v1.17.3

.claude/CLAUDE.md

@@ -1,140 +0,0 @@
-# Onebox Development Notes
-
-## ⚠️ CRITICAL DEVELOPMENT RULES ⚠️
-
-### NEVER GUESS - ALWAYS READ THE ACTUAL CODE
-**FUCKING ALWAYS look at the dependency actual code. Don't start fucking guessing stuff.**
-
-run "pnpm run watch" when starting to do stuff, so the UI gets recompiled and the server automatically restarts on file changes.
-
-When working with any dependency:
-1. **READ the actual source code** in `node_modules/` or check the package documentation
-2. **CHECK the exact API** - don't assume based on similar libraries
-3. **VERIFY method names, return types, and property structures** before using them
-4. **TEST with the actual implementation** - APIs change between versions
-
-Common mistakes to avoid:
-- ❌ Assuming API structure based on similar libraries
-- ❌ Guessing method names or property paths
-- ❌ Using outdated documentation without checking current version
-- ✅ Read the actual TypeScript definitions in node_modules
-- ✅ Check the package's README and changelog
-- ✅ Test the actual behavior before implementing
-
-## Architecture Changes
-
-### Reverse Proxy Implementation
-- **Replaced Nginx** with native Deno reverse proxy (`ts/classes/reverseproxy.ts`)
-- Features:
-  - HTTP/HTTPS dual servers (ports 80/443)
-  - TLS/SSL certificate management with hot-reload
-  - WebSocket bidirectional proxying
-  - Dynamic routing from database
-  - SNI (Server Name Indication) support
-
-### Code Organization
-- Removed "onebox." prefix from all TypeScript files
-- Organized into subfolders:
-  - `ts/classes/` - All class implementations
-  - `ts/` - Root level utilities (logging, types, plugins, cli, info)
-
-### WebSocket Real-time Communication
-- **Backend**: WebSocket endpoint at `/api/ws` (`ts/classes/httpserver.ts:96-174`)
-  - Connection management with client Set tracking
-  - Broadcast methods: `broadcast()`, `broadcastServiceUpdate()`, `broadcastServiceStatus()`
-  - Integrated with service lifecycle (start/stop/restart actions)
-  - Status monitoring loop broadcasts changes automatically
-- **Frontend**: Angular WebSocket service (`ui/src/app/core/services/websocket.service.ts`)
-  - Auto-connects on app initialization
-  - Exponential backoff reconnection (max 5 attempts)
-  - RxJS Observable-based message streaming
-  - Components subscribe to real-time updates
-- **Message Types**:
-  - `connected` - Initial connection confirmation
-  - `service_update` - Service lifecycle changes (action: created/updated/deleted/started/stopped)
-  - `service_status` - Real-time status changes from monitoring loop
-  - `system_status` - System-wide updates
-- **Testing**: Use `.nogit/test-ws-updates.ts` to monitor WebSocket messages
-
-### Docker Configuration
-- **System Docker**: Uses root Docker at `/var/run/docker.sock` (NOT rootless)
-- **Swarm Mode**: Enabled for service orchestration
-- **API Access**: Interact with Docker via direct API calls to the socket
-  - ❌ DO NOT switch Docker CLI contexts
-  - ✅ Use curl/HTTP requests to `/var/run/docker.sock`
-- **Network**: Overlay network `onebox-network` with `Attachable: true`
-- **Services vs Containers**: All workloads run as Swarm services (not standalone containers)
-
-## Debugging Tips
-
-### Backend Logs
-Use the background bash task to check server logs:
-```bash
-# Check for specific patterns (e.g., Login attempts)
-BashOutput tool with filter: "Login|error|Error"
-
-# Check all recent output
-BashOutput tool without filter
-```
-
-The dev server runs with `--watch` so it auto-restarts on file changes.
-
-### Frontend Testing
-Use Playwright for UI testing:
-```typescript
-// Navigate to app
-mcp__playwright__browser_navigate({ url: "http://localhost:3000" })
-
-// Fill login form
-mcp__playwright__browser_fill_form({
-  fields: [
-    { name: "Username", type: "textbox", ref: "...", value: "admin" },
-    { name: "Password", type: "textbox", ref: "...", value: "admin" }
-  ]
-})
-
-// Click button
-mcp__playwright__browser_click({ element: "Sign in button", ref: "..." })
-
-// Check console errors
-// Playwright automatically shows console messages in results
-```
-
-### Common Issues
-
-#### Login Issue (Fixed)
-**Problem**: `admin/admin` credentials returned "Invalid credentials"
-
-**Root Cause**: `rowToUser()` function in database.ts was accessing rows as arrays `row[2]` instead of objects `row.password_hash`. The @db/sqlite library returns rows as objects with snake_case column names.
-
-**Fix**: Updated `rowToUser()` to support both access patterns:
-```typescript
-private rowToUser(row: any): IUser {
-  return {
-    passwordHash: String(row.password_hash || row[2]),
-    // ... other fields
-  };
-}
-```
-
-**Location**: `ts/classes/database.ts:506-515`
-
-## Default Credentials
-- Username: `admin`
-- Password: `admin`
-- ⚠️ Change immediately after first login!
-
-## Development Server
-```bash
-# Main server (port 3000)
-deno task dev
-
-# Check server status
-curl http://localhost:3000/api/status
-```
-
-## API Endpoints
-- `POST /api/auth/login` - Login (returns JWT-like token)
-- `GET /api/status` - System status (requires auth)
-- `GET /api/services` - List services (requires auth)
-- See `ts/classes/httpserver.ts` for full API

.gitea/release-template.md

@@ -0,0 +1,37 @@
+## Onebox {{VERSION}}
+
+Pre-compiled binaries for multiple platforms.
+
+### Installation
+
+#### Option 1: Via npm (recommended)
+
+```bash
+npm install -g @serve.zone/onebox
+```
+
+#### Option 2: Via installer script
+
+```bash
+curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash
+```
+
+#### Option 3: Direct binary download
+
+Download the appropriate binary for your platform from the assets below and make it executable.
+
+### Supported Platforms
+
+- Linux x86_64 (x64)
+- Linux ARM64 (aarch64)
+- macOS x86_64 (Intel)
+- macOS ARM64 (Apple Silicon)
+- Windows x86_64
+
+### Checksums
+
+SHA256 checksums are provided in `SHA256SUMS.txt` for binary verification.
+
+### npm Package
+
+The npm package includes automatic binary detection and installation for your platform.

.gitea/workflows/ci.yml

@@ -0,0 +1,114 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  check:
+    name: Type Check & Lint
+    runs-on: ubuntu-latest
+    container:
+      image: code.foss.global/host.today/ht-docker-node:latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Deno
+        uses: denoland/setup-deno@v1
+        with:
+          deno-version: v2.x
+
+      - name: Install dependencies
+        run: deno install --entrypoint mod.ts
+
+      - name: Check TypeScript types
+        run: deno check mod.ts
+
+      - name: Lint code
+        run: deno lint
+        continue-on-error: true
+
+      - name: Format check
+        run: deno fmt --check
+        continue-on-error: true
+
+  build:
+    name: Build Test (Current Platform)
+    runs-on: ubuntu-latest
+    container:
+      image: code.foss.global/host.today/ht-docker-node:latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Deno
+        uses: denoland/setup-deno@v1
+        with:
+          deno-version: v2.x
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+
+      - name: Enable corepack
+        run: corepack enable
+
+      - name: Install dependencies
+        run: pnpm install --ignore-scripts
+
+      - name: Compile for current platform
+        run: |
+          echo "Testing compilation for Linux x86_64..."
+          npx tsdeno compile --allow-all --no-check \
+            --output onebox-test \
+            --target x86_64-unknown-linux-gnu mod.ts
+
+      - name: Test binary execution
+        run: |
+          chmod +x onebox-test
+          ./onebox-test --version
+          ./onebox-test --help
+
+  build-all:
+    name: Build All Platforms
+    runs-on: ubuntu-latest
+    container:
+      image: code.foss.global/host.today/ht-docker-node:latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Deno
+        uses: denoland/setup-deno@v1
+        with:
+          deno-version: v2.x
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+
+      - name: Enable corepack
+        run: corepack enable
+
+      - name: Install dependencies
+        run: pnpm install --ignore-scripts
+
+      - name: Compile all platform binaries
+        run: mkdir -p dist/binaries && npx tsdeno compile
+
+      - name: Upload all binaries as artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: onebox-binaries.zip
+          path: dist/binaries/*
+          retention-days: 30

.gitea/workflows/npm-publish.yml

@@ -0,0 +1,131 @@
+name: Publish to npm
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  npm-publish:
+    runs-on: ubuntu-latest
+    container:
+      image: code.foss.global/host.today/ht-docker-node:latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Deno
+        uses: denoland/setup-deno@v1
+        with:
+          deno-version: v2.x
+
+      - name: Setup Node.js for npm publishing
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18.x'
+          registry-url: 'https://registry.npmjs.org/'
+
+      - name: Get version from tag
+        id: version
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/}
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "version_number=${VERSION#v}" >> $GITHUB_OUTPUT
+          echo "Publishing version: $VERSION"
+
+      - name: Verify deno.json version matches tag
+        run: |
+          DENO_VERSION=$(grep -o '"version": "[^"]*"' deno.json | cut -d'"' -f4)
+          TAG_VERSION="${{ steps.version.outputs.version_number }}"
+          echo "deno.json version: $DENO_VERSION"
+          echo "Tag version: $TAG_VERSION"
+          if [ "$DENO_VERSION" != "$TAG_VERSION" ]; then
+            echo "ERROR: Version mismatch!"
+            echo "deno.json has version $DENO_VERSION but tag is $TAG_VERSION"
+            exit 1
+          fi
+
+      - name: Compile binaries for npm package
+        run: |
+          echo "Compiling binaries for npm package..."
+          deno task compile
+          echo ""
+          echo "Binary sizes:"
+          ls -lh dist/binaries/
+
+      - name: Generate SHA256 checksums
+        run: |
+          cd dist/binaries
+          sha256sum * > SHA256SUMS
+          cat SHA256SUMS
+          cd ../..
+
+      - name: Sync package.json version
+        run: |
+          VERSION="${{ steps.version.outputs.version_number }}"
+          echo "Syncing package.json to version ${VERSION}..."
+          npm version ${VERSION} --no-git-tag-version --allow-same-version
+          echo "package.json version: $(grep '"version"' package.json | head -1)"
+
+      - name: Create npm package
+        run: |
+          echo "Creating npm package..."
+          npm pack
+          echo ""
+          echo "Package created:"
+          ls -lh *.tgz
+
+      - name: Test local installation
+        run: |
+          echo "Testing local package installation..."
+          PACKAGE_FILE=$(ls *.tgz)
+          npm install -g ${PACKAGE_FILE}
+          echo ""
+          echo "Testing onebox command:"
+          onebox --version || echo "Note: Binary execution may fail in CI environment"
+          echo ""
+          echo "Checking installed files:"
+          npm ls -g @serve.zone/onebox || true
+
+      - name: Publish to npm
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: |
+          echo "Publishing to npm registry..."
+          npm publish --access public
+          echo ""
+          echo "Successfully published @serve.zone/onebox to npm!"
+          echo ""
+          echo "Package info:"
+          npm view @serve.zone/onebox
+
+      - name: Verify npm package
+        run: |
+          echo "Waiting for npm propagation..."
+          sleep 30
+          echo ""
+          echo "Verifying published package..."
+          npm view @serve.zone/onebox
+          echo ""
+          echo "Testing installation from npm:"
+          npm install -g @serve.zone/onebox
+          echo ""
+          echo "Package installed successfully!"
+          which onebox || echo "Binary location check skipped"
+
+      - name: Publish Summary
+        run: |
+          echo "================================================"
+          echo "  npm Publish Complete!"
+          echo "================================================"
+          echo ""
+          echo "Package: @serve.zone/onebox"
+          echo "Version: ${{ steps.version.outputs.version }}"
+          echo ""
+          echo "Installation:"
+          echo "  npm install -g @serve.zone/onebox"
+          echo ""
+          echo "Registry:"
+          echo "  https://www.npmjs.com/package/@serve.zone/onebox"
+          echo ""

