSION" ]; then
+            echo "ERROR: Version mismatch!"
+            echo "deno.json has version $DENO_VERSION but tag is $TAG_VERSION"
+            exit 1
+          fi
+
+      - name: Compile binaries for all platforms
+        run: mkdir -p dist/binaries && npx tsdeno compile
+
+      - name: Generate SHA256 checksums
+        run: |
+          cd dist/binaries
+          sha256sum * > SHA256SUMS.txt
+          cat SHA256SUMS.txt
+          cd ../..
+
+      - name: Extract changelog for this version
+        id: changelog
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+
+          # Check if CHANGELOG.md exists
+          if [ ! -f CHANGELOG.md ] && [ ! -f changelog.md ]; then
+            echo "No changelog found, using default release notes"
+            cat > /tmp/release_notes.md << EOF
+          ## Onebox $VERSION
+
+          Pre-compiled binaries for multiple platforms.
+
+          ### Installation
+
+          Use the installation script:
+          \`\`\`bash
+          curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash
+          \`\`\`
+
+          Or download the binary for your platform and make it executable.
+
+          ### Supported Platforms
+          - Linux x86_64 (x64)
+          - Linux ARM64 (aarch64)
+          - macOS x86_64 (Intel)
+          - macOS ARM64 (Apple Silicon)
+          - Windows x86_64
+
+          ### Checksums
+          SHA256 checksums are provided in SHA256SUMS.txt
+          EOF
+          else
+            CHANGELOG_FILE=$([ -f CHANGELOG.md ] && echo "CHANGELOG.md" || echo "changelog.md")
+            awk "/## \[$VERSION\]/,/## \[/" "$CHANGELOG_FILE" | sed '$d' > /tmp/release_notes.md || cat > /tmp/release_notes.md << EOF
+          ## Onebox $VERSION
+
+          See changelog.md for full details.
+
+          ### Installation
+
+          Use the installation script:
+          \`\`\`bash
+          curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash
+          \`\`\`
+          EOF
+          fi
+
+          echo "Release notes:"
+          cat /tmp/release_notes.md
+
+      - name: Delete existing release if it exists
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+
+          echo "Checking for existing release $VERSION..."
+
+          # Try to get existing release by tag
+          EXISTING_RELEASE_ID=$(curl -s \
+            -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            "https://code.foss.global/api/v1/repos/serve.zone/onebox/releases/tags/$VERSION" \
+            | jq -r '.id // empty')
+
+          if [ -n "$EXISTING_RELEASE_ID" ]; then
+            echo "Found existing release (ID: $EXISTING_RELEASE_ID), deleting..."
+            curl -X DELETE -s \
+              -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+              "https://code.foss.global/api/v1/repos/serve.zone/onebox/releases/$EXISTING_RELEASE_ID"
+            echo "Existing release deleted"
+            sleep 2
+          else
+            echo "No existing release found, proceeding with creation"
+          fi
+
+      - name: Create Gitea Release
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          RELEASE_NOTES=$(cat /tmp/release_notes.md)
+
+          # Create the release
+          echo "Creating release for $VERSION..."
+          RELEASE_ID=$(curl -X POST -s \
+            -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            "https://code.foss.global/api/v1/repos/serve.zone/onebox/releases" \
+            -d "{
+              \"tag_name\": \"$VERSION\",
+              \"name\": \"Onebox $VERSION\",
+              \"body\": $(jq -Rs . /tmp/release_notes.md),
+              \"draft\": false,
+              \"prerelease\": false
+            }" | jq -r '.id')
+
+          echo "Release created with ID: $RELEASE_ID"
+
+          # Upload binaries as release assets
+          for binary in dist/binaries/*; do
+            filename=$(basename "$binary")
+            echo "Uploading $filename..."
+            curl -X POST -s \
+              -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+              -H "Content-Type: application/octet-stream" \
+              --data-binary "@$binary" \
+              "https://code.foss.global/api/v1/repos/serve.zone/onebox/releases/$RELEASE_ID/assets?name=$filename"
+          done
+
+          echo "All assets uploaded successfully"
+
+      - name: Clean up old releases
+        run: |
+          echo "Cleaning up old releases (keeping only last 3)..."
+
+          # Fetch all releases sorted by creation date
+          RELEASES=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            "https://code.foss.global/api/v1/repos/serve.zone/onebox/releases" | \
+            jq -r 'sort_by(.created_at) | reverse | .[3:] | .[].id')
+
+          # Delete old releases
+          if [ -n "$RELEASES" ]; then
+            echo "Found releases to delete:"
+            for release_id in $RELEASES; do
+              echo "  Deleting release ID: $release_id"
+              curl -X DELETE -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+                "https://code.foss.global/api/v1/repos/serve.zone/onebox/releases/$release_id"
+            done
+            echo "Old releases deleted successfully"
+          else
+            echo "No old releases to delete (less than 4 releases total)"
+          fi
+          echo ""
+
+      - name: Release Summary
+        run: |
+          echo "================================================"
+          echo "  Release ${{ steps.version.outputs.version }} Complete!"
+          echo "================================================"
+          echo ""
+          echo "Binaries published:"
+          ls -lh dist/binaries/
+          echo ""
+          echo "Release URL:"
+          echo "https://code.foss.global/serve.zone/onebox/releases/tag/${{ steps.version.outputs.version }}"
+          echo ""
+          echo "Installation command:"
+          echo "curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash"
+          echo ""
@@ -1,3 +1,30 @@
+.nogit/
+
+# artifacts
+coverage/
+public/
+
+# installs
+node_modules/
+
+# caches
+.yarn/
+.cache/
+.rpt2_cache
+
+# builds
+dist/
+dist_*/
+
+# rust
+rust/target/
+dist_rust/
+
+# AI
+.claude/
+.serena/
+
+#------# custom
 # Deno
 .deno/
 deno.lock
@@ -50,4 +77,4 @@ logs/
 *.log

 .playwright-mcp
-./dist/
+./dist/
@@ -0,0 +1,79 @@
+{
+  "@git.zone/tsbundle": {
+    "bundles": [
+      {
+        "from": "./ts_web/index.ts",
+        "to": "./ts_bundled/bundle.ts",
+        "outputMode": "base64ts",
+        "bundler": "esbuild",
+        "production": true,
+        "includeFiles": [
+          {
+            "from": "./html/index.html",
+            "to": "index.html"
+          }
+        ]
+      }
+    ]
+  },
+  "@git.zone/tsdeno": {
+    "compileTargets": [
+      {
+        "name": "onebox-linux-x64",
+        "entryPoint": "mod.ts",
+        "outDir": "dist/binaries",
+        "target": "x86_64-unknown-linux-gnu",
+        "permissions": ["--allow-all"],
+        "noCheck": true
+      },
+      {
+        "name": "onebox-linux-arm64",
+        "entryPoint": "mod.ts",
+        "outDir": "dist/binaries",
+        "target": "aarch64-unknown-linux-gnu",
+        "permissions": ["--allow-all"],
+        "noCheck": true
+      }
+    ]
+  },
+  "@git.zone/tswatch": {
+    "bundles": [
+      {
+        "from": "./ts_web/index.ts",
+        "to": "./ts_bundled/bundle.ts",
+        "outputMode": "base64ts",
+        "bundler": "esbuild",
+        "production": true,
+        "watchPatterns": ["./ts_web/**/*", "./html/**/*"],
+        "includeFiles": [
+          {
+            "from": "./html/index.html",
+            "to": "index.html"
+          }
+        ]
+      }
+    ],
+    "watchers": [
+      {
+        "name": "backend",
+        "watch": ["./ts/**/*", "./ts_interfaces/**/*", "./ts_bundled/**/*"],
+        "command": "deno run --allow-all --unstable-ffi mod.ts server --ephemeral --monitor",
+        "restart": true,
+        "debounce": 500,
+        "runOnStart": true
+      }
+    ]
+  },
+  "@git.zone/cli": {
+    "projectType": "denoSaaS",
+    "module": {
+      "githost": "code.foss.global",
+      "gitscope": "serve.zone",
+      "gitrepo": "onebox",
+      "description": "Self-hosted container platform with automatic SSL and DNS - a mini Heroku for single servers",
+      "npmPackagename": "@serve.zone/onebox",
+      "license": "MIT"
+    }
+  },
+  "@ship.zone/szci": {}
+}
@@ -1,17 +1,579 @@
 # Changelog

+## 2026-03-24 - 1.24.2 - fix(deps)
+bump runtime and build tool dependencies
+
+- update @design.estate/dees-catalog to ^3.49.0
+- update development tooling packages @git.zone/tsbundle, @git.zone/tsdeno, and @git.zone/tswatch
+
+## 2026-03-24 - 1.24.1 - fix(repo)
+migrate smart build config to .smartconfig.json and tidy repository metadata
+
+- Rename npmextra.json to .smartconfig.json and extend it with CLI project metadata for the repository.
+- Mark the package as private and add an empty pnpm overrides block in package.json.
+- Expand .gitignore to cover common build artifacts, caches, install directories, and local tooling folders.
+- Reformat changelog and README files for cleaner spacing and Markdown table alignment without changing documented behavior.
+
+## 2026-03-24 - 1.24.0 - feat(backup)
+
+add containerarchive-backed backup storage, restore, download, and pruning support
+
+- add database support for archive snapshot IDs and stored size tracking for backups
+- initialize and close the backup archive during onebox lifecycle startup and shutdown
+- allow backup download and restore flows to work with archive snapshots as well as legacy file-based backups
+- schedule daily archive pruning based on the most generous configured retention policy
+- replace smarts3 with smartstorage for registry-backed S3-compatible storage
+
+## 2026-03-21 - 1.23.0 - feat(appstore)
+
+add remote app store templates with service upgrades and Redis/MariaDB platform support
+
+- introduces an App Store manager, API handlers, shared request types, and web UI flow for browsing remote templates and deploying services from template metadata
+- tracks app template id and version on services, adds upgrade discovery and migration-based service upgrades, and includes a database migration for template version columns
+- adds Redis and MariaDB platform service providers with provisioning plus backup and restore support, and exposes their requirements through service creation and app template config
+
+## 2026-03-18 - 1.22.2 - fix(web-ui)
+
+stabilize app store service creation flow and add Ghost sqlite defaults
+
+- Defers App Store navigation to the services view to avoid destroying the current view during the deploy event handler.
+- Processes pending app templates after services view updates so the create flow opens reliably.
+- Adds default Ghost environment variables for sqlite3 and the database file path in the App Store template.
+- Removes obsolete Gitea CI and npm publish workflow definitions.
+
+## 2026-03-18 - 1.22.1 - fix(repo)
+
+no changes to commit
+
+## 2026-03-18 - 1.22.0 - feat(web-appstore)
+
+add an App Store view for quick service deployment from curated templates
+
+- adds a new App Store tab to the web UI with curated Docker app templates
+- passes selected app templates through UI state into the services view for quick deployment
+- supports quick deploy creation with prefilled image, port, environment variables, and optional platform service flags
+- updates @serve.zone/catalog to ^2.8.0 to support the new app store view
+
+## 2026-03-18 - 1.21.0 - feat(opsserver)
+
+add container workspace API and backend execution environment for services
+
+- introduces typed workspace handlers for reading, writing, listing, creating, removing, and executing commands inside service containers
+- adds frontend backend-execution environment integration so the service view can open a workspace against a selected service
+- extends Docker exec lookup to resolve Swarm service container IDs when a direct container ID is unavailable
+
+## 2026-03-17 - 1.20.0 - feat(ops-dashboard)
+
+stream user service logs to the ops dashboard and resolve service containers for Docker log streaming
+
+- add typed socket support for pushing live user service log entries to the web app
+- extend platform log streaming to include running user services with separate dashboard handlers
+- fall back from direct container lookup to service-to-container resolution when streaming Docker logs
+- update log parsing to preserve timestamps and infer log levels for service log entries
+- bump @serve.zone/catalog to ^2.7.0
+
+## 2026-03-17 - 1.19.12 - fix(repo)
+
+no changes to commit
+
+## 2026-03-17 - 1.19.11 - fix(repo)
+
+no changes to commit
+
+## 2026-03-17 - 1.19.10 - fix(repo)
+
+no changes to commit
+
+## 2026-03-17 - 1.19.9 - fix(repo)
+
+no changes to commit
+
+## 2026-03-17 - 1.19.8 - fix(repo)
+
+no changes to commit
+
+## 2026-03-17 - 1.19.7 - fix(repo)
+
+no changes to commit
+
+## 2026-03-17 - 1.19.6 - fix(repository)
+
+no changes to commit
+
+## 2026-03-17 - 1.19.5 - fix(repo)
+
+no changes to commit
+
+## 2026-03-17 - 1.19.4 - fix(repository)
+
+no changes to commit
+
+## 2026-03-16 - 1.19.3 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.19.2 - fix(docs)
+
+remove outdated UI screenshot assets from project documentation
+
+- Deletes multiple PNG screenshots that documented previous dashboard, service form, and hello-world states.
+- Reduces repository clutter by removing obsolete image assets no longer needed in docs.
+
+## 2026-03-16 - 1.19.1 - fix(dashboard)
+
+add updated dashboard screenshots for refresh and resource usage states
+
+- Adds new dashboard screenshots covering post-refresh, resource usage, and populated data views.
+- Updates visual assets to document current dashboard behavior and UI states.
+
+## 2026-03-16 - 1.19.1 - fix(dashboard)
+
+add aggregated resource usage stats to the dashboard
+
+- Aggregate CPU, memory, and network stats across all running user and platform service containers in getSystemStatus
+- Extend ISystemStatus.docker interface with cpuUsage, memoryUsage, memoryTotal, networkIn, networkOut fields
+- Fix getContainerStats to properly handle Swarm service IDs by catching exceptions and falling back to label-based container lookup
+- Wire dashboard resource usage card to display real aggregated data from the backend
+
+## 2026-03-16 - 1.19.0 - feat(opsserver,web)
+
+add real-time platform service log streaming to the dashboard
+
+- stream running platform service container logs from the ops server to connected dashboard clients via TypedSocket
+- parse Docker log timestamps and levels for both pushed and fetched platform service log entries
+- enhance the platform service detail view with mapped statuses and predefined host, port, version, and config metadata
+- add the typedsocket dependency and update the catalog package for dashboard support
+
+## 2026-03-16 - 1.18.5 - fix(platform-services)
+
+fix platform service detail view navigation and log display
+
+- Add back button to platform service detail view for returning to services list
+- Fix DOM lifecycle when switching between platform services (destroy and recreate dees-chart-log)
+- Fix timestamp format for log entries to use ISO 8601 for dees-chart-log compatibility
+- Clear previous stats/logs state before fetching new platform service data
+
+## 2026-03-16 - 1.18.4 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.18.3 - fix(deps)
+
+bump @serve.zone/catalog to ^2.6.1
+
+- Updates the @serve.zone/catalog runtime dependency from ^2.6.0 to ^2.6.1.
+
+## 2026-03-16 - 1.18.2 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.18.1 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.18.0 - feat(platform-services)
+
+add platform service log retrieval and display in the services UI
+
+- add typed request support in the ops server to fetch Docker logs for platform service containers
+- store fetched platform service logs in web app state and load them when opening platform service details
+- render platform service logs in the services detail view and add sidebar icons for main navigation tabs
+
+## 2026-03-16 - 1.17.4 - fix(docs)
+
+add hello world running screenshot for documentation
+
+- Adds a new PNG asset showing the application in a running hello world state.
+- Supports project documentation or README usage without changing runtime behavior.
+
+## 2026-03-16 - 1.17.3 - fix(mongodb)
+
+downgrade the MongoDB service image to 4.4 and use the legacy mongo shell for container operations
+
+- changes the default MongoDB container image from mongo:7 to mongo:4.4
+- replaces mongosh with mongo for health checks, provisioning, and deprovisioning inside the container
+
+## 2026-03-16 - 1.17.2 - fix(platform-services)
+
+provision ClickHouse, MinIO, and MongoDB resources via docker exec instead of host port access
+
+- switch ClickHouse provisioning and teardown to in-container client commands to avoid host port mapping issues
+- replace MinIO host-side S3 API calls with in-container mc commands for bucket creation and removal
+- run MongoDB provisioning and deprovisioning through mongosh inside the container and improve docker exec failure reporting
+
+## 2026-03-16 - 1.17.1 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.17.0 - feat(web/services)
+
+add deploy service action to the services view
+
+- Adds a prominent "Deploy Service" button to the services page header.
+- Routes users into the create service view directly from the services listing.
+- Includes a new service creation form screenshot asset for the updated interface.
+
+## 2026-03-16 - 1.16.0 - feat(services)
+
+add platform service navigation and stats in the services UI
+
+- add platform service stats state and fetch action
+- show platform services in the services list and open a platform detail view
+- enable dashboard clicks to jump directly to the selected platform service
+- refresh platform service stats after start and restart actions
+- bump @serve.zone/catalog to ^2.6.0 for the new platform service UI components
+
+## 2026-03-16 - 1.15.3 - fix(install)
+
+refresh systemd service configuration before restarting previously running installations
+
+- Re-enable the systemd service during updates so unit file changes are applied before restart
+- Add a log message indicating the service configuration is being refreshed
+
+## 2026-03-16 - 1.15.2 - fix(systemd)
+
+set HOME and DENO_DIR for the systemd service environment
+
+- Adds HOME=/root to the generated onebox systemd unit
+- Adds DENO_DIR=/root/.cache/deno so Deno cache paths are available when running as a service
+
+## 2026-03-16 - 1.15.1 - fix(systemd)
+
+move Docker installation and swarm initialization to systemd enable flow
+
+- Ensures Docker is installed before writing and enabling the systemd unit that depends on docker.service.
+- Removes Docker auto-installation from Onebox initialization so setup happens in the service management path.
+
+## 2026-03-16 - 1.15.0 - feat(systemd)
+
+replace smartdaemon-based service management with native systemd commands
+
+- adds a dedicated OneboxSystemd manager for enabling, disabling, starting, stopping, checking status, and following logs
+- introduces a new `onebox systemd` CLI command set and updates install and help output to use it
+- removes the smartdaemon dependency and related service management code
+
+## 2026-03-16 - 1.14.10 - fix(services)
+
+stop auto-update monitoring during shutdown
+
+- Track the auto-update polling interval in the services manager
+- Clear the auto-update interval when Onebox shuts down to prevent background checks after shutdown
+
+## 2026-03-16 - 1.14.9 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.14.8 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.14.7 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.14.6 - fix(project)
+
+no changes to commit
+
+## 2026-03-16 - 1.14.5 - fix(onebox)
+
+move Docker auto-install and swarm initialization into Onebox startup flow
+
+- removes Docker setup from daemon service installation
+- ensures Docker is installed before Docker initialization during Onebox startup
+- preserves automatic Docker Swarm initialization on fresh servers
+
+## 2026-03-16 - 1.14.4 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.14.3 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.14.2 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.14.1 - fix(repo)
+
+no changes to commit
+
+## 2026-03-16 - 1.14.0 - feat(daemon)
+
+auto-install Docker and initialize Swarm during daemon service setup
+
+- Adds a Docker availability check before installing the Onebox daemon service
+- Installs Docker automatically when it is missing using the standard installation script
+- Attempts to initialize Docker Swarm after installation and handles already-initialized environments gracefully
+
+## 2026-03-16 - 1.13.17 - fix(ci)
+
+remove forced container image pulling from Gitea workflow jobs
+
+- Drops the `--pull always` container option from CI, npm publish, and release workflows.
+- Keeps workflow container images unchanged while avoiding forced pulls on every job run.
+
+## 2026-03-16 - 1.13.16 - fix(ci)
+
+refresh workflow container images on every run and bump @apiclient.xyz/docker to ^5.1.1
+
+- add --pull always to CI, release, and npm publish workflow containers to avoid stale images
+- update @apiclient.xyz/docker from ^5.1.0 to ^5.1.1 in deno.json
+
+## 2026-03-15 - 1.13.15 - fix(repo)
+
+no changes to commit
+
+## 2026-03-15 - 1.13.14 - fix(repo)
+
+no changes to commit
+
+## 2026-03-15 - 1.13.13 - fix(repo)
+
+no changes to commit
+
+## 2026-03-15 - 1.13.12 - fix(ci)
+
+run pnpm install with --ignore-scripts in CI and release workflows
+
+- Update CI workflow dependency installation steps to skip lifecycle scripts during builds.
+- Apply the same install change to the release workflow for consistent automation behavior.
+
+## 2026-03-15 - 1.13.11 - fix(project)
+
+no changes to commit
+
+## 2026-03-15 - 1.13.10 - fix(deps)
+
+bump @git.zone/tsdeno to ^1.2.0
+
+- Updates the tsdeno development dependency from ^1.1.1 to ^1.2.0.
+
+## 2026-03-15 - 1.13.9 - fix(repo)
+
+no changes to commit
+
+## 2026-03-15 - 1.13.8 - fix(repo)
+
+no changes to commit
+
+## 2026-03-15 - 1.13.7 - fix(repo)
+
+no changes to commit
+
+## 2026-03-15 - 1.13.6 - fix(ci)
+
+correct workflow container image registry path
+
+- Update Gitea CI, release, and npm publish workflows to use the corrected ht-docker-node image path
+- Align all workflow container references from hosttoday to host.today to prevent pipeline image resolution issues
+
+## 2026-03-15 - 1.13.5 - fix(workflows)
+
+switch Gitea workflow containers from ht-docker-dbase to ht-docker-node
+
+- Updates the CI, release, and npm publish workflows to use the Node-focused container image consistently.
+- Aligns workflow runtime images with the project's Node and Deno build and publish steps.
+
+## 2026-03-15 - 1.13.4 - fix(ci)
+
+run workflows in the shared build container and enable corepack for pnpm installs
+
+- adds the ht-docker-dbase container image to CI, release, and npm publish workflows
+- enables corepack before pnpm install in build and release jobs to ensure package manager availability
+
+## 2026-03-15 - 1.13.3 - fix(build)
+
+replace custom Deno compile scripts with tsdeno-based binary builds in CI and release workflows
+
+- adds @git.zone/tsdeno as a dev dependency and configures compile targets in npmextra.json
+- updates CI and release workflows to install Node.js dependencies before running tsdeno compile
+- removes the legacy scripts/compile-all.sh script and points the compile task to tsdeno compile
+
+## 2026-03-15 - 1.13.2 - fix(scripts)
+
+install production dependencies before compiling binaries and exclude local node_modules from builds
+
+- Adds a dependency installation step using the application entrypoint before cross-platform compilation
+- Updates all deno compile targets to use --node-modules-dir=none to avoid bundling local node_modules
+
+## 2026-03-15 - 1.13.1 - fix(deno)
+
+remove nodeModulesDir from Deno configuration
+
+- Drops the explicit nodeModulesDir setting from deno.json.
+- Keeps the package version unchanged at 1.13.0 while simplifying runtime configuration.
+
+## 2026-03-15 - 1.13.0 - feat(install)
+
+improve installer with version selection, service restart handling, and upgrade documentation
+
+- Adds installer command-line options for help, specific version selection, and custom install directory.
+- Fetches the latest release from the Gitea API when no version is provided and installs the matching platform binary.
+- Preserves Onebox data directories, stops and restarts the systemd service during updates, and refreshes installation instructions in the README including upgrade usage.
+
+## 2026-03-15 - 1.12.1 - fix(package.json)
+
+update package metadata
+
+- Single metadata-only file changed (+1, -1)
+- No source code or runtime behavior modified; safe patch release
+
+## 2026-03-15 - 1.12.0 - feat(cli,release)
+
+add self-upgrade command and automate CI, release, and npm publishing workflows
+
+- adds a new `onebox upgrade` CLI command that checks the latest release and reinstalls the current binary via the installer script
+- introduces Gitea CI workflows for type checks, build verification, multi-platform binary compilation, release creation, and npm publishing
+- adds a reusable release template describing installation options, supported platforms, and checksum availability
+
+## 2026-03-03 - 1.11.0 - feat(services)
+
+map backend service data to UI components, add stats & logs parsing, fetch service stats, and fix logs request param
+
+- Fix: rename service logs request property from 'lines' to 'tail' when calling typedRequest
+- Add data transformation helpers: formatBytes, parseImageString, mapStatus, toServiceDetail, toServiceStats, parseLogs
+- Transform service list and detail props to match @serve.zone/catalog component interfaces (map status, image, repo/tag, timestamps, registry)
+- Dispatch fetchServiceStatsAction on service click and surface transformed stats with default values to avoid nulls
+- Parse and normalize logs into timestamp/message pairs for the detail view
+
+## 2026-03-02 - 1.10.3 - fix(bin)
+
+make bin/onebox-wrapper.js executable
+
+- Metadata-only change: file mode updated for bin/onebox-wrapper.js to include the executable bit
+- No source or behavior changes to the code
+
+## 2026-03-02 - 1.10.2 - fix(build)
+
+update build/watch configuration, switch to esbuild bundler and tswatch, and bump catalog and tooling dependencies
+
+- Switch watch script to 'tswatch' (replaced previous concurrently command invoking deno + tswatch).
+- npmextra.json: set bundler to 'esbuild', enable production mode, include html/index.html in the bundle, and extend watchPatterns to include ./html/\*_/_.
+- Backend watcher: expanded watch globs and changed command to include --unstable-ffi and runtime flags (--ephemeral --monitor); restart and debounce kept.
+- Bump runtime deps: @design.estate/dees-catalog -> ^3.43.3, @serve.zone/catalog -> ^2.5.0.
+- Bump devDependencies: @git.zone/tsbundle -> ^2.9.0, @git.zone/tswatch -> ^3.2.0.
+
+## 2026-02-24 - 1.10.1 - fix(package.json)
+
+update package metadata
+
+- Single metadata-only file changed (+1 -1)
+- No source code or runtime behavior modified; safe patch release
+- Current package version is 1.10.0; recommend patch bump to 1.10.1
+
+## 2026-02-24 - 1.10.0 - feat(opsserver)
+
+introduce OpsServer (TypedRequest API) and new lightweight web UI; replace legacy Angular UI and add typed interfaces
+
+- Add OpsServer (ts/opsserver) with TypedRequest handlers for admin, services, platform, dns, domains, registry, network, backups, schedules, settings and logs.
+- Integrate typedrequest/typedserver and smartjwt/smartguard plugins (ts/plugins.ts) and add comprehensive ts_interfaces for requests and data shapes.
+- Replace legacy HTTP server usage with OpsServer throughout daemon, Onebox class and CLI (ts/classes/daemon.ts, ts/classes/onebox.ts, ts/cli.ts).
+- Implement log streaming via VirtualStream and support for downloading/restoring backups and registry token management within handlers.
+- Introduce new web UI built with dees-element web components under ts_web (ob-app-shell and views) and bundle/watch tooling (npmextra.json, tsbundle/tswatch integration).
+- Update package.json: add build/watch scripts, tsbundle/tswatch dev deps and new runtime dependencies for typedrequest and catalog components.
+- Remove large Angular-based ui application and related services/components in ui/ (major cleanup of Angular code and assets).
+- Note: This adds many new endpoints and internal API changes (TypedRequest-based); consumers of the old UI/HTTP endpoints should migrate to the new OpsServer TypedRequest API and web components.
+
+## 2025-12-03 - 1.9.2 - fix(ui)
+
+Add VS Code configs for the UI workspace and normalize dark theme CSS variables
+
+- Add VS Code workspace files under ui/.vscode:
+- - extensions.json: recommend the Angular language support extension
+- - launch.json: Chrome launch configurations for 'ng serve' and 'ng test' (preLaunchTask hooks)
+- - tasks.json: npm 'start' and 'test' tasks with a background TypeScript problem matcher to improve dev workflow
+- Update ui/src/styles.css dark theme variables to use neutral black/gray HSL values for background, foreground, cards, popovers, accents, borders, inputs and ring to improve contrast and consistency
+
+## 2025-11-27 - 1.9.1 - fix(ui)
+
+Correct import success toast and add VS Code launch/tasks recommendations for the UI
+
+- Fix backup import success toast in backups-tab.component to reference response.data.service.name (previously response.data.serviceName), preventing incorrect service name display.
+- Add VS Code workspace settings for the UI: extensions recommendation, launch configurations for 'ng serve' and 'ng test', and npm tasks for start/test to simplify local development and debugging.
+
+## 2025-11-27 - 1.9.0 - feat(backups)
+
+Add backup import API and improve backup download/import flow in UI
+
+- Backend: add /api/backups/import endpoint to accept multipart file uploads or JSON with a URL and import backups (saves temp file, validates .tar.enc, calls backupManager.restoreBackup in import mode).
+- Backend: server-side import handler downloads remote backup URLs, stores temporary file, invokes restore/import logic and cleans up temp files.
+- Frontend: add downloadBackup, importBackupFromFile and importBackupFromUrl methods to ApiService; trigger browser download using Blob and object URL with Authorization header.
+- Frontend: replace raw download link in service detail UI with a Download button that calls downloadBackup and shows success/error toasts.
+- Dev: add VS Code launch, tasks and recommended extensions for the ui workspace to simplify local development.
+
+## 2025-11-27 - 1.8.0 - feat(backup)
+
+Add backup scheduling system with GFS retention, API and UI integration
+
+- Introduce backup scheduling subsystem (BackupScheduler) and integrate it into Onebox lifecycle (init & shutdown)
+- Extend BackupManager.createBackup to accept schedule metadata (scheduleId) so scheduled runs are tracked
+- Add GFS-style retention policy support (IRetentionPolicy + RETENTION_PRESETS) and expose per-tier retention in types
+- Database migrations and repository changes: create backups and backup_schedules tables, add schedule_id, per-tier retention columns, and scope (all/pattern/service) support (migrations up to version 12)
+- HTTP API: add backup schedule endpoints (GET/POST/PUT/DELETE /api/backup-schedules), trigger endpoint (/api/backup-schedules/:id/trigger), and service-scoped schedule endpoints
+- UI: add API client methods for backup schedules and register a Backups tab in Services UI to surface schedules/backups
+- Add task scheduling dependency (@push.rocks/taskbuffer) and export it via plugins.ts; update deno.json accordingly
+- Type and repository updates across codebase to support schedule-aware backups, schedule CRUD, and retention enforcement
+
+## 2025-11-27 - 1.7.0 - feat(backup)
+
+Add backup system: BackupManager, DB schema, API endpoints and UI support
+
+Introduce a complete service backup/restore subsystem with encrypted archives, database records and REST endpoints. Implements BackupManager with export/import for service config, platform resources (MongoDB, MinIO, ClickHouse), and Docker images; adds BackupRepository and migrations for backups table and include_image_in_backup; integrates backup flows into the HTTP API and the UI client; exposes backup password management and restore modes (restore/import/clone). Wire BackupManager into Onebox initialization.
+
+- Add BackupManager implementing create/restore/export/import/encrypt/decrypt workflows (service config, platform resource dumps, Docker image export/import) and support for restore modes: restore, import, clone.
+- Add BackupRepository and database migrations: create backups table and add include_image_in_backup column to services; database API methods for create/get/list/delete backups.
+- Add HTTP API endpoints for backup management: list/create/get/download/delete backups, restore backups (/api/backups/restore) and backup password endpoints (/api/settings/backup-password).
+- Update UI ApiService and types: add IBackup, IRestoreOptions, IRestoreResult, IBackupPasswordStatus and corresponding ApiService methods (getBackups, createBackup, getBackup, deleteBackup, getBackupDownloadUrl, restoreBackup, setBackupPassword, checkBackupPassword).
+- Expose includeImageInBackup flag on service model and persist it in ServiceRepository (defaults to true for existing rows); service update flow supports toggling this option.
+- Integrate BackupManager into Onebox core (initialized in Onebox constructor) and wire HTTP handlers to use the new manager; add DB repository export/import glue so backups are stored and referenced by ID.
+
+## 2025-11-27 - 1.6.0 - feat(ui.dashboard)
+
+Add Resource Usage card to dashboard and make dashboard cards full-height; add VSCode launch/tasks/config
+
+- Introduce ResourceUsageCardComponent and include it as a full-width row in the dashboard layout.
+- Make several dashboard card components (Certificates, Traffic, Platform Services) full-height by adding host classes and applying h-full to ui-card elements for consistent card sizing.
+- Reflow dashboard rows (insert Resource Usage as a dedicated row and update row numbering) to improve visual layout.
+- Add VSCode workspace configuration: recommended Angular extension, launch configurations for ng serve/ng test, and npm tasks to run/start the UI in development.
+
+## 2025-11-27 - 1.5.0 - feat(network)
+
+Add traffic stats endpoint and dashboard UI; enhance platform services and certificate health reporting
+
+- Add /api/network/traffic-stats GET endpoint to the HTTP API with an optional minutes query parameter (validated, 1-60).
+- Implement traffic statistics aggregation in CaddyLogReceiver using rolling per-minute buckets (requestCount, errorCount, avgResponseTime, totalBytes, statusCounts, requestsPerMinute, errorRate).
+- Expose getTrafficStats(minutes?) in the Angular ApiService and add ITrafficStats type to the client API types.
+- Add dashboard UI components: TrafficCard, PlatformServicesCard, CertificatesCard and integrate them into the main Dashboard (including links to Platform Services).
+- Enhance system status data: platformServices entries now include displayName and resourceCount; add certificateHealth summary (valid, expiringSoon, expired, expiringDomains) returned by Onebox status.
+- Platform services manager and Onebox code updated to surface provider information and resource counts for the UI.
+- Add VSCode workspace launch/tasks recommendations for the UI development environment.
+
+## 2025-11-26 - 1.4.0 - feat(platform-services)
+
+Add ClickHouse platform service support and improve related healthchecks and tooling
+
+- Add ClickHouse as a first-class platform service: register provider, provision/cleanup support and env var injection
+- Expose ClickHouse endpoints in the HTTP API routing (list/get/start/stop/stats) and map default port (8123)
+- Enable services to request ClickHouse as a platform requirement (enableClickHouse / platformRequirements) during deploy/provision flows
+- Fix ClickHouse container health check to use absolute wget path (/usr/bin/wget) for more reliable in-container checks
+- Add VS Code workspace launch/tasks/extensions configs for the UI (ui/.vscode/\*) to improve local dev experience
+
 ## 2025-11-26 - 1.3.0 - feat(platform-services)
+
 Add ClickHouse platform service support (provider, types, provisioning, UI and port mappings)