.gitea/workflows/release.yml

@@ -0,0 +1,211 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  build-and-release:
+    runs-on: ubuntu-latest
+    container:
+      image: code.foss.global/host.today/ht-docker-node:latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Deno
+        uses: denoland/setup-deno@v1
+        with:
+          deno-version: v2.x
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+
+      - name: Enable corepack
+        run: corepack enable
+
+      - name: Install dependencies
+        run: pnpm install --ignore-scripts
+
+      - name: Get version from tag
+        id: version
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/}
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "version_number=${VERSION#v}" >> $GITHUB_OUTPUT
+          echo "Building version: $VERSION"
+
+      - name: Verify deno.json version matches tag
+        run: |
+          DENO_VERSION=$(grep -o '"version": "[^"]*"' deno.json | cut -d'"' -f4)
+          TAG_VERSION="${{ steps.version.outputs.version_number }}"
+          echo "deno.json version: $DENO_VERSION"
+          echo "Tag version: $TAG_VERSION"
+          if [ "$DENO_VERSION" != "$TAG_VERSION" ]; then
+            echo "ERROR: Version mismatch!"
+            echo "deno.json has version $DENO_VERSION but tag is $TAG_VERSION"
+            exit 1
+          fi
+
+      - name: Compile binaries for all platforms
+        run: mkdir -p dist/binaries && npx tsdeno compile
+
+      - name: Generate SHA256 checksums
+        run: |
+          cd dist/binaries
+          sha256sum * > SHA256SUMS.txt
+          cat SHA256SUMS.txt
+          cd ../..
+
+      - name: Extract changelog for this version
+        id: changelog
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+
+          # Check if CHANGELOG.md exists
+          if [ ! -f CHANGELOG.md ] && [ ! -f changelog.md ]; then
+            echo "No changelog found, using default release notes"
+            cat > /tmp/release_notes.md << EOF
+          ## Onebox $VERSION
+
+          Pre-compiled binaries for multiple platforms.
+
+          ### Installation
+
+          Use the installation script:
+          \`\`\`bash
+          curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash
+          \`\`\`
+
+          Or download the binary for your platform and make it executable.
+
+          ### Supported Platforms
+          - Linux x86_64 (x64)
+          - Linux ARM64 (aarch64)
+          - macOS x86_64 (Intel)
+          - macOS ARM64 (Apple Silicon)
+          - Windows x86_64
+
+          ### Checksums
+          SHA256 checksums are provided in SHA256SUMS.txt
+          EOF
+          else
+            CHANGELOG_FILE=$([ -f CHANGELOG.md ] && echo "CHANGELOG.md" || echo "changelog.md")
+            awk "/## \[$VERSION\]/,/## \[/" "$CHANGELOG_FILE" | sed '$d' > /tmp/release_notes.md || cat > /tmp/release_notes.md << EOF
+          ## Onebox $VERSION
+
+          See changelog.md for full details.
+
+          ### Installation
+
+          Use the installation script:
+          \`\`\`bash
+          curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash
+          \`\`\`
+          EOF
+          fi
+
+          echo "Release notes:"
+          cat /tmp/release_notes.md
+
+      - name: Delete existing release if it exists
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+
+          echo "Checking for existing release $VERSION..."
+
+          # Try to get existing release by tag
+          EXISTING_RELEASE_ID=$(curl -s \
+            -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            "https://code.foss.global/api/v1/repos/serve.zone/onebox/releases/tags/$VERSION" \
+            | jq -r '.id // empty')
+
+          if [ -n "$EXISTING_RELEASE_ID" ]; then
+            echo "Found existing release (ID: $EXISTING_RELEASE_ID), deleting..."
+            curl -X DELETE -s \
+              -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+              "https://code.foss.global/api/v1/repos/serve.zone/onebox/releases/$EXISTING_RELEASE_ID"
+            echo "Existing release deleted"
+            sleep 2
+          else
+            echo "No existing release found, proceeding with creation"
+          fi
+
+      - name: Create Gitea Release
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          RELEASE_NOTES=$(cat /tmp/release_notes.md)
+
+          # Create the release
+          echo "Creating release for $VERSION..."
+          RELEASE_ID=$(curl -X POST -s \
+            -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            "https://code.foss.global/api/v1/repos/serve.zone/onebox/releases" \
+            -d "{
+              \"tag_name\": \"$VERSION\",
+              \"name\": \"Onebox $VERSION\",
+              \"body\": $(jq -Rs . /tmp/release_notes.md),
+              \"draft\": false,
+              \"prerelease\": false
+            }" | jq -r '.id')
+
+          echo "Release created with ID: $RELEASE_ID"
+
+          # Upload binaries as release assets
+          for binary in dist/binaries/*; do
+            filename=$(basename "$binary")
+            echo "Uploading $filename..."
+            curl -X POST -s \
+              -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+              -H "Content-Type: application/octet-stream" \
+              --data-binary "@$binary" \
+              "https://code.foss.global/api/v1/repos/serve.zone/onebox/releases/$RELEASE_ID/assets?name=$filename"
+          done
+
+          echo "All assets uploaded successfully"
+
+      - name: Clean up old releases
+        run: |
+          echo "Cleaning up old releases (keeping only last 3)..."
+
+          # Fetch all releases sorted by creation date
+          RELEASES=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            "https://code.foss.global/api/v1/repos/serve.zone/onebox/releases" | \
+            jq -r 'sort_by(.created_at) | reverse | .[3:] | .[].id')
+
+          # Delete old releases
+          if [ -n "$RELEASES" ]; then
+            echo "Found releases to delete:"
+            for release_id in $RELEASES; do
+              echo "  Deleting release ID: $release_id"
+              curl -X DELETE -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+                "https://code.foss.global/api/v1/repos/serve.zone/onebox/releases/$release_id"
+            done
+            echo "Old releases deleted successfully"
+          else
+            echo "No old releases to delete (less than 4 releases total)"
+          fi
+          echo ""
+
+      - name: Release Summary
+        run: |
+          echo "================================================"
+          echo "  Release ${{ steps.version.outputs.version }} Complete!"
+          echo "================================================"
+          echo ""
+          echo "Binaries published:"
+          ls -lh dist/binaries/
+          echo ""
+          echo "Release URL:"
+          echo "https://code.foss.global/serve.zone/onebox/releases/tag/${{ steps.version.outputs.version }}"
+          echo ""
+          echo "Installation command:"
+          echo "curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash"
+          echo ""

changelog.md

@@ -1,5 +1,275 @@
 # Changelog
 
+## 2026-03-16 - 1.17.3 - fix(mongodb)
+downgrade the MongoDB service image to 4.4 and use the legacy mongo shell for container operations
+
+- changes the default MongoDB container image from mongo:7 to mongo:4.4
+- replaces mongosh with mongo for health checks, provisioning, and deprovisioning inside the container
+
+## 2026-03-16 - 1.17.2 - fix(platform-services)
+provision ClickHouse, MinIO, and MongoDB resources via docker exec instead of host port access
+
+- switch ClickHouse provisioning and teardown to in-container client commands to avoid host port mapping issues
+- replace MinIO host-side S3 API calls with in-container mc commands for bucket creation and removal
+- run MongoDB provisioning and deprovisioning through mongosh inside the container and improve docker exec failure reporting
+
+## 2026-03-16 - 1.17.1 - fix(repo)
+no changes to commit
+
+
+## 2026-03-16 - 1.17.0 - feat(web/services)
+add deploy service action to the services view
+
+- Adds a prominent "Deploy Service" button to the services page header.
+- Routes users into the create service view directly from the services listing.
+- Includes a new service creation form screenshot asset for the updated interface.
+
+## 2026-03-16 - 1.16.0 - feat(services)
+add platform service navigation and stats in the services UI
+
+- add platform service stats state and fetch action
+- show platform services in the services list and open a platform detail view
+- enable dashboard clicks to jump directly to the selected platform service
+- refresh platform service stats after start and restart actions
+- bump @serve.zone/catalog to ^2.6.0 for the new platform service UI components
+
+## 2026-03-16 - 1.15.3 - fix(install)
+refresh systemd service configuration before restarting previously running installations
+
+- Re-enable the systemd service during updates so unit file changes are applied before restart
+- Add a log message indicating the service configuration is being refreshed
+
+## 2026-03-16 - 1.15.2 - fix(systemd)
+set HOME and DENO_DIR for the systemd service environment
+
+- Adds HOME=/root to the generated onebox systemd unit
+- Adds DENO_DIR=/root/.cache/deno so Deno cache paths are available when running as a service
+
+## 2026-03-16 - 1.15.1 - fix(systemd)
+move Docker installation and swarm initialization to systemd enable flow
+
+- Ensures Docker is installed before writing and enabling the systemd unit that depends on docker.service.
+- Removes Docker auto-installation from Onebox initialization so setup happens in the service management path.
+
+## 2026-03-16 - 1.15.0 - feat(systemd)
+replace smartdaemon-based service management with native systemd commands
+
+- adds a dedicated OneboxSystemd manager for enabling, disabling, starting, stopping, checking status, and following logs
+- introduces a new `onebox systemd` CLI command set and updates install and help output to use it
+- removes the smartdaemon dependency and related service management code
+
+## 2026-03-16 - 1.14.10 - fix(services)
+stop auto-update monitoring during shutdown
+
+- Track the auto-update polling interval in the services manager
+- Clear the auto-update interval when Onebox shuts down to prevent background checks after shutdown
+
+## 2026-03-16 - 1.14.9 - fix(repo)
+no changes to commit
+
+
+## 2026-03-16 - 1.14.8 - fix(repo)
+no changes to commit
+
+
+## 2026-03-16 - 1.14.7 - fix(repo)
+no changes to commit
+
+
+## 2026-03-16 - 1.14.6 - fix(project)
+no changes to commit
+
+
+## 2026-03-16 - 1.14.5 - fix(onebox)
+move Docker auto-install and swarm initialization into Onebox startup flow
+
+- removes Docker setup from daemon service installation
+- ensures Docker is installed before Docker initialization during Onebox startup
+- preserves automatic Docker Swarm initialization on fresh servers
+
+## 2026-03-16 - 1.14.4 - fix(repo)
+no changes to commit
+
+
+## 2026-03-16 - 1.14.3 - fix(repo)
+no changes to commit
+
+
+## 2026-03-16 - 1.14.2 - fix(repo)
+no changes to commit
+
+
+## 2026-03-16 - 1.14.1 - fix(repo)
+no changes to commit
+
+
+## 2026-03-16 - 1.14.0 - feat(daemon)
+auto-install Docker and initialize Swarm during daemon service setup
+
+- Adds a Docker availability check before installing the Onebox daemon service
+- Installs Docker automatically when it is missing using the standard installation script
+- Attempts to initialize Docker Swarm after installation and handles already-initialized environments gracefully
+
+## 2026-03-16 - 1.13.17 - fix(ci)
+remove forced container image pulling from Gitea workflow jobs
+
+- Drops the `--pull always` container option from CI, npm publish, and release workflows.
+- Keeps workflow container images unchanged while avoiding forced pulls on every job run.
+
+## 2026-03-16 - 1.13.16 - fix(ci)
+refresh workflow container images on every run and bump @apiclient.xyz/docker to ^5.1.1
+
+- add --pull always to CI, release, and npm publish workflow containers to avoid stale images
+- update @apiclient.xyz/docker from ^5.1.0 to ^5.1.1 in deno.json
+
+## 2026-03-15 - 1.13.15 - fix(repo)
+no changes to commit
+
+
+## 2026-03-15 - 1.13.14 - fix(repo)
+no changes to commit
+
+
+## 2026-03-15 - 1.13.13 - fix(repo)
+no changes to commit
+
+
+## 2026-03-15 - 1.13.12 - fix(ci)
+run pnpm install with --ignore-scripts in CI and release workflows
+
+- Update CI workflow dependency installation steps to skip lifecycle scripts during builds.
+- Apply the same install change to the release workflow for consistent automation behavior.
+
+## 2026-03-15 - 1.13.11 - fix(project)
+no changes to commit
+
+
+## 2026-03-15 - 1.13.10 - fix(deps)
+bump @git.zone/tsdeno to ^1.2.0
+
+- Updates the tsdeno development dependency from ^1.1.1 to ^1.2.0.
+
+## 2026-03-15 - 1.13.9 - fix(repo)
+no changes to commit
+
+
+## 2026-03-15 - 1.13.8 - fix(repo)
+no changes to commit
+
+
+## 2026-03-15 - 1.13.7 - fix(repo)
+no changes to commit
+
+
+## 2026-03-15 - 1.13.6 - fix(ci)
+correct workflow container image registry path
+
+- Update Gitea CI, release, and npm publish workflows to use the corrected ht-docker-node image path
+- Align all workflow container references from hosttoday to host.today to prevent pipeline image resolution issues
+
+## 2026-03-15 - 1.13.5 - fix(workflows)
+switch Gitea workflow containers from ht-docker-dbase to ht-docker-node
+
+- Updates the CI, release, and npm publish workflows to use the Node-focused container image consistently.
+- Aligns workflow runtime images with the project's Node and Deno build and publish steps.
+
+## 2026-03-15 - 1.13.4 - fix(ci)
+run workflows in the shared build container and enable corepack for pnpm installs
+
+- adds the ht-docker-dbase container image to CI, release, and npm publish workflows
+- enables corepack before pnpm install in build and release jobs to ensure package manager availability
+
+## 2026-03-15 - 1.13.3 - fix(build)
+replace custom Deno compile scripts with tsdeno-based binary builds in CI and release workflows
+
+- adds @git.zone/tsdeno as a dev dependency and configures compile targets in npmextra.json
+- updates CI and release workflows to install Node.js dependencies before running tsdeno compile
+- removes the legacy scripts/compile-all.sh script and points the compile task to tsdeno compile
+
+## 2026-03-15 - 1.13.2 - fix(scripts)
+install production dependencies before compiling binaries and exclude local node_modules from builds
+
+- Adds a dependency installation step using the application entrypoint before cross-platform compilation
+- Updates all deno compile targets to use --node-modules-dir=none to avoid bundling local node_modules
+
+## 2026-03-15 - 1.13.1 - fix(deno)
+remove nodeModulesDir from Deno configuration
+
+- Drops the explicit nodeModulesDir setting from deno.json.
+- Keeps the package version unchanged at 1.13.0 while simplifying runtime configuration.
+
+## 2026-03-15 - 1.13.0 - feat(install)
+improve installer with version selection, service restart handling, and upgrade documentation
+
+- Adds installer command-line options for help, specific version selection, and custom install directory.
+- Fetches the latest release from the Gitea API when no version is provided and installs the matching platform binary.
+- Preserves Onebox data directories, stops and restarts the systemd service during updates, and refreshes installation instructions in the README including upgrade usage.
+
+## 2026-03-15 - 1.12.1 - fix(package.json)
+update package metadata
+
+- Single metadata-only file changed (+1, -1)
+- No source code or runtime behavior modified; safe patch release
+
+## 2026-03-15 - 1.12.0 - feat(cli,release)
+add self-upgrade command and automate CI, release, and npm publishing workflows
+
+- adds a new `onebox upgrade` CLI command that checks the latest release and reinstalls the current binary via the installer script
+- introduces Gitea CI workflows for type checks, build verification, multi-platform binary compilation, release creation, and npm publishing
+- adds a reusable release template describing installation options, supported platforms, and checksum availability
+
+## 2026-03-03 - 1.11.0 - feat(services)
+map backend service data to UI components, add stats & logs parsing, fetch service stats, and fix logs request param
+
+- Fix: rename service logs request property from 'lines' to 'tail' when calling typedRequest
+- Add data transformation helpers: formatBytes, parseImageString, mapStatus, toServiceDetail, toServiceStats, parseLogs
+- Transform service list and detail props to match @serve.zone/catalog component interfaces (map status, image, repo/tag, timestamps, registry)
+- Dispatch fetchServiceStatsAction on service click and surface transformed stats with default values to avoid nulls
+- Parse and normalize logs into timestamp/message pairs for the detail view
+
+## 2026-03-02 - 1.10.3 - fix(bin)
+make bin/onebox-wrapper.js executable
+
+- Metadata-only change: file mode updated for bin/onebox-wrapper.js to include the executable bit
+- No source or behavior changes to the code
+
+## 2026-03-02 - 1.10.2 - fix(build)
+update build/watch configuration, switch to esbuild bundler and tswatch, and bump catalog and tooling dependencies
+
+- Switch watch script to 'tswatch' (replaced previous concurrently command invoking deno + tswatch).
+- npmextra.json: set bundler to 'esbuild', enable production mode, include html/index.html in the bundle, and extend watchPatterns to include ./html/**/*.
+- Backend watcher: expanded watch globs and changed command to include --unstable-ffi and runtime flags (--ephemeral --monitor); restart and debounce kept.
+- Bump runtime deps: @design.estate/dees-catalog -> ^3.43.3, @serve.zone/catalog -> ^2.5.0.
+- Bump devDependencies: @git.zone/tsbundle -> ^2.9.0, @git.zone/tswatch -> ^3.2.0.
+
+## 2026-02-24 - 1.10.1 - fix(package.json)
+update package metadata
+
+- Single metadata-only file changed (+1 -1)
+- No source code or runtime behavior modified; safe patch release
+- Current package version is 1.10.0; recommend patch bump to 1.10.1
+
+## 2026-02-24 - 1.10.0 - feat(opsserver)
+introduce OpsServer (TypedRequest API) and new lightweight web UI; replace legacy Angular UI and add typed interfaces
+
+- Add OpsServer (ts/opsserver) with TypedRequest handlers for admin, services, platform, dns, domains, registry, network, backups, schedules, settings and logs.
+- Integrate typedrequest/typedserver and smartjwt/smartguard plugins (ts/plugins.ts) and add comprehensive ts_interfaces for requests and data shapes.
+- Replace legacy HTTP server usage with OpsServer throughout daemon, Onebox class and CLI (ts/classes/daemon.ts, ts/classes/onebox.ts, ts/cli.ts).
+- Implement log streaming via VirtualStream and support for downloading/restoring backups and registry token management within handlers.
+- Introduce new web UI built with dees-element web components under ts_web (ob-app-shell and views) and bundle/watch tooling (npmextra.json, tsbundle/tswatch integration).
+- Update package.json: add build/watch scripts, tsbundle/tswatch dev deps and new runtime dependencies for typedrequest and catalog components.
+- Remove large Angular-based ui application and related services/components in ui/ (major cleanup of Angular code and assets).
+- Note: This adds many new endpoints and internal API changes (TypedRequest-based); consumers of the old UI/HTTP endpoints should migrate to the new OpsServer TypedRequest API and web components.
+
+## 2025-12-03 - 1.9.2 - fix(ui)
+Add VS Code configs for the UI workspace and normalize dark theme CSS variables
+
+- Add VS Code workspace files under ui/.vscode:
+-   - extensions.json: recommend the Angular language support extension
+-   - launch.json: Chrome launch configurations for 'ng serve' and 'ng test' (preLaunchTask hooks)
+-   - tasks.json: npm 'start' and 'test' tasks with a background TypeScript problem matcher to improve dev workflow
+- Update ui/src/styles.css dark theme variables to use neutral black/gray HSL values for background, foreground, cards, popovers, accents, borders, inputs and ring to improve contrast and consistency
+
 ## 2025-11-27 - 1.9.1 - fix(ui)
 Correct import success toast and add VS Code launch/tasks recommendations for the UI
 