 - Introduce ClickHouse as a first-class platform service: added ClickHouseProvider and registered it in PlatformServicesManager
 - Support provisioning ClickHouse resources for user services and storing encrypted credentials in platform_resources
 - Add ClickHouse to core types (TPlatformServiceType, IPlatformRequirements, IServiceDeployOptions) and service DB handling so services can request ClickHouse
- Inject ClickHouse-related environment variables into deployed services (CLICKHOUSE_* mappings) when provisioning resources
+- Inject ClickHouse-related environment variables into deployed services (CLICKHOUSE\_\* mappings) when provisioning resources
 - Expose ClickHouse default port (8123) in platform port mappings / network targets
 - UI: add checkbox and description for enabling ClickHouse during service creation; form now submits enableClickHouse
 - Add VS Code recommendations and launch/tasks for the UI development workflow

 ## 2025-11-26 - 1.2.1 - fix(platform-services/minio)
+
 Improve MinIO provider: reuse existing data and credentials, use host-bound port for provisioning, and safer provisioning/deprovisioning

 - MinIO provider now detects existing data directory and will reuse stored admin credentials when available instead of regenerating them.
@@ -22,15 +584,17 @@ Improve MinIO provider: reuse existing data and credentials, use host-bound port
 - Added VSCode workspace files (extensions, launch, tasks) for the ui project to improve developer experience.

 ## 2025-11-26 - 1.2.0 - feat(ui)
+
 Sync UI tab state with URL and update routes/links

- Add VSCode workspace recommendations, launch and tasks configs for the UI (ui/.vscode/*)
+- Add VSCode workspace recommendations, launch and tasks configs for the UI (ui/.vscode/\*)
 - Update Angular routes to support tab URL segments and default redirects for services, network and registries
 - Change service detail route to use explicit 'detail/:name' path and update links accordingly
 - Make ServicesList, Registries and Network components read tab from route params and navigate on tab changes; add ngOnDestroy to unsubscribe
 - Update Domain detail template link to point to the new services detail route

 ## 2025-11-26 - 1.1.0 - feat(platform-services)
+
 Add platform service log streaming, improve health checks and provisioning robustness

 - Add WebSocket log streaming support for platform services (backend + UI) to stream MinIO/MongoDB/Caddy logs in real time
@@ -50,6 +614,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]

 ### Added
+
 - Initial project structure
 - Core architecture classes
 - Docker container management
@@ -68,4 +633,5 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.0.0] - TBD

 ### Added
+
 - First stable release
@@ -1,12 +1,11 @@
 {
  "name": "@serve.zone/onebox",
-  "version": "1.3.0",
+  "version": "1.24.2",
  "exports": "./mod.ts",
-  "nodeModulesDir": "auto",
  "tasks": {
    "test": "deno test --allow-all test/",
    "test:watch": "deno test --allow-all --watch test/",
-    "compile": "bash scripts/compile-all.sh",
+    "compile": "tsdeno compile",
    "dev": "pnpm run watch"
  },
  "imports": {
@@ -16,12 +15,19 @@
    "@std/assert": "jsr:@std/assert@^1.0.15",
    "@std/encoding": "jsr:@std/encoding@^1.0.10",
    "@db/sqlite": "jsr:@db/sqlite@0.12.0",
-    "@push.rocks/smartdaemon": "npm:@push.rocks/smartdaemon@^2.1.0",
-    "@apiclient.xyz/docker": "npm:@apiclient.xyz/docker@^5.1.0",
+    "@apiclient.xyz/docker": "npm:@apiclient.xyz/docker@^5.1.1",
    "@apiclient.xyz/cloudflare": "npm:@apiclient.xyz/cloudflare@6.4.3",
    "@push.rocks/smartacme": "npm:@push.rocks/smartacme@^8.0.0",
    "@push.rocks/smartregistry": "npm:@push.rocks/smartregistry@^2.2.0",
-    "@push.rocks/smarts3": "npm:@push.rocks/smarts3@^5.1.0"
+    "@push.rocks/smartstorage": "npm:@push.rocks/smartstorage@^6.3.0",
+    "@push.rocks/taskbuffer": "npm:@push.rocks/taskbuffer@^3.1.0",
+    "@api.global/typedrequest-interfaces": "npm:@api.global/typedrequest-interfaces@^3.0.19",
+    "@api.global/typedrequest": "npm:@api.global/typedrequest@^3.2.6",
+    "@api.global/typedserver": "npm:@api.global/typedserver@^8.3.1",
+    "@push.rocks/smartguard": "npm:@push.rocks/smartguard@^3.1.0",
+    "@push.rocks/smartjwt": "npm:@push.rocks/smartjwt@^2.2.1",
+    "@api.global/typedsocket": "npm:@api.global/typedsocket@^4.1.2",
+    "@serve.zone/containerarchive": "npm:@serve.zone/containerarchive@^0.1.3"
  },
  "compilerOptions": {
    "lib": [
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta
+      name="viewport"
+      content="user-scalable=0, initial-scale=1, maximum-scale=1, minimum-scale=1, width=device-width, height=device-height"
+    />
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <meta name="theme-color" content="#000000" />
+    <title>Onebox</title>
+    <link rel="preconnect" href="https://assetbroker.lossless.one/" crossorigin>
+    <link rel="stylesheet" href="https://assetbroker.lossless.one/fonts/fonts.css">
+    <style>
+      html {
+        -ms-text-size-adjust: 100%;
+        -webkit-text-size-adjust: 100%;
+      }
+      body {
+        position: relative;
+        background: #000;
+        margin: 0px;
+      }
+    </style>
+  </head>
+  <body>
+    <noscript>
+      <p style="color: #fff; text-align: center; margin-top: 100px;">
+        JavaScript is required to run the Onebox dashboard.
+      </p>
+    </noscript>
+  </body>
+  <script defer type="module" src="/bundle.js"></script>
+</html>
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta
+      name="viewport"
+      content="user-scalable=0, initial-scale=1, maximum-scale=1, minimum-scale=1, width=device-width, height=device-height"
+    />
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <meta name="theme-color" content="#000000" />
+    <title>Onebox</title>
+    <link rel="preconnect" href="https://assetbroker.lossless.one/" crossorigin>
+    <link rel="stylesheet" href="https://assetbroker.lossless.one/fonts/fonts.css">
+    <style>
+      html {
+        -ms-text-size-adjust: 100%;
+        -webkit-text-size-adjust: 100%;
+      }
+      body {
+        position: relative;
+        background: #000;
+        margin: 0px;
+      }
+    </style>
+  </head>
+  <body>
+    <noscript>
+      <p style="color: #fff; text-align: center; margin-top: 100px;">
+        JavaScript is required to run the Onebox dashboard.
+      </p>
+    </noscript>
+  </body>
+  <script defer type="module" src="/bundle.js"></script>
+</html>
@@ -1,192 +1,310 @@
 #!/bin/bash
+
+# Onebox Installer Script
+# Downloads and installs pre-compiled Onebox binary from Gitea releases
 #
-# Onebox installer script
+# Usage:
+#   Direct piped installation (recommended):
+#     curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash
 #
+#   With version specification:
+#     curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash -s -- --version v1.11.0
+#
+# Options:
+#   -h, --help             Show this help message
+#   --version VERSION      Install specific version (e.g., v1.11.0)
+#   --install-dir DIR      Installation directory (default: /opt/onebox)

 set -e

-# Configuration
-REPO_URL="https://code.foss.global/serve.zone/onebox"
+# Default values
+SHOW_HELP=0
+SPECIFIED_VERSION=""
 INSTALL_DIR="/opt/onebox"
-BIN_LINK="/usr/local/bin/onebox"
+GITEA_BASE_URL="https://code.foss.global"
+GITEA_REPO="serve.zone/onebox"
+SERVICE_NAME="onebox"

-# Colors
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
-NC='\033[0m' # No Color
+# Parse command line arguments
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -h|--help)
+      SHOW_HELP=1
+      shift
+      ;;
+    --version)
+      SPECIFIED_VERSION="$2"
+      shift 2
+      ;;
+    --install-dir)
+      INSTALL_DIR="$2"
+      shift 2
+      ;;
+    *)
+      echo "Unknown option: $1"
+      echo "Use -h or --help for usage information"
+      exit 1
+      ;;
+  esac
+done

-# Functions
-error() {
-    echo -e "${RED}Error: $1${NC}" >&2
-    exit 1
-}
-
-info() {
-    echo -e "${GREEN}$1${NC}"
-}
-
-warn() {
-    echo -e "${YELLOW}$1${NC}"
-}
-
-# Detect platform and architecture
-detect_platform() {
-    OS=$(uname -s | tr '[:upper:]' '[:lower:]')
-    ARCH=$(uname -m)
-
-    case "$OS" in
-        linux)
-            PLATFORM="linux"
-            ;;
-        darwin)
-            PLATFORM="macos"
-            ;;
-        *)
-            error "Unsupported operating system: $OS"
-            ;;
-    esac
-
-    case "$ARCH" in
-        x86_64|amd64)
-            ARCH="x64"
-            ;;
-        aarch64|arm64)
-            ARCH="arm64"
-            ;;
-        *)
-            error "Unsupported architecture: $ARCH"
-            ;;
-    esac
-
-    BINARY_NAME="onebox-${PLATFORM}-${ARCH}"
-}
-
-# Get latest version from Gitea API
-get_latest_version() {
-    info "Fetching latest version..."
-    VERSION=$(curl -s "${REPO_URL}/releases" | grep -o '"tag_name":"v[^"]*' | head -1 | cut -d'"' -f4 | cut -c2-)
-
-    if [ -z "$VERSION" ]; then
-        warn "Could not fetch latest version, using 'main' branch"
-        VERSION="main"
-    else
-        info "Latest version: v${VERSION}"
-    fi
-}
+if [ $SHOW_HELP -eq 1 ]; then
+  echo "Onebox Installer Script"
+  echo "Downloads and installs pre-compiled Onebox binary"
+  echo ""
+  echo "Usage: $0 [options]"
+  echo ""
+  echo "Options:"
+  echo "  -h, --help             Show this help message"
+  echo "  --version VERSION      Install specific version (e.g., v1.11.0)"
+  echo "  --install-dir DIR      Installation directory (default: /opt/onebox)"
+  echo ""
+  echo "Examples:"
+  echo "  # Install latest version"
+  echo "  curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash"
+  echo ""
+  echo "  # Install specific version"
+  echo "  curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash -s -- --version v1.11.0"
+  exit 0
+fi

 # Check if running as root
-check_root() {
-    if [ "$EUID" -ne 0 ]; then
-        error "This script must be run as root (use sudo)"
-    fi
+if [ "$EUID" -ne 0 ]; then
+  echo "Please run as root (sudo bash install.sh or pipe to sudo bash)"
+  exit 1
+fi
+
+# Helper function to detect OS and architecture
+detect_platform() {
+  local os=$(uname -s)
+  local arch=$(uname -m)
+
+  # Map OS
+  case "$os" in
+    Linux)
+      os_name="linux"
+      ;;
+    Darwin)
+      os_name="macos"
+      ;;
+    MINGW*|MSYS*|CYGWIN*)
+      os_name="windows"
+      ;;
+    *)
+      echo "Error: Unsupported operating system: $os"
+      echo "Supported: Linux, macOS, Windows"
+      exit 1
+      ;;
+  esac
+
+  # Map architecture
+  case "$arch" in
+    x86_64|amd64)
+      arch_name="x64"
+      ;;
+    aarch64|arm64)
+      arch_name="arm64"
+      ;;
+    *)
+      echo "Error: Unsupported architecture: $arch"
+      echo "Supported: x86_64/amd64 (x64), aarch64/arm64 (arm64)"
+      exit 1
+      ;;
+  esac
+
+  # Construct binary name
+  if [ "$os_name" = "windows" ]; then
+    echo "onebox-${os_name}-${arch_name}.exe"
+  else
+    echo "onebox-${os_name}-${arch_name}"
+  fi
 }

+# Get latest release version from Gitea API
+get_latest_version() {
+  echo "Fetching latest release version from Gitea..." >&2
+
+  local api_url="${GITEA_BASE_URL}/api/v1/repos/${GITEA_REPO}/releases/latest"
+  local response=$(curl -sSL "$api_url" 2>/dev/null)
+
+  if [ $? -ne 0 ] || [ -z "$response" ]; then
+    echo "Error: Failed to fetch latest release information from Gitea API" >&2
+    echo "URL: $api_url" >&2
+    exit 1
+  fi
+
+  # Extract tag_name from JSON response
+  local version=$(echo "$response" | grep -o '"tag_name":"[^"]*"' | cut -d'"' -f4)
+
+  if [ -z "$version" ]; then
+    echo "Error: Could not determine latest version from API response" >&2
+    exit 1
+  fi
+
+  echo "$version"
+}
+
+# Main installation process
+echo "================================================"
+echo "  Onebox Installation Script"
+echo "================================================"
+echo ""
+
+# Detect platform
+BINARY_NAME=$(detect_platform)
+echo "Detected platform: $BINARY_NAME"
+echo ""
+
+# Determine version to install
+if [ -n "$SPECIFIED_VERSION" ]; then
+  VERSION="$SPECIFIED_VERSION"
+  echo "Installing specified version: $VERSION"
+else
+  VERSION=$(get_latest_version)
+  echo "Installing latest version: $VERSION"
+fi
+echo ""
+
+# Construct download URL
+DOWNLOAD_URL="${GITEA_BASE_URL}/${GITEA_REPO}/releases/download/${VERSION}/${BINARY_NAME}"
+echo "Download URL: $DOWNLOAD_URL"
+echo ""
+
+# Check if service is running and stop it
+SERVICE_WAS_RUNNING=0
+if systemctl is-enabled --quiet "$SERVICE_NAME" 2>/dev/null || systemctl is-active --quiet "$SERVICE_NAME" 2>/dev/null; then
+  SERVICE_WAS_RUNNING=1
+  if systemctl is-active --quiet "$SERVICE_NAME" 2>/dev/null; then
+    echo "Stopping Onebox service..."
+    systemctl stop "$SERVICE_NAME"
+  fi
+fi
+
+# Clean installation directory - ensure only binary exists
+if [ -d "$INSTALL_DIR" ]; then
+  echo "Cleaning installation directory: $INSTALL_DIR"
+  rm -rf "$INSTALL_DIR"
+fi
+
+# Create fresh installation directory
+echo "Creating installation directory: $INSTALL_DIR"
+mkdir -p "$INSTALL_DIR"
+
 # Download binary
-download_binary() {
-    info "Downloading Onebox ${VERSION} for ${PLATFORM}-${ARCH}..."
+echo "Downloading Onebox binary..."
+TEMP_FILE="$INSTALL_DIR/onebox.download"
+curl -sSL "$DOWNLOAD_URL" -o "$TEMP_FILE"

-    # Create temp directory
-    TMP_DIR=$(mktemp -d)
-    TMP_FILE="${TMP_DIR}/${BINARY_NAME}"
+if [ $? -ne 0 ]; then
+  echo "Error: Failed to download binary from $DOWNLOAD_URL"
+  echo ""
+  echo "Please check:"
+  echo "  1. Your internet connection"
+  echo "  2. The specified version exists: ${GITEA_BASE_URL}/${GITEA_REPO}/releases"
+  echo "  3. The platform binary is available for this release"
+  rm -f "$TEMP_FILE"
+  exit 1
+fi

-    # Try release download first
-    if [ "$VERSION" != "main" ]; then
-        DOWNLOAD_URL="${REPO_URL}/releases/download/v${VERSION}/${BINARY_NAME}"
-    else
-        DOWNLOAD_URL="${REPO_URL}/raw/branch/main/dist/binaries/${BINARY_NAME}"
-    fi
+# Check if download was successful (file exists and not empty)
+if [ ! -s "$TEMP_FILE" ]; then
+  echo "Error: Downloaded file is empty or does not exist"
+  rm -f "$TEMP_FILE"
+  exit 1
+fi

-    if ! curl -L -f -o "$TMP_FILE" "$DOWNLOAD_URL"; then
-        error "Failed to download binary from $DOWNLOAD_URL"
-    fi
+# Move to final location
+BINARY_PATH="$INSTALL_DIR/onebox"
+mv "$TEMP_FILE" "$BINARY_PATH"

-    # Verify download
-    if [ ! -f "$TMP_FILE" ] || [ ! -s "$TMP_FILE" ]; then
-        error "Downloaded file is empty or missing"
-    fi
+if [ $? -ne 0 ] || [ ! -f "$BINARY_PATH" ]; then
+  echo "Error: Failed to move binary to $BINARY_PATH"
+  rm -f "$TEMP_FILE" 2>/dev/null
+  exit 1
+fi

-    info "✓ Download complete"
-}
+# Make executable
+chmod +x "$BINARY_PATH"

-# Install binary
-install_binary() {
-    info "Installing Onebox to ${INSTALL_DIR}..."
+if [ $? -ne 0 ]; then
+  echo "Error: Failed to make binary executable"
+  exit 1
+fi

-    # Create install directory
-    mkdir -p "$INSTALL_DIR"
+echo "Binary installed successfully to: $BINARY_PATH"
+echo ""

-    # Copy binary
-    cp "$TMP_FILE" "${INSTALL_DIR}/onebox"
-    chmod +x "${INSTALL_DIR}/onebox"
+# Check if /usr/local/bin is in PATH
+if [[ ":$PATH:" == *":/usr/local/bin:"* ]]; then
+  BIN_DIR="/usr/local/bin"
+else
+  BIN_DIR="/usr/bin"
+fi

-    # Create symlink
-    ln -sf "${INSTALL_DIR}/onebox" "$BIN_LINK"
+# Create symlink for global access
+ln -sf "$BINARY_PATH" "$BIN_DIR/onebox"
+echo "Symlink created: $BIN_DIR/onebox -> $BINARY_PATH"
+echo ""

-    # Cleanup temp files
-    rm -rf "$TMP_DIR"
+# Create data directories
+mkdir -p /var/lib/onebox
+mkdir -p /var/www/certbot

-    info "✓ Installation complete"
-}
+# Re-enable and restart service if it was previously running (refreshes unit file)
+if [ $SERVICE_WAS_RUNNING -eq 1 ]; then
+  echo "Refreshing systemd service..."
+  onebox systemd enable
+  echo "Restarting Onebox service..."
+  systemctl restart "$SERVICE_NAME"
+  echo "Service restarted successfully."
+  echo ""
+fi

-# Initialize database and config
-initialize() {
-    info "Initializing Onebox..."
+echo "================================================"
+echo "  Onebox Installation Complete!"
+echo "================================================"
+echo ""
+echo "Installation details:"
+echo "  Binary location: $BINARY_PATH"
+echo "  Symlink location: $BIN_DIR/onebox"
+echo "  Version: $VERSION"
+echo ""

-    # Create data directory
-    mkdir -p /var/lib/onebox
-
-    # Create certbot directory for ACME challenges
-    mkdir -p /var/www/certbot
-
-    info "✓ Initialization complete"
-}
-
-# Print success message
-print_success() {
-    echo ""
-    info "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-    info "  Onebox installed successfully!"
-    info "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-    echo ""
-    echo "Next steps:"
-    echo ""
-    echo "1. Configure Cloudflare (optional):"
-    echo "   onebox config set cloudflareAPIKey <key>"
-    echo "   onebox config set cloudflareEmail <email>"
-    echo "   onebox config set cloudflareZoneID <zone-id>"
-    echo "   onebox config set serverIP <your-server-ip>"
-    echo ""
-    echo "2. Configure ACME email:"
-    echo "   onebox config set acmeEmail <your@email.com>"
-    echo ""
-    echo "3. Install daemon:"
-    echo "   onebox daemon install"
-    echo ""
-    echo "4. Start daemon:"
-    echo "   onebox daemon start"
-    echo ""
-    echo "5. Deploy your first service:"
-    echo "   onebox service add myapp --image nginx:latest --domain app.example.com"
-    echo ""
-    echo "Web UI: http://localhost:3000"
-    echo "Default credentials: admin / admin"
-    echo ""
-}
-
-# Main installation flow
-main() {
-    info "Onebox Installer"
-    echo ""
-
-    check_root
-    detect_platform
-    get_latest_version
-    download_binary
-    install_binary
-    initialize
-    print_success
-}
-
-# Run main function
-main
+# Check if database exists (indicates existing installation)
+if [ -f "/var/lib/onebox/onebox.db" ]; then
+  echo "Data directory: /var/lib/onebox (preserved)"
+  echo ""
+  echo "Your existing data has been preserved."
+  if [ $SERVICE_WAS_RUNNING -eq 1 ]; then
+    echo "The service has been restarted with your current settings."
+  else
+    echo "Start the service with: onebox systemd start"
+  fi
+else
+  echo "Get started:"
+  echo ""
+  echo "  onebox --version"
+  echo "  onebox --help"
+  echo ""
+  echo "  1. Configure Cloudflare (optional):"
+  echo "     onebox config set cloudflareAPIKey <key>"
+  echo "     onebox config set cloudflareEmail <email>"
+  echo "     onebox config set cloudflareZoneID <zone-id>"
+  echo "     onebox config set serverIP <your-server-ip>"
+  echo ""
+  echo "  2. Configure ACME email:"
+  echo "     onebox config set acmeEmail <your@email.com>"
+  echo ""
+  echo "  3. Enable systemd service:"
+  echo "     onebox systemd enable"
+  echo ""
+  echo "  4. Start service:"
+  echo "     onebox systemd start"
+  echo ""
+  echo "  5. Deploy your first service:"
+  echo "     onebox service add myapp --image nginx:latest --domain app.example.com"
+  echo ""
+  echo "  Web UI: http://localhost:3000"
+  echo "  Default credentials: admin / admin"
+fi
+echo ""
@@ -1,6 +1,6 @@
 {
  "name": "@serve.zone/onebox",
-  "version": "1.3.0",
+  "version": "1.24.2",
  "description": "Self-hosted container platform with automatic SSL and DNS - a mini Heroku for single servers",
  "main": "mod.ts",
  "type": "module",
@@ -9,7 +9,9 @@
  },
  "scripts": {
    "postinstall": "node scripts/install-binary.js",
-    "watch": "concurrently --kill-others --names \"BACKEND,UI\" --prefix-colors \"cyan,magenta\" \"deno run --allow-all --unstable-ffi --watch mod.ts server --ephemeral --monitor\" \"cd ui && pnpm run watch\""
+    "watch": "tswatch",
+    "build": "tsbundle",
+    "bundle": "tsbundle"
  },
  "keywords": [
    "docker",
@@ -51,8 +53,20 @@
    "arm64"
  ],
  "packageManager": "pnpm@10.18.1+sha512.77a884a165cbba2d8d1c19e3b4880eee6d2fcabd0d879121e282196b80042351d5eb3ca0935fa599da1dc51265cc68816ad2bddd2a2de5ea9fdf92adbec7cd34",
-  "dependencies": {},
+  "dependencies": {
+    "@api.global/typedrequest-interfaces": "^3.0.19",
+    "@api.global/typedsocket": "^4.1.2",
+    "@design.estate/dees-catalog": "^3.49.0",
+    "@design.estate/dees-element": "^2.1.6",
+    "@serve.zone/catalog": "^2.9.0"
+  },
  "devDependencies": {
-    "concurrently": "^9.1.2"
+    "@git.zone/tsbundle": "^2.10.0",
+    "@git.zone/tsdeno": "^1.3.1",
+    "@git.zone/tswatch": "^3.3.2"
+  },
+  "private": true,
+  "pnpm": {
+    "overrides": {}
  }
 }
@@ -3,6 +3,7 @@
 ## SSL Certificate Storage (November 2025)

 SSL certificates are now stored directly in the SQLite database as PEM content instead of file paths:
+
 - `ISslCertificate` and `ICertificate` interfaces use `certPem`, `keyPem`, `fullchainPem` properties
 - Database migration 8 converted the `certificates` table schema
 - No filesystem storage for certificates - everything in DB
@@ -16,6 +17,7 @@ SSL certificates are now stored directly in the SQLite database as PEM content i
 The database layer has been refactored into a repository pattern:

 **Directory Structure:**
+
 ```
 ts/database/
 ├── index.ts              # Main OneboxDatabase class (composes repositories, handles migrations)
@@ -32,10 +34,12 @@ ts/database/
 ```

 **Import paths:**
+
 - Main: `import { OneboxDatabase } from './database/index.ts'`
 - Legacy (deprecated): `import { OneboxDatabase } from './classes/database.ts'` (re-exports from new location)

 **API Compatibility:**
+
 - The `OneboxDatabase` class maintains the same public API
 - All methods delegate to the appropriate repository
 - No breaking changes for existing code
@@ -49,6 +53,7 @@ Migration 8 converted certificate storage from file paths to PEM content.
 The reverse proxy uses **Caddy** running as a Docker Swarm service for production-grade reverse proxying with native SNI support, HTTP/2, HTTP/3, and WebSocket handling.

 **Architecture:**
+
 - Caddy runs as Docker Swarm service (`onebox-caddy`) on the overlay network
 - No binary download required - uses `caddy:2-alpine` Docker image
 - Configuration pushed dynamically via Caddy Admin API (port 2019)
@@ -57,10 +62,12 @@ The reverse proxy uses **Caddy** running as a Docker Swarm service for productio
 - Services reached by Docker service name (e.g., `onebox-hello-world:80`)

 **Key files:**
+
 - `ts/classes/caddy.ts` - CaddyManager class for Docker service and Admin API
 - `ts/classes/reverseproxy.ts` - Delegates to CaddyManager

 **Certificate workflow:**
+
 1. `CertRequirementManager` creates requirements for domains
 2. Daemon processes requirements via `certmanager.ts`
 3. Certificates stored in database (PEM content)
@@ -68,16 +75,19 @@ The reverse proxy uses **Caddy** running as a Docker Swarm service for productio
 5. Caddy serves TLS with the loaded certificates (no volume mounts needed)

 **Docker Service Configuration:**
+
 - Service name: `onebox-caddy`
 - Image: `caddy:2-alpine`
 - Network: `onebox-network` (overlay, attachable)
 - Startup: Writes initial config with `admin.listen: 0.0.0.0:2019` for host access

 **Port Mapping:**
+
 - Dev mode: HTTP on 8080, HTTPS on 8443, Admin on 2019
 - Production: HTTP on 80, HTTPS on 443, Admin on 2019
 - All ports use `PublishMode: 'host'` for direct binding

 **Log Receiver:**
+
 - Caddy sends access logs to `tcp/172.17.0.1:9999` (Docker bridge gateway)
 - `CaddyLogReceiver` on host receives and processes logs
@@ -22,6 +22,7 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 ## Features ✨

 ### Core Platform
+
 - 🐳 **Docker Swarm Management** - Deploy, scale, and orchestrate services with Swarm mode
 - 🌐 **Caddy Reverse Proxy** - Production-grade proxy running as Docker service with SNI, HTTP/2, HTTP/3
 - 🔒 **Automatic SSL Certificates** - Let's Encrypt integration with hot-reload and renewal monitoring
@@ -30,6 +31,7 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 - 🔄 **Real-time WebSocket Updates** - Live service status, logs, and system events

 ### Monitoring & Management
+
 - 📊 **Metrics Collection** - Historical CPU, memory, and network stats (every 60s)
 - 📝 **Centralized Logging** - Container logs with streaming and retention policies
 - 🎨 **Angular Web UI** - Modern, responsive interface with real-time updates
@@ -37,6 +39,7 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 - 💾 **SQLite Database** - Embedded, zero-configuration storage

 ### Developer Experience
+
 - 🚀 **Auto-update on Push** - Push to registry and services update automatically
 - 🔐 **Private Registry Support** - Use Docker Hub, Gitea, or custom registries
 - 🔄 **Systemd Integration** - Run as a daemon with auto-restart
@@ -47,10 +50,11 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 ### Installation

 ```bash
-# Download the latest release for your platform
-curl -sSL https://code.foss.global/serve.zone/onebox/releases/latest/download/onebox-linux-x64 -o onebox
-chmod +x onebox
-sudo mv onebox /usr/local/bin/
+# One-line install (recommended)
+curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash
+
+# Install a specific version
+curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash -s -- --version v1.11.0

 # Or install from npm
 pnpm install -g @serve.zone/onebox
@@ -74,6 +78,7 @@ onebox service add myapp \
 Open `http://localhost:3000` in your browser.

 **Default credentials:**
+
 - Username: `admin`
 - Password: `admin`

@@ -129,15 +134,15 @@ Onebox is built with modern technologies for performance and developer experienc

 ### Core Components

-| Component | Description |
-|-----------|-------------|
-| **Deno Runtime** | Modern TypeScript with built-in security |
+| Component               | Description                                                          |
+| ----------------------- | -------------------------------------------------------------------- |
+| **Deno Runtime**        | Modern TypeScript with built-in security                             |
 | **Caddy Reverse Proxy** | Docker Swarm service with HTTP/2, HTTP/3, SNI, and WebSocket support |
-| **Docker Swarm** | Container orchestration (all workloads run as services) |
-| **SQLite Database** | Configuration, metrics, and user data |
-| **WebSocket Server** | Real-time bidirectional communication |
-| **Let's Encrypt** | Automatic SSL certificate management |
-| **Cloudflare API** | DNS record automation |
+| **Docker Swarm**        | Container orchestration (all workloads run as services)              |
+| **SQLite Database**     | Configuration, metrics, and user data                                |
+| **WebSocket Server**    | Real-time bidirectional communication                                |
+| **Let's Encrypt**       | Automatic SSL certificate management                                 |
+| **Cloudflare API**      | DNS record automation                                                |

 ## CLI Reference 📖

@@ -242,6 +247,13 @@ onebox config set cloudflareZoneID your-zone-id
 onebox status
 ```

+### Upgrade
+
+```bash
+# Upgrade to the latest version (requires root)
+sudo onebox upgrade
+```
+
 ## Configuration 🔧

 ### System Requirements
@@ -254,11 +266,11 @@ onebox status

 ### Data Locations

-| Data | Location |
-|------|----------|
-| **Database** | `./onebox.db` (or custom path) |
-| **SSL Certificates** | Managed by CertManager |
-| **Registry Data** | `./.nogit/registry-data` |
+| Data                 | Location                       |
+| -------------------- | ------------------------------ |
+| **Database**         | `./onebox.db` (or custom path) |
+| **SSL Certificates** | Managed by CertManager         |
+| **Registry Data**    | `./.nogit/registry-data`       |

 ### Environment Variables

@@ -347,62 +359,69 @@ onebox/
 The HTTP server exposes a comprehensive REST API:

 #### Authentication
-| Method | Endpoint | Description |
-|--------|----------|-------------|
+
+| Method | Endpoint          | Description                         |
+| ------ | ----------------- | ----------------------------------- |
 | `POST` | `/api/auth/login` | User authentication (returns token) |

 #### Services
-| Method | Endpoint | Description |
-|--------|----------|-------------|
-| `GET` | `/api/services` | List all services |
-| `POST` | `/api/services` | Create/deploy service |
-| `GET` | `/api/services/:name` | Get service details |
-| `PUT` | `/api/services/:name` | Update service |
-| `DELETE` | `/api/services/:name` | Delete service |
-| `POST` | `/api/services/:name/start` | Start service |
-| `POST` | `/api/services/:name/stop` | Stop service |
-| `POST` | `/api/services/:name/restart` | Restart service |
-| `GET` | `/api/services/:name/logs` | Get service logs |
-| `WS` | `/api/services/:name/logs/stream` | Stream logs via WebSocket |
+
+| Method   | Endpoint                          | Description               |
+| -------- | --------------------------------- | ------------------------- |
+| `GET`    | `/api/services`                   | List all services         |
+| `POST`   | `/api/services`                   | Create/deploy service     |
+| `GET`    | `/api/services/:name`             | Get service details       |
+| `PUT`    | `/api/services/:name`             | Update service            |
+| `DELETE` | `/api/services/:name`             | Delete service            |
+| `POST`   | `/api/services/:name/start`       | Start service             |
+| `POST`   | `/api/services/:name/stop`        | Stop service              |
+| `POST`   | `/api/services/:name/restart`     | Restart service           |
+| `GET`    | `/api/services/:name/logs`        | Get service logs          |
+| `WS`     | `/api/services/:name/logs/stream` | Stream logs via WebSocket |

 #### SSL Certificates
-| Method | Endpoint | Description |
-|--------|----------|-------------|
-| `GET` | `/api/ssl/list` | List all certificates |
-| `GET` | `/api/ssl/:domain` | Get certificate details |
-| `POST` | `/api/ssl/obtain` | Request new certificate |
+
+| Method | Endpoint                 | Description             |
+| ------ | ------------------------ | ----------------------- |
+| `GET`  | `/api/ssl/list`          | List all certificates   |
+| `GET`  | `/api/ssl/:domain`       | Get certificate details |
+| `POST` | `/api/ssl/obtain`        | Request new certificate |
 | `POST` | `/api/ssl/:domain/renew` | Force renew certificate |

 #### Domains
-| Method | Endpoint | Description |
-|--------|----------|-------------|
-| `GET` | `/api/domains` | List all domains |
-| `GET` | `/api/domains/:domain` | Get domain details |
-| `POST` | `/api/domains/sync` | Sync domains from Cloudflare |
+
+| Method | Endpoint               | Description                  |
+| ------ | ---------------------- | ---------------------------- |
+| `GET`  | `/api/domains`         | List all domains             |
+| `GET`  | `/api/domains/:domain` | Get domain details           |
+| `POST` | `/api/domains/sync`    | Sync domains from Cloudflare |

 #### DNS Records
-| Method | Endpoint | Description |
-|--------|----------|-------------|
-| `GET` | `/api/dns` | List DNS records |
-| `POST` | `/api/dns` | Create DNS record |
-| `DELETE` | `/api/dns/:domain` | Delete DNS record |
-| `POST` | `/api/dns/sync` | Sync DNS from Cloudflare |
+
+| Method   | Endpoint           | Description              |
+| -------- | ------------------ | ------------------------ |
+| `GET`    | `/api/dns`         | List DNS records         |
+| `POST`   | `/api/dns`         | Create DNS record        |
+| `DELETE` | `/api/dns/:domain` | Delete DNS record        |
+| `POST`   | `/api/dns/sync`    | Sync DNS from Cloudflare |

 #### Registry
-| Method | Endpoint | Description |
-|--------|----------|-------------|
-| `GET` | `/api/registry/tags/:service` | Get registry tags for service |
-| `GET` | `/api/registry/tokens` | List registry tokens |
-| `POST` | `/api/registry/tokens` | Create registry token |
-| `DELETE` | `/api/registry/tokens/:id` | Delete registry token |
+
+| Method   | Endpoint                      | Description                   |
+| -------- | ----------------------------- | ----------------------------- |
+| `GET`    | `/api/registry/tags/:service` | Get registry tags for service |
+| `GET`    | `/api/registry/tokens`        | List registry tokens          |
+| `POST`   | `/api/registry/tokens`        | Create registry token         |
+| `DELETE` | `/api/registry/tokens/:id`    | Delete registry token         |

 #### System
-| Method | Endpoint | Description |
-|--------|----------|-------------|
-| `GET` | `/api/status` | System status |
-| `GET` | `/api/settings` | Get settings |
-| `PUT` | `/api/settings` | Update settings |
-| `WS` | `/api/ws` | WebSocket for real-time updates |
+
+| Method | Endpoint        | Description                     |
+| ------ | --------------- | ------------------------------- |
+| `GET`  | `/api/status`   | System status                   |
+| `GET`  | `/api/settings` | Get settings                    |
+| `PUT`  | `/api/settings` | Update settings                 |
+| `WS`   | `/api/ws`       | WebSocket for real-time updates |