deno.json

@@ -1,12 +1,11 @@
 {
   "name": "@serve.zone/onebox",
-  "version": "1.9.1",
+  "version": "1.17.3",
   "exports": "./mod.ts",
-  "nodeModulesDir": "auto",
   "tasks": {
     "test": "deno test --allow-all test/",
     "test:watch": "deno test --allow-all --watch test/",
-    "compile": "bash scripts/compile-all.sh",
+    "compile": "tsdeno compile",
     "dev": "pnpm run watch"
   },
   "imports": {
@@ -16,13 +15,17 @@
     "@std/assert": "jsr:@std/assert@^1.0.15",
     "@std/encoding": "jsr:@std/encoding@^1.0.10",
     "@db/sqlite": "jsr:@db/sqlite@0.12.0",
-    "@push.rocks/smartdaemon": "npm:@push.rocks/smartdaemon@^2.1.0",
-    "@apiclient.xyz/docker": "npm:@apiclient.xyz/docker@^5.1.0",
+    "@apiclient.xyz/docker": "npm:@apiclient.xyz/docker@^5.1.1",
     "@apiclient.xyz/cloudflare": "npm:@apiclient.xyz/cloudflare@6.4.3",
     "@push.rocks/smartacme": "npm:@push.rocks/smartacme@^8.0.0",
     "@push.rocks/smartregistry": "npm:@push.rocks/smartregistry@^2.2.0",
     "@push.rocks/smarts3": "npm:@push.rocks/smarts3@^5.1.0",
-    "@push.rocks/taskbuffer": "npm:@push.rocks/taskbuffer@^3.1.0"
+    "@push.rocks/taskbuffer": "npm:@push.rocks/taskbuffer@^3.1.0",
+    "@api.global/typedrequest-interfaces": "npm:@api.global/typedrequest-interfaces@^3.0.19",
+    "@api.global/typedrequest": "npm:@api.global/typedrequest@^3.2.6",
+    "@api.global/typedserver": "npm:@api.global/typedserver@^8.3.1",
+    "@push.rocks/smartguard": "npm:@push.rocks/smartguard@^3.1.0",
+    "@push.rocks/smartjwt": "npm:@push.rocks/smartjwt@^2.2.1"
   },
   "compilerOptions": {
     "lib": [

dist_serve/index.html

@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta
+      name="viewport"
+      content="user-scalable=0, initial-scale=1, maximum-scale=1, minimum-scale=1, width=device-width, height=device-height"
+    />
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <meta name="theme-color" content="#000000" />
+    <title>Onebox</title>
+    <link rel="preconnect" href="https://assetbroker.lossless.one/" crossorigin>
+    <link rel="stylesheet" href="https://assetbroker.lossless.one/fonts/fonts.css">
+    <style>
+      html {
+        -ms-text-size-adjust: 100%;
+        -webkit-text-size-adjust: 100%;
+      }
+      body {
+        position: relative;
+        background: #000;
+        margin: 0px;
+      }
+    </style>
+  </head>
+  <body>
+    <noscript>
+      <p style="color: #fff; text-align: center; margin-top: 100px;">
+        JavaScript is required to run the Onebox dashboard.
+      </p>
+    </noscript>
+  </body>
+  <script defer type="module" src="/bundle.js"></script>
+</html>

html/index.html

@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta
+      name="viewport"
+      content="user-scalable=0, initial-scale=1, maximum-scale=1, minimum-scale=1, width=device-width, height=device-height"
+    />
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <meta name="theme-color" content="#000000" />
+    <title>Onebox</title>
+    <link rel="preconnect" href="https://assetbroker.lossless.one/" crossorigin>
+    <link rel="stylesheet" href="https://assetbroker.lossless.one/fonts/fonts.css">
+    <style>
+      html {
+        -ms-text-size-adjust: 100%;
+        -webkit-text-size-adjust: 100%;
+      }
+      body {
+        position: relative;
+        background: #000;
+        margin: 0px;
+      }
+    </style>
+  </head>
+  <body>
+    <noscript>
+      <p style="color: #fff; text-align: center; margin-top: 100px;">
+        JavaScript is required to run the Onebox dashboard.
+      </p>
+    </noscript>
+  </body>
+  <script defer type="module" src="/bundle.js"></script>
+</html>

install.sh

@@ -1,192 +1,310 @@
 #!/bin/bash
+
+# Onebox Installer Script
+# Downloads and installs pre-compiled Onebox binary from Gitea releases
 #
-# Onebox installer script
+# Usage:
+#   Direct piped installation (recommended):
+#     curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash
 #
+#   With version specification:
+#     curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash -s -- --version v1.11.0
+#
+# Options:
+#   -h, --help             Show this help message
+#   --version VERSION      Install specific version (e.g., v1.11.0)
+#   --install-dir DIR      Installation directory (default: /opt/onebox)
 
 set -e
 
-# Configuration
-REPO_URL="https://code.foss.global/serve.zone/onebox"
+# Default values
+SHOW_HELP=0
+SPECIFIED_VERSION=""
 INSTALL_DIR="/opt/onebox"
-BIN_LINK="/usr/local/bin/onebox"
+GITEA_BASE_URL="https://code.foss.global"
+GITEA_REPO="serve.zone/onebox"
+SERVICE_NAME="onebox"
 
-# Colors
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
-NC='\033[0m' # No Color
+# Parse command line arguments
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -h|--help)
+      SHOW_HELP=1
+      shift
+      ;;
+    --version)
+      SPECIFIED_VERSION="$2"
+      shift 2
+      ;;
+    --install-dir)
+      INSTALL_DIR="$2"
+      shift 2
+      ;;
+    *)
+      echo "Unknown option: $1"
+      echo "Use -h or --help for usage information"
+      exit 1
+      ;;
+  esac
+done
 
-# Functions
-error() {
-    echo -e "${RED}Error: $1${NC}" >&2
-    exit 1
-}
-
-info() {
-    echo -e "${GREEN}$1${NC}"
-}
-
-warn() {
-    echo -e "${YELLOW}$1${NC}"
-}
-
-# Detect platform and architecture
-detect_platform() {
-    OS=$(uname -s | tr '[:upper:]' '[:lower:]')
-    ARCH=$(uname -m)
-
-    case "$OS" in
-        linux)
-            PLATFORM="linux"
-            ;;
-        darwin)
-            PLATFORM="macos"
-            ;;
-        *)
-            error "Unsupported operating system: $OS"
-            ;;
-    esac
-
-    case "$ARCH" in
-        x86_64|amd64)
-            ARCH="x64"
-            ;;
-        aarch64|arm64)
-            ARCH="arm64"
-            ;;
-        *)
-            error "Unsupported architecture: $ARCH"
-            ;;
-    esac
-
-    BINARY_NAME="onebox-${PLATFORM}-${ARCH}"
-}
-
-# Get latest version from Gitea API
-get_latest_version() {
-    info "Fetching latest version..."
-    VERSION=$(curl -s "${REPO_URL}/releases" | grep -o '"tag_name":"v[^"]*' | head -1 | cut -d'"' -f4 | cut -c2-)
-
-    if [ -z "$VERSION" ]; then
-        warn "Could not fetch latest version, using 'main' branch"
-        VERSION="main"
-    else
-        info "Latest version: v${VERSION}"
-    fi
-}
+if [ $SHOW_HELP -eq 1 ]; then
+  echo "Onebox Installer Script"
+  echo "Downloads and installs pre-compiled Onebox binary"
+  echo ""
+  echo "Usage: $0 [options]"
+  echo ""
+  echo "Options:"
+  echo "  -h, --help             Show this help message"
+  echo "  --version VERSION      Install specific version (e.g., v1.11.0)"
+  echo "  --install-dir DIR      Installation directory (default: /opt/onebox)"
+  echo ""
+  echo "Examples:"
+  echo "  # Install latest version"
+  echo "  curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash"
+  echo ""
+  echo "  # Install specific version"
+  echo "  curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash -s -- --version v1.11.0"
+  exit 0
+fi
 
 # Check if running as root
-check_root() {
-    if [ "$EUID" -ne 0 ]; then
-        error "This script must be run as root (use sudo)"
-    fi
+if [ "$EUID" -ne 0 ]; then
+  echo "Please run as root (sudo bash install.sh or pipe to sudo bash)"
+  exit 1
+fi
+
+# Helper function to detect OS and architecture
+detect_platform() {
+  local os=$(uname -s)
+  local arch=$(uname -m)
+
+  # Map OS
+  case "$os" in
+    Linux)
+      os_name="linux"
+      ;;
+    Darwin)
+      os_name="macos"
+      ;;
+    MINGW*|MSYS*|CYGWIN*)
+      os_name="windows"
+      ;;
+    *)
+      echo "Error: Unsupported operating system: $os"
+      echo "Supported: Linux, macOS, Windows"
+      exit 1
+      ;;
+  esac
+
+  # Map architecture
+  case "$arch" in
+    x86_64|amd64)
+      arch_name="x64"
+      ;;
+    aarch64|arm64)
+      arch_name="arm64"
+      ;;
+    *)
+      echo "Error: Unsupported architecture: $arch"
+      echo "Supported: x86_64/amd64 (x64), aarch64/arm64 (arm64)"
+      exit 1
+      ;;
+  esac
+
+  # Construct binary name
+  if [ "$os_name" = "windows" ]; then
+    echo "onebox-${os_name}-${arch_name}.exe"
+  else
+    echo "onebox-${os_name}-${arch_name}"
+  fi
 }
 
+# Get latest release version from Gitea API
+get_latest_version() {
+  echo "Fetching latest release version from Gitea..." >&2
+
+  local api_url="${GITEA_BASE_URL}/api/v1/repos/${GITEA_REPO}/releases/latest"
+  local response=$(curl -sSL "$api_url" 2>/dev/null)
+
+  if [ $? -ne 0 ] || [ -z "$response" ]; then
+    echo "Error: Failed to fetch latest release information from Gitea API" >&2
+    echo "URL: $api_url" >&2
+    exit 1
+  fi
+
+  # Extract tag_name from JSON response
+  local version=$(echo "$response" | grep -o '"tag_name":"[^"]*"' | cut -d'"' -f4)
+
+  if [ -z "$version" ]; then
+    echo "Error: Could not determine latest version from API response" >&2
+    exit 1
+  fi
+
+  echo "$version"
+}
+
+# Main installation process
+echo "================================================"
+echo "  Onebox Installation Script"
+echo "================================================"
+echo ""
+
+# Detect platform
+BINARY_NAME=$(detect_platform)
+echo "Detected platform: $BINARY_NAME"
+echo ""
+
+# Determine version to install
+if [ -n "$SPECIFIED_VERSION" ]; then
+  VERSION="$SPECIFIED_VERSION"
+  echo "Installing specified version: $VERSION"
+else
+  VERSION=$(get_latest_version)
+  echo "Installing latest version: $VERSION"
+fi
+echo ""
+
+# Construct download URL
+DOWNLOAD_URL="${GITEA_BASE_URL}/${GITEA_REPO}/releases/download/${VERSION}/${BINARY_NAME}"
+echo "Download URL: $DOWNLOAD_URL"
+echo ""
+
+# Check if service is running and stop it
+SERVICE_WAS_RUNNING=0
+if systemctl is-enabled --quiet "$SERVICE_NAME" 2>/dev/null || systemctl is-active --quiet "$SERVICE_NAME" 2>/dev/null; then
+  SERVICE_WAS_RUNNING=1
+  if systemctl is-active --quiet "$SERVICE_NAME" 2>/dev/null; then
+    echo "Stopping Onebox service..."
+    systemctl stop "$SERVICE_NAME"
+  fi
+fi
+
+# Clean installation directory - ensure only binary exists
+if [ -d "$INSTALL_DIR" ]; then
+  echo "Cleaning installation directory: $INSTALL_DIR"
+  rm -rf "$INSTALL_DIR"
+fi
+
+# Create fresh installation directory
+echo "Creating installation directory: $INSTALL_DIR"
+mkdir -p "$INSTALL_DIR"
+
 # Download binary
-download_binary() {
-    info "Downloading Onebox ${VERSION} for ${PLATFORM}-${ARCH}..."
+echo "Downloading Onebox binary..."
+TEMP_FILE="$INSTALL_DIR/onebox.download"
+curl -sSL "$DOWNLOAD_URL" -o "$TEMP_FILE"
 
-    # Create temp directory
-    TMP_DIR=$(mktemp -d)
-    TMP_FILE="${TMP_DIR}/${BINARY_NAME}"
+if [ $? -ne 0 ]; then
+  echo "Error: Failed to download binary from $DOWNLOAD_URL"
+  echo ""
+  echo "Please check:"
+  echo "  1. Your internet connection"
+  echo "  2. The specified version exists: ${GITEA_BASE_URL}/${GITEA_REPO}/releases"
+  echo "  3. The platform binary is available for this release"
+  rm -f "$TEMP_FILE"
+  exit 1
+fi
 
-    # Try release download first
-    if [ "$VERSION" != "main" ]; then
-        DOWNLOAD_URL="${REPO_URL}/releases/download/v${VERSION}/${BINARY_NAME}"
-    else
-        DOWNLOAD_URL="${REPO_URL}/raw/branch/main/dist/binaries/${BINARY_NAME}"
-    fi
+# Check if download was successful (file exists and not empty)
+if [ ! -s "$TEMP_FILE" ]; then
+  echo "Error: Downloaded file is empty or does not exist"
+  rm -f "$TEMP_FILE"
+  exit 1
+fi
 
-    if ! curl -L -f -o "$TMP_FILE" "$DOWNLOAD_URL"; then
-        error "Failed to download binary from $DOWNLOAD_URL"
-    fi
+# Move to final location
+BINARY_PATH="$INSTALL_DIR/onebox"
+mv "$TEMP_FILE" "$BINARY_PATH"
 
-    # Verify download
-    if [ ! -f "$TMP_FILE" ] || [ ! -s "$TMP_FILE" ]; then
-        error "Downloaded file is empty or missing"
-    fi
+if [ $? -ne 0 ] || [ ! -f "$BINARY_PATH" ]; then
+  echo "Error: Failed to move binary to $BINARY_PATH"
+  rm -f "$TEMP_FILE" 2>/dev/null
+  exit 1
+fi
 
-    info "✓ Download complete"
-}
+# Make executable
+chmod +x "$BINARY_PATH"
 
-# Install binary
-install_binary() {
-    info "Installing Onebox to ${INSTALL_DIR}..."
+if [ $? -ne 0 ]; then
+  echo "Error: Failed to make binary executable"
+  exit 1
+fi
 
-    # Create install directory
-    mkdir -p "$INSTALL_DIR"
+echo "Binary installed successfully to: $BINARY_PATH"
+echo ""
 
-    # Copy binary
-    cp "$TMP_FILE" "${INSTALL_DIR}/onebox"
-    chmod +x "${INSTALL_DIR}/onebox"
+# Check if /usr/local/bin is in PATH
+if [[ ":$PATH:" == *":/usr/local/bin:"* ]]; then
+  BIN_DIR="/usr/local/bin"
+else
+  BIN_DIR="/usr/bin"
+fi
 
-    # Create symlink
-    ln -sf "${INSTALL_DIR}/onebox" "$BIN_LINK"
+# Create symlink for global access
+ln -sf "$BINARY_PATH" "$BIN_DIR/onebox"
+echo "Symlink created: $BIN_DIR/onebox -> $BINARY_PATH"
+echo ""
 
-    # Cleanup temp files
-    rm -rf "$TMP_DIR"
+# Create data directories
+mkdir -p /var/lib/onebox
+mkdir -p /var/www/certbot
 
-    info "✓ Installation complete"
-}
+# Re-enable and restart service if it was previously running (refreshes unit file)
+if [ $SERVICE_WAS_RUNNING -eq 1 ]; then
+  echo "Refreshing systemd service..."
+  onebox systemd enable
+  echo "Restarting Onebox service..."
+  systemctl restart "$SERVICE_NAME"
+  echo "Service restarted successfully."
+  echo ""
+fi
 
-# Initialize database and config
-initialize() {
-    info "Initializing Onebox..."
+echo "================================================"
+echo "  Onebox Installation Complete!"
+echo "================================================"
+echo ""
+echo "Installation details:"
+echo "  Binary location: $BINARY_PATH"
+echo "  Symlink location: $BIN_DIR/onebox"
+echo "  Version: $VERSION"
+echo ""
 
-    # Create data directory
-    mkdir -p /var/lib/onebox
-
-    # Create certbot directory for ACME challenges
-    mkdir -p /var/www/certbot
-
-    info "✓ Initialization complete"
-}
-
-# Print success message
-print_success() {
-    echo ""
-    info "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-    info "  Onebox installed successfully!"
-    info "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-    echo ""
-    echo "Next steps:"
-    echo ""
-    echo "1. Configure Cloudflare (optional):"
-    echo "   onebox config set cloudflareAPIKey <key>"
-    echo "   onebox config set cloudflareEmail <email>"
-    echo "   onebox config set cloudflareZoneID <zone-id>"
-    echo "   onebox config set serverIP <your-server-ip>"
-    echo ""
-    echo "2. Configure ACME email:"
-    echo "   onebox config set acmeEmail <your@email.com>"
-    echo ""
-    echo "3. Install daemon:"
-    echo "   onebox daemon install"
-    echo ""
-    echo "4. Start daemon:"
-    echo "   onebox daemon start"
-    echo ""
-    echo "5. Deploy your first service:"
-    echo "   onebox service add myapp --image nginx:latest --domain app.example.com"
-    echo ""
-    echo "Web UI: http://localhost:3000"
-    echo "Default credentials: admin / admin"
-    echo ""
-}
-
-# Main installation flow
-main() {
-    info "Onebox Installer"
-    echo ""
-
-    check_root
-    detect_platform
-    get_latest_version
-    download_binary
-    install_binary
-    initialize
-    print_success
-}
-
-# Run main function
-main
+# Check if database exists (indicates existing installation)
+if [ -f "/var/lib/onebox/onebox.db" ]; then
+  echo "Data directory: /var/lib/onebox (preserved)"
+  echo ""
+  echo "Your existing data has been preserved."
+  if [ $SERVICE_WAS_RUNNING -eq 1 ]; then
+    echo "The service has been restarted with your current settings."
+  else
+    echo "Start the service with: onebox systemd start"
+  fi
+else
+  echo "Get started:"
+  echo ""
+  echo "  onebox --version"
+  echo "  onebox --help"
+  echo ""
+  echo "  1. Configure Cloudflare (optional):"
+  echo "     onebox config set cloudflareAPIKey <key>"
+  echo "     onebox config set cloudflareEmail <email>"
+  echo "     onebox config set cloudflareZoneID <zone-id>"
+  echo "     onebox config set serverIP <your-server-ip>"
+  echo ""
+  echo "  2. Configure ACME email:"
+  echo "     onebox config set acmeEmail <your@email.com>"
+  echo ""
+  echo "  3. Enable systemd service:"
+  echo "     onebox systemd enable"
+  echo ""
+  echo "  4. Start service:"
+  echo "     onebox systemd start"
+  echo ""
+  echo "  5. Deploy your first service:"
+  echo "     onebox service add myapp --image nginx:latest --domain app.example.com"
+  echo ""
+  echo "  Web UI: http://localhost:3000"
+  echo "  Default credentials: admin / admin"
+fi
+echo ""

npmextra.json

@@ -0,0 +1,57 @@
+{
+  "@git.zone/tsbundle": {
+    "bundles": [
+      {
+        "from": "./ts_web/index.ts",
+        "to": "./ts_bundled/bundle.ts",
+        "outputMode": "base64ts",
+        "bundler": "esbuild",
+        "production": true,
+        "includeFiles": [{"from": "./html/index.html", "to": "index.html"}]
+      }
+    ]
+  },
+  "@git.zone/tsdeno": {
+    "compileTargets": [
+      {
+        "name": "onebox-linux-x64",
+        "entryPoint": "mod.ts",
+        "outDir": "dist/binaries",
+        "target": "x86_64-unknown-linux-gnu",
+        "permissions": ["--allow-all"],
+        "noCheck": true
+      },
+      {
+        "name": "onebox-linux-arm64",
+        "entryPoint": "mod.ts",
+        "outDir": "dist/binaries",
+        "target": "aarch64-unknown-linux-gnu",
+        "permissions": ["--allow-all"],
+        "noCheck": true
+      }
+    ]
+  },
+  "@git.zone/tswatch": {
+    "bundles": [
+      {
+        "from": "./ts_web/index.ts",
+        "to": "./ts_bundled/bundle.ts",
+        "outputMode": "base64ts",
+        "bundler": "esbuild",
+        "production": true,
+        "watchPatterns": ["./ts_web/**/*", "./html/**/*"],
+        "includeFiles": [{"from": "./html/index.html", "to": "index.html"}]
+      }
+    ],
+    "watchers": [
+      {
+        "name": "backend",
+        "watch": ["./ts/**/*", "./ts_interfaces/**/*", "./ts_bundled/**/*"],
+        "command": "deno run --allow-all --unstable-ffi mod.ts server --ephemeral --monitor",
+        "restart": true,
+        "debounce": 500,
+        "runOnStart": true
+      }
+    ]
+  }
+}