 ### WebSocket Messages

@@ -1,56 +0,0 @@
-#!/bin/bash
-#
-# Compile Onebox for all platforms
-#
-
-set -e
-
-VERSION=$(grep '"version"' deno.json | cut -d'"' -f4)
-echo "Compiling Onebox v${VERSION} for all platforms..."
-
-# Create dist directory
-mkdir -p dist/binaries
-
-# Compile for each platform
-echo "Compiling for Linux x64..."
-deno compile --allow-all --no-check \
-  --output "dist/binaries/onebox-linux-x64" \
-  --target x86_64-unknown-linux-gnu \
-  mod.ts
-
-echo "Compiling for Linux ARM64..."
-deno compile --allow-all --no-check \
-  --output "dist/binaries/onebox-linux-arm64" \
-  --target aarch64-unknown-linux-gnu \
-  mod.ts
-
-echo "Compiling for macOS x64..."
-deno compile --allow-all --no-check \
-  --output "dist/binaries/onebox-macos-x64" \
-  --target x86_64-apple-darwin \
-  mod.ts
-
-echo "Compiling for macOS ARM64..."
-deno compile --allow-all --no-check \
-  --output "dist/binaries/onebox-macos-arm64" \
-  --target aarch64-apple-darwin \
-  mod.ts
-
-echo "Compiling for Windows x64..."
-deno compile --allow-all --no-check \
-  --output "dist/binaries/onebox-windows-x64.exe" \
-  --target x86_64-pc-windows-msvc \
-  mod.ts
-
-echo ""
-echo "✓ Compilation complete!"
-echo ""
-echo "Binaries:"
-ls -lh dist/binaries/
-echo ""
-echo "Next steps:"
-echo "1. Test binaries on their respective platforms"
-echo "2. Create git tag: git tag v${VERSION}"
-echo "3. Push tag: git push origin v${VERSION}"
-echo "4. Upload binaries to Gitea release"
-echo "5. Publish to npm: pnpm publish"
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@serve.zone/onebox',
-  version: '1.3.0',
+  version: '1.24.2',
  description: 'Self-hosted container platform with automatic SSL and DNS - a mini Heroku for single servers'
 }
@@ -0,0 +1,73 @@
+/**
+ * App Store type definitions
+ */
+
+export interface ICatalog {
+  schemaVersion: number;
+  updatedAt: string;
+  apps: ICatalogApp[];
+}
+
+export interface ICatalogApp {
+  id: string;
+  name: string;
+  description: string;
+  category: string;
+  iconName?: string;
+  iconUrl?: string;
+  latestVersion: string;
+  tags?: string[];
+}
+
+export interface IAppMeta {
+  id: string;
+  name: string;
+  description: string;
+  category: string;
+  iconName?: string;
+  latestVersion: string;
+  versions: string[];
+  maintainer?: string;
+  links?: Record<string, string>;
+}
+
+export interface IAppVersionConfig {
+  image: string;
+  port: number;
+  envVars?: Array<{ key: string; value: string; description: string; required?: boolean }>;
+  volumes?: string[];
+  platformRequirements?: {
+    mongodb?: boolean;
+    s3?: boolean;
+    clickhouse?: boolean;
+    redis?: boolean;
+    mariadb?: boolean;
+  };
+  minOneboxVersion?: string;
+}
+
+export interface IMigrationContext {
+  service: {
+    name: string;
+    image: string;
+    envVars: Record<string, string>;
+    port: number;
+  };
+  fromVersion: string;
+  toVersion: string;
+}
+
+export interface IMigrationResult {
+  success: boolean;
+  envVars?: Record<string, string>;
+  image?: string;
+  warnings: string[];
+}
+
+export interface IUpgradeableService {
+  serviceName: string;
+  appTemplateId: string;
+  currentVersion: string;
+  latestVersion: string;
+  hasMigration: boolean;
+}
@@ -0,0 +1,335 @@
+/**
+ * App Store Manager
+ * Fetches, caches, and serves app templates from the remote appstore-apptemplates repo.
+ * The remote repo is the single source of truth — no fallback catalog.
+ */
+
+import type {
+  ICatalog,
+  ICatalogApp,
+  IAppMeta,
+  IAppVersionConfig,
+  IMigrationContext,
+  IMigrationResult,
+  IUpgradeableService,
+} from './appstore-types.ts';
+import { logger } from '../logging.ts';
+import { getErrorMessage } from '../utils/error.ts';
+import type { Onebox } from './onebox.ts';
+import type { IService } from '../types.ts';
+
+export class AppStoreManager {
+  private oneboxRef: Onebox;
+  private catalogCache: ICatalog | null = null;
+  private lastFetchTime = 0;
+  private readonly repoBaseUrl = 'https://code.foss.global/serve.zone/appstore-apptemplates/raw/branch/main';
+  private readonly cacheTtlMs = 5 * 60 * 1000; // 5 minutes
+
+  constructor(oneboxRef: Onebox) {
+    this.oneboxRef = oneboxRef;
+  }
+
+  async init(): Promise<void> {
+    try {
+      await this.getCatalog();
+      logger.info(`App Store initialized with ${this.catalogCache?.apps.length || 0} templates`);
+    } catch (error) {
+      logger.warn(`App Store initialization failed: ${getErrorMessage(error)}`);
+      logger.warn('App Store will retry on next request');
+    }
+  }
+
+  /**
+   * Get the catalog (cached, refreshes after TTL)
+   */
+  async getCatalog(): Promise<ICatalog> {
+    const now = Date.now();
+    if (this.catalogCache && (now - this.lastFetchTime) < this.cacheTtlMs) {
+      return this.catalogCache;
+    }
+
+    try {
+      const catalog = await this.fetchJson('catalog.json') as ICatalog;
+      if (catalog && catalog.apps && Array.isArray(catalog.apps)) {
+        this.catalogCache = catalog;
+        this.lastFetchTime = now;
+        return catalog;
+      }
+      throw new Error('Invalid catalog format');
+    } catch (error) {
+      logger.warn(`Failed to fetch remote catalog: ${getErrorMessage(error)}`);
+      // Return cached if available, otherwise return empty catalog
+      if (this.catalogCache) {
+        return this.catalogCache;
+      }
+      return { schemaVersion: 1, updatedAt: '', apps: [] };
+    }
+  }
+
+  /**
+   * Get the catalog apps list (convenience method for the API)
+   */
+  async getApps(): Promise<ICatalogApp[]> {
+    const catalog = await this.getCatalog();
+    return catalog.apps;
+  }
+
+  /**
+   * Fetch app metadata (versions list, etc.)
+   */
+  async getAppMeta(appId: string): Promise<IAppMeta> {
+    try {
+      return await this.fetchJson(`apps/${appId}/app.json`) as IAppMeta;
+    } catch (error) {
+      throw new Error(`Failed to fetch metadata for app '${appId}': ${getErrorMessage(error)}`);
+    }
+  }
+
+  /**
+   * Fetch full config for an app version
+   */
+  async getAppVersionConfig(appId: string, version: string): Promise<IAppVersionConfig> {
+    try {
+      return await this.fetchJson(`apps/${appId}/versions/${version}/config.json`) as IAppVersionConfig;
+    } catch (error) {
+      throw new Error(`Failed to fetch config for ${appId}@${version}: ${getErrorMessage(error)}`);
+    }
+  }
+
+  /**
+   * Compare deployed services against catalog to find those with available upgrades
+   */
+  async getUpgradeableServices(): Promise<IUpgradeableService[]> {
+    const catalog = await this.getCatalog();
+    const services = this.oneboxRef.database.getAllServices();
+    const upgradeable: IUpgradeableService[] = [];
+
+    for (const service of services) {
+      if (!service.appTemplateId || !service.appTemplateVersion) continue;
+
+      const catalogApp = catalog.apps.find(a => a.id === service.appTemplateId);
+      if (!catalogApp) continue;
+
+      if (catalogApp.latestVersion !== service.appTemplateVersion) {
+        // Check if a migration script exists
+        const hasMigration = await this.hasMigrationScript(
+          service.appTemplateId,
+          service.appTemplateVersion,
+          catalogApp.latestVersion,
+        );
+
+        upgradeable.push({
+          serviceName: service.name,
+          appTemplateId: service.appTemplateId,
+          currentVersion: service.appTemplateVersion,
+          latestVersion: catalogApp.latestVersion,
+          hasMigration,
+        });
+      }
+    }
+
+    return upgradeable;
+  }
+
+  /**
+   * Check if a migration script exists for a specific version transition
+   */
+  async hasMigrationScript(appId: string, fromVersion: string, toVersion: string): Promise<boolean> {
+    try {
+      const scriptPath = `apps/${appId}/versions/${toVersion}/migrate-from-${fromVersion}.ts`;
+      await this.fetchText(scriptPath);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Execute a migration in a sandboxed Deno child process
+   */
+  async executeMigration(service: IService, fromVersion: string, toVersion: string): Promise<IMigrationResult> {
+    const appId = service.appTemplateId;
+    if (!appId) {
+      throw new Error('Service has no appTemplateId');
+    }
+
+    // Fetch the migration script
+    const scriptPath = `apps/${appId}/versions/${toVersion}/migrate-from-${fromVersion}.ts`;
+    let scriptContent: string;
+    try {
+      scriptContent = await this.fetchText(scriptPath);
+    } catch {
+      // No migration script — do a simple config-based upgrade
+      logger.info(`No migration script for ${appId} ${fromVersion} -> ${toVersion}, using config-only upgrade`);
+      const config = await this.getAppVersionConfig(appId, toVersion);
+      return {
+        success: true,
+        image: config.image,
+        envVars: undefined, // Keep existing env vars
+        warnings: [],
+      };
+    }
+
+    // Write to temp file
+    const tempFile = `/tmp/onebox-migration-${crypto.randomUUID()}.ts`;
+    await Deno.writeTextFile(tempFile, scriptContent);
+
+    try {
+      // Prepare context
+      const context: IMigrationContext = {
+        service: {
+          name: service.name,
+          image: service.image,
+          envVars: service.envVars,
+          port: service.port,
+        },
+        fromVersion,
+        toVersion,
+      };
+
+      // Execute in sandboxed Deno child process
+      const cmd = new Deno.Command('deno', {
+        args: ['run', '--allow-env', '--allow-net=none', '--allow-read=none', '--allow-write=none', tempFile],
+        stdin: 'piped',
+        stdout: 'piped',
+        stderr: 'piped',
+      });
+
+      const child = cmd.spawn();
+
+      // Write context to stdin
+      const writer = child.stdin.getWriter();
+      await writer.write(new TextEncoder().encode(JSON.stringify(context)));
+      await writer.close();
+
+      // Read result
+      const output = await child.output();
+      const exitCode = output.code;
+      const stdout = new TextDecoder().decode(output.stdout);
+      const stderr = new TextDecoder().decode(output.stderr);
+
+      if (exitCode !== 0) {
+        logger.error(`Migration script failed (exit ${exitCode}): ${stderr.substring(0, 500)}`);
+        return {
+          success: false,
+          warnings: [`Migration script failed: ${stderr.substring(0, 200)}`],
+        };
+      }
+
+      // Parse result from stdout
+      try {
+        const result = JSON.parse(stdout) as IMigrationResult;
+        result.success = true;
+        return result;
+      } catch {
+        logger.error(`Failed to parse migration output: ${stdout.substring(0, 200)}`);
+        return {
+          success: false,
+          warnings: ['Migration script produced invalid output'],
+        };
+      }
+    } finally {
+      // Cleanup temp file
+      try {
+        await Deno.remove(tempFile);
+      } catch {
+        // Ignore cleanup errors
+      }
+    }
+  }
+
+  /**
+   * Apply an upgrade: update image, env vars, recreate container
+   */
+  async applyUpgrade(
+    serviceName: string,
+    migrationResult: IMigrationResult,
+    newVersion: string,
+  ): Promise<IService> {
+    const service = this.oneboxRef.database.getServiceByName(serviceName);
+    if (!service) {
+      throw new Error(`Service not found: ${serviceName}`);
+    }
+
+    // Stop the existing container
+    if (service.containerID && service.status === 'running') {
+      await this.oneboxRef.services.stopService(serviceName);
+    }
+
+    // Update service record
+    const updates: Partial<IService> = {
+      appTemplateVersion: newVersion,
+    };
+
+    if (migrationResult.image) {
+      updates.image = migrationResult.image;
+    }
+
+    if (migrationResult.envVars) {
+      // Merge: migration result provides base, user overrides preserved
+      const mergedEnvVars = { ...migrationResult.envVars };
+      // Keep any user-set env vars that aren't in the migration result
+      for (const [key, value] of Object.entries(service.envVars)) {
+        if (!(key in mergedEnvVars)) {
+          mergedEnvVars[key] = value;
+        }
+      }
+      updates.envVars = mergedEnvVars;
+    }
+
+    this.oneboxRef.database.updateService(service.id!, updates);
+
+    // Pull new image if changed
+    const newImage = migrationResult.image || service.image;
+    if (migrationResult.image && migrationResult.image !== service.image) {
+      await this.oneboxRef.docker.pullImage(newImage);
+    }
+
+    // Recreate and start container
+    const updatedService = this.oneboxRef.database.getServiceByName(serviceName)!;
+
+    // Remove old container
+    if (service.containerID) {
+      try {
+        await this.oneboxRef.docker.removeContainer(service.containerID, true);
+      } catch {
+        // Container might already be gone
+      }
+    }
+
+    // Create new container
+    const containerID = await this.oneboxRef.docker.createContainer(updatedService);
+    this.oneboxRef.database.updateService(service.id!, { containerID, status: 'starting' });
+
+    // Start container
+    await this.oneboxRef.docker.startContainer(containerID);
+    this.oneboxRef.database.updateService(service.id!, { status: 'running' });
+
+    logger.success(`Service '${serviceName}' upgraded to template version ${newVersion}`);
+    return this.oneboxRef.database.getServiceByName(serviceName)!;
+  }
+
+  /**
+   * Fetch JSON from the remote repo
+   */
+  private async fetchJson(path: string): Promise<unknown> {
+    const url = `${this.repoBaseUrl}/${path}`;
+    const response = await fetch(url);
+    if (!response.ok) {
+      throw new Error(`HTTP ${response.status} for ${url}`);
+    }
+    return response.json();
+  }
+
+  /**
+   * Fetch text from the remote repo
+   */
+  private async fetchText(path: string): Promise<string> {
+    const url = `${this.repoBaseUrl}/${path}`;
+    const response = await fetch(url);
+    if (!response.ok) {
+      throw new Error(`HTTP ${response.status} for ${url}`);
+    }
+    return response.text();
+  }
+}
@@ -0,0 +1,705 @@
+/**
+ * Backup Scheduler for Onebox
+ *
+ * Uses @push.rocks/taskbuffer for cron-based scheduled backups
+ * with GFS (Grandfather-Father-Son) time-window based retention scheme.
+ */
+
+import * as plugins from '../plugins.ts';
+import type {
+  IBackupSchedule,
+  IBackupScheduleCreate,
+  IBackupScheduleUpdate,
+  IService,
+  IRetentionPolicy,
+} from '../types.ts';
+import { RETENTION_PRESETS } from '../types.ts';
+import { logger } from '../logging.ts';
+import { getErrorMessage } from '../utils/error.ts';
+import type { Onebox } from './onebox.ts';
+
+export class BackupScheduler {
+  private oneboxRef: Onebox;
+  private taskManager!: plugins.taskbuffer.TaskManager;
+  private scheduledTasks: Map<number, plugins.taskbuffer.Task> = new Map();
+  private initialized = false;
+
+  constructor(oneboxRef: Onebox) {
+    this.oneboxRef = oneboxRef;
+    // TaskManager is created in init() to avoid log spam before ready
+  }
+
+  /**
+   * Initialize the scheduler and load enabled schedules
+   */
+  async init(): Promise<void> {
+    if (this.initialized) {
+      logger.warn('BackupScheduler already initialized');
+      return;
+    }
+
+    try {
+      // Create TaskManager here (not in constructor) to avoid "no cronjobs" log spam
+      this.taskManager = new plugins.taskbuffer.TaskManager();
+
+      // Add heartbeat task immediately to prevent "no cronjobs specified" log spam
+      // This runs hourly and does nothing, but keeps taskbuffer happy
+      const heartbeatTask = new plugins.taskbuffer.Task({
+        name: 'backup-scheduler-heartbeat',
+        taskFunction: async () => {
+          // No-op heartbeat task
+        },
+      });
+      this.taskManager.addAndScheduleTask(heartbeatTask, '0 * * * *'); // Hourly
+
+      // Load all enabled schedules from database
+      const schedules = this.oneboxRef.database.getEnabledBackupSchedules();
+
+      for (const schedule of schedules) {
+        await this.registerTask(schedule);
+      }
+
+      // Add periodic archive prune task (runs daily at 3 AM)
+      const pruneTask = new plugins.taskbuffer.Task({
+        name: 'backup-archive-prune',
+        taskFunction: async () => {
+          await this.pruneArchive();
+        },
+      });
+      this.taskManager.addAndScheduleTask(pruneTask, '0 3 * * *');
+
+      // Start the task manager (activates cron scheduling)
+      await this.taskManager.start();
+
+      this.initialized = true;
+      logger.info(`Backup scheduler started with ${schedules.length} enabled schedule(s)`);
+    } catch (error) {
+      logger.error(`Failed to initialize backup scheduler: ${getErrorMessage(error)}`);
+      throw error;
+    }
+  }
+
+  /**
+   * Stop the scheduler
+   */
+  async stop(): Promise<void> {
+    if (!this.initialized || !this.taskManager) return;
+
+    try {
+      await this.taskManager.stop();
+      this.scheduledTasks.clear();
+      this.initialized = false;
+      logger.info('Backup scheduler stopped');
+    } catch (error) {
+      logger.error(`Failed to stop backup scheduler: ${getErrorMessage(error)}`);
+    }
+  }
+
+  /**
+   * Create a new backup schedule
+   */
+  async createSchedule(request: IBackupScheduleCreate): Promise<IBackupSchedule> {
+    // Validate based on scope type
+    let serviceId: number | undefined;
+    let serviceName: string | undefined;
+
+    switch (request.scopeType) {
+      case 'service':
+        // Validate service exists
+        if (!request.serviceName) {
+          throw new Error('serviceName is required for service-specific schedules');
+        }
+        const service = this.oneboxRef.database.getServiceByName(request.serviceName);
+        if (!service) {
+          throw new Error(`Service not found: ${request.serviceName}`);
+        }
+        serviceId = service.id!;
+        serviceName = service.name;
+        break;
+
+      case 'pattern':
+        // Validate pattern is provided
+        if (!request.scopePattern) {
+          throw new Error('scopePattern is required for pattern-based schedules');
+        }
+        // Validate pattern matches at least one service
+        const matchingServices = this.getServicesMatchingPattern(request.scopePattern);
+        if (matchingServices.length === 0) {
+          logger.warn(`Pattern "${request.scopePattern}" currently matches no services`);
+        }
+        break;
+
+      case 'all':
+        // No validation needed for global schedules
+        break;
+
+      default:
+        throw new Error(`Invalid scope type: ${request.scopeType}`);
+    }
+
+    // Use provided cron expression
+    const cronExpression = request.cronExpression;
+
+    // Calculate next run time
+    const nextRunAt = this.calculateNextRun(cronExpression);
+
+    // Create schedule in database
+    const schedule = this.oneboxRef.database.createBackupSchedule({
+      scopeType: request.scopeType,
+      scopePattern: request.scopePattern,
+      serviceId,
+      serviceName,
+      cronExpression,
+      retention: request.retention,
+      enabled: request.enabled !== false,
+      lastRunAt: null,
+      nextRunAt,
+      lastStatus: null,
+      lastError: null,
+      createdAt: Date.now(),
+      updatedAt: Date.now(),
+    });
+
+    // Register task if enabled
+    if (schedule.enabled) {
+      await this.registerTask(schedule);
+    }
+
+    const scopeDesc = this.getScopeDescription(schedule);
+    const retentionDesc = this.getRetentionDescription(schedule.retention);
+    logger.info(`Backup schedule created: ${schedule.id} for ${scopeDesc} (${retentionDesc})`);
+    return schedule;
+  }
+
+  /**
+   * Update an existing backup schedule
+   */
+  async updateSchedule(scheduleId: number, updates: IBackupScheduleUpdate): Promise<IBackupSchedule> {
+    const schedule = this.oneboxRef.database.getBackupScheduleById(scheduleId);
+    if (!schedule) {
+      throw new Error(`Backup schedule not found: ${scheduleId}`);
+    }
+
+    // Deschedule existing task if present
+    await this.descheduleTask(scheduleId);
+
+    // Update database
+    this.oneboxRef.database.updateBackupSchedule(scheduleId, updates);
+
+    // Get updated schedule
+    const updatedSchedule = this.oneboxRef.database.getBackupScheduleById(scheduleId)!;
+
+    // Calculate new next run time if cron changed
+    if (updates.cronExpression) {
+      const nextRunAt = this.calculateNextRun(updatedSchedule.cronExpression);
+      this.oneboxRef.database.updateBackupSchedule(scheduleId, { nextRunAt });
+    }
+
+    // Re-register task if enabled
+    if (updatedSchedule.enabled) {
+      await this.registerTask(updatedSchedule);
+    }
+
+    logger.info(`Backup schedule updated: ${scheduleId}`);
+    return this.oneboxRef.database.getBackupScheduleById(scheduleId)!;
+  }
+
+  /**
+   * Delete a backup schedule
+   */
+  async deleteSchedule(scheduleId: number): Promise<void> {
+    const schedule = this.oneboxRef.database.getBackupScheduleById(scheduleId);
+    if (!schedule) {
+      throw new Error(`Backup schedule not found: ${scheduleId}`);
+    }
+
+    // Deschedule task
+    await this.descheduleTask(scheduleId);
+
+    // Delete from database
+    this.oneboxRef.database.deleteBackupSchedule(scheduleId);
+
+    logger.info(`Backup schedule deleted: ${scheduleId}`);
+  }
+
+  /**
+   * Trigger immediate backup for a schedule
+   */
+  async triggerBackup(scheduleId: number): Promise<void> {
+    const schedule = this.oneboxRef.database.getBackupScheduleById(scheduleId);
+    if (!schedule) {
+      throw new Error(`Backup schedule not found: ${scheduleId}`);
+    }
+
+    logger.info(`Manually triggering backup for schedule ${scheduleId}`);
+    await this.executeBackup(schedule);
+  }
+
+  /**
+   * Get all schedules
+   */
+  getAllSchedules(): IBackupSchedule[] {
+    return this.oneboxRef.database.getAllBackupSchedules();
+  }
+
+  /**
+   * Get schedule by ID
+   */
+  getScheduleById(id: number): IBackupSchedule | null {
+    return this.oneboxRef.database.getBackupScheduleById(id);
+  }
+
+  /**
+   * Get schedules for a service
+   */
+  getSchedulesForService(serviceName: string): IBackupSchedule[] {
+    const service = this.oneboxRef.database.getServiceByName(serviceName);
+    if (!service) {
+      return [];
+    }
+    return this.oneboxRef.database.getBackupSchedulesByService(service.id!);
+  }
+
+  /**
+   * Get retention presets
+   */
+  getRetentionPresets(): typeof RETENTION_PRESETS {
+    return RETENTION_PRESETS;
+  }
+
+  // ========== Private Methods ==========
+
+  /**
+   * Register a task for a schedule
+   */
+  private async registerTask(schedule: IBackupSchedule): Promise<void> {
+    const taskName = `backup-${schedule.id}`;
+
+    const task = new plugins.taskbuffer.Task({
+      name: taskName,
+      taskFunction: async () => {
+        await this.executeBackup(schedule);
+      },
+    });
+
+    // Add and schedule the task
+    this.taskManager.addAndScheduleTask(task, schedule.cronExpression);
+    this.scheduledTasks.set(schedule.id!, task);
+
+    // Update next run time in database
+    this.updateNextRunTime(schedule.id!);
+
+    logger.debug(`Registered backup task: ${taskName} with cron: ${schedule.cronExpression}`);
+  }
+
+  /**
+   * Deschedule a task
+   */
+  private async descheduleTask(scheduleId: number): Promise<void> {
+    const task = this.scheduledTasks.get(scheduleId);
+    if (task) {
+      await this.taskManager.descheduleTask(task);
+      this.scheduledTasks.delete(scheduleId);
+      logger.debug(`Descheduled backup task for schedule ${scheduleId}`);
+    }
+  }
+
+  /**
+   * Execute a backup for a schedule
+   */
+  private async executeBackup(schedule: IBackupSchedule): Promise<void> {
+    const scopeDesc = this.getScopeDescription(schedule);
+    const servicesToBackup = this.getServicesForSchedule(schedule);
+
+    if (servicesToBackup.length === 0) {
+      logger.warn(`No services to backup for schedule ${schedule.id} (${scopeDesc})`);
+      this.oneboxRef.database.updateBackupSchedule(schedule.id!, {
+        lastRunAt: Date.now(),
+        lastStatus: 'success',
+        lastError: 'No matching services found',
+      });
+      this.updateNextRunTime(schedule.id!);
+      return;
+    }
+
+    const retentionDesc = this.getRetentionDescription(schedule.retention);
+    logger.info(`Executing scheduled backup for ${scopeDesc}: ${servicesToBackup.length} service(s) (${retentionDesc})`);
+
+    let successCount = 0;
+    let failCount = 0;
+    const errors: string[] = [];
+
+    for (const service of servicesToBackup) {
+      try {
+        // Create backup with schedule ID
+        await this.oneboxRef.backupManager.createBackup(service.name, {
+          scheduleId: schedule.id,
+        });
+
+        // Apply time-window based retention policy for this service
+        await this.applyRetention(schedule, service.id!);
+
+        successCount++;
+        logger.success(`Scheduled backup completed for ${service.name}`);
+      } catch (error) {
+        const errorMessage = getErrorMessage(error);
+        logger.error(`Scheduled backup failed for ${service.name}: ${errorMessage}`);
+        errors.push(`${service.name}: ${errorMessage}`);
+        failCount++;
+      }
+    }
+
+    // Update schedule status
+    const lastStatus = failCount === 0 ? 'success' : 'failed';
+    const lastError = errors.length > 0 ? errors.join('; ') : null;
+
+    this.oneboxRef.database.updateBackupSchedule(schedule.id!, {
+      lastRunAt: Date.now(),
+      lastStatus,
+      lastError,
+    });
+
+    if (failCount === 0) {
+      logger.success(`Scheduled backup completed for ${scopeDesc}: ${successCount} service(s)`);
+    } else {
+      logger.warn(`Scheduled backup partially failed for ${scopeDesc}: ${successCount} succeeded, ${failCount} failed`);
+    }
+
+    // Update next run time
+    this.updateNextRunTime(schedule.id!);
+  }
+
+  /**
+   * Apply time-window based retention policy
+   * Works correctly regardless of backup frequency (cron schedule)
+   */
+  private async applyRetention(schedule: IBackupSchedule, serviceId: number): Promise<void> {
+    // Get all backups for this schedule and service
+    const allBackups = this.oneboxRef.database.getBackupsByService(serviceId);
+    const backups = allBackups.filter(b => b.scheduleId === schedule.id);
+
+    if (backups.length === 0) {
+      return;
+    }
+
+    const { hourly, daily, weekly, monthly } = schedule.retention;
+    const now = Date.now();
+    const toKeep = new Set<number>();
+
+    // Hourly: Keep up to N most recent backups from last 24 hours
+    if (hourly > 0) {
+      const recentBackups = backups
+        .filter(b => now - b.createdAt < 24 * 60 * 60 * 1000)
+        .sort((a, b) => b.createdAt - a.createdAt)
+        .slice(0, hourly);
+      recentBackups.forEach(b => toKeep.add(b.id!));
+    }
+
+    // Daily: Keep oldest backup per day for last N days
+    if (daily > 0) {
+      for (let i = 0; i < daily; i++) {
+        const dayStart = this.getStartOfDay(now, i);
+        const dayEnd = dayStart + 24 * 60 * 60 * 1000;
+        const dayBackups = backups.filter(b =>
+          b.createdAt >= dayStart && b.createdAt < dayEnd
+        );
+        if (dayBackups.length > 0) {
+          // Keep oldest from this day (most representative)
+          const oldest = dayBackups.sort((a, b) => a.createdAt - b.createdAt)[0];
+          toKeep.add(oldest.id!);
+        }
+      }
+    }
+
+    // Weekly: Keep oldest backup per week for last N weeks
+    if (weekly > 0) {
+      for (let i = 0; i < weekly; i++) {
+        const weekStart = this.getStartOfWeek(now, i);
+        const weekEnd = weekStart + 7 * 24 * 60 * 60 * 1000;
+        const weekBackups = backups.filter(b =>
+          b.createdAt >= weekStart && b.createdAt < weekEnd
+        );
+        if (weekBackups.length > 0) {
+          const oldest = weekBackups.sort((a, b) => a.createdAt - b.createdAt)[0];
+          toKeep.add(oldest.id!);
+        }
+      }
+    }
+
+    // Monthly: Keep oldest backup per month for last N months
+    if (monthly > 0) {
+      for (let i = 0; i < monthly; i++) {
+        const { start, end } = this.getMonthRange(now, i);
+        const monthBackups = backups.filter(b =>
+          b.createdAt >= start && b.createdAt < end
+        );
+        if (monthBackups.length > 0) {
+          const oldest = monthBackups.sort((a, b) => a.createdAt - b.createdAt)[0];
+          toKeep.add(oldest.id!);
+        }
+      }
+    }
+
+    // Delete anything not in toKeep
+    for (const backup of backups) {
+      if (!toKeep.has(backup.id!)) {
+        try {
+          await this.oneboxRef.backupManager.deleteBackup(backup.id!);
+          const backupRef = backup.snapshotId || backup.filename;
+          logger.info(`Deleted backup ${backupRef} (retention policy)`);
+        } catch (error) {
+          const backupRef = backup.snapshotId || backup.filename;
+          logger.warn(`Failed to delete old backup ${backupRef}: ${getErrorMessage(error)}`);
+        }
+      }
+    }
+  }
+
+  /**
+   * Get start of day (midnight) for N days ago
+   */
+  private getStartOfDay(now: number, daysAgo: number): number {
+    const date = new Date(now);
+    date.setDate(date.getDate() - daysAgo);
+    date.setHours(0, 0, 0, 0);
+    return date.getTime();
+  }
+
+  /**
+   * Get start of week (Sunday midnight) for N weeks ago
+   */
+  private getStartOfWeek(now: number, weeksAgo: number): number {
+    const date = new Date(now);
+    date.setDate(date.getDate() - (weeksAgo * 7) - date.getDay());
+    date.setHours(0, 0, 0, 0);
+    return date.getTime();
+  }
+
+  /**
+   * Get month range for N months ago
+   */
+  private getMonthRange(now: number, monthsAgo: number): { start: number; end: number } {
+    const date = new Date(now);
+    date.setMonth(date.getMonth() - monthsAgo);
+    date.setDate(1);
+    date.setHours(0, 0, 0, 0);
+    const start = date.getTime();
+
+    date.setMonth(date.getMonth() + 1);
+    const end = date.getTime();
+
+    return { start, end };
+  }
+
+  /**
+   * Update next run time for a schedule
+   */
+  private updateNextRunTime(scheduleId: number): void {
+    const schedule = this.oneboxRef.database.getBackupScheduleById(scheduleId);
+    if (!schedule) return;
+
+    const nextRunAt = this.calculateNextRun(schedule.cronExpression);
+    this.oneboxRef.database.updateBackupSchedule(scheduleId, { nextRunAt });
+  }
+
+  /**
+   * Calculate next run time from cron expression
+   */
+  private calculateNextRun(cronExpression: string): number {
+    try {
+      // Get next scheduled runs from task manager
+      const scheduledTasks = this.taskManager.getScheduledTasks();
+
+      // Find our task and get its next run
+      for (const taskInfo of scheduledTasks) {
+        if (taskInfo.schedule === cronExpression && taskInfo.nextRun) {
+          return taskInfo.nextRun.getTime();
+        }
+      }
+
+      // Fallback: parse cron and calculate next occurrence
+      // Simple implementation for common patterns
+      const now = new Date();
+      const parts = cronExpression.split(' ');
+
+      if (parts.length === 5) {
+        const [minute, hour, dayOfMonth, month, dayOfWeek] = parts;
+
+        // For daily schedules (e.g., "0 2 * * *")
+        if (dayOfMonth === '*' && month === '*' && dayOfWeek === '*') {
+          const nextRun = new Date(now);
+          nextRun.setHours(parseInt(hour), parseInt(minute), 0, 0);
+          if (nextRun <= now) {
+            nextRun.setDate(nextRun.getDate() + 1);
+          }
+          return nextRun.getTime();
+        }
+
+        // For weekly schedules (e.g., "0 2 * * 0")
+        if (dayOfMonth === '*' && month === '*' && dayOfWeek !== '*') {
+          const targetDay = parseInt(dayOfWeek);
+          const nextRun = new Date(now);
+          nextRun.setHours(parseInt(hour), parseInt(minute), 0, 0);
+          const currentDay = now.getDay();
+          let daysUntilTarget = (targetDay - currentDay + 7) % 7;
+          if (daysUntilTarget === 0 && nextRun <= now) {
+            daysUntilTarget = 7;
+          }
+          nextRun.setDate(nextRun.getDate() + daysUntilTarget);
+          return nextRun.getTime();
+        }
+
+        // For monthly schedules (e.g., "0 2 1 * *")
+        if (dayOfMonth !== '*' && month === '*' && dayOfWeek === '*') {
+          const targetDay = parseInt(dayOfMonth);
+          const nextRun = new Date(now);
+          nextRun.setDate(targetDay);
+          nextRun.setHours(parseInt(hour), parseInt(minute), 0, 0);
+          if (nextRun <= now) {
+            nextRun.setMonth(nextRun.getMonth() + 1);
+          }
+          return nextRun.getTime();
+        }
+
+        // For yearly schedules (e.g., "0 2 1 1 *")
+        if (dayOfMonth !== '*' && month !== '*' && dayOfWeek === '*') {
+          const targetMonth = parseInt(month) - 1; // JavaScript months are 0-indexed
+          const targetDay = parseInt(dayOfMonth);
+          const nextRun = new Date(now);
+          nextRun.setMonth(targetMonth, targetDay);
+          nextRun.setHours(parseInt(hour), parseInt(minute), 0, 0);
+          if (nextRun <= now) {
+            nextRun.setFullYear(nextRun.getFullYear() + 1);
+          }
+          return nextRun.getTime();
+        }
+      }
+
+      // Default: next day at 2 AM
+      const fallback = new Date(now);
+      fallback.setDate(fallback.getDate() + 1);
+      fallback.setHours(2, 0, 0, 0);
+      return fallback.getTime();
+    } catch {
+      // On any error, return tomorrow at 2 AM
+      const fallback = new Date();
+      fallback.setDate(fallback.getDate() + 1);
+      fallback.setHours(2, 0, 0, 0);
+      return fallback.getTime();
+    }
+  }
+
+  /**
+   * Get services that match a schedule based on its scope type
+   */
+  private getServicesForSchedule(schedule: IBackupSchedule): IService[] {
+    const allServices = this.oneboxRef.database.getAllServices();
+
+    switch (schedule.scopeType) {
+      case 'all':
+        return allServices;
+
+      case 'pattern':
+        if (!schedule.scopePattern) return [];
+        return this.getServicesMatchingPattern(schedule.scopePattern);
+
+      case 'service':
+        if (!schedule.serviceId) return [];
+        const service = allServices.find(s => s.id === schedule.serviceId);
+        return service ? [service] : [];
+
+      default:
+        return [];
+    }
+  }
+
+  /**
+   * Get services that match a glob pattern
+   */
+  private getServicesMatchingPattern(pattern: string): IService[] {
+    const allServices = this.oneboxRef.database.getAllServices();
+    return allServices.filter(s => this.matchesGlobPattern(s.name, pattern));
+  }
+
+  /**
+   * Simple glob pattern matching (supports * and ?)
+   */
+  private matchesGlobPattern(text: string, pattern: string): boolean {
+    // Convert glob pattern to regex
+    // Escape special regex characters except * and ?
+    const regexPattern = pattern
+      .replace(/[.+^${}()|[\]\\]/g, '\\$&')  // Escape special chars
+      .replace(/\*/g, '.*')                   // * matches any characters
+      .replace(/\?/g, '.');                   // ? matches single character
+
+    const regex = new RegExp(`^${regexPattern}$`, 'i');
+    return regex.test(text);
+  }
+
+  /**
+   * Get human-readable description of a schedule's scope
+   */
+  private getScopeDescription(schedule: IBackupSchedule): string {
+    switch (schedule.scopeType) {
+      case 'all':
+        return 'all services';
+      case 'pattern':
+        return `pattern "${schedule.scopePattern}"`;
+      case 'service':
+        return `service "${schedule.serviceName}"`;
+      default:
+        return 'unknown scope';
+    }
+  }
+
+  /**
+   * Get human-readable description of retention policy
+   */
+  private getRetentionDescription(retention: IRetentionPolicy): string {
+    return `H:${retention.hourly} D:${retention.daily} W:${retention.weekly} M:${retention.monthly}`;
+  }
+
+  /**
+   * Prune the containerarchive repository to reclaim storage.
+   * Uses the most generous retention policy across all schedules.
+   */
+  private async pruneArchive(): Promise<void> {
+    const archive = this.oneboxRef.backupManager.archive;
+    if (!archive) return;
+
+    try {
+      // Compute the most generous retention across all schedules
+      const schedules = this.oneboxRef.database.getAllBackupSchedules();
+
+      // Default minimums if no schedules exist
+      let maxDays = 7;
+      let maxWeeks = 4;
+      let maxMonths = 12;
+
+      for (const schedule of schedules) {
+        if (schedule.retention.daily > maxDays) maxDays = schedule.retention.daily;
+        if (schedule.retention.weekly > maxWeeks) maxWeeks = schedule.retention.weekly;
+        if (schedule.retention.monthly > maxMonths) maxMonths = schedule.retention.monthly;
+      }
+
+      const result = await archive.prune(
+        {
+          keepDays: maxDays,
+          keepWeeks: maxWeeks,
+          keepMonths: maxMonths,
+        },
+        false, // not dry run
+      );
+
+      if (result.removedSnapshots > 0 || result.freedBytes > 0) {
+        const freedMB = Math.round(result.freedBytes / (1024 * 1024) * 10) / 10;
+        logger.info(
+          `Archive prune: removed ${result.removedSnapshots} snapshot(s), ` +
+          `${result.removedPacks} pack(s), freed ${freedMB} MB`
+        );
+      }
+    } catch (error) {
+      logger.warn(`Archive prune failed: ${getErrorMessage(error)}`);
+    }
+  }
+}
@@ -79,8 +79,84 @@ export class CaddyLogReceiver {
  private recentLogs: ICaddyAccessLog[] = [];
  private maxRecentLogs = 100;