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@serve.zone/onebox",
-  "version": "1.9.1",
+  "version": "1.17.3",
   "description": "Self-hosted container platform with automatic SSL and DNS - a mini Heroku for single servers",
   "main": "mod.ts",
   "type": "module",
@@ -9,7 +9,9 @@
   },
   "scripts": {
     "postinstall": "node scripts/install-binary.js",
-    "watch": "concurrently --kill-others --names \"BACKEND,UI\" --prefix-colors \"cyan,magenta\" \"deno run --allow-all --unstable-ffi --watch mod.ts server --ephemeral --monitor\" \"cd ui && pnpm run watch\""
+    "watch": "tswatch",
+    "build": "tsbundle",
+    "bundle": "tsbundle"
   },
   "keywords": [
     "docker",
@@ -51,8 +53,15 @@
     "arm64"
   ],
   "packageManager": "pnpm@10.18.1+sha512.77a884a165cbba2d8d1c19e3b4880eee6d2fcabd0d879121e282196b80042351d5eb3ca0935fa599da1dc51265cc68816ad2bddd2a2de5ea9fdf92adbec7cd34",
-  "dependencies": {},
+  "dependencies": {
+    "@api.global/typedrequest-interfaces": "^3.0.19",
+    "@design.estate/dees-catalog": "^3.43.3",
+    "@design.estate/dees-element": "^2.1.6",
+    "@serve.zone/catalog": "^2.6.0"
+  },
   "devDependencies": {
-    "concurrently": "^9.1.2"
+    "@git.zone/tsbundle": "^2.9.0",
+    "@git.zone/tsdeno": "^1.2.0",
+    "@git.zone/tswatch": "^3.2.0"
   }
 }

readme.md

@@ -47,10 +47,11 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 ### Installation
 
 ```bash
-# Download the latest release for your platform
-curl -sSL https://code.foss.global/serve.zone/onebox/releases/latest/download/onebox-linux-x64 -o onebox
-chmod +x onebox
-sudo mv onebox /usr/local/bin/
+# One-line install (recommended)
+curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash
+
+# Install a specific version
+curl -sSL https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh | sudo bash -s -- --version v1.11.0
 
 # Or install from npm
 pnpm install -g @serve.zone/onebox
@@ -242,6 +243,13 @@ onebox config set cloudflareZoneID your-zone-id
 onebox status
 ```
 
+### Upgrade
+
+```bash
+# Upgrade to the latest version (requires root)
+sudo onebox upgrade
+```
+
 ## Configuration 🔧
 
 ### System Requirements

scripts/compile-all.sh

@@ -1,56 +0,0 @@
-#!/bin/bash
-#
-# Compile Onebox for all platforms
-#
-
-set -e
-
-VERSION=$(grep '"version"' deno.json | cut -d'"' -f4)
-echo "Compiling Onebox v${VERSION} for all platforms..."
-
-# Create dist directory
-mkdir -p dist/binaries
-
-# Compile for each platform
-echo "Compiling for Linux x64..."
-deno compile --allow-all --no-check \
-  --output "dist/binaries/onebox-linux-x64" \
-  --target x86_64-unknown-linux-gnu \
-  mod.ts
-
-echo "Compiling for Linux ARM64..."
-deno compile --allow-all --no-check \
-  --output "dist/binaries/onebox-linux-arm64" \
-  --target aarch64-unknown-linux-gnu \
-  mod.ts
-
-echo "Compiling for macOS x64..."
-deno compile --allow-all --no-check \
-  --output "dist/binaries/onebox-macos-x64" \
-  --target x86_64-apple-darwin \
-  mod.ts
-
-echo "Compiling for macOS ARM64..."
-deno compile --allow-all --no-check \
-  --output "dist/binaries/onebox-macos-arm64" \
-  --target aarch64-apple-darwin \
-  mod.ts
-
-echo "Compiling for Windows x64..."
-deno compile --allow-all --no-check \
-  --output "dist/binaries/onebox-windows-x64.exe" \
-  --target x86_64-pc-windows-msvc \
-  mod.ts
-
-echo ""
-echo "✓ Compilation complete!"
-echo ""
-echo "Binaries:"
-ls -lh dist/binaries/
-echo ""
-echo "Next steps:"
-echo "1. Test binaries on their respective platforms"
-echo "2. Create git tag: git tag v${VERSION}"
-echo "3. Push tag: git push origin v${VERSION}"
-echo "4. Upload binaries to Gitea release"
-echo "5. Publish to npm: pnpm publish"

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/onebox',
-  version: '1.9.1',
+  version: '1.17.3',
   description: 'Self-hosted container platform with automatic SSL and DNS - a mini Heroku for single servers'
 }

ts/classes/daemon.ts

@@ -4,9 +4,7 @@
  * Handles background monitoring, metrics collection, and automatic tasks
  */
 
-import * as plugins from '../plugins.ts';
 import { logger } from '../logging.ts';
-import { projectInfo } from '../info.ts';
 import { getErrorMessage } from '../utils/error.ts';
 import type { Onebox } from './onebox.ts';
 
@@ -18,7 +16,6 @@ const FALLBACK_PID_FILE = `${FALLBACK_PID_DIR}/onebox.pid`;
 
 export class OneboxDaemon {
   private oneboxRef: Onebox;
-  private smartdaemon: plugins.smartdaemon.SmartDaemon | null = null;
   private running = false;
   private monitoringInterval: number | null = null;
   private statsInterval: number | null = null;
@@ -46,68 +43,6 @@ export class OneboxDaemon {
     }
   }
 
-  /**
-   * Install systemd service
-   */
-  async installService(): Promise<void> {
-    try {
-      logger.info('Installing Onebox daemon service...');
-
-      // Initialize smartdaemon if needed
-      if (!this.smartdaemon) {
-        this.smartdaemon = new plugins.smartdaemon.SmartDaemon();
-      }
-
-      // Get installation directory
-      const execPath = Deno.execPath();
-
-      const service = await this.smartdaemon.addService({
-        name: 'onebox',
-        version: projectInfo.version,
-        command: `${execPath} run --allow-all ${Deno.cwd()}/mod.ts daemon start`,
-        description: 'Onebox - Self-hosted container platform',
-        workingDir: Deno.cwd(),
-      });
-
-      await service.save();
-      await service.enable();
-
-      logger.success('Onebox daemon service installed');
-      logger.info('Start with: sudo systemctl start smartdaemon_onebox');
-    } catch (error) {
-      logger.error(`Failed to install daemon service: ${getErrorMessage(error)}`);
-      throw error;
-    }
-  }
-
-  /**
-   * Uninstall systemd service
-   */
-  async uninstallService(): Promise<void> {
-    try {
-      logger.info('Uninstalling Onebox daemon service...');
-
-      // Initialize smartdaemon if needed
-      if (!this.smartdaemon) {
-        this.smartdaemon = new plugins.smartdaemon.SmartDaemon();
-      }
-
-      const services = await this.smartdaemon.systemdManager.getServices();
-      const service = services.find(s => s.name === 'onebox');
-
-      if (service) {
-        await service.stop();
-        await service.disable();
-        await service.delete();
-      }
-
-      logger.success('Onebox daemon service uninstalled');
-    } catch (error) {
-      logger.error(`Failed to uninstall daemon service: ${getErrorMessage(error)}`);
-      throw error;
-    }
-  }
-
   /**
    * Start daemon mode (background monitoring)
    */
@@ -131,9 +66,9 @@ export class OneboxDaemon {
       // Start monitoring loop
       this.startMonitoring();
 
-      // Start HTTP server
+      // Start OpsServer (serves new UI + TypedRequest API)
       const httpPort = parseInt(this.oneboxRef.database.getSetting('httpPort') || '3000', 10);
-      await this.oneboxRef.httpServer.start(httpPort);
+      await this.oneboxRef.opsServer.start(httpPort);
 
       logger.success('Onebox daemon started');
       logger.info(`Web UI available at http://localhost:${httpPort}`);
@@ -163,8 +98,8 @@ export class OneboxDaemon {
       // Stop monitoring
       this.stopMonitoring();
 
-      // Stop HTTP server
-      await this.oneboxRef.httpServer.stop();
+      // Stop OpsServer
+      await this.oneboxRef.opsServer.stop();
 
       // Remove PID file
       await this.removePidFile();
@@ -280,31 +215,12 @@ export class OneboxDaemon {
   }
 
   /**
-   * Broadcast stats to WebSocket clients (real-time updates)
+   * Broadcast stats (placeholder for future WebSocket integration via OpsServer)
    */
   private async broadcastStats(): Promise<void> {
-    try {
-      const services = this.oneboxRef.services.listServices();
-      const runningServices = services.filter(s => s.status === 'running' && s.containerID);
-
-      logger.info(`Broadcasting stats for ${runningServices.length} running services`);
-
-      for (const service of runningServices) {
-        try {
-          const stats = await this.oneboxRef.docker.getContainerStats(service.containerID!);
-          if (stats) {
-            logger.info(`Broadcasting stats for ${service.name}: CPU=${stats.cpuPercent.toFixed(1)}%, Mem=${Math.round(stats.memoryUsed / 1024 / 1024)}MB`);
-            this.oneboxRef.httpServer.broadcastStatsUpdate(service.name, stats);
-          } else {
-            logger.warn(`No stats returned for ${service.name} (containerID: ${service.containerID})`);
-          }
-        } catch (error) {
-          logger.warn(`Stats collection failed for ${service.name}: ${getErrorMessage(error)}`);
-        }
-      }
-    } catch (error) {
-      logger.error(`Broadcast stats error: ${getErrorMessage(error)}`);
-    }
+    // Stats broadcasting via WebSocket is not yet implemented in OpsServer.
+    // Metrics are still collected and stored in the DB by collectMetrics().
+    // The new UI fetches stats via TypedRequests on demand.
   }
 
   /**
@@ -501,36 +417,7 @@ export class OneboxDaemon {
   static async ensureNoDaemon(): Promise<void> {
     const running = await OneboxDaemon.isDaemonRunning();
     if (running) {
-      throw new Error('Daemon is already running. Please stop it first with: onebox daemon stop');
-    }
-  }
-
-  /**
-   * Get service status from systemd
-   */
-  async getServiceStatus(): Promise<string> {
-    try {
-      // Don't need smartdaemon to check status, just use systemctl directly
-      const command = new Deno.Command('systemctl', {
-        args: ['status', 'smartdaemon_onebox'],
-        stdout: 'piped',
-        stderr: 'piped',
-      });
-
-      const { code, stdout } = await command.output();
-      const output = new TextDecoder().decode(stdout);
-
-      if (code === 0 || output.includes('active (running)')) {
-        return 'running';
-      } else if (output.includes('inactive') || output.includes('dead')) {
-        return 'stopped';
-      } else if (output.includes('failed')) {
-        return 'failed';
-      } else {
-        return 'unknown';
-      }
-    } catch (error) {
-      return 'not-installed';
+      throw new Error('Daemon is already running. Please stop it first with: onebox systemd stop');
     }
   }
 }

ts/classes/docker.ts

@@ -881,12 +881,12 @@ export class OneboxDockerManager {
       ]);
 
       const execInfo = await inspect();
-      const exitCode = execInfo.ExitCode || 0;
+      const exitCode = execInfo.ExitCode ?? -1;
 
       return { stdout, stderr, exitCode };
     } catch (error) {
       logger.error(`Failed to exec in container ${containerID}: ${getErrorMessage(error)}`);
-      throw error;
+      return { stdout: '', stderr: getErrorMessage(error), exitCode: -1 };
     }
   }
 

ts/classes/onebox.ts

@@ -14,6 +14,7 @@ import { OneboxReverseProxy } from './reverseproxy.ts';
 import { OneboxDnsManager } from './dns.ts';
 import { OneboxSslManager } from './ssl.ts';
 import { OneboxDaemon } from './daemon.ts';
+import { OneboxSystemd } from './systemd.ts';
 import { OneboxHttpServer } from './httpserver.ts';
 import { CloudflareDomainSync } from './cloudflare-sync.ts';
 import { CertRequirementManager } from './cert-requirement-manager.ts';
@@ -22,6 +23,7 @@ import { PlatformServicesManager } from './platform-services/index.ts';
 import { CaddyLogReceiver } from './caddy-log-receiver.ts';
 import { BackupManager } from './backup-manager.ts';
 import { BackupScheduler } from './backup-scheduler.ts';
+import { OpsServer } from '../opsserver/index.ts';
 
 export class Onebox {
   public database: OneboxDatabase;
@@ -32,6 +34,7 @@ export class Onebox {
   public dns: OneboxDnsManager;
   public ssl: OneboxSslManager;
   public daemon: OneboxDaemon;
+  public systemd: OneboxSystemd;
   public httpServer: OneboxHttpServer;
   public cloudflareDomainSync: CloudflareDomainSync;
   public certRequirementManager: CertRequirementManager;
@@ -40,6 +43,7 @@ export class Onebox {
   public caddyLogReceiver: CaddyLogReceiver;
   public backupManager: BackupManager;
   public backupScheduler: BackupScheduler;
+  public opsServer: OpsServer;
 
   private initialized = false;
 
@@ -55,6 +59,7 @@ export class Onebox {
     this.dns = new OneboxDnsManager(this);
     this.ssl = new OneboxSslManager(this);
     this.daemon = new OneboxDaemon(this);
+    this.systemd = new OneboxSystemd();
     this.httpServer = new OneboxHttpServer(this);
     this.registry = new RegistryManager({
       dataDir: './.nogit/registry-data',
@@ -77,6 +82,9 @@ export class Onebox {
 
     // Initialize Backup scheduler
     this.backupScheduler = new BackupScheduler(this);
+
+    // Initialize OpsServer (TypedRequest-based server)
+    this.opsServer = new OpsServer(this);
   }
 
   /**
@@ -316,31 +324,17 @@ export class Onebox {
   }
 
   /**
-   * Start daemon mode
-   */
-  async startDaemon(): Promise<void> {
-    await this.daemon.start();
-  }
-
-  /**
-   * Stop daemon mode
-   */
-  async stopDaemon(): Promise<void> {
-    await this.daemon.stop();
-  }
-
-  /**
-   * Start HTTP server
+   * Start OpsServer (TypedRequest-based, serves new UI)
    */
   async startHttpServer(port?: number): Promise<void> {
-    await this.httpServer.start(port);
+    await this.opsServer.start(port || 3000);
   }
 
   /**
-   * Stop HTTP server
+   * Stop OpsServer
    */
   async stopHttpServer(): Promise<void> {
-    await this.httpServer.stop();
+    await this.opsServer.stop();
   }
 
   /**
@@ -350,14 +344,17 @@ export class Onebox {
     try {
       logger.info('Shutting down Onebox...');
 
+      // Stop auto-update monitoring
+      this.services.stopAutoUpdateMonitoring();
+
       // Stop backup scheduler
       await this.backupScheduler.stop();
 
       // Stop daemon if running
       await this.daemon.stop();
 
-      // Stop HTTP server if running
-      await this.httpServer.stop();
+      // Stop OpsServer if running
+      await this.opsServer.stop();
 
       // Stop reverse proxy if running
       await this.reverseProxy.stop();

ts/classes/platform-services/providers/clickhouse.ts

@@ -194,12 +194,6 @@ export class ClickHouseProvider extends BasePlatformServiceProvider {
     const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
     const containerName = this.getContainerName();
 
-    // Get container host port for connection from host (overlay network IPs not accessible from host)
-    const hostPort = await this.oneboxRef.docker.getContainerHostPort(platformService.containerId, 8123);
-    if (!hostPort) {
-      throw new Error('Could not get ClickHouse container host port');
-    }
-
     // Generate resource names and credentials
     const dbName = this.generateResourceName(userService.name);
     const username = this.generateResourceName(userService.name);
@@ -207,35 +201,16 @@ export class ClickHouseProvider extends BasePlatformServiceProvider {
 
     logger.info(`Provisioning ClickHouse database '${dbName}' for service '${userService.name}'...`);
 
-    // Connect to ClickHouse via localhost and the mapped host port
-    const baseUrl = `http://127.0.0.1:${hostPort}`;
+    // Use docker exec to provision inside the container (avoids host port mapping issues)
+    const queries = [
+      `CREATE DATABASE IF NOT EXISTS ${dbName}`,
+      `CREATE USER IF NOT EXISTS ${username} IDENTIFIED BY '${password}'`,
+      `GRANT ALL ON ${dbName}.* TO ${username}`,
+    ];
 
-    // Create database
-    await this.executeQuery(
-      baseUrl,
-      adminCreds.username,
-      adminCreds.password,
-      `CREATE DATABASE IF NOT EXISTS ${dbName}`
-    );
-    logger.info(`Created ClickHouse database '${dbName}'`);
-
-    // Create user with access to this database
-    await this.executeQuery(
-      baseUrl,
-      adminCreds.username,
-      adminCreds.password,
-      `CREATE USER IF NOT EXISTS ${username} IDENTIFIED BY '${password}'`
-    );
-    logger.info(`Created ClickHouse user '${username}'`);
-
-    // Grant permissions on the database
-    await this.executeQuery(
-      baseUrl,
-      adminCreds.username,
-      adminCreds.password,
-      `GRANT ALL ON ${dbName}.* TO ${username}`
-    );
-    logger.info(`Granted permissions to user '${username}' on database '${dbName}'`);
+    for (const query of queries) {
+      await this.execClickHouseQuery(platformService.containerId, adminCreds, query);
+    }
 
     logger.success(`ClickHouse database '${dbName}' provisioned with user '${username}'`);
 
@@ -274,37 +249,11 @@ export class ClickHouseProvider extends BasePlatformServiceProvider {
 
     const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
 
-    // Get container host port for connection from host (overlay network IPs not accessible from host)
-    const hostPort = await this.oneboxRef.docker.getContainerHostPort(platformService.containerId, 8123);
-    if (!hostPort) {
-      throw new Error('Could not get ClickHouse container host port');
-    }
-
     logger.info(`Deprovisioning ClickHouse database '${resource.resourceName}'...`);
 
-    const baseUrl = `http://127.0.0.1:${hostPort}`;
-
     try {
-      // Drop the user
-      try {
-        await this.executeQuery(
-          baseUrl,
-          adminCreds.username,
-          adminCreds.password,
-          `DROP USER IF EXISTS ${credentials.username}`
-        );
-        logger.info(`Dropped ClickHouse user '${credentials.username}'`);
-      } catch (e) {
-        logger.warn(`Could not drop ClickHouse user: ${getErrorMessage(e)}`);
-      }
-
-      // Drop the database
-      await this.executeQuery(
-        baseUrl,
-        adminCreds.username,
-        adminCreds.password,
-        `DROP DATABASE IF EXISTS ${resource.resourceName}`
-      );
+      await this.execClickHouseQuery(platformService.containerId, adminCreds, `DROP USER IF EXISTS ${credentials.username}`);
+      await this.execClickHouseQuery(platformService.containerId, adminCreds, `DROP DATABASE IF EXISTS ${resource.resourceName}`);
       logger.success(`ClickHouse database '${resource.resourceName}' dropped`);
     } catch (e) {
       logger.error(`Failed to deprovision ClickHouse database: ${getErrorMessage(e)}`);
@@ -313,26 +262,27 @@ export class ClickHouseProvider extends BasePlatformServiceProvider {
   }
 
   /**
-   * Execute a ClickHouse SQL query via HTTP interface
+   * Execute a ClickHouse SQL query via docker exec inside the container
    */
-  private async executeQuery(
-    baseUrl: string,
-    username: string,
-    password: string,
+  private async execClickHouseQuery(
+    containerId: string,
+    adminCreds: { username: string; password: string },
     query: string
   ): Promise<string> {
-    const url = `${baseUrl}/?user=${encodeURIComponent(username)}&password=${encodeURIComponent(password)}`;
+    const result = await this.oneboxRef.docker.execInContainer(
+      containerId,
+      [
+        'clickhouse-client',
+        '--user', adminCreds.username,
+        '--password', adminCreds.password,
+        '--query', query,
+      ]
+    );
 
-    const response = await fetch(url, {
-      method: 'POST',
-      body: query,
-    });
-
-    if (!response.ok) {
-      const errorText = await response.text();
-      throw new Error(`ClickHouse query failed: ${errorText}`);
+    if (result.exitCode !== 0) {
+      throw new Error(`ClickHouse query failed (exit ${result.exitCode}): ${result.stderr.substring(0, 200)}`);
     }
 
-    return await response.text();
+    return result.stdout;
   }
 }

ts/classes/platform-services/providers/minio.ts

@@ -196,84 +196,28 @@ export class MinioProvider extends BasePlatformServiceProvider {
     const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
     const containerName = this.getContainerName();
 
-    // Get container host port for connection from host (overlay network IPs not accessible from host)
-    const hostPort = await this.oneboxRef.docker.getContainerHostPort(platformService.containerId, 9000);
-    if (!hostPort) {
-      throw new Error('Could not get MinIO container host port');
-    }
-
-    // Generate bucket name and credentials
+    // Generate bucket name
     const bucketName = this.generateBucketName(userService.name);
-    const accessKey = credentialEncryption.generateAccessKey(20);
-    const secretKey = credentialEncryption.generateSecretKey(40);
 
     logger.info(`Provisioning MinIO bucket '${bucketName}' for service '${userService.name}'...`);
 
-    // Connect to MinIO via localhost and the mapped host port (for provisioning from host)
-    const provisioningEndpoint = `http://127.0.0.1:${hostPort}`;
-
-    // Import AWS S3 client
-    const { S3Client, CreateBucketCommand, PutBucketPolicyCommand } = await import('npm:@aws-sdk/client-s3@3');
-
-    // Create S3 client with admin credentials - connect via host port
-    const s3Client = new S3Client({
-      endpoint: provisioningEndpoint,
-      region: 'us-east-1',
-      credentials: {
-        accessKeyId: adminCreds.username,
-        secretAccessKey: adminCreds.password,
-      },
-      forcePathStyle: true,
-    });
+    // Use docker exec with mc (MinIO Client) inside the container
+    // First configure mc alias for local server
+    await this.execMc(platformService.containerId, [
+      'alias', 'set', 'local', 'http://localhost:9000',
+      adminCreds.username, adminCreds.password,
+    ]);
 
     // Create the bucket
-    try {
-      await s3Client.send(new CreateBucketCommand({
-        Bucket: bucketName,
-      }));
-      logger.info(`Created MinIO bucket '${bucketName}'`);
-    } catch (e: any) {
-      if (e.name !== 'BucketAlreadyOwnedByYou' && e.name !== 'BucketAlreadyExists') {
-        throw e;
-      }
-      logger.warn(`Bucket '${bucketName}' already exists`);
-    }
+    const mbResult = await this.execMc(platformService.containerId, [
+      'mb', '--ignore-existing', `local/${bucketName}`,
+    ]);
+    logger.info(`Created MinIO bucket '${bucketName}'`);
 
-    // Create service account/access key using MinIO Admin API
-    // MinIO Admin API requires mc client or direct API calls
-    // For simplicity, we'll use root credentials and bucket policy isolation
-    // In production, you'd use MinIO's Admin API to create service accounts
-
-    // Set bucket policy to allow access only with this bucket's credentials
-    const bucketPolicy = {
-      Version: '2012-10-17',
-      Statement: [
-        {
-          Effect: 'Allow',
-          Principal: { AWS: ['*'] },
-          Action: ['s3:GetObject', 's3:PutObject', 's3:DeleteObject', 's3:ListBucket'],
-          Resource: [
-            `arn:aws:s3:::${bucketName}`,
-            `arn:aws:s3:::${bucketName}/*`,
-          ],
-        },
-      ],
-    };
-
-    try {
-      await s3Client.send(new PutBucketPolicyCommand({
-        Bucket: bucketName,
-        Policy: JSON.stringify(bucketPolicy),
-      }));
-      logger.info(`Set bucket policy for '${bucketName}'`);
-    } catch (e) {
-      logger.warn(`Could not set bucket policy: ${getErrorMessage(e)}`);
-    }
-
-    // Note: For proper per-service credentials, MinIO Admin API should be used
-    // For now, we're providing the bucket with root access
-    // TODO: Implement MinIO service account creation
-    logger.warn('Using root credentials for MinIO access. Consider implementing service accounts for production.');
+    // Set bucket policy to allow public read/write (services on the same network use root creds)
+    await this.execMc(platformService.containerId, [
+      'anonymous', 'set', 'none', `local/${bucketName}`,
+    ]);
 
     // Use container name for the endpoint in credentials (user services run in same network)
     const serviceEndpoint = `http://${containerName}:9000`;
@@ -281,7 +225,7 @@ export class MinioProvider extends BasePlatformServiceProvider {
     const credentials: Record<string, string> = {
       endpoint: serviceEndpoint,
       bucket: bucketName,
-      accessKey: adminCreds.username, // Using root for now
+      accessKey: adminCreds.username,
       secretKey: adminCreds.password,
       region: 'us-east-1',
     };
@@ -312,57 +256,37 @@ export class MinioProvider extends BasePlatformServiceProvider {
 
     const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
 
-    // Get container host port for connection from host (overlay network IPs not accessible from host)
-    const hostPort = await this.oneboxRef.docker.getContainerHostPort(platformService.containerId, 9000);
-    if (!hostPort) {
-      throw new Error('Could not get MinIO container host port');
-    }
-
     logger.info(`Deprovisioning MinIO bucket '${resource.resourceName}'...`);
 