+  // Traffic stats aggregation (hourly rolling window)
+  private trafficStats: {
+    timestamp: number;
+    requestCount: number;
+    errorCount: number; // 4xx + 5xx
+    totalDuration: number; // microseconds
+    totalSize: number; // bytes
+    statusCounts: Record<string, number>; // "2xx", "3xx", "4xx", "5xx"
+  }[] = [];
+  private maxStatsAge = 3600 * 1000; // 1 hour in ms
+  private statsInterval = 60 * 1000; // 1 minute buckets
+
  constructor(port = 9999) {
    this.port = port;
+    // Initialize first stats bucket
+    this.trafficStats.push(this.createStatsBucket());
+  }
+
+  /**
+   * Create a new stats bucket
+   */
+  private createStatsBucket(): typeof this.trafficStats[0] {
+    return {
+      timestamp: Math.floor(Date.now() / this.statsInterval) * this.statsInterval,
+      requestCount: 0,
+      errorCount: 0,
+      totalDuration: 0,
+      totalSize: 0,
+      statusCounts: { '2xx': 0, '3xx': 0, '4xx': 0, '5xx': 0 },
+    };
+  }
+
+  /**
+   * Get current stats bucket, creating new one if needed
+   */
+  private getCurrentStatsBucket(): typeof this.trafficStats[0] {
+    const now = Date.now();
+    const currentBucketTime = Math.floor(now / this.statsInterval) * this.statsInterval;
+
+    // Get or create current bucket
+    let bucket = this.trafficStats[this.trafficStats.length - 1];
+    if (!bucket || bucket.timestamp !== currentBucketTime) {
+      bucket = this.createStatsBucket();
+      this.trafficStats.push(bucket);
+
+      // Clean up old buckets
+      const cutoff = now - this.maxStatsAge;
+      while (this.trafficStats.length > 0 && this.trafficStats[0].timestamp < cutoff) {
+        this.trafficStats.shift();
+      }
+    }
+
+    return bucket;
+  }
+
+  /**
+   * Record a request in traffic stats
+   */
+  private recordTrafficStats(log: ICaddyAccessLog): void {
+    const bucket = this.getCurrentStatsBucket();
+
+    bucket.requestCount++;
+    bucket.totalDuration += log.duration;
+    bucket.totalSize += log.size || 0;
+
+    // Categorize status code
+    const statusCategory = Math.floor(log.status / 100);
+    if (statusCategory === 2) {
+      bucket.statusCounts['2xx']++;
+    } else if (statusCategory === 3) {
+      bucket.statusCounts['3xx']++;
+    } else if (statusCategory === 4) {
+      bucket.statusCounts['4xx']++;
+      bucket.errorCount++;
+    } else if (statusCategory === 5) {
+      bucket.statusCounts['5xx']++;
+      bucket.errorCount++;
+    }
  }

  /**
@@ -181,6 +257,9 @@ export class CaddyLogReceiver {
        return;
      }

+      // Always record traffic stats (before sampling) for accurate aggregation
+      this.recordTrafficStats(log);
+
      // Update adaptive sampling
      this.updateSampling();

@@ -414,4 +493,57 @@ export class CaddyLogReceiver {
      recentLogsCount: this.recentLogs.length,
    };
  }
+
+  /**
+   * Get aggregated traffic stats for the specified time range
+   * @param minutes Number of minutes to aggregate (default: 60)
+   */
+  getTrafficStats(minutes = 60): {
+    requestCount: number;
+    errorCount: number;
+    avgResponseTime: number; // in milliseconds
+    totalBytes: number;
+    statusCounts: Record<string, number>;
+    requestsPerMinute: number;
+    errorRate: number; // percentage
+  } {
+    const now = Date.now();
+    const cutoff = now - (minutes * 60 * 1000);
+
+    // Aggregate all buckets within the time range
+    let requestCount = 0;
+    let errorCount = 0;
+    let totalDuration = 0;
+    let totalBytes = 0;
+    const statusCounts: Record<string, number> = { '2xx': 0, '3xx': 0, '4xx': 0, '5xx': 0 };
+
+    for (const bucket of this.trafficStats) {
+      if (bucket.timestamp >= cutoff) {
+        requestCount += bucket.requestCount;
+        errorCount += bucket.errorCount;
+        totalDuration += bucket.totalDuration;
+        totalBytes += bucket.totalSize;
+        for (const [status, count] of Object.entries(bucket.statusCounts)) {
+          statusCounts[status] = (statusCounts[status] || 0) + count;
+        }
+      }
+    }
+
+    // Calculate averages
+    const avgResponseTime = requestCount > 0
+      ? (totalDuration / requestCount) / 1000 // Convert from microseconds to milliseconds
+      : 0;
+    const requestsPerMinute = requestCount / Math.max(minutes, 1);
+    const errorRate = requestCount > 0 ? (errorCount / requestCount) * 100 : 0;
+
+    return {
+      requestCount,
+      errorCount,
+      avgResponseTime: Math.round(avgResponseTime * 100) / 100, // Round to 2 decimal places
+      totalBytes,
+      statusCounts,
+      requestsPerMinute: Math.round(requestsPerMinute * 100) / 100,
+      errorRate: Math.round(errorRate * 100) / 100,
+    };
+  }
 }
@@ -4,9 +4,7 @@
 * Handles background monitoring, metrics collection, and automatic tasks
 */

-import * as plugins from '../plugins.ts';
 import { logger } from '../logging.ts';
-import { projectInfo } from '../info.ts';
 import { getErrorMessage } from '../utils/error.ts';
 import type { Onebox } from './onebox.ts';

@@ -18,7 +16,6 @@ const FALLBACK_PID_FILE = `${FALLBACK_PID_DIR}/onebox.pid`;

 export class OneboxDaemon {
  private oneboxRef: Onebox;
-  private smartdaemon: plugins.smartdaemon.SmartDaemon | null = null;
  private running = false;
  private monitoringInterval: number | null = null;
  private statsInterval: number | null = null;
@@ -46,68 +43,6 @@ export class OneboxDaemon {
    }
  }

-  /**
-   * Install systemd service
-   */
-  async installService(): Promise<void> {
-    try {
-      logger.info('Installing Onebox daemon service...');
-
-      // Initialize smartdaemon if needed
-      if (!this.smartdaemon) {
-        this.smartdaemon = new plugins.smartdaemon.SmartDaemon();
-      }
-
-      // Get installation directory
-      const execPath = Deno.execPath();
-
-      const service = await this.smartdaemon.addService({
-        name: 'onebox',
-        version: projectInfo.version,
-        command: `${execPath} run --allow-all ${Deno.cwd()}/mod.ts daemon start`,
-        description: 'Onebox - Self-hosted container platform',
-        workingDir: Deno.cwd(),
-      });
-
-      await service.save();
-      await service.enable();
-
-      logger.success('Onebox daemon service installed');
-      logger.info('Start with: sudo systemctl start smartdaemon_onebox');
-    } catch (error) {
-      logger.error(`Failed to install daemon service: ${getErrorMessage(error)}`);
-      throw error;
-    }
-  }
-
-  /**
-   * Uninstall systemd service
-   */
-  async uninstallService(): Promise<void> {
-    try {
-      logger.info('Uninstalling Onebox daemon service...');
-
-      // Initialize smartdaemon if needed
-      if (!this.smartdaemon) {
-        this.smartdaemon = new plugins.smartdaemon.SmartDaemon();
-      }
-
-      const services = await this.smartdaemon.systemdManager.getServices();
-      const service = services.find(s => s.name === 'onebox');
-
-      if (service) {
-        await service.stop();
-        await service.disable();
-        await service.delete();
-      }
-
-      logger.success('Onebox daemon service uninstalled');
-    } catch (error) {
-      logger.error(`Failed to uninstall daemon service: ${getErrorMessage(error)}`);
-      throw error;
-    }
-  }
-
  /**
   * Start daemon mode (background monitoring)
   */
@@ -131,9 +66,9 @@ export class OneboxDaemon {
      // Start monitoring loop
      this.startMonitoring();

-      // Start HTTP server
+      // Start OpsServer (serves new UI + TypedRequest API)
      const httpPort = parseInt(this.oneboxRef.database.getSetting('httpPort') || '3000', 10);
-      await this.oneboxRef.httpServer.start(httpPort);
+      await this.oneboxRef.opsServer.start(httpPort);

      logger.success('Onebox daemon started');
      logger.info(`Web UI available at http://localhost:${httpPort}`);
@@ -163,8 +98,8 @@ export class OneboxDaemon {
      // Stop monitoring
      this.stopMonitoring();

-      // Stop HTTP server
-      await this.oneboxRef.httpServer.stop();
+      // Stop OpsServer
+      await this.oneboxRef.opsServer.stop();

      // Remove PID file
      await this.removePidFile();
@@ -280,31 +215,12 @@ export class OneboxDaemon {
  }

  /**
-   * Broadcast stats to WebSocket clients (real-time updates)
+   * Broadcast stats (placeholder for future WebSocket integration via OpsServer)
   */
  private async broadcastStats(): Promise<void> {
-    try {
-      const services = this.oneboxRef.services.listServices();
-      const runningServices = services.filter(s => s.status === 'running' && s.containerID);
-
-      logger.info(`Broadcasting stats for ${runningServices.length} running services`);
-
-      for (const service of runningServices) {
-        try {
-          const stats = await this.oneboxRef.docker.getContainerStats(service.containerID!);
-          if (stats) {
-            logger.info(`Broadcasting stats for ${service.name}: CPU=${stats.cpuPercent.toFixed(1)}%, Mem=${Math.round(stats.memoryUsed / 1024 / 1024)}MB`);
-            this.oneboxRef.httpServer.broadcastStatsUpdate(service.name, stats);
-          } else {
-            logger.warn(`No stats returned for ${service.name} (containerID: ${service.containerID})`);
-          }
-        } catch (error) {
-          logger.warn(`Stats collection failed for ${service.name}: ${getErrorMessage(error)}`);
-        }
-      }
-    } catch (error) {
-      logger.error(`Broadcast stats error: ${getErrorMessage(error)}`);
-    }
+    // Stats broadcasting via WebSocket is not yet implemented in OpsServer.
+    // Metrics are still collected and stored in the DB by collectMetrics().
+    // The new UI fetches stats via TypedRequests on demand.
  }

  /**
@@ -501,36 +417,7 @@ export class OneboxDaemon {
  static async ensureNoDaemon(): Promise<void> {
    const running = await OneboxDaemon.isDaemonRunning();
    if (running) {
-      throw new Error('Daemon is already running. Please stop it first with: onebox daemon stop');
-    }
-  }
-
-  /**
-   * Get service status from systemd
-   */
-  async getServiceStatus(): Promise<string> {
-    try {
-      // Don't need smartdaemon to check status, just use systemctl directly
-      const command = new Deno.Command('systemctl', {
-        args: ['status', 'smartdaemon_onebox'],
-        stdout: 'piped',
-        stderr: 'piped',
-      });
-
-      const { code, stdout } = await command.output();
-      const output = new TextDecoder().decode(stdout);
-
-      if (code === 0 || output.includes('active (running)')) {
-        return 'running';
-      } else if (output.includes('inactive') || output.includes('dead')) {
-        return 'stopped';
-      } else if (output.includes('failed')) {
-        return 'failed';
-      } else {
-        return 'unknown';
-      }
-    } catch (error) {
-      return 'not-installed';
+      throw new Error('Daemon is already running. Please stop it first with: onebox systemd stop');
    }
  }
 }
@@ -596,18 +596,26 @@ export class OneboxDockerManager {
  async getContainerStats(containerID: string): Promise<IContainerStats | null> {
    try {
      // Try to get container directly first
-      let container = await this.dockerClient!.getContainerById(containerID);
+      let container: any = null;
+      try {
+        container = await this.dockerClient!.getContainerById(containerID);
+      } catch {
+        // Container not found by ID — might be a Swarm service ID
+      }

      // If not found, it might be a service ID - try to get the actual container ID
      if (!container) {
        const serviceContainerId = await this.getContainerIdForService(containerID);
        if (serviceContainerId) {
-          container = await this.dockerClient!.getContainerById(serviceContainerId);
+          try {
+            container = await this.dockerClient!.getContainerById(serviceContainerId);
+          } catch {
+            // Service container also not found
+          }
        }
      }

      if (!container) {
-        // Container/service not found
        return null;
      }

@@ -849,7 +857,23 @@ export class OneboxDockerManager {
    cmd: string[]
  ): Promise<{ stdout: string; stderr: string; exitCode: number }> {
    try {
-      const container = await this.dockerClient!.getContainerById(containerID);
+      let container: any = null;
+      try {
+        container = await this.dockerClient!.getContainerById(containerID);
+      } catch {
+        // Not a direct container ID — try Swarm service lookup
+      }
+
+      if (!container) {
+        const serviceContainerId = await this.getContainerIdForService(containerID);
+        if (serviceContainerId) {
+          try {
+            container = await this.dockerClient!.getContainerById(serviceContainerId);
+          } catch {
+            // Service container also not found
+          }
+        }
+      }

      if (!container) {
        throw new Error(`Container not found: ${containerID}`);
@@ -881,12 +905,12 @@ export class OneboxDockerManager {
      ]);

      const execInfo = await inspect();
-      const exitCode = execInfo.ExitCode || 0;
+      const exitCode = execInfo.ExitCode ?? -1;

      return { stdout, stderr, exitCode };
    } catch (error) {
      logger.error(`Failed to exec in container ${containerID}: ${getErrorMessage(error)}`);
-      throw error;
+      return { stdout: '', stderr: getErrorMessage(error), exitCode: -1 };
    }
  }

@@ -1011,7 +1035,23 @@ export class OneboxDockerManager {
    callback: (line: string, isError: boolean) => void
  ): Promise<void> {
    try {
-      const container = await this.dockerClient!.getContainerById(containerID);
+      let container: any = null;
+      try {
+        container = await this.dockerClient!.getContainerById(containerID);
+      } catch {
+        // Not a direct container ID — try Swarm service lookup
+      }
+
+      if (!container) {
+        const serviceContainerId = await this.getContainerIdForService(containerID);
+        if (serviceContainerId) {
+          try {
+            container = await this.dockerClient!.getContainerById(serviceContainerId);
+          } catch {
+            // Service container also not found
+          }
+        }
+      }

      if (!container) {
        throw new Error(`Container not found: ${containerID}`);
@@ -8,7 +8,15 @@ import * as plugins from '../plugins.ts';
 import { logger } from '../logging.ts';
 import { getErrorMessage } from '../utils/error.ts';
 import type { Onebox } from './onebox.ts';
-import type { IApiResponse, ICreateRegistryTokenRequest, IRegistryTokenView, TPlatformServiceType, IContainerStats } from '../types.ts';
+import type {
+  IApiResponse,
+  ICreateRegistryTokenRequest,
+  IRegistryTokenView,
+  TPlatformServiceType,
+  IContainerStats,
+  IBackupScheduleCreate,
+  IBackupScheduleUpdate,
+} from '../types.ts';

 export class OneboxHttpServer {
  private oneboxRef: Onebox;
@@ -297,16 +305,16 @@ export class OneboxHttpServer {
    // Platform Services endpoints
    } else if (path === '/api/platform-services' && method === 'GET') {
      return await this.handleListPlatformServicesRequest();
-    } else if (path.match(/^\/api\/platform-services\/(mongodb|minio|redis|postgresql|rabbitmq|caddy)$/) && method === 'GET') {
+    } else if (path.match(/^\/api\/platform-services\/(mongodb|minio|redis|postgresql|rabbitmq|caddy|clickhouse)$/) && method === 'GET') {
      const type = path.split('/').pop()! as TPlatformServiceType;
      return await this.handleGetPlatformServiceRequest(type);
-    } else if (path.match(/^\/api\/platform-services\/(mongodb|minio|redis|postgresql|rabbitmq|caddy)\/start$/) && method === 'POST') {
+    } else if (path.match(/^\/api\/platform-services\/(mongodb|minio|redis|postgresql|rabbitmq|caddy|clickhouse)\/start$/) && method === 'POST') {
      const type = path.split('/')[3] as TPlatformServiceType;
      return await this.handleStartPlatformServiceRequest(type);
-    } else if (path.match(/^\/api\/platform-services\/(mongodb|minio|redis|postgresql|rabbitmq|caddy)\/stop$/) && method === 'POST') {
+    } else if (path.match(/^\/api\/platform-services\/(mongodb|minio|redis|postgresql|rabbitmq|caddy|clickhouse)\/stop$/) && method === 'POST') {
      const type = path.split('/')[3] as TPlatformServiceType;
      return await this.handleStopPlatformServiceRequest(type);
-    } else if (path.match(/^\/api\/platform-services\/(mongodb|minio|redis|postgresql|rabbitmq|caddy)\/stats$/) && method === 'GET') {
+    } else if (path.match(/^\/api\/platform-services\/(mongodb|minio|redis|postgresql|rabbitmq|caddy|clickhouse)\/stats$/) && method === 'GET') {
      const type = path.split('/')[3] as TPlatformServiceType;
      return await this.handleGetPlatformServiceStatsRequest(type);
    } else if (path.match(/^\/api\/services\/[^/]+\/platform-resources$/) && method === 'GET') {
@@ -317,6 +325,54 @@ export class OneboxHttpServer {
      return await this.handleGetNetworkTargetsRequest();
    } else if (path === '/api/network/stats' && method === 'GET') {
      return await this.handleGetNetworkStatsRequest();
+    } else if (path === '/api/network/traffic-stats' && method === 'GET') {
+      return await this.handleGetTrafficStatsRequest(new URL(req.url));
+    // Backup endpoints
+    } else if (path === '/api/backups' && method === 'GET') {
+      return await this.handleListBackupsRequest();
+    } else if (path.match(/^\/api\/services\/[^/]+\/backups$/) && method === 'GET') {
+      const serviceName = path.split('/')[3];
+      return await this.handleListServiceBackupsRequest(serviceName);
+    } else if (path.match(/^\/api\/services\/[^/]+\/backup$/) && method === 'POST') {
+      const serviceName = path.split('/')[3];
+      return await this.handleCreateBackupRequest(serviceName);
+    } else if (path.match(/^\/api\/backups\/\d+$/) && method === 'GET') {
+      const backupId = Number(path.split('/').pop());
+      return await this.handleGetBackupRequest(backupId);
+    } else if (path.match(/^\/api\/backups\/\d+\/download$/) && method === 'GET') {
+      const backupId = Number(path.split('/')[3]);
+      return await this.handleDownloadBackupRequest(backupId);
+    } else if (path.match(/^\/api\/backups\/\d+$/) && method === 'DELETE') {
+      const backupId = Number(path.split('/').pop());
+      return await this.handleDeleteBackupRequest(backupId);
+    } else if (path === '/api/backups/restore' && method === 'POST') {
+      return await this.handleRestoreBackupRequest(req);
+    } else if (path === '/api/backups/import' && method === 'POST') {
+      return await this.handleImportBackupRequest(req);
+    } else if (path === '/api/settings/backup-password' && method === 'POST') {
+      return await this.handleSetBackupPasswordRequest(req);
+    } else if (path === '/api/settings/backup-password' && method === 'GET') {
+      return await this.handleCheckBackupPasswordRequest();
+    // Backup Schedule endpoints
+    } else if (path === '/api/backup-schedules' && method === 'GET') {
+      return await this.handleListBackupSchedulesRequest();
+    } else if (path === '/api/backup-schedules' && method === 'POST') {
+      return await this.handleCreateBackupScheduleRequest(req);
+    } else if (path.match(/^\/api\/backup-schedules\/\d+$/) && method === 'GET') {
+      const scheduleId = Number(path.split('/').pop());
+      return await this.handleGetBackupScheduleRequest(scheduleId);
+    } else if (path.match(/^\/api\/backup-schedules\/\d+$/) && method === 'PUT') {
+      const scheduleId = Number(path.split('/').pop());
+      return await this.handleUpdateBackupScheduleRequest(scheduleId, req);
+    } else if (path.match(/^\/api\/backup-schedules\/\d+$/) && method === 'DELETE') {
+      const scheduleId = Number(path.split('/').pop());
+      return await this.handleDeleteBackupScheduleRequest(scheduleId);
+    } else if (path.match(/^\/api\/backup-schedules\/\d+\/trigger$/) && method === 'POST') {
+      const scheduleId = Number(path.split('/')[3]);
+      return await this.handleTriggerBackupScheduleRequest(scheduleId);
+    } else if (path.match(/^\/api\/services\/[^/]+\/backup-schedules$/) && method === 'GET') {
+      const serviceName = path.split('/')[3];
+      return await this.handleListServiceBackupSchedulesRequest(serviceName);
    } else {
      return this.jsonResponse({ success: false, error: 'Not found' }, 404);
    }
@@ -1365,6 +1421,37 @@ export class OneboxHttpServer {
    }
  }

+  /**
+   * Get traffic stats from Caddy access logs
+   */
+  private async handleGetTrafficStatsRequest(url: URL): Promise<Response> {
+    try {
+      // Get minutes parameter (default: 60)
+      const minutesParam = url.searchParams.get('minutes');
+      const minutes = minutesParam ? parseInt(minutesParam, 10) : 60;
+
+      if (isNaN(minutes) || minutes < 1 || minutes > 60) {
+        return this.jsonResponse({
+          success: false,
+          error: 'Invalid minutes parameter. Must be between 1 and 60.',
+        }, 400);
+      }
+
+      const trafficStats = this.oneboxRef.caddyLogReceiver.getTrafficStats(minutes);
+
+      return this.jsonResponse({
+        success: true,
+        data: trafficStats,
+      });
+    } catch (error) {
+      logger.error(`Failed to get traffic stats: ${getErrorMessage(error)}`);
+      return this.jsonResponse({
+        success: false,
+        error: getErrorMessage(error) || 'Failed to get traffic stats',
+      }, 500);
+    }
+  }
+
  /**
   * Broadcast message to all connected WebSocket clients
   */
@@ -1984,6 +2071,640 @@ export class OneboxHttpServer {
    }
  }

+  // ============ Backup Endpoints ============
+
+  /**
+   * List all backups
+   */
+  private async handleListBackupsRequest(): Promise<Response> {
+    try {
+      const backups = this.oneboxRef.backupManager.listBackups();
+      return this.jsonResponse({ success: true, data: backups });
+    } catch (error) {
+      logger.error(`Failed to list backups: ${getErrorMessage(error)}`);
+      return this.jsonResponse({
+        success: false,
+        error: getErrorMessage(error) || 'Failed to list backups',
+      }, 500);
+    }
+  }
+
+  /**
+   * List backups for a specific service
+   */
+  private async handleListServiceBackupsRequest(serviceName: string): Promise<Response> {
+    try {
+      const service = this.oneboxRef.services.getService(serviceName);
+      if (!service) {
+        return this.jsonResponse({ success: false, error: 'Service not found' }, 404);
+      }
+
+      const backups = this.oneboxRef.backupManager.listBackups(serviceName);
+      return this.jsonResponse({ success: true, data: backups });
+    } catch (error) {
+      logger.error(`Failed to list backups for service ${serviceName}: ${getErrorMessage(error)}`);
+      return this.jsonResponse({
+        success: false,
+        error: getErrorMessage(error) || 'Failed to list backups',
+      }, 500);
+    }
+  }
+
+  /**
+   * Create a backup for a service
+   */
+  private async handleCreateBackupRequest(serviceName: string): Promise<Response> {
+    try {
+      const service = this.oneboxRef.services.getService(serviceName);
+      if (!service) {
+        return this.jsonResponse({ success: false, error: 'Service not found' }, 404);
+      }
+
+      const result = await this.oneboxRef.backupManager.createBackup(serviceName);
+
+      return this.jsonResponse({
+        success: true,
+        message: `Backup created for service ${serviceName}`,
+        data: result.backup,
+      });
+    } catch (error) {
+      logger.error(`Failed to create backup for service ${serviceName}: ${getErrorMessage(error)}`);
+      return this.jsonResponse({
+        success: false,
+        error: getErrorMessage(error) || 'Failed to create backup',
+      }, 500);
+    }
+  }
+
+  /**
+   * Get a specific backup by ID
+   */
+  private async handleGetBackupRequest(backupId: number): Promise<Response> {
+    try {
+      const backup = this.oneboxRef.database.getBackupById(backupId);
+      if (!backup) {
+        return this.jsonResponse({ success: false, error: 'Backup not found' }, 404);
+      }
+
+      return this.jsonResponse({ success: true, data: backup });
+    } catch (error) {
+      logger.error(`Failed to get backup ${backupId}: ${getErrorMessage(error)}`);
+      return this.jsonResponse({
+        success: false,
+        error: getErrorMessage(error) || 'Failed to get backup',
+      }, 500);
+    }
+  }
+
+  /**
+   * Download a backup file
+   */
+  private async handleDownloadBackupRequest(backupId: number): Promise<Response> {
+    try {
+      const backup = this.oneboxRef.database.getBackupById(backupId);
+      if (!backup) {
+        return this.jsonResponse({ success: false, error: 'Backup not found' }, 404);
+      }
+
+      let downloadPath: string | null = null;
+      let tempExport = false;
+
+      if (backup.snapshotId) {
+        // ContainerArchive backup: export as encrypted tar
+        downloadPath = await this.oneboxRef.backupManager.getBackupExportPath(backupId);
+        tempExport = true;
+      } else {
+        // Legacy file-based backup
+        downloadPath = this.oneboxRef.backupManager.getBackupFilePath(backupId);
+      }
+
+      if (!downloadPath) {
+        return this.jsonResponse({ success: false, error: 'Backup file not available' }, 404);
+      }
+
+      // Check if file exists
+      try {
+        await Deno.stat(downloadPath);
+      } catch {
+        return this.jsonResponse({ success: false, error: 'Backup file not found on disk' }, 404);
+      }
+
+      const file = await Deno.readFile(downloadPath);
+      const filename = backup.filename || `${backup.serviceName}-${backup.createdAt}.tar.enc`;
+
+      // Clean up temp export file
+      if (tempExport) {
+        try { await Deno.remove(downloadPath); } catch { /* ignore */ }
+      }
+
+      return new Response(file, {
+        status: 200,
+        headers: {
+          'Content-Type': 'application/octet-stream',
+          'Content-Disposition': `attachment; filename="${filename}"`,
+          'Content-Length': String(file.length),
+        },
+      });
+    } catch (error) {
+      logger.error(`Failed to download backup ${backupId}: ${getErrorMessage(error)}`);
+      return this.jsonResponse({
+        success: false,
+        error: getErrorMessage(error) || 'Failed to download backup',
+      }, 500);
+    }
+  }
+
+  /**
+   * Delete a backup
+   */
+  private async handleDeleteBackupRequest(backupId: number): Promise<Response> {
+    try {
+      const backup = this.oneboxRef.database.getBackupById(backupId);
+      if (!backup) {
+        return this.jsonResponse({ success: false, error: 'Backup not found' }, 404);
+      }
+
+      await this.oneboxRef.backupManager.deleteBackup(backupId);
+
+      return this.jsonResponse({
+        success: true,
+        message: 'Backup deleted successfully',
+      });
+    } catch (error) {
+      logger.error(`Failed to delete backup ${backupId}: ${getErrorMessage(error)}`);
+      return this.jsonResponse({
+        success: false,
+        error: getErrorMessage(error) || 'Failed to delete backup',
+      }, 500);
+    }
+  }
+
+  /**
+   * Restore a backup
+   */
+  private async handleRestoreBackupRequest(req: Request): Promise<Response> {
+    try {
+      const body = await req.json();
+      const { backupId, mode, newServiceName, overwriteExisting, skipPlatformData } = body;
+
+      if (!backupId) {
+        return this.jsonResponse({
+          success: false,
+          error: 'Backup ID is required',
+        }, 400);
+      }
+
+      if (!mode || !['restore', 'import', 'clone'].includes(mode)) {
+        return this.jsonResponse({
+          success: false,
+          error: 'Valid mode required: restore, import, or clone',
+        }, 400);
+      }
+
+      // Validate mode-specific requirements
+      if ((mode === 'import' || mode === 'clone') && !newServiceName) {
+        return this.jsonResponse({
+          success: false,
+          error: `New service name required for '${mode}' mode`,
+        }, 400);
+      }
+
+      const result = await this.oneboxRef.backupManager.restoreBackup(backupId, {
+        mode,
+        newServiceName,
+        overwriteExisting: overwriteExisting === true,
+        skipPlatformData: skipPlatformData === true,
+      });
+
+      return this.jsonResponse({
+        success: true,
+        message: `Backup restored successfully as service '${result.service.name}'`,
+        data: {
+          service: result.service,
+          platformResourcesRestored: result.platformResourcesRestored,
+          warnings: result.warnings,
+        },
+      });
+    } catch (error) {
+      logger.error(`Failed to restore backup: ${getErrorMessage(error)}`);
+      return this.jsonResponse({
+        success: false,
+        error: getErrorMessage(error) || 'Failed to restore backup',
+      }, 500);
+    }
+  }
+
+  /**
+   * Import a backup from file upload or URL
+   */
+  private async handleImportBackupRequest(req: Request): Promise<Response> {
+    try {
+      const contentType = req.headers.get('content-type') || '';
+      let filePath: string | null = null;
+      let newServiceName: string | undefined;
+      let tempFile = false;
+
+      if (contentType.includes('multipart/form-data')) {
+        // Handle file upload
+        const formData = await req.formData();
+        const file = formData.get('file');
+        newServiceName = formData.get('newServiceName')?.toString() || undefined;
+
+        if (!file || !(file instanceof File)) {
+          return this.jsonResponse({
+            success: false,
+            error: 'No file provided',
+          }, 400);
+        }
+
+        // Validate file extension
+        if (!file.name.endsWith('.tar.enc')) {
+          return this.jsonResponse({
+            success: false,
+            error: 'Invalid file format. Expected .tar.enc file',
+          }, 400);
+        }
+
+        // Save to temp location
+        const tempDir = './.nogit/temp-imports';
+        await Deno.mkdir(tempDir, { recursive: true });
+        filePath = `${tempDir}/${Date.now()}-${file.name}`;
+        tempFile = true;
+
+        const arrayBuffer = await file.arrayBuffer();
+        await Deno.writeFile(filePath, new Uint8Array(arrayBuffer));
+
+        logger.info(`Saved uploaded backup to ${filePath}`);
+      } else {
+        // Handle JSON body with URL
+        const body = await req.json();
+        const { url, newServiceName: serviceName } = body;
+        newServiceName = serviceName;
+
+        if (!url) {
+          return this.jsonResponse({
+            success: false,
+            error: 'URL is required when not uploading a file',
+          }, 400);
+        }
+
+        // Download from URL
+        const tempDir = './.nogit/temp-imports';
+        await Deno.mkdir(tempDir, { recursive: true });
+
+        const urlFilename = url.split('/').pop() || 'backup.tar.enc';
+        filePath = `${tempDir}/${Date.now()}-${urlFilename}`;
+        tempFile = true;
+
+        logger.info(`Downloading backup from ${url}...`);
+        const response = await fetch(url);
+        if (!response.ok) {
+          return this.jsonResponse({
+            success: false,
+            error: `Failed to download from URL: ${response.statusText}`,
+          }, 400);
+        }
+
+        const arrayBuffer = await response.arrayBuffer();
+        await Deno.writeFile(filePath, new Uint8Array(arrayBuffer));
+
+        logger.info(`Downloaded backup to ${filePath}`);
+      }
+
+      // Import using restoreBackup with mode='import'
+      const result = await this.oneboxRef.backupManager.restoreBackup(filePath, {
+        mode: 'import',
+        newServiceName,
+        overwriteExisting: false,
+        skipPlatformData: false,
+      });
+
+      // Clean up temp file
+      if (tempFile && filePath) {
+        try {
+          await Deno.remove(filePath);
+        } catch {
+          // Ignore cleanup errors
+        }
+      }
+
+      return this.jsonResponse({
+        success: true,
+        message: `Backup imported successfully as service '${result.service.name}'`,
+        data: {
+          service: result.service,
+          platformResourcesRestored: result.platformResourcesRestored,
+          warnings: result.warnings,
+        },
+      });
+    } catch (error) {
+      logger.error(`Failed to import backup: ${getErrorMessage(error)}`);
+      return this.jsonResponse({
+        success: false,
+        error: getErrorMessage(error) || 'Failed to import backup',
+      }, 500);
+    }
+  }
+
+  /**
+   * Set backup encryption password
+   */
+  private async handleSetBackupPasswordRequest(req: Request): Promise<Response> {
+    try {
+      const body = await req.json();
+      const { password } = body;
+
+      if (!password || typeof password !== 'string') {
+        return this.jsonResponse({
+          success: false,
+          error: 'Password is required',
+        }, 400);
+      }
+
+      if (password.length < 8) {
+        return this.jsonResponse({
+          success: false,
+          error: 'Password must be at least 8 characters',
+        }, 400);
+      }
+
+      // Store password in settings
+      this.oneboxRef.database.setSetting('backup_encryption_password', password);
+
+      return this.jsonResponse({
+        success: true,
+        message: 'Backup password set successfully',
+      });
+    } catch (error) {
+      logger.error(`Failed to set backup password: ${getErrorMessage(error)}`);
+      return this.jsonResponse({
+        success: false,
+        error: getErrorMessage(error) || 'Failed to set backup password',
+      }, 500);
+    }
+  }
+
+  /**
+   * Check if backup password is configured
+   */
+  private async handleCheckBackupPasswordRequest(): Promise<Response> {
+    try {
+      const password = this.oneboxRef.database.getSetting('backup_encryption_password');
+      const isConfigured = password !== null && password.length > 0;
+
+      return this.jsonResponse({
+        success: true,
+        data: {
+          isConfigured,
+        },
+      });
+    } catch (error) {
+      logger.error(`Failed to check backup password: ${getErrorMessage(error)}`);
+      return this.jsonResponse({
+        success: false,
+        error: getErrorMessage(error) || 'Failed to check backup password',
+      }, 500);
+    }
+  }
+
+  // ============ Backup Schedule Endpoints ============
+
+  /**
+   * List all backup schedules
+   */
+  private async handleListBackupSchedulesRequest(): Promise<Response> {
+    try {
+      const schedules = this.oneboxRef.backupScheduler.getAllSchedules();
+      return this.jsonResponse({ success: true, data: schedules });
+    } catch (error) {
+      logger.error(`Failed to list backup schedules: ${getErrorMessage(error)}`);
+      return this.jsonResponse({
+        success: false,
+        error: getErrorMessage(error) || 'Failed to list backup schedules',
+      }, 500);
+    }
+  }
+
+  /**
+   * Create a new backup schedule
+   */
+  private async handleCreateBackupScheduleRequest(req: Request): Promise<Response> {
+    try {
+      const body = await req.json() as IBackupScheduleCreate;
+
+      // Validate scope type
+      if (!body.scopeType) {
+        return this.jsonResponse({
+          success: false,
+          error: 'Scope type is required (all, pattern, or service)',
+        }, 400);
+      }
+
+      if (!['all', 'pattern', 'service'].includes(body.scopeType)) {
+        return this.jsonResponse({
+          success: false,
+          error: 'Invalid scope type. Must be: all, pattern, or service',
+        }, 400);
+      }
+
+      // Validate scope-specific requirements
+      if (body.scopeType === 'service' && !body.serviceName) {
+        return this.jsonResponse({
+          success: false,
+          error: 'Service name is required for service-specific schedules',
+        }, 400);
+      }
+
+      if (body.scopeType === 'pattern' && !body.scopePattern) {
+        return this.jsonResponse({
+          success: false,
+          error: 'Scope pattern is required for pattern-based schedules',
+        }, 400);
+      }
+
+      if (!body.cronExpression) {
+        return this.jsonResponse({
+          success: false,
+          error: 'Cron expression is required',
+        }, 400);
+      }
+
+      if (!body.retention) {
+        return this.jsonResponse({
+          success: false,
+          error: 'Retention policy is required',
+        }, 400);
+      }
+
+      // Validate retention policy
+      const { hourly, daily, weekly, monthly } = body.retention;
+      if (typeof hourly !== 'number' || typeof daily !== 'number' ||
+          typeof weekly !== 'number' || typeof monthly !== 'number') {
+        return this.jsonResponse({
+          success: false,
+          error: 'Retention policy must have hourly, daily, weekly, and monthly as numbers',
+        }, 400);
+      }
+
+      if (hourly < 0 || daily < 0 || weekly < 0 || monthly < 0) {
+        return this.jsonResponse({
+          success: false,
+          error: 'Retention values must be non-negative',
+        }, 400);
+      }
+
+      const schedule = await this.oneboxRef.backupScheduler.createSchedule(body);
+
+      // Build descriptive message based on scope type
+      let scopeDesc: string;
+      switch (body.scopeType) {
+        case 'all':
+          scopeDesc = 'all services';
+          break;
+        case 'pattern':
+          scopeDesc = `pattern '${body.scopePattern}'`;
+          break;
+        case 'service':
+          scopeDesc = `service '${body.serviceName}'`;
+          break;
+      }
+
+      return this.jsonResponse({
+        success: true,
+        message: `Backup schedule created for ${scopeDesc}`,
+        data: schedule,
+      });
+    } catch (error) {
+      logger.error(`Failed to create backup schedule: ${getErrorMessage(error)}`);
+      return this.jsonResponse({
+        success: false,
+        error: getErrorMessage(error) || 'Failed to create backup schedule',
+      }, 500);
+    }
+  }
+
+  /**
+   * Get a specific backup schedule
+   */
+  private async handleGetBackupScheduleRequest(scheduleId: number): Promise<Response> {
+    try {
+      const schedule = this.oneboxRef.backupScheduler.getScheduleById(scheduleId);
+      if (!schedule) {
+        return this.jsonResponse({ success: false, error: 'Backup schedule not found' }, 404);
+      }
+
+      return this.jsonResponse({ success: true, data: schedule });
+    } catch (error) {
+      logger.error(`Failed to get backup schedule ${scheduleId}: ${getErrorMessage(error)}`);
+      return this.jsonResponse({
+        success: false,
+        error: getErrorMessage(error) || 'Failed to get backup schedule',
+      }, 500);
+    }
+  }
+
+  /**
+   * Update a backup schedule
+   */
+  private async handleUpdateBackupScheduleRequest(scheduleId: number, req: Request): Promise<Response> {
+    try {
+      const body = await req.json() as IBackupScheduleUpdate;
+
+      // Validate retention policy if provided
+      if (body.retention) {
+        const { hourly, daily, weekly, monthly } = body.retention;
+        if (typeof hourly !== 'number' || typeof daily !== 'number' ||
+            typeof weekly !== 'number' || typeof monthly !== 'number') {
+          return this.jsonResponse({
+            success: false,
+            error: 'Retention policy must have hourly, daily, weekly, and monthly as numbers',
+          }, 400);
+        }
+        if (hourly < 0 || daily < 0 || weekly < 0 || monthly < 0) {
+          return this.jsonResponse({
+            success: false,
+            error: 'Retention values must be non-negative',
+          }, 400);
+        }
+      }
+
+      const schedule = await this.oneboxRef.backupScheduler.updateSchedule(scheduleId, body);
+
+      return this.jsonResponse({
+        success: true,
+        message: 'Backup schedule updated',
+        data: schedule,
+      });
+    } catch (error) {
+      logger.error(`Failed to update backup schedule ${scheduleId}: ${getErrorMessage(error)}`);
+      return this.jsonResponse({
+        success: false,
+        error: getErrorMessage(error) || 'Failed to update backup schedule',
+      }, 500);
+    }
+  }
+
+  /**
+   * Delete a backup schedule
+   */
+  private async handleDeleteBackupScheduleRequest(scheduleId: number): Promise<Response> {
+    try {
+      await this.oneboxRef.backupScheduler.deleteSchedule(scheduleId);
+
+      return this.jsonResponse({
+        success: true,
+        message: 'Backup schedule deleted',
+      });
+    } catch (error) {
+      logger.error(`Failed to delete backup schedule ${scheduleId}: ${getErrorMessage(error)}`);
+      return this.jsonResponse({
+        success: false,
+        error: getErrorMessage(error) || 'Failed to delete backup schedule',
+      }, 500);
+    }
+  }
+
+  /**
+   * Trigger immediate backup for a schedule
+   */
+  private async handleTriggerBackupScheduleRequest(scheduleId: number): Promise<Response> {
+    try {
+      await this.oneboxRef.backupScheduler.triggerBackup(scheduleId);
+
+      return this.jsonResponse({
+        success: true,
+        message: 'Backup triggered successfully',
+      });
+    } catch (error) {
+      logger.error(`Failed to trigger backup for schedule ${scheduleId}: ${getErrorMessage(error)}`);
+      return this.jsonResponse({
+        success: false,
+        error: getErrorMessage(error) || 'Failed to trigger backup',
+      }, 500);
+    }
+  }
+
+  /**
+   * List backup schedules for a specific service
+   */
+  private async handleListServiceBackupSchedulesRequest(serviceName: string): Promise<Response> {
+    try {
+      const service = this.oneboxRef.services.getService(serviceName);
+      if (!service) {
+        return this.jsonResponse({ success: false, error: 'Service not found' }, 404);
+      }
+
+      const schedules = this.oneboxRef.backupScheduler.getSchedulesForService(serviceName);
+      return this.jsonResponse({ success: true, data: schedules });
+    } catch (error) {
+      logger.error(`Failed to list backup schedules for service ${serviceName}: ${getErrorMessage(error)}`);
+      return this.jsonResponse({
+        success: false,
+        error: getErrorMessage(error) || 'Failed to list backup schedules',
+      }, 500);
+    }
+  }
+
  /**
   * Helper to create JSON response
   */
@@ -14,12 +14,17 @@ import { OneboxReverseProxy } from './reverseproxy.ts';
 import { OneboxDnsManager } from './dns.ts';
 import { OneboxSslManager } from './ssl.ts';
 import { OneboxDaemon } from './daemon.ts';
+import { OneboxSystemd } from './systemd.ts';
 import { OneboxHttpServer } from './httpserver.ts';
 import { CloudflareDomainSync } from './cloudflare-sync.ts';
 import { CertRequirementManager } from './cert-requirement-manager.ts';
 import { RegistryManager } from './registry.ts';
 import { PlatformServicesManager } from './platform-services/index.ts';
+import { AppStoreManager } from './appstore.ts';
 import { CaddyLogReceiver } from './caddy-log-receiver.ts';
+import { BackupManager } from './backup-manager.ts';
+import { BackupScheduler } from './backup-scheduler.ts';
+import { OpsServer } from '../opsserver/index.ts';

 export class Onebox {
  public database: OneboxDatabase;
@@ -30,12 +35,17 @@ export class Onebox {
  public dns: OneboxDnsManager;
  public ssl: OneboxSslManager;
  public daemon: OneboxDaemon;
+  public systemd: OneboxSystemd;
  public httpServer: OneboxHttpServer;
  public cloudflareDomainSync: CloudflareDomainSync;
  public certRequirementManager: CertRequirementManager;
  public registry: RegistryManager;
  public platformServices: PlatformServicesManager;
+  public appStore: AppStoreManager;
  public caddyLogReceiver: CaddyLogReceiver;
+  public backupManager: BackupManager;
+  public backupScheduler: BackupScheduler;
+  public opsServer: OpsServer;

  private initialized = false;

@@ -51,6 +61,7 @@ export class Onebox {
    this.dns = new OneboxDnsManager(this);
    this.ssl = new OneboxSslManager(this);
    this.daemon = new OneboxDaemon(this);
+    this.systemd = new OneboxSystemd();
    this.httpServer = new OneboxHttpServer(this);
    this.registry = new RegistryManager({
      dataDir: './.nogit/registry-data',
@@ -65,8 +76,20 @@ export class Onebox {
    // Initialize platform services manager
    this.platformServices = new PlatformServicesManager(this);

+    // Initialize App Store manager
+    this.appStore = new AppStoreManager(this);
+
    // Initialize Caddy log receiver
    this.caddyLogReceiver = new CaddyLogReceiver(9999);
+
+    // Initialize Backup manager
+    this.backupManager = new BackupManager(this);
+
+    // Initialize Backup scheduler
+    this.backupScheduler = new BackupScheduler(this);
+
+    // Initialize OpsServer (TypedRequest-based server)
+    this.opsServer = new OpsServer(this);
  }

  /**
@@ -155,12 +178,36 @@ export class Onebox {
        logger.warn(`Error: ${getErrorMessage(error)}`);
      }

+      // Initialize App Store (non-critical)
+      try {
+        await this.appStore.init();
+      } catch (error) {
+        logger.warn('App Store initialization failed - app templates will be unavailable until reconnected');
+        logger.warn(`Error: ${getErrorMessage(error)}`);
+      }
+
      // Login to all registries
      await this.registries.loginToAllRegistries();

      // Start auto-update monitoring for registry services
      this.services.startAutoUpdateMonitoring();

+      // Initialize BackupManager (containerarchive repository, non-critical)
+      try {
+        await this.backupManager.init();
+      } catch (error) {
+        logger.warn('BackupManager initialization failed - backups will be limited');
+        logger.warn(`Error: ${getErrorMessage(error)}`);
+      }
+
+      // Initialize Backup Scheduler (non-critical)
+      try {
+        await this.backupScheduler.init();
+      } catch (error) {
+        logger.warn('Backup scheduler initialization failed - scheduled backups will be disabled');
+        logger.warn(`Error: ${getErrorMessage(error)}`);
+      }
+
      this.initialized = true;
      logger.success('Onebox initialized successfully');
    } catch (error) {
@@ -219,17 +266,111 @@ export class Onebox {
      const runningServices = services.filter((s) => s.status === 'running').length;
      const totalServices = services.length;

-      // Get platform services status
+      // Get platform services status with resource counts
      const platformServices = this.platformServices.getAllPlatformServices();
-      const platformServicesStatus = platformServices.map((ps) => ({
-        type: ps.type,
-        status: ps.status,
-      }));
+      const providers = this.platformServices.getAllProviders();
+      const platformServicesStatus = providers.map((provider) => {
+        const service = platformServices.find((s) => s.type === provider.type);
+        // For Caddy, check actual runtime status since it starts without a DB record
+        let status = service?.status || 'not-deployed';
+        if (provider.type === 'caddy') {
+          status = proxyStatus.http.running ? 'running' : 'stopped';
+        }
+        // Count resources for this platform service
+        const resourceCount = service?.id
+          ? this.database.getPlatformResourcesByPlatformService(service.id).length
+          : 0;
+        return {
+          type: provider.type,
+          displayName: provider.displayName,
+          status,
+          resourceCount,
+        };
+      });
+
+      // Get certificate health summary
+      const certificates = this.ssl.listCertificates();
+      const now = Date.now();
+      const thirtyDaysMs = 30 * 24 * 60 * 60 * 1000;
+      let validCount = 0;
+      let expiringCount = 0;
+      let expiredCount = 0;
+      const expiringDomains: { domain: string; daysRemaining: number }[] = [];
+
+      for (const cert of certificates) {
+        if (cert.expiryDate <= now) {
+          expiredCount++;
+        } else if (cert.expiryDate <= now + thirtyDaysMs) {
+          expiringCount++;
+          const daysRemaining = Math.floor((cert.expiryDate - now) / (24 * 60 * 60 * 1000));
+          expiringDomains.push({ domain: cert.domain, daysRemaining });
+        } else {
+          validCount++;
+        }
+      }
+
+      // Sort expiring domains by days remaining (ascending)
+      expiringDomains.sort((a, b) => a.daysRemaining - b.daysRemaining);
+
+      // Aggregate resource usage across all running service containers
+      let totalCpu = 0;
+      let totalMemoryUsed = 0;
+      let totalMemoryLimit = 0;
+      let totalNetworkIn = 0;
+      let totalNetworkOut = 0;
+
+      if (dockerRunning) {
+        const allServices = this.services.listServices();
+        const runningUserServices = allServices.filter((s) => s.status === 'running' && s.containerID);
+        logger.debug(`Resource stats: ${runningUserServices.length} running user services`);
+
+        const statsPromises = runningUserServices
+          .map((s) => {
+            logger.debug(`Fetching stats for user service: ${s.name} (${s.containerID})`);
+            return this.docker.getContainerStats(s.containerID!).catch((err) => {
+              logger.debug(`Stats failed for ${s.name}: ${(err as Error).message}`);
+              return null;
+            });
+          });
+
+        // Also get stats for platform service containers
+        const allPlatformServices = this.platformServices.getAllPlatformServices();
+        const runningPlatformServices = allPlatformServices.filter((s) => s.status === 'running' && s.containerId);
+        logger.debug(`Resource stats: ${runningPlatformServices.length} running platform services`);
+
+        const platformStatsPromises = runningPlatformServices
+          .map((s) => {
+            logger.debug(`Fetching stats for platform service: ${s.type} (${s.containerId})`);
+            return this.docker.getContainerStats(s.containerId!).catch((err) => {
+              logger.debug(`Stats failed for ${s.type}: ${(err as Error).message}`);
+              return null;
+            });
+          });
+
+        const allStats = await Promise.all([...statsPromises, ...platformStatsPromises]);
+        let successCount = 0;
+        for (const stats of allStats) {
+          if (stats) {
+            successCount++;
+            totalCpu += stats.cpuPercent;
+            totalMemoryUsed += stats.memoryUsed;
+            totalMemoryLimit = Math.max(totalMemoryLimit, stats.memoryLimit);
+            totalNetworkIn += stats.networkRx;
+            totalNetworkOut += stats.networkTx;
+          }
+        }
+        logger.debug(`Resource stats: ${successCount}/${allStats.length} containers returned stats. CPU: ${totalCpu}, Mem: ${totalMemoryUsed}`);
+      }

      return {
        docker: {
          running: dockerRunning,
          version: dockerRunning ? await this.docker.getDockerVersion() : null,
+          cpuUsage: Math.round(totalCpu * 10) / 10,
+          memoryUsage: totalMemoryUsed,
+          memoryTotal: totalMemoryLimit,
+          networkIn: totalNetworkIn,
+          networkOut: totalNetworkOut,
        },
        reverseProxy: proxyStatus,
        dns: {
@@ -245,6 +386,12 @@ export class Onebox {
          stopped: totalServices - runningServices,
        },
        platformServices: platformServicesStatus,
+        certificateHealth: {
+          valid: validCount,
+          expiringSoon: expiringCount,
+          expired: expiredCount,
+          expiringDomains: expiringDomains.slice(0, 5), // Top 5 expiring
+        },
      };
    } catch (error) {
      logger.error(`Failed to get system status: ${getErrorMessage(error)}`);
@@ -253,31 +400,17 @@ export class Onebox {
  }

  /**
-   * Start daemon mode
-   */
-  async startDaemon(): Promise<void> {
-    await this.daemon.start();
-  }
-
-  /**
-   * Stop daemon mode
-   */
-  async stopDaemon(): Promise<void> {
-    await this.daemon.stop();
-  }
-
-  /**
-   * Start HTTP server
+   * Start OpsServer (TypedRequest-based, serves new UI)
   */
  async startHttpServer(port?: number): Promise<void> {
-    await this.httpServer.start(port);
+    await this.opsServer.start(port || 3000);
  }