-    const { S3Client, DeleteBucketCommand, ListObjectsV2Command, DeleteObjectsCommand } = await import('npm:@aws-sdk/client-s3@3');
-
-    const s3Client = new S3Client({
-      endpoint: `http://127.0.0.1:${hostPort}`,
-      region: 'us-east-1',
-      credentials: {
-        accessKeyId: adminCreds.username,
-        secretAccessKey: adminCreds.password,
-      },
-      forcePathStyle: true,
-    });
+    // Configure mc alias
+    await this.execMc(platformService.containerId, [
+      'alias', 'set', 'local', 'http://localhost:9000',
+      adminCreds.username, adminCreds.password,
+    ]);
 
     try {
-      // First, delete all objects in the bucket
-      let continuationToken: string | undefined;
-      do {
-        const listResponse = await s3Client.send(new ListObjectsV2Command({
-          Bucket: resource.resourceName,
-          ContinuationToken: continuationToken,
-        }));
-
-        if (listResponse.Contents && listResponse.Contents.length > 0) {
-          await s3Client.send(new DeleteObjectsCommand({
-            Bucket: resource.resourceName,
-            Delete: {
-              Objects: listResponse.Contents.map(obj => ({ Key: obj.Key! })),
-            },
-          }));
-          logger.info(`Deleted ${listResponse.Contents.length} objects from bucket`);
-        }
-
-        continuationToken = listResponse.IsTruncated ? listResponse.NextContinuationToken : undefined;
-      } while (continuationToken);
-
-      // Now delete the bucket
-      await s3Client.send(new DeleteBucketCommand({
-        Bucket: resource.resourceName,
-      }));
-
+      // Remove all objects and the bucket
+      await this.execMc(platformService.containerId, [
+        'rb', '--force', `local/${resource.resourceName}`,
+      ]);
       logger.success(`MinIO bucket '${resource.resourceName}' deleted`);
     } catch (e) {
       logger.error(`Failed to delete MinIO bucket: ${getErrorMessage(e)}`);
       throw e;
     }
   }
+
+  /**
+   * Execute mc (MinIO Client) command inside the container
+   */
+  private async execMc(
+    containerId: string,
+    args: string[],
+  ): Promise<{ stdout: string; stderr: string }> {
+    const result = await this.oneboxRef.docker.execInContainer(containerId, ['mc', ...args]);
+    if (result.exitCode !== 0) {
+      throw new Error(`mc command failed (exit ${result.exitCode}): ${result.stderr.substring(0, 200)}`);
+    }
+    return result;
+  }
 }

ts/classes/platform-services/providers/mongodb.ts

@@ -28,7 +28,7 @@ export class MongoDBProvider extends BasePlatformServiceProvider {
 
   getDefaultConfig(): IPlatformServiceConfig {
     return {
-      image: 'mongo:7',
+      image: 'mongo:4.4',
       port: 27017,
       volumes: ['/var/lib/onebox/mongodb:/data/db'],
       environment: {
@@ -165,7 +165,7 @@ export class MongoDBProvider extends BasePlatformServiceProvider {
       // This avoids network issues with overlay networks
       const result = await this.oneboxRef.docker.execInContainer(
         platformService.containerId,
-        ['mongosh', '--eval', 'db.adminCommand("ping")', '--username', adminCreds.username, '--password', adminCreds.password, '--authenticationDatabase', 'admin', '--quiet']
+        ['mongo', '--eval', 'db.adminCommand("ping")', '--username', adminCreds.username, '--password', adminCreds.password, '--authenticationDatabase', 'admin', '--quiet']
       );
 
       if (result.exitCode === 0) {
@@ -190,12 +190,6 @@ export class MongoDBProvider extends BasePlatformServiceProvider {
     const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
     const containerName = this.getContainerName();
 
-    // Get container host port for connection from host (overlay network IPs not accessible from host)
-    const hostPort = await this.oneboxRef.docker.getContainerHostPort(platformService.containerId, 27017);
-    if (!hostPort) {
-      throw new Error('Could not get MongoDB container host port');
-    }
-
     // Generate resource names and credentials
     const dbName = this.generateResourceName(userService.name);
     const username = this.generateResourceName(userService.name);
@@ -203,32 +197,40 @@ export class MongoDBProvider extends BasePlatformServiceProvider {
 
     logger.info(`Provisioning MongoDB database '${dbName}' for service '${userService.name}'...`);
 
-    // Connect to MongoDB via localhost and the mapped host port
-    const { MongoClient } = await import('npm:mongodb@6');
-    const adminUri = `mongodb://${adminCreds.username}:${adminCreds.password}@127.0.0.1:${hostPort}/?authSource=admin`;
+    // Use docker exec to provision inside the container (avoids host port mapping issues)
+    const escapedPassword = password.replace(/'/g, "'\\''");
+    const escapedAdminPassword = adminCreds.password.replace(/'/g, "'\\''");
 
-    const client = new MongoClient(adminUri);
-    await client.connect();
-
-    try {
-      // Create the database by switching to it (MongoDB creates on first write)
-      const db = client.db(dbName);
-
-      // Create a collection to ensure the database exists
-      await db.createCollection('_onebox_init');
-
-      // Create user with readWrite access to this database
-      await db.command({
-        createUser: username,
-        pwd: password,
-        roles: [{ role: 'readWrite', db: dbName }],
+    // Create database and user via mongo inside the container
+    const mongoScript = `
+      db = db.getSiblingDB('${dbName}');
+      db.createCollection('_onebox_init');
+      db.createUser({
+        user: '${username}',
+        pwd: '${escapedPassword}',
+        roles: [{ role: 'readWrite', db: '${dbName}' }]
       });
+      print('PROVISION_SUCCESS');
+    `;
 
-      logger.success(`MongoDB database '${dbName}' provisioned with user '${username}'`);
-    } finally {
-      await client.close();
+    const result = await this.oneboxRef.docker.execInContainer(
+      platformService.containerId,
+      [
+        'mongo',
+        '--username', adminCreds.username,
+        '--password', escapedAdminPassword,
+        '--authenticationDatabase', 'admin',
+        '--quiet',
+        '--eval', mongoScript,
+      ]
+    );
+
+    if (result.exitCode !== 0 || !result.stdout.includes('PROVISION_SUCCESS')) {
+      throw new Error(`Failed to provision MongoDB database: exit code ${result.exitCode}, output: ${result.stdout.substring(0, 200)} ${result.stderr.substring(0, 200)}`);
     }
 
+    logger.success(`MongoDB database '${dbName}' provisioned with user '${username}'`);
+
     // Build the credentials and env vars
     const credentials: Record<string, string> = {
       host: containerName,
@@ -262,37 +264,33 @@ export class MongoDBProvider extends BasePlatformServiceProvider {
     }
 
     const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
-
-    // Get container host port for connection from host (overlay network IPs not accessible from host)
-    const hostPort = await this.oneboxRef.docker.getContainerHostPort(platformService.containerId, 27017);
-    if (!hostPort) {
-      throw new Error('Could not get MongoDB container host port');
-    }
+    const escapedAdminPassword = adminCreds.password.replace(/'/g, "'\\''");
 
     logger.info(`Deprovisioning MongoDB database '${resource.resourceName}'...`);
 
-    const { MongoClient } = await import('npm:mongodb@6');
-    const adminUri = `mongodb://${adminCreds.username}:${adminCreds.password}@127.0.0.1:${hostPort}/?authSource=admin`;
+    const mongoScript = `
+      db = db.getSiblingDB('${resource.resourceName}');
+      try { db.dropUser('${credentials.username}'); } catch(e) { print('User drop failed: ' + e); }
+      db.dropDatabase();
+      print('DEPROVISION_SUCCESS');
+    `;
 
-    const client = new MongoClient(adminUri);
-    await client.connect();
+    const result = await this.oneboxRef.docker.execInContainer(
+      platformService.containerId,
+      [
+        'mongo',
+        '--username', adminCreds.username,
+        '--password', escapedAdminPassword,
+        '--authenticationDatabase', 'admin',
+        '--quiet',
+        '--eval', mongoScript,
+      ]
+    );
 
-    try {
-      const db = client.db(resource.resourceName);
-
-      // Drop the user
-      try {
-        await db.command({ dropUser: credentials.username });
-        logger.info(`Dropped MongoDB user '${credentials.username}'`);
-      } catch (e) {
-        logger.warn(`Could not drop MongoDB user: ${getErrorMessage(e)}`);
-      }
-
-      // Drop the database
-      await db.dropDatabase();
-      logger.success(`MongoDB database '${resource.resourceName}' dropped`);
-    } finally {
-      await client.close();
+    if (result.exitCode !== 0) {
+      logger.warn(`MongoDB deprovision returned exit code ${result.exitCode}: ${result.stderr.substring(0, 200)}`);
     }
+
+    logger.success(`MongoDB database '${resource.resourceName}' dropped`);
   }
 }

ts/classes/services.ts

@@ -15,6 +15,7 @@ export class OneboxServicesManager {
   private oneboxRef: any; // Will be Onebox instance
   private database: OneboxDatabase;
   private docker: OneboxDockerManager;
+  private autoUpdateIntervalId: number | null = null;
 
   constructor(oneboxRef: any) {
     this.oneboxRef = oneboxRef;
@@ -681,7 +682,7 @@ export class OneboxServicesManager {
    */
   startAutoUpdateMonitoring(): void {
     // Check every 30 seconds
-    setInterval(async () => {
+    this.autoUpdateIntervalId = setInterval(async () => {
       try {
         await this.checkForRegistryUpdates();
       } catch (error) {
@@ -692,6 +693,17 @@ export class OneboxServicesManager {
     logger.info('Auto-update monitoring started (30s interval)');
   }
 
+  /**
+   * Stop auto-update monitoring
+   */
+  stopAutoUpdateMonitoring(): void {
+    if (this.autoUpdateIntervalId !== null) {
+      clearInterval(this.autoUpdateIntervalId);
+      this.autoUpdateIntervalId = null;
+      logger.debug('Auto-update monitoring stopped');
+    }
+  }
+
   /**
    * Check all services using onebox registry for updates
    */

ts/classes/systemd.ts

@@ -0,0 +1,243 @@
+/**
+ * Systemd Service Manager for Onebox
+ *
+ * Handles systemd unit file installation, enabling, starting, stopping,
+ * and status checking. Modeled on nupst's direct systemctl approach —
+ * no external library dependencies.
+ */
+
+import { logger } from '../logging.ts';
+import { getErrorMessage } from '../utils/error.ts';
+
+const SERVICE_NAME = 'onebox';
+const SERVICE_FILE_PATH = '/etc/systemd/system/onebox.service';
+
+const SERVICE_UNIT_TEMPLATE = `[Unit]
+Description=Onebox - Self-hosted container platform
+After=network-online.target docker.service
+Wants=network-online.target
+Requires=docker.service
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/onebox systemd start-daemon
+Restart=always
+RestartSec=10
+WorkingDirectory=/var/lib/onebox
+Environment=PATH=/usr/bin:/usr/local/bin
+Environment=HOME=/root
+Environment=DENO_DIR=/root/.cache/deno
+
+[Install]
+WantedBy=multi-user.target
+`;
+
+export class OneboxSystemd {
+  /**
+   * Install and enable the systemd service
+   */
+  async enable(): Promise<void> {
+    try {
+      // Ensure Docker is installed before writing unit file (it requires docker.service)
+      await this.ensureDocker();
+
+      // Write the unit file
+      logger.info('Writing systemd unit file...');
+      await Deno.writeTextFile(SERVICE_FILE_PATH, SERVICE_UNIT_TEMPLATE);
+      logger.info(`Unit file written to ${SERVICE_FILE_PATH}`);
+
+      // Reload systemd daemon
+      await this.runSystemctl(['daemon-reload']);
+
+      // Enable the service
+      const result = await this.runSystemctl(['enable', `${SERVICE_NAME}.service`]);
+      if (!result.success) {
+        throw new Error(`Failed to enable service: ${result.stderr}`);
+      }
+
+      logger.success('Onebox systemd service enabled');
+      logger.info('Start with: onebox systemd start');
+    } catch (error) {
+      logger.error(`Failed to enable service: ${getErrorMessage(error)}`);
+      throw error;
+    }
+  }
+
+  /**
+   * Stop, disable, and remove the systemd service
+   */
+  async disable(): Promise<void> {
+    try {
+      // Stop the service (ignore errors if not running)
+      await this.runSystemctl(['stop', `${SERVICE_NAME}.service`]);
+
+      // Disable the service
+      await this.runSystemctl(['disable', `${SERVICE_NAME}.service`]);
+
+      // Remove the unit file
+      try {
+        await Deno.remove(SERVICE_FILE_PATH);
+        logger.info(`Removed ${SERVICE_FILE_PATH}`);
+      } catch {
+        // File might not exist
+      }
+
+      // Reload systemd daemon
+      await this.runSystemctl(['daemon-reload']);
+
+      logger.success('Onebox systemd service disabled and removed');
+    } catch (error) {
+      logger.error(`Failed to disable service: ${getErrorMessage(error)}`);
+      throw error;
+    }
+  }
+
+  /**
+   * Start the service via systemctl
+   */
+  async start(): Promise<void> {
+    const result = await this.runSystemctl(['start', `${SERVICE_NAME}.service`]);
+    if (!result.success) {
+      logger.error(`Failed to start service: ${result.stderr}`);
+      throw new Error(`Failed to start onebox service`);
+    }
+    logger.success('Onebox service started');
+  }
+
+  /**
+   * Stop the service via systemctl
+   */
+  async stop(): Promise<void> {
+    const result = await this.runSystemctl(['stop', `${SERVICE_NAME}.service`]);
+    if (!result.success) {
+      logger.error(`Failed to stop service: ${result.stderr}`);
+      throw new Error(`Failed to stop onebox service`);
+    }
+    logger.success('Onebox service stopped');
+  }
+
+  /**
+   * Get and display service status
+   */
+  async getStatus(): Promise<string> {
+    const result = await this.runSystemctl(['status', `${SERVICE_NAME}.service`]);
+    const output = result.stdout;
+
+    let status: string;
+    if (output.includes('active (running)')) {
+      status = 'running';
+    } else if (output.includes('inactive') || output.includes('dead')) {
+      status = 'stopped';
+    } else if (output.includes('failed')) {
+      status = 'failed';
+    } else if (!result.success && result.stderr.includes('could not be found')) {
+      status = 'not-installed';
+    } else {
+      status = 'unknown';
+    }
+
+    // Print the raw systemctl output for full details
+    if (output.trim()) {
+      console.log(output);
+    }
+
+    return status;
+  }
+
+  /**
+   * Show service logs via journalctl
+   */
+  async showLogs(): Promise<void> {
+    const cmd = new Deno.Command('journalctl', {
+      args: ['-u', `${SERVICE_NAME}.service`, '-f'],
+      stdout: 'inherit',
+      stderr: 'inherit',
+    });
+    await cmd.output();
+  }
+
+  /**
+   * Check if the service unit file is installed
+   */
+  async isInstalled(): Promise<boolean> {
+    try {
+      await Deno.stat(SERVICE_FILE_PATH);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Ensure Docker is installed, installing it if necessary
+   */
+  private async ensureDocker(): Promise<void> {
+    try {
+      const cmd = new Deno.Command('docker', {
+        args: ['--version'],
+        stdout: 'piped',
+        stderr: 'piped',
+      });
+      const result = await cmd.output();
+      if (result.success) {
+        const version = new TextDecoder().decode(result.stdout).trim();
+        logger.info(`Docker found: ${version}`);
+        return;
+      }
+    } catch {
+      // docker command not found
+    }
+
+    logger.info('Docker not found. Installing Docker...');
+    const installCmd = new Deno.Command('bash', {
+      args: ['-c', 'curl -fsSL https://get.docker.com | sh'],
+      stdin: 'inherit',
+      stdout: 'inherit',
+      stderr: 'inherit',
+    });
+    const installResult = await installCmd.output();
+    if (!installResult.success) {
+      throw new Error('Failed to install Docker. Please install it manually: curl -fsSL https://get.docker.com | sh');
+    }
+    logger.success('Docker installed successfully');
+
+    // Initialize Docker Swarm
+    logger.info('Initializing Docker Swarm...');
+    const swarmCmd = new Deno.Command('docker', {
+      args: ['swarm', 'init'],
+      stdout: 'piped',
+      stderr: 'piped',
+    });
+    const swarmResult = await swarmCmd.output();
+    if (swarmResult.success) {
+      logger.success('Docker Swarm initialized');
+    } else {
+      const stderr = new TextDecoder().decode(swarmResult.stderr);
+      if (stderr.includes('already part of a swarm')) {
+        logger.info('Docker Swarm already initialized');
+      } else {
+        logger.warn(`Docker Swarm init warning: ${stderr.trim()}`);
+      }
+    }
+  }
+
+  /**
+   * Run a systemctl command and return results
+   */
+  private async runSystemctl(
+    args: string[]
+  ): Promise<{ success: boolean; stdout: string; stderr: string }> {
+    const cmd = new Deno.Command('systemctl', {
+      args,
+      stdout: 'piped',
+      stderr: 'piped',
+    });
+
+    const result = await cmd.output();
+    return {
+      success: result.success,
+      stdout: new TextDecoder().decode(result.stdout),
+      stderr: new TextDecoder().decode(result.stderr),
+    };
+  }
+}