  /**
-   * Stop HTTP server
+   * Stop OpsServer
   */
  async stopHttpServer(): Promise<void> {
-    await this.httpServer.stop();
+    await this.opsServer.stop();
  }

  /**
@@ -287,11 +420,17 @@ export class Onebox {
    try {
      logger.info('Shutting down Onebox...');

+      // Stop auto-update monitoring
+      this.services.stopAutoUpdateMonitoring();
+
+      // Stop backup scheduler
+      await this.backupScheduler.stop();
+
      // Stop daemon if running
      await this.daemon.stop();

-      // Stop HTTP server if running
-      await this.httpServer.stop();
+      // Stop OpsServer if running
+      await this.opsServer.stop();

      // Stop reverse proxy if running
      await this.reverseProxy.stop();
@@ -299,6 +438,9 @@ export class Onebox {
      // Stop Caddy log receiver
      await this.caddyLogReceiver.stop();

+      // Close backup archive
+      await this.backupManager.close();
+
      // Close database
      this.database.close();

@@ -8,3 +8,6 @@ export type { IPlatformServiceProvider } from './providers/base.ts';
 export { BasePlatformServiceProvider } from './providers/base.ts';
 export { MongoDBProvider } from './providers/mongodb.ts';
 export { MinioProvider } from './providers/minio.ts';
+export { ClickHouseProvider } from './providers/clickhouse.ts';
+export { MariaDBProvider } from './providers/mariadb.ts';
+export { RedisProvider } from './providers/redis.ts';
@@ -16,6 +16,8 @@ import { MongoDBProvider } from './providers/mongodb.ts';
 import { MinioProvider } from './providers/minio.ts';
 import { CaddyProvider } from './providers/caddy.ts';
 import { ClickHouseProvider } from './providers/clickhouse.ts';
+import { MariaDBProvider } from './providers/mariadb.ts';
+import { RedisProvider } from './providers/redis.ts';
 import { logger } from '../../logging.ts';
 import { getErrorMessage } from '../../utils/error.ts';
 import { credentialEncryption } from '../encryption.ts';
@@ -41,6 +43,8 @@ export class PlatformServicesManager {
    this.registerProvider(new MinioProvider(this.oneboxRef));
    this.registerProvider(new CaddyProvider(this.oneboxRef));
    this.registerProvider(new ClickHouseProvider(this.oneboxRef));
+    this.registerProvider(new MariaDBProvider(this.oneboxRef));
+    this.registerProvider(new RedisProvider(this.oneboxRef));

    logger.info(`Platform services manager initialized with ${this.providers.size} providers`);
  }
@@ -304,6 +308,60 @@ export class PlatformServicesManager {
      logger.success(`ClickHouse provisioned for service '${service.name}'`);
    }

+    // Provision Redis if requested
+    if (requirements.redis) {
+      logger.info(`Provisioning Redis for service '${service.name}'...`);
+
+      // Ensure Redis is running
+      const redisService = await this.ensureRunning('redis');
+      const provider = this.providers.get('redis')!;
+
+      // Provision cache resource
+      const result = await provider.provisionResource(service);
+
+      // Store resource record
+      const encryptedCreds = await credentialEncryption.encrypt(result.credentials);
+      this.oneboxRef.database.createPlatformResource({
+        platformServiceId: redisService.id!,
+        serviceId: service.id!,
+        resourceType: result.type,
+        resourceName: result.name,
+        credentialsEncrypted: encryptedCreds,
+        createdAt: Date.now(),
+      });
+
+      // Merge env vars
+      Object.assign(allEnvVars, result.envVars);
+      logger.success(`Redis provisioned for service '${service.name}'`);
+    }
+
+    // Provision MariaDB if requested
+    if (requirements.mariadb) {
+      logger.info(`Provisioning MariaDB for service '${service.name}'...`);
+
+      // Ensure MariaDB is running
+      const mariadbService = await this.ensureRunning('mariadb');
+      const provider = this.providers.get('mariadb')!;
+
+      // Provision database
+      const result = await provider.provisionResource(service);
+
+      // Store resource record
+      const encryptedCreds = await credentialEncryption.encrypt(result.credentials);
+      this.oneboxRef.database.createPlatformResource({
+        platformServiceId: mariadbService.id!,
+        serviceId: service.id!,
+        resourceType: result.type,
+        resourceName: result.name,
+        credentialsEncrypted: encryptedCreds,
+        createdAt: Date.now(),
+      });
+
+      // Merge env vars
+      Object.assign(allEnvVars, result.envVars);
+      logger.success(`MariaDB provisioned for service '${service.name}'`);
+    }
+
    return allEnvVars;
  }

@@ -166,10 +166,10 @@ export class ClickHouseProvider extends BasePlatformServiceProvider {

      // Use docker exec to run health check inside the container
      // This avoids network issues with overlay networks
-      // Note: ClickHouse image has wget but not curl
+      // Note: ClickHouse image has wget but not curl - use full path for reliability
      const result = await this.oneboxRef.docker.execInContainer(
        platformService.containerId,
-        ['wget', '-q', '-O', '-', 'http://localhost:8123/ping']
+        ['/usr/bin/wget', '-q', '-O', '-', 'http://localhost:8123/ping']
      );

      if (result.exitCode === 0) {
@@ -194,12 +194,6 @@ export class ClickHouseProvider extends BasePlatformServiceProvider {
    const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
    const containerName = this.getContainerName();

-    // Get container host port for connection from host (overlay network IPs not accessible from host)
-    const hostPort = await this.oneboxRef.docker.getContainerHostPort(platformService.containerId, 8123);
-    if (!hostPort) {
-      throw new Error('Could not get ClickHouse container host port');
-    }
-
    // Generate resource names and credentials
    const dbName = this.generateResourceName(userService.name);
    const username = this.generateResourceName(userService.name);
@@ -207,35 +201,16 @@ export class ClickHouseProvider extends BasePlatformServiceProvider {

    logger.info(`Provisioning ClickHouse database '${dbName}' for service '${userService.name}'...`);

-    // Connect to ClickHouse via localhost and the mapped host port
-    const baseUrl = `http://127.0.0.1:${hostPort}`;
+    // Use docker exec to provision inside the container (avoids host port mapping issues)
+    const queries = [
+      `CREATE DATABASE IF NOT EXISTS ${dbName}`,
+      `CREATE USER IF NOT EXISTS ${username} IDENTIFIED BY '${password}'`,
+      `GRANT ALL ON ${dbName}.* TO ${username}`,
+    ];

-    // Create database
-    await this.executeQuery(
-      baseUrl,
-      adminCreds.username,
-      adminCreds.password,
-      `CREATE DATABASE IF NOT EXISTS ${dbName}`
-    );
-    logger.info(`Created ClickHouse database '${dbName}'`);
-
-    // Create user with access to this database
-    await this.executeQuery(
-      baseUrl,
-      adminCreds.username,
-      adminCreds.password,
-      `CREATE USER IF NOT EXISTS ${username} IDENTIFIED BY '${password}'`
-    );
-    logger.info(`Created ClickHouse user '${username}'`);
-
-    // Grant permissions on the database
-    await this.executeQuery(
-      baseUrl,
-      adminCreds.username,
-      adminCreds.password,
-      `GRANT ALL ON ${dbName}.* TO ${username}`
-    );
-    logger.info(`Granted permissions to user '${username}' on database '${dbName}'`);
+    for (const query of queries) {
+      await this.execClickHouseQuery(platformService.containerId, adminCreds, query);
+    }

    logger.success(`ClickHouse database '${dbName}' provisioned with user '${username}'`);

@@ -274,37 +249,11 @@ export class ClickHouseProvider extends BasePlatformServiceProvider {

    const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);

-    // Get container host port for connection from host (overlay network IPs not accessible from host)
-    const hostPort = await this.oneboxRef.docker.getContainerHostPort(platformService.containerId, 8123);
-    if (!hostPort) {
-      throw new Error('Could not get ClickHouse container host port');
-    }
-
    logger.info(`Deprovisioning ClickHouse database '${resource.resourceName}'...`);

-    const baseUrl = `http://127.0.0.1:${hostPort}`;
-
    try {
-      // Drop the user
-      try {
-        await this.executeQuery(
-          baseUrl,
-          adminCreds.username,
-          adminCreds.password,
-          `DROP USER IF EXISTS ${credentials.username}`
-        );
-        logger.info(`Dropped ClickHouse user '${credentials.username}'`);
-      } catch (e) {
-        logger.warn(`Could not drop ClickHouse user: ${getErrorMessage(e)}`);
-      }
-
-      // Drop the database
-      await this.executeQuery(
-        baseUrl,
-        adminCreds.username,
-        adminCreds.password,
-        `DROP DATABASE IF EXISTS ${resource.resourceName}`
-      );
+      await this.execClickHouseQuery(platformService.containerId, adminCreds, `DROP USER IF EXISTS ${credentials.username}`);
+      await this.execClickHouseQuery(platformService.containerId, adminCreds, `DROP DATABASE IF EXISTS ${resource.resourceName}`);
      logger.success(`ClickHouse database '${resource.resourceName}' dropped`);
    } catch (e) {
      logger.error(`Failed to deprovision ClickHouse database: ${getErrorMessage(e)}`);
@@ -313,26 +262,27 @@ export class ClickHouseProvider extends BasePlatformServiceProvider {
  }

  /**
-   * Execute a ClickHouse SQL query via HTTP interface
+   * Execute a ClickHouse SQL query via docker exec inside the container
   */
-  private async executeQuery(
-    baseUrl: string,
-    username: string,
-    password: string,
+  private async execClickHouseQuery(
+    containerId: string,
+    adminCreds: { username: string; password: string },
    query: string
  ): Promise<string> {
-    const url = `${baseUrl}/?user=${encodeURIComponent(username)}&password=${encodeURIComponent(password)}`;
+    const result = await this.oneboxRef.docker.execInContainer(
+      containerId,
+      [
+        'clickhouse-client',
+        '--user', adminCreds.username,
+        '--password', adminCreds.password,
+        '--query', query,
+      ]
+    );

-    const response = await fetch(url, {
-      method: 'POST',
-      body: query,
-    });
-
-    if (!response.ok) {
-      const errorText = await response.text();
-      throw new Error(`ClickHouse query failed: ${errorText}`);
+    if (result.exitCode !== 0) {
+      throw new Error(`ClickHouse query failed (exit ${result.exitCode}): ${result.stderr.substring(0, 200)}`);
    }

-    return await response.text();
+    return result.stdout;
  }
 }
@@ -0,0 +1,279 @@
+/**
+ * MariaDB Platform Service Provider
+ */
+
+import { BasePlatformServiceProvider } from './base.ts';
+import type {
+  IService,
+  IPlatformResource,
+  IPlatformServiceConfig,
+  IProvisionedResource,
+  IEnvVarMapping,
+  TPlatformServiceType,
+  TPlatformResourceType,
+} from '../../../types.ts';
+import { logger } from '../../../logging.ts';
+import { getErrorMessage } from '../../../utils/error.ts';
+import { credentialEncryption } from '../../encryption.ts';
+import type { Onebox } from '../../onebox.ts';
+
+export class MariaDBProvider extends BasePlatformServiceProvider {
+  readonly type: TPlatformServiceType = 'mariadb';
+  readonly displayName = 'MariaDB';
+  readonly resourceTypes: TPlatformResourceType[] = ['database'];
+
+  constructor(oneboxRef: Onebox) {
+    super(oneboxRef);
+  }
+
+  getDefaultConfig(): IPlatformServiceConfig {
+    return {
+      image: 'mariadb:11',
+      port: 3306,
+      volumes: ['/var/lib/onebox/mariadb:/var/lib/mysql'],
+      environment: {
+        MARIADB_ROOT_PASSWORD: '',
+        // Password will be generated and stored encrypted
+      },
+    };
+  }
+
+  getEnvVarMappings(): IEnvVarMapping[] {
+    return [
+      { envVar: 'MARIADB_HOST', credentialPath: 'host' },
+      { envVar: 'MARIADB_PORT', credentialPath: 'port' },
+      { envVar: 'MARIADB_DATABASE', credentialPath: 'database' },
+      { envVar: 'MARIADB_USER', credentialPath: 'username' },
+      { envVar: 'MARIADB_PASSWORD', credentialPath: 'password' },
+      { envVar: 'MARIADB_URI', credentialPath: 'connectionString' },
+    ];
+  }
+
+  async deployContainer(): Promise<string> {
+    const config = this.getDefaultConfig();
+    const containerName = this.getContainerName();
+    const dataDir = '/var/lib/onebox/mariadb';
+
+    logger.info(`Deploying MariaDB platform service as ${containerName}...`);
+
+    // Check if we have existing data and stored credentials
+    const platformService = this.oneboxRef.database.getPlatformServiceByType(this.type);
+    let adminCredentials: { username: string; password: string };
+    let dataExists = false;
+
+    // Check if data directory has existing MariaDB data
+    try {
+      const stat = await Deno.stat(`${dataDir}/ibdata1`);
+      dataExists = stat.isFile;
+      logger.info(`MariaDB data directory exists with ibdata1 file`);
+    } catch {
+      // ibdata1 file doesn't exist, this is a fresh install
+      dataExists = false;
+    }
+
+    if (dataExists && platformService?.adminCredentialsEncrypted) {
+      // Reuse existing credentials from database
+      logger.info('Reusing existing MariaDB credentials (data directory already initialized)');
+      adminCredentials = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
+    } else {
+      // Generate new credentials for fresh deployment
+      logger.info('Generating new MariaDB admin credentials');
+      adminCredentials = {
+        username: 'root',
+        password: credentialEncryption.generatePassword(32),
+      };
+
+      // If data exists but we don't have credentials, we need to wipe the data
+      if (dataExists) {
+        logger.warn('MariaDB data exists but no credentials in database - wiping data directory');
+        try {
+          await Deno.remove(dataDir, { recursive: true });
+        } catch (e) {
+          logger.error(`Failed to wipe MariaDB data directory: ${getErrorMessage(e)}`);
+          throw new Error('Cannot deploy MariaDB: data directory exists without credentials');
+        }
+      }
+    }
+
+    // Ensure data directory exists
+    try {
+      await Deno.mkdir(dataDir, { recursive: true });
+    } catch (e) {
+      // Directory might already exist
+      if (!(e instanceof Deno.errors.AlreadyExists)) {
+        logger.warn(`Could not create MariaDB data directory: ${getErrorMessage(e)}`);
+      }
+    }
+
+    // Create container using Docker API
+    const envVars = [
+      `MARIADB_ROOT_PASSWORD=${adminCredentials.password}`,
+    ];
+
+    // Use Docker to create the container
+    const containerId = await this.oneboxRef.docker.createPlatformContainer({
+      name: containerName,
+      image: config.image,
+      port: config.port,
+      env: envVars,
+      volumes: config.volumes,
+      network: this.getNetworkName(),
+    });
+
+    // Store encrypted admin credentials (only update if new or changed)
+    const encryptedCreds = await credentialEncryption.encrypt(adminCredentials);
+    if (platformService) {
+      this.oneboxRef.database.updatePlatformService(platformService.id!, {
+        containerId,
+        adminCredentialsEncrypted: encryptedCreds,
+        status: 'starting',
+      });
+    }
+
+    logger.success(`MariaDB container created: ${containerId}`);
+    return containerId;
+  }
+
+  async stopContainer(containerId: string): Promise<void> {
+    logger.info(`Stopping MariaDB container ${containerId}...`);
+    await this.oneboxRef.docker.stopContainer(containerId);
+    logger.success('MariaDB container stopped');
+  }
+
+  async healthCheck(): Promise<boolean> {
+    try {
+      logger.info('MariaDB health check: starting...');
+      const platformService = this.oneboxRef.database.getPlatformServiceByType(this.type);
+      if (!platformService) {
+        logger.info('MariaDB health check: platform service not found in database');
+        return false;
+      }
+      if (!platformService.adminCredentialsEncrypted) {
+        logger.info('MariaDB health check: no admin credentials stored');
+        return false;
+      }
+      if (!platformService.containerId) {
+        logger.info('MariaDB health check: no container ID in database record');
+        return false;
+      }
+
+      logger.info(`MariaDB health check: using container ID ${platformService.containerId.substring(0, 12)}...`);
+      const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
+
+      // Use docker exec to run health check inside the container
+      const result = await this.oneboxRef.docker.execInContainer(
+        platformService.containerId,
+        ['mariadb-admin', 'ping', '-u', 'root', `-p${adminCreds.password}`]
+      );
+
+      if (result.exitCode === 0) {
+        logger.info('MariaDB health check: success');
+        return true;
+      } else {
+        logger.info(`MariaDB health check failed: exit code ${result.exitCode}, stderr: ${result.stderr.substring(0, 200)}`);
+        return false;
+      }
+    } catch (error) {
+      logger.info(`MariaDB health check exception: ${getErrorMessage(error)}`);
+      return false;
+    }
+  }
+
+  async provisionResource(userService: IService): Promise<IProvisionedResource> {
+    const platformService = this.oneboxRef.database.getPlatformServiceByType(this.type);
+    if (!platformService || !platformService.adminCredentialsEncrypted || !platformService.containerId) {
+      throw new Error('MariaDB platform service not found or not configured');
+    }
+
+    const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
+    const containerName = this.getContainerName();
+
+    // Generate resource names and credentials
+    const dbName = this.generateResourceName(userService.name);
+    const username = this.generateResourceName(userService.name);
+    const password = credentialEncryption.generatePassword(32);
+
+    logger.info(`Provisioning MariaDB database '${dbName}' for service '${userService.name}'...`);
+
+    // Create database and user via mariadb inside the container
+    const sql = [
+      `CREATE DATABASE IF NOT EXISTS \`${dbName}\`;`,
+      `CREATE USER IF NOT EXISTS '${username}'@'%' IDENTIFIED BY '${password.replace(/'/g, "\\'")}';`,
+      `GRANT ALL PRIVILEGES ON \`${dbName}\`.* TO '${username}'@'%';`,
+      `FLUSH PRIVILEGES;`,
+    ].join(' ');
+
+    const result = await this.oneboxRef.docker.execInContainer(
+      platformService.containerId,
+      [
+        'mariadb',
+        '-u', 'root',
+        `-p${adminCreds.password}`,
+        '-e', sql,
+      ]
+    );
+
+    if (result.exitCode !== 0) {
+      throw new Error(`Failed to provision MariaDB database: exit code ${result.exitCode}, output: ${result.stdout.substring(0, 200)} ${result.stderr.substring(0, 200)}`);
+    }
+
+    logger.success(`MariaDB database '${dbName}' provisioned with user '${username}'`);
+
+    // Build the credentials and env vars
+    const credentials: Record<string, string> = {
+      host: containerName,
+      port: '3306',
+      database: dbName,
+      username,
+      password,
+      connectionString: `mysql://${username}:${password}@${containerName}:3306/${dbName}`,
+    };
+
+    // Map credentials to env vars
+    const envVars: Record<string, string> = {};
+    for (const mapping of this.getEnvVarMappings()) {
+      if (credentials[mapping.credentialPath]) {
+        envVars[mapping.envVar] = credentials[mapping.credentialPath];
+      }
+    }
+
+    return {
+      type: 'database',
+      name: dbName,
+      credentials,
+      envVars,
+    };
+  }
+
+  async deprovisionResource(resource: IPlatformResource, credentials: Record<string, string>): Promise<void> {
+    const platformService = this.oneboxRef.database.getPlatformServiceByType(this.type);
+    if (!platformService || !platformService.adminCredentialsEncrypted || !platformService.containerId) {
+      throw new Error('MariaDB platform service not found or not configured');
+    }
+
+    const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
+
+    logger.info(`Deprovisioning MariaDB database '${resource.resourceName}'...`);
+
+    const sql = [
+      `DROP USER IF EXISTS '${credentials.username}'@'%';`,
+      `DROP DATABASE IF EXISTS \`${resource.resourceName}\`;`,
+    ].join(' ');
+
+    const result = await this.oneboxRef.docker.execInContainer(
+      platformService.containerId,
+      [
+        'mariadb',
+        '-u', 'root',
+        `-p${adminCreds.password}`,
+        '-e', sql,
+      ]
+    );
+
+    if (result.exitCode !== 0) {
+      logger.warn(`MariaDB deprovision returned exit code ${result.exitCode}: ${result.stderr.substring(0, 200)}`);
+    }
+
+    logger.success(`MariaDB database '${resource.resourceName}' dropped`);
+  }
+}
@@ -196,84 +196,28 @@ export class MinioProvider extends BasePlatformServiceProvider {
    const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
    const containerName = this.getContainerName();

-    // Get container host port for connection from host (overlay network IPs not accessible from host)
-    const hostPort = await this.oneboxRef.docker.getContainerHostPort(platformService.containerId, 9000);
-    if (!hostPort) {
-      throw new Error('Could not get MinIO container host port');
-    }
-
-    // Generate bucket name and credentials
+    // Generate bucket name
    const bucketName = this.generateBucketName(userService.name);
-    const accessKey = credentialEncryption.generateAccessKey(20);
-    const secretKey = credentialEncryption.generateSecretKey(40);

    logger.info(`Provisioning MinIO bucket '${bucketName}' for service '${userService.name}'...`);

-    // Connect to MinIO via localhost and the mapped host port (for provisioning from host)
-    const provisioningEndpoint = `http://127.0.0.1:${hostPort}`;
-
-    // Import AWS S3 client
-    const { S3Client, CreateBucketCommand, PutBucketPolicyCommand } = await import('npm:@aws-sdk/client-s3@3');
-
-    // Create S3 client with admin credentials - connect via host port
-    const s3Client = new S3Client({
-      endpoint: provisioningEndpoint,
-      region: 'us-east-1',
-      credentials: {
-        accessKeyId: adminCreds.username,
-        secretAccessKey: adminCreds.password,
-      },
-      forcePathStyle: true,
-    });
+    // Use docker exec with mc (MinIO Client) inside the container
+    // First configure mc alias for local server
+    await this.execMc(platformService.containerId, [
+      'alias', 'set', 'local', 'http://localhost:9000',
+      adminCreds.username, adminCreds.password,
+    ]);

    // Create the bucket
-    try {
-      await s3Client.send(new CreateBucketCommand({
-        Bucket: bucketName,
-      }));
-      logger.info(`Created MinIO bucket '${bucketName}'`);
-    } catch (e: any) {
-      if (e.name !== 'BucketAlreadyOwnedByYou' && e.name !== 'BucketAlreadyExists') {
-        throw e;
-      }
-      logger.warn(`Bucket '${bucketName}' already exists`);
-    }
+    const mbResult = await this.execMc(platformService.containerId, [
+      'mb', '--ignore-existing', `local/${bucketName}`,
+    ]);
+    logger.info(`Created MinIO bucket '${bucketName}'`);

-    // Create service account/access key using MinIO Admin API
-    // MinIO Admin API requires mc client or direct API calls
-    // For simplicity, we'll use root credentials and bucket policy isolation
-    // In production, you'd use MinIO's Admin API to create service accounts
-
-    // Set bucket policy to allow access only with this bucket's credentials
-    const bucketPolicy = {
-      Version: '2012-10-17',
-      Statement: [
-        {
-          Effect: 'Allow',
-          Principal: { AWS: ['*'] },
-          Action: ['s3:GetObject', 's3:PutObject', 's3:DeleteObject', 's3:ListBucket'],
-          Resource: [
-            `arn:aws:s3:::${bucketName}`,
-            `arn:aws:s3:::${bucketName}/*`,
-          ],
-        },
-      ],
-    };
-
-    try {
-      await s3Client.send(new PutBucketPolicyCommand({
-        Bucket: bucketName,
-        Policy: JSON.stringify(bucketPolicy),
-      }));
-      logger.info(`Set bucket policy for '${bucketName}'`);
-    } catch (e) {
-      logger.warn(`Could not set bucket policy: ${getErrorMessage(e)}`);
-    }
-
-    // Note: For proper per-service credentials, MinIO Admin API should be used
-    // For now, we're providing the bucket with root access
-    // TODO: Implement MinIO service account creation
-    logger.warn('Using root credentials for MinIO access. Consider implementing service accounts for production.');
+    // Set bucket policy to allow public read/write (services on the same network use root creds)
+    await this.execMc(platformService.containerId, [
+      'anonymous', 'set', 'none', `local/${bucketName}`,
+    ]);

    // Use container name for the endpoint in credentials (user services run in same network)
    const serviceEndpoint = `http://${containerName}:9000`;
@@ -281,7 +225,7 @@ export class MinioProvider extends BasePlatformServiceProvider {
    const credentials: Record<string, string> = {
      endpoint: serviceEndpoint,
      bucket: bucketName,
-      accessKey: adminCreds.username, // Using root for now
+      accessKey: adminCreds.username,
      secretKey: adminCreds.password,
      region: 'us-east-1',
    };
@@ -312,57 +256,37 @@ export class MinioProvider extends BasePlatformServiceProvider {

    const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);

-    // Get container host port for connection from host (overlay network IPs not accessible from host)
-    const hostPort = await this.oneboxRef.docker.getContainerHostPort(platformService.containerId, 9000);
-    if (!hostPort) {
-      throw new Error('Could not get MinIO container host port');
-    }
-
    logger.info(`Deprovisioning MinIO bucket '${resource.resourceName}'...`);

-    const { S3Client, DeleteBucketCommand, ListObjectsV2Command, DeleteObjectsCommand } = await import('npm:@aws-sdk/client-s3@3');
-
-    const s3Client = new S3Client({
-      endpoint: `http://127.0.0.1:${hostPort}`,
-      region: 'us-east-1',
-      credentials: {
-        accessKeyId: adminCreds.username,
-        secretAccessKey: adminCreds.password,
-      },
-      forcePathStyle: true,
-    });
+    // Configure mc alias
+    await this.execMc(platformService.containerId, [
+      'alias', 'set', 'local', 'http://localhost:9000',
+      adminCreds.username, adminCreds.password,
+    ]);

    try {
-      // First, delete all objects in the bucket
-      let continuationToken: string | undefined;
-      do {
-        const listResponse = await s3Client.send(new ListObjectsV2Command({
-          Bucket: resource.resourceName,
-          ContinuationToken: continuationToken,
-        }));
-
-        if (listResponse.Contents && listResponse.Contents.length > 0) {
-          await s3Client.send(new DeleteObjectsCommand({
-            Bucket: resource.resourceName,
-            Delete: {
-              Objects: listResponse.Contents.map(obj => ({ Key: obj.Key! })),
-            },
-          }));
-          logger.info(`Deleted ${listResponse.Contents.length} objects from bucket`);
-        }
-
-        continuationToken = listResponse.IsTruncated ? listResponse.NextContinuationToken : undefined;
-      } while (continuationToken);
-
-      // Now delete the bucket
-      await s3Client.send(new DeleteBucketCommand({
-        Bucket: resource.resourceName,
-      }));
-
+      // Remove all objects and the bucket
+      await this.execMc(platformService.containerId, [
+        'rb', '--force', `local/${resource.resourceName}`,
+      ]);
      logger.success(`MinIO bucket '${resource.resourceName}' deleted`);
    } catch (e) {
      logger.error(`Failed to delete MinIO bucket: ${getErrorMessage(e)}`);
      throw e;
    }
  }
+
+  /**
+   * Execute mc (MinIO Client) command inside the container
+   */
+  private async execMc(
+    containerId: string,
+    args: string[],
+  ): Promise<{ stdout: string; stderr: string }> {
+    const result = await this.oneboxRef.docker.execInContainer(containerId, ['mc', ...args]);
+    if (result.exitCode !== 0) {
+      throw new Error(`mc command failed (exit ${result.exitCode}): ${result.stderr.substring(0, 200)}`);
+    }
+    return result;
+  }
 }
@@ -28,7 +28,7 @@ export class MongoDBProvider extends BasePlatformServiceProvider {

  getDefaultConfig(): IPlatformServiceConfig {
    return {
-      image: 'mongo:7',
+      image: 'mongo:4.4',
      port: 27017,
      volumes: ['/var/lib/onebox/mongodb:/data/db'],
      environment: {
@@ -165,7 +165,7 @@ export class MongoDBProvider extends BasePlatformServiceProvider {
      // This avoids network issues with overlay networks
      const result = await this.oneboxRef.docker.execInContainer(
        platformService.containerId,
-        ['mongosh', '--eval', 'db.adminCommand("ping")', '--username', adminCreds.username, '--password', adminCreds.password, '--authenticationDatabase', 'admin', '--quiet']
+        ['mongo', '--eval', 'db.adminCommand("ping")', '--username', adminCreds.username, '--password', adminCreds.password, '--authenticationDatabase', 'admin', '--quiet']
      );

      if (result.exitCode === 0) {
@@ -190,12 +190,6 @@ export class MongoDBProvider extends BasePlatformServiceProvider {
    const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
    const containerName = this.getContainerName();

-    // Get container host port for connection from host (overlay network IPs not accessible from host)
-    const hostPort = await this.oneboxRef.docker.getContainerHostPort(platformService.containerId, 27017);
-    if (!hostPort) {
-      throw new Error('Could not get MongoDB container host port');
-    }
-
    // Generate resource names and credentials
    const dbName = this.generateResourceName(userService.name);
    const username = this.generateResourceName(userService.name);
@@ -203,32 +197,40 @@ export class MongoDBProvider extends BasePlatformServiceProvider {

    logger.info(`Provisioning MongoDB database '${dbName}' for service '${userService.name}'...`);

-    // Connect to MongoDB via localhost and the mapped host port
-    const { MongoClient } = await import('npm:mongodb@6');
-    const adminUri = `mongodb://${adminCreds.username}:${adminCreds.password}@127.0.0.1:${hostPort}/?authSource=admin`;
+    // Use docker exec to provision inside the container (avoids host port mapping issues)
+    const escapedPassword = password.replace(/'/g, "'\\''");
+    const escapedAdminPassword = adminCreds.password.replace(/'/g, "'\\''");

-    const client = new MongoClient(adminUri);
-    await client.connect();
-
-    try {
-      // Create the database by switching to it (MongoDB creates on first write)
-      const db = client.db(dbName);
-
-      // Create a collection to ensure the database exists
-      await db.createCollection('_onebox_init');
-
-      // Create user with readWrite access to this database
-      await db.command({
-        createUser: username,
-        pwd: password,
-        roles: [{ role: 'readWrite', db: dbName }],
+    // Create database and user via mongo inside the container
+    const mongoScript = `
+      db = db.getSiblingDB('${dbName}');
+      db.createCollection('_onebox_init');
+      db.createUser({
+        user: '${username}',
+        pwd: '${escapedPassword}',
+        roles: [{ role: 'readWrite', db: '${dbName}' }]
      });
+      print('PROVISION_SUCCESS');
+    `;

-      logger.success(`MongoDB database '${dbName}' provisioned with user '${username}'`);
-    } finally {
-      await client.close();
+    const result = await this.oneboxRef.docker.execInContainer(
+      platformService.containerId,
+      [
+        'mongo',
+        '--username', adminCreds.username,
+        '--password', escapedAdminPassword,
+        '--authenticationDatabase', 'admin',
+        '--quiet',
+        '--eval', mongoScript,
+      ]
+    );
+
+    if (result.exitCode !== 0 || !result.stdout.includes('PROVISION_SUCCESS')) {
+      throw new Error(`Failed to provision MongoDB database: exit code ${result.exitCode}, output: ${result.stdout.substring(0, 200)} ${result.stderr.substring(0, 200)}`);
    }

+    logger.success(`MongoDB database '${dbName}' provisioned with user '${username}'`);
+
    // Build the credentials and env vars
    const credentials: Record<string, string> = {
      host: containerName,
@@ -262,37 +264,33 @@ export class MongoDBProvider extends BasePlatformServiceProvider {
    }

    const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
-
-    // Get container host port for connection from host (overlay network IPs not accessible from host)
-    const hostPort = await this.oneboxRef.docker.getContainerHostPort(platformService.containerId, 27017);
-    if (!hostPort) {
-      throw new Error('Could not get MongoDB container host port');
-    }
+    const escapedAdminPassword = adminCreds.password.replace(/'/g, "'\\''");

    logger.info(`Deprovisioning MongoDB database '${resource.resourceName}'...`);

-    const { MongoClient } = await import('npm:mongodb@6');
-    const adminUri = `mongodb://${adminCreds.username}:${adminCreds.password}@127.0.0.1:${hostPort}/?authSource=admin`;
+    const mongoScript = `
+      db = db.getSiblingDB('${resource.resourceName}');
+      try { db.dropUser('${credentials.username}'); } catch(e) { print('User drop failed: ' + e); }
+      db.dropDatabase();
+      print('DEPROVISION_SUCCESS');
+    `;

-    const client = new MongoClient(adminUri);
-    await client.connect();
+    const result = await this.oneboxRef.docker.execInContainer(
+      platformService.containerId,
+      [
+        'mongo',
+        '--username', adminCreds.username,
+        '--password', escapedAdminPassword,
+        '--authenticationDatabase', 'admin',
+        '--quiet',
+        '--eval', mongoScript,
+      ]
+    );

-    try {
-      const db = client.db(resource.resourceName);
-
-      // Drop the user
-      try {
-        await db.command({ dropUser: credentials.username });
-        logger.info(`Dropped MongoDB user '${credentials.username}'`);
-      } catch (e) {
-        logger.warn(`Could not drop MongoDB user: ${getErrorMessage(e)}`);
-      }
-
-      // Drop the database
-      await db.dropDatabase();
-      logger.success(`MongoDB database '${resource.resourceName}' dropped`);
-    } finally {
-      await client.close();
+    if (result.exitCode !== 0) {
+      logger.warn(`MongoDB deprovision returned exit code ${result.exitCode}: ${result.stderr.substring(0, 200)}`);
    }
+
+    logger.success(`MongoDB database '${resource.resourceName}' dropped`);
  }
 }
@@ -0,0 +1,283 @@
+/**
+ * Redis Platform Service Provider
+ */
+
+import { BasePlatformServiceProvider } from './base.ts';
+import type {
+  IService,
+  IPlatformResource,
+  IPlatformServiceConfig,
+  IProvisionedResource,
+  IEnvVarMapping,
+  TPlatformServiceType,
+  TPlatformResourceType,
+} from '../../../types.ts';
+import { logger } from '../../../logging.ts';
+import { getErrorMessage } from '../../../utils/error.ts';
+import { credentialEncryption } from '../../encryption.ts';
+import type { Onebox } from '../../onebox.ts';
+
+export class RedisProvider extends BasePlatformServiceProvider {
+  readonly type: TPlatformServiceType = 'redis';
+  readonly displayName = 'Redis';
+  readonly resourceTypes: TPlatformResourceType[] = ['cache'];
+
+  constructor(oneboxRef: Onebox) {
+    super(oneboxRef);
+  }
+
+  getDefaultConfig(): IPlatformServiceConfig {
+    return {
+      image: 'redis:7-alpine',
+      port: 6379,
+      volumes: ['/var/lib/onebox/redis:/data'],
+      environment: {},
+    };
+  }
+
+  getEnvVarMappings(): IEnvVarMapping[] {
+    return [
+      { envVar: 'REDIS_HOST', credentialPath: 'host' },
+      { envVar: 'REDIS_PORT', credentialPath: 'port' },
+      { envVar: 'REDIS_PASSWORD', credentialPath: 'password' },
+      { envVar: 'REDIS_DB', credentialPath: 'db' },
+      { envVar: 'REDIS_URL', credentialPath: 'connectionString' },
+    ];
+  }
+
+  async deployContainer(): Promise<string> {
+    const config = this.getDefaultConfig();
+    const containerName = this.getContainerName();
+    const dataDir = '/var/lib/onebox/redis';
+
+    logger.info(`Deploying Redis platform service as ${containerName}...`);
+
+    // Check if we have existing data and stored credentials
+    const platformService = this.oneboxRef.database.getPlatformServiceByType(this.type);
+    let adminCredentials: { username: string; password: string };
+    let dataExists = false;
+
+    // Check if data directory has existing Redis data
+    try {
+      const stat = await Deno.stat(`${dataDir}/dump.rdb`);
+      dataExists = stat.isFile;
+      logger.info(`Redis data directory exists with dump.rdb file`);
+    } catch {
+      // Also check for appendonly file
+      try {
+        const stat = await Deno.stat(`${dataDir}/appendonly.aof`);
+        dataExists = stat.isFile;
+        logger.info(`Redis data directory exists with appendonly.aof file`);
+      } catch {
+        dataExists = false;
+      }
+    }
+
+    if (dataExists && platformService?.adminCredentialsEncrypted) {
+      // Reuse existing credentials from database
+      logger.info('Reusing existing Redis credentials (data directory already initialized)');
+      adminCredentials = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
+    } else {
+      // Generate new credentials for fresh deployment
+      logger.info('Generating new Redis admin credentials');
+      adminCredentials = {
+        username: 'default',
+        password: credentialEncryption.generatePassword(32),
+      };
+
+      // If data exists but we don't have credentials, we need to wipe the data
+      if (dataExists) {
+        logger.warn('Redis data exists but no credentials in database - wiping data directory');
+        try {
+          await Deno.remove(dataDir, { recursive: true });
+        } catch (e) {
+          logger.error(`Failed to wipe Redis data directory: ${getErrorMessage(e)}`);
+          throw new Error('Cannot deploy Redis: data directory exists without credentials');
+        }
+      }
+    }
+
+    // Ensure data directory exists
+    try {
+      await Deno.mkdir(dataDir, { recursive: true });
+    } catch (e) {
+      // Directory might already exist
+      if (!(e instanceof Deno.errors.AlreadyExists)) {
+        logger.warn(`Could not create Redis data directory: ${getErrorMessage(e)}`);
+      }
+    }
+
+    // Redis uses command args for password, not env vars
+    const containerId = await this.oneboxRef.docker.createPlatformContainer({
+      name: containerName,
+      image: config.image,
+      port: config.port,
+      env: [],
+      volumes: config.volumes,
+      network: this.getNetworkName(),
+      command: ['redis-server', '--requirepass', adminCredentials.password, '--appendonly', 'yes'],
+    });
+
+    // Store encrypted admin credentials (only update if new or changed)
+    const encryptedCreds = await credentialEncryption.encrypt(adminCredentials);
+    if (platformService) {
+      this.oneboxRef.database.updatePlatformService(platformService.id!, {
+        containerId,
+        adminCredentialsEncrypted: encryptedCreds,
+        status: 'starting',
+      });
+    }
+
+    logger.success(`Redis container created: ${containerId}`);
+    return containerId;
+  }
+
+  async stopContainer(containerId: string): Promise<void> {
+    logger.info(`Stopping Redis container ${containerId}...`);
+    await this.oneboxRef.docker.stopContainer(containerId);
+    logger.success('Redis container stopped');
+  }
+
+  async healthCheck(): Promise<boolean> {
+    try {
+      logger.info('Redis health check: starting...');
+      const platformService = this.oneboxRef.database.getPlatformServiceByType(this.type);
+      if (!platformService) {
+        logger.info('Redis health check: platform service not found in database');
+        return false;
+      }
+      if (!platformService.adminCredentialsEncrypted) {
+        logger.info('Redis health check: no admin credentials stored');
+        return false;
+      }
+      if (!platformService.containerId) {
+        logger.info('Redis health check: no container ID in database record');
+        return false;
+      }
+
+      logger.info(`Redis health check: using container ID ${platformService.containerId.substring(0, 12)}...`);
+      const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
+
+      // Use docker exec to run health check inside the container
+      const result = await this.oneboxRef.docker.execInContainer(
+        platformService.containerId,
+        ['redis-cli', '-a', adminCreds.password, 'ping']
+      );
+
+      if (result.exitCode === 0 && result.stdout.includes('PONG')) {
+        logger.info('Redis health check: success');
+        return true;
+      } else {
+        logger.info(`Redis health check failed: exit code ${result.exitCode}, stdout: ${result.stdout.substring(0, 200)}`);
+        return false;
+      }
+    } catch (error) {
+      logger.info(`Redis health check exception: ${getErrorMessage(error)}`);
+      return false;
+    }
+  }
+
+  async provisionResource(userService: IService): Promise<IProvisionedResource> {
+    const platformService = this.oneboxRef.database.getPlatformServiceByType(this.type);
+    if (!platformService || !platformService.adminCredentialsEncrypted) {
+      throw new Error('Redis platform service not found or not configured');
+    }
+
+    const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
+    const containerName = this.getContainerName();
+
+    // Determine the next available DB index (1-15, reserving 0 for admin)
+    const existingResources = this.oneboxRef.database.getPlatformResourcesByPlatformService(platformService.id!);
+    const usedIndexes = new Set<number>();
+
+    for (const resource of existingResources) {
+      try {
+        const creds = await credentialEncryption.decrypt(resource.credentialsEncrypted);
+        if (creds.db) {
+          usedIndexes.add(parseInt(creds.db, 10));
+        }
+      } catch {
+        // Skip resources with corrupt credentials
+      }
+    }
+
+    let dbIndex = -1;
+    for (let i = 1; i <= 15; i++) {
+      if (!usedIndexes.has(i)) {
+        dbIndex = i;
+        break;
+      }
+    }
+
+    if (dbIndex === -1) {
+      throw new Error('No available Redis database indexes (max 15 services per Redis instance)');
+    }
+
+    const resourceName = this.generateResourceName(userService.name);
+
+    logger.info(`Provisioning Redis database index ${dbIndex} for service '${userService.name}'...`);
+
+    // No server-side creation needed - Redis DB indexes exist implicitly
+    // Just verify connectivity
+    if (platformService.containerId) {
+      const result = await this.oneboxRef.docker.execInContainer(
+        platformService.containerId,
+        ['redis-cli', '-a', adminCreds.password, '-n', String(dbIndex), 'ping']
+      );
+
+      if (result.exitCode !== 0 || !result.stdout.includes('PONG')) {
+        throw new Error(`Failed to verify Redis database ${dbIndex}: exit code ${result.exitCode}`);
+      }
+    }
+
+    logger.success(`Redis database index ${dbIndex} provisioned for service '${userService.name}'`);
+
+    // Build the credentials and env vars
+    const credentials: Record<string, string> = {
+      host: containerName,
+      port: '6379',
+      password: adminCreds.password,
+      db: String(dbIndex),
+      connectionString: `redis://:${adminCreds.password}@${containerName}:6379/${dbIndex}`,
+    };
+
+    // Map credentials to env vars
+    const envVars: Record<string, string> = {};
+    for (const mapping of this.getEnvVarMappings()) {
+      if (credentials[mapping.credentialPath]) {
+        envVars[mapping.envVar] = credentials[mapping.credentialPath];
+      }
+    }
+
+    return {
+      type: 'cache',
+      name: resourceName,
+      credentials,
+      envVars,
+    };
+  }
+
+  async deprovisionResource(resource: IPlatformResource, credentials: Record<string, string>): Promise<void> {
+    const platformService = this.oneboxRef.database.getPlatformServiceByType(this.type);
+    if (!platformService || !platformService.adminCredentialsEncrypted || !platformService.containerId) {
+      throw new Error('Redis platform service not found or not configured');
+    }
+
+    const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
+    const dbIndex = credentials.db || '0';
+
+    logger.info(`Deprovisioning Redis database index ${dbIndex} for resource '${resource.resourceName}'...`);
+
+    // Flush the specific database
+    const result = await this.oneboxRef.docker.execInContainer(
+      platformService.containerId,
+      ['redis-cli', '-a', adminCreds.password, '-n', dbIndex, 'FLUSHDB']
+    );
+
+    if (result.exitCode !== 0) {
+      logger.warn(`Redis deprovision returned exit code ${result.exitCode}: ${result.stderr.substring(0, 200)}`);
+    }
+
+    logger.success(`Redis database index ${dbIndex} flushed for resource '${resource.resourceName}'`);
+  }
+}
@@ -2,7 +2,7 @@
 * Onebox Registry Manager
 *
 * Manages the local Docker registry using:
- * - @push.rocks/smarts3 (S3-compatible server with filesystem storage)
+ * - @push.rocks/smartstorage (S3-compatible server with filesystem storage)
 * - @push.rocks/smartregistry (OCI-compliant Docker registry)
 */

@@ -27,7 +27,7 @@ export class RegistryManager {
  }

  /**
-   * Initialize the registry (start smarts3 and smartregistry)
+   * Initialize the registry (start smartstorage and smartregistry)
   */
  async init(): Promise<void> {
    if (this.isInitialized) {
@@ -39,10 +39,10 @@ export class RegistryManager {
      const dataDir = this.options.dataDir || './.nogit/registry-data';
      const port = this.options.port || 4000;

-      logger.info(`Starting smarts3 server on port ${port}...`);
+      logger.info(`Starting smartstorage server on port ${port}...`);

-      // 1. Start smarts3 server (S3-compatible storage with filesystem backend)
-      this.s3Server = await plugins.smarts3.Smarts3.createAndStart({
+      // 1. Start smartstorage server (S3-compatible storage with filesystem backend)
+      this.s3Server = await plugins.smartstorage.SmartStorage.createAndStart({
        server: {
          port: port,
          address: '0.0.0.0',
@@ -53,16 +53,16 @@ export class RegistryManager {
        },
      });

-      logger.success(`smarts3 server started on port ${port}`);
+      logger.success(`smartstorage server started on port ${port}`);

-      // 2. Configure smartregistry to use smarts3
+      // 2. Configure smartregistry to use smartstorage
      logger.info('Initializing smartregistry...');

      this.registry = new plugins.smartregistry.SmartRegistry({
        storage: {
          endpoint: 'localhost',
          port: port,
-          accessKey: 'onebox', // smarts3 doesn't validate credentials
+          accessKey: 'onebox', // smartstorage doesn't validate credentials
          accessSecret: 'onebox',
          useSsl: false,
          region: 'us-east-1',
@@ -314,15 +314,15 @@ export class RegistryManager {
  }

  /**
-   * Stop the registry and smarts3 server
+   * Stop the registry and smartstorage server
   */
  async stop(): Promise<void> {
    if (this.s3Server) {
      try {
        await this.s3Server.stop();
-        logger.info('smarts3 server stopped');
+        logger.info('smartstorage server stopped');
      } catch (error) {
-        logger.error(`Error stopping smarts3: ${getErrorMessage(error)}`);
+        logger.error(`Error stopping smartstorage: ${getErrorMessage(error)}`);
      }
    }

@@ -15,6 +15,7 @@ export class OneboxServicesManager {
  private oneboxRef: any; // Will be Onebox instance
  private database: OneboxDatabase;
  private docker: OneboxDockerManager;
+  private autoUpdateIntervalId: number | null = null;

  constructor(oneboxRef: any) {
    this.oneboxRef = oneboxRef;
@@ -49,11 +50,13 @@ export class OneboxServicesManager {

      // Build platform requirements
      const platformRequirements: IPlatformRequirements | undefined =
-        (options.enableMongoDB || options.enableS3 || options.enableClickHouse)
+        (options.enableMongoDB || options.enableS3 || options.enableClickHouse || options.enableRedis || options.enableMariaDB)
          ? {
              mongodb: options.enableMongoDB,
              s3: options.enableS3,
              clickhouse: options.enableClickHouse,
+              redis: options.enableRedis,
+              mariadb: options.enableMariaDB,
            }
          : undefined;

@@ -75,6 +78,9 @@ export class OneboxServicesManager {
        autoUpdateOnPush: options.autoUpdateOnPush,
        // Platform requirements
        platformRequirements,
+        // App Store template tracking
+        appTemplateId: options.appTemplateId,
+        appTemplateVersion: options.appTemplateVersion,
      });

      // Provision platform resources if needed
@@ -681,7 +687,7 @@ export class OneboxServicesManager {
   */
  startAutoUpdateMonitoring(): void {
    // Check every 30 seconds
-    setInterval(async () => {
+    this.autoUpdateIntervalId = setInterval(async () => {
      try {
        await this.checkForRegistryUpdates();
      } catch (error) {
@@ -692,6 +698,17 @@ export class OneboxServicesManager {
    logger.info('Auto-update monitoring started (30s interval)');
  }

+  /**
+   * Stop auto-update monitoring
+   */
+  stopAutoUpdateMonitoring(): void {
+    if (this.autoUpdateIntervalId !== null) {
+      clearInterval(this.autoUpdateIntervalId);
+      this.autoUpdateIntervalId = null;
+      logger.debug('Auto-update monitoring stopped');
+    }
+  }
+
  /**
   * Check all services using onebox registry for updates
   */
@@ -0,0 +1,243 @@
+/**
+ * Systemd Service Manager for Onebox
+ *
+ * Handles systemd unit file installation, enabling, starting, stopping,
+ * and status checking. Modeled on nupst's direct systemctl approach —
+ * no external library dependencies.
+ */
+
+import { logger } from '../logging.ts';
+import { getErrorMessage } from '../utils/error.ts';
+
+const SERVICE_NAME = 'onebox';
+const SERVICE_FILE_PATH = '/etc/systemd/system/onebox.service';
+
+const SERVICE_UNIT_TEMPLATE = `[Unit]
+Description=Onebox - Self-hosted container platform
+After=network-online.target docker.service
+Wants=network-online.target
+Requires=docker.service
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/onebox systemd start-daemon
+Restart=always
+RestartSec=10
+WorkingDirectory=/var/lib/onebox
+Environment=PATH=/usr/bin:/usr/local/bin
+Environment=HOME=/root
+Environment=DENO_DIR=/root/.cache/deno
+
+[Install]
+WantedBy=multi-user.target
+`;
+
+export class OneboxSystemd {
+  /**
+   * Install and enable the systemd service
+   */
+  async enable(): Promise<void> {
+    try {
+      // Ensure Docker is installed before writing unit file (it requires docker.service)
+      await this.ensureDocker();
+
+      // Write the unit file
+      logger.info('Writing systemd unit file...');
+      await Deno.writeTextFile(SERVICE_FILE_PATH, SERVICE_UNIT_TEMPLATE);
+      logger.info(`Unit file written to ${SERVICE_FILE_PATH}`);
+
+      // Reload systemd daemon
+      await this.runSystemctl(['daemon-reload']);
+
+      // Enable the service
+      const result = await this.runSystemctl(['enable', `${SERVICE_NAME}.service`]);
+      if (!result.success) {
+        throw new Error(`Failed to enable service: ${result.stderr}`);
+      }
+
+      logger.success('Onebox systemd service enabled');
+      logger.info('Start with: onebox systemd start');
+    } catch (error) {
+      logger.error(`Failed to enable service: ${getErrorMessage(error)}`);
+      throw error;
+    }
+  }
+
+  /**
+   * Stop, disable, and remove the systemd service
+   */
+  async disable(): Promise<void> {
+    try {
+      // Stop the service (ignore errors if not running)
+      await this.runSystemctl(['stop', `${SERVICE_NAME}.service`]);
+
+      // Disable the service
+      await this.runSystemctl(['disable', `${SERVICE_NAME}.service`]);
+
+      // Remove the unit file
+      try {
+        await Deno.remove(SERVICE_FILE_PATH);
+        logger.info(`Removed ${SERVICE_FILE_PATH}`);
+      } catch {
+        // File might not exist
+      }
+
+      // Reload systemd daemon
+      await this.runSystemctl(['daemon-reload']);
+
+      logger.success('Onebox systemd service disabled and removed');
+    } catch (error) {
+      logger.error(`Failed to disable service: ${getErrorMessage(error)}`);
+      throw error;
+    }
+  }
+
+  /**
+   * Start the service via systemctl
+   */
+  async start(): Promise<void> {
+    const result = await this.runSystemctl(['start', `${SERVICE_NAME}.service`]);
+    if (!result.success) {
+      logger.error(`Failed to start service: ${result.stderr}`);
+      throw new Error(`Failed to start onebox service`);
+    }
+    logger.success('Onebox service started');
+  }
+
+  /**
+   * Stop the service via systemctl
+   */
+  async stop(): Promise<void> {
+    const result = await this.runSystemctl(['stop', `${SERVICE_NAME}.service`]);
+    if (!result.success) {
+      logger.error(`Failed to stop service: ${result.stderr}`);
+      throw new Error(`Failed to stop onebox service`);
+    }
+    logger.success('Onebox service stopped');
+  }
+
+  /**
+   * Get and display service status
+   */
+  async getStatus(): Promise<string> {
+    const result = await this.runSystemctl(['status', `${SERVICE_NAME}.service`]);
+    const output = result.stdout;
+
+    let status: string;
+    if (output.includes('active (running)')) {
+      status = 'running';
+    } else if (output.includes('inactive') || output.includes('dead')) {
+      status = 'stopped';
+    } else if (output.includes('failed')) {
+      status = 'failed';
+    } else if (!result.success && result.stderr.includes('could not be found')) {
+      status = 'not-installed';
+    } else {
+      status = 'unknown';
+    }
+
+    // Print the raw systemctl output for full details
+    if (output.trim()) {
+      console.log(output);
+    }
+
+    return status;
+  }
+
+  /**
+   * Show service logs via journalctl
+   */
+  async showLogs(): Promise<void> {
+    const cmd = new Deno.Command('journalctl', {
+      args: ['-u', `${SERVICE_NAME}.service`, '-f'],
+      stdout: 'inherit',