ts/cli.ts

@@ -7,6 +7,7 @@ import { projectInfo } from './info.ts';
 import { getErrorMessage } from './utils/error.ts';
 import { Onebox } from './classes/onebox.ts';
 import { OneboxDaemon } from './classes/daemon.ts';
+import { OneboxSystemd } from './classes/systemd.ts';
 
 export async function runCli(): Promise<void> {
   const args = Deno.args;
@@ -25,6 +26,19 @@ export async function runCli(): Promise<void> {
   const subcommand = args[1];
 
   try {
+    // === LIGHTWEIGHT COMMANDS (no init()) ===
+    if (command === 'systemd') {
+      await handleSystemdCommand(subcommand, args.slice(2));
+      return;
+    }
+
+    if (command === 'upgrade') {
+      await handleUpgradeCommand();
+      return;
+    }
+
+    // === HEAVY COMMANDS (require full init()) ===
+
     // Server command has special handling (doesn't shut down)
     if (command === 'server') {
       const onebox = new Onebox();
@@ -60,10 +74,6 @@ export async function runCli(): Promise<void> {
         await handleNginxCommand(onebox, subcommand, args.slice(2));
         break;
 
-      case 'daemon':
-        await handleDaemonCommand(onebox, subcommand, args.slice(2));
-        break;
-
       case 'config':
         await handleConfigCommand(onebox, subcommand, args.slice(2));
         break;
@@ -278,7 +288,7 @@ async function handleServerCommand(onebox: Onebox, args: string[]) {
       await OneboxDaemon.ensureNoDaemon();
     } catch (error) {
       logger.error('Cannot start in ephemeral mode: Daemon is already running');
-      logger.info('Stop the daemon first: onebox daemon stop');
+      logger.info('Stop the daemon first: onebox systemd stop');
       logger.info('Or run without --ephemeral to use the existing daemon');
       Deno.exit(1);
     }
@@ -286,8 +296,8 @@ async function handleServerCommand(onebox: Onebox, args: string[]) {
 
   logger.info('Starting Onebox server...');
 
-  // Start HTTP server
-  await onebox.httpServer.start(port);
+  // Start OpsServer (serves new UI + TypedRequest API)
+  await onebox.opsServer.start(port);
 
   // Start monitoring if requested
   if (monitor) {
@@ -308,7 +318,7 @@ async function handleServerCommand(onebox: Onebox, args: string[]) {
     if (monitor) {
       onebox.daemon.stopMonitoring();
     }
-    await onebox.httpServer.stop();
+    await onebox.opsServer.stop();
     await onebox.shutdown();
     Deno.exit(0);
   };
@@ -322,39 +332,49 @@ async function handleServerCommand(onebox: Onebox, args: string[]) {
   }
 }
 
-// Daemon commands
-async function handleDaemonCommand(onebox: Onebox, subcommand: string, _args: string[]) {
+// Systemd service commands (lightweight — no Onebox init)
+async function handleSystemdCommand(subcommand: string, _args: string[]) {
+  const systemd = new OneboxSystemd();
+
   switch (subcommand) {
-    case 'install':
-      await onebox.daemon.installService();
+    case 'enable':
+      await systemd.enable();
+      break;
+
+    case 'disable':
+      await systemd.disable();
       break;
 
     case 'start':
-      await onebox.startDaemon();
+      await systemd.start();
       break;
 
     case 'stop':
-      await onebox.stopDaemon();
+      await systemd.stop();
       break;
 
-    case 'logs': {
-      const command = new Deno.Command('journalctl', {
-        args: ['-u', 'smartdaemon_onebox', '-f'],
-        stdout: 'inherit',
-        stderr: 'inherit',
-      });
-      await command.output();
+    case 'status': {
+      const status = await systemd.getStatus();
+      logger.info(`Service status: ${status}`);
       break;
     }
 
-    case 'status': {
-      const status = await onebox.daemon.getServiceStatus();
-      logger.info(`Daemon status: ${status}`);
+    case 'logs':
+      await systemd.showLogs();
+      break;
+
+    case 'start-daemon': {
+      // This is what systemd's ExecStart calls — full init + daemon loop
+      const onebox = new Onebox();
+      await onebox.init();
+      await onebox.daemon.start();
+      // start() blocks (keepAlive loop) until SIGTERM/SIGINT
       break;
     }
 
     default:
-      logger.error(`Unknown daemon subcommand: ${subcommand}`);
+      logger.error(`Unknown systemd subcommand: ${subcommand}`);
+      logger.info('Available: enable, disable, start, stop, status, logs');
   }
 }
 
@@ -386,6 +406,78 @@ async function handleStatusCommand(onebox: Onebox) {
   console.log(JSON.stringify(status, null, 2));
 }
 
+// Upgrade command - self-update onebox to latest version
+async function handleUpgradeCommand(): Promise<void> {
+  // Check if running as root
+  if (Deno.uid() !== 0) {
+    logger.error('This command must be run as root to upgrade Onebox.');
+    logger.info('Try: sudo onebox upgrade');
+    Deno.exit(1);
+  }
+
+  logger.info('Checking for updates...');
+
+  try {
+    // Get current version
+    const currentVersion = projectInfo.version;
+
+    // Fetch latest version from Gitea API
+    const apiUrl = 'https://code.foss.global/api/v1/repos/serve.zone/onebox/releases/latest';
+    const curlCmd = new Deno.Command('curl', {
+      args: ['-sSL', apiUrl],
+      stdout: 'piped',
+      stderr: 'piped',
+    });
+    const curlResult = await curlCmd.output();
+    const response = new TextDecoder().decode(curlResult.stdout);
+    const release = JSON.parse(response);
+    const latestVersion = release.tag_name as string; // e.g., "v1.11.0"
+
+    // Normalize versions for comparison (ensure both have "v" prefix)
+    const normalizedCurrent = currentVersion.startsWith('v')
+      ? currentVersion
+      : `v${currentVersion}`;
+    const normalizedLatest = latestVersion.startsWith('v')
+      ? latestVersion
+      : `v${latestVersion}`;
+
+    console.log(`  Current version: ${normalizedCurrent}`);
+    console.log(`  Latest version:  ${normalizedLatest}`);
+    console.log('');
+
+    // Compare normalized versions
+    if (normalizedCurrent === normalizedLatest) {
+      logger.success('Already up to date!');
+      return;
+    }
+
+    logger.info(`New version available: ${latestVersion}`);
+    logger.info('Downloading and installing...');
+    console.log('');
+
+    // Download and run the install script
+    const installUrl = 'https://code.foss.global/serve.zone/onebox/raw/branch/main/install.sh';
+    const installCmd = new Deno.Command('bash', {
+      args: ['-c', `curl -sSL ${installUrl} | bash`],
+      stdin: 'inherit',
+      stdout: 'inherit',
+      stderr: 'inherit',
+    });
+    const installResult = await installCmd.output();
+
+    if (!installResult.success) {
+      logger.error('Upgrade failed');
+      Deno.exit(1);
+    }
+
+    console.log('');
+    logger.success(`Upgraded to ${latestVersion}`);
+  } catch (error) {
+    logger.error(`Upgrade failed: ${getErrorMessage(error)}`);
+    Deno.exit(1);
+  }
+}
+
 // Helpers
 function getArg(args: string[], flag: string): string {
   const arg = args.find((a) => a.startsWith(`${flag}=`));
@@ -430,17 +522,21 @@ Commands:
   nginx test
   nginx status
 
-  daemon install
-  daemon start
-  daemon stop
-  daemon logs
-  daemon status
+  systemd enable             Install and enable systemd service
+  systemd disable            Stop, disable, and remove systemd service
+  systemd start              Start onebox via systemctl
+  systemd stop               Stop onebox via systemctl
+  systemd status             Show systemd service status
+  systemd logs               Follow service logs (journalctl)
 
   config show
   config set <key> <value>
 
   status
 
+  upgrade
+      Upgrade Onebox to the latest version (requires root)
+
 Options:
   --help, -h     Show this help message
   --version, -v  Show version
@@ -451,15 +547,15 @@ Development Workflow:
   onebox service add ...               # In another terminal
 
 Production Workflow:
-  onebox daemon install                # Install systemd service
-  onebox daemon start                  # Start daemon
-  onebox service add ...               # CLI uses daemon
+  onebox systemd enable                # Install and enable systemd service
+  onebox systemd start                 # Start via systemctl
+  onebox service add ...               # CLI manages services
 
 Examples:
   onebox server --ephemeral            # Start dev server
   onebox service add myapp --image nginx:latest --domain app.example.com --port 80
   onebox registry add --url registry.example.com --username user --password pass
-  onebox daemon install
-  onebox daemon start
+  onebox systemd enable
+  onebox systemd start
 `);
 }

ts/database/index.ts

@@ -25,6 +25,7 @@ import type {
 import type { TBindValue } from './types.ts';
 import { logger } from '../logging.ts';
 import { getErrorMessage } from '../utils/error.ts';
+import { MigrationRunner } from './migrations/index.ts';
 
 // Import repositories
 import {
@@ -71,7 +72,8 @@ export class OneboxDatabase {
       await this.createTables();
 
       // Run migrations if needed
-      await this.runMigrations();
+      const runner = new MigrationRunner(this.query.bind(this));
+      runner.run();
 
       // Initialize repositories with bound query function
       const queryFn = this.query.bind(this);
@@ -241,724 +243,6 @@ export class OneboxDatabase {
   /**
    * Run database migrations
    */
-  private async runMigrations(): Promise<void> {
-    if (!this.db) throw new Error('Database not initialized');
-
-    try {
-      const currentVersion = this.getMigrationVersion();
-      logger.info(`Current database migration version: ${currentVersion}`);
-
-      // Migration 1: Initial schema
-      if (currentVersion === 0) {
-        logger.info('Setting initial migration version to 1');
-        this.setMigrationVersion(1);
-      }
-
-      // Migration 2: Convert timestamp columns from INTEGER to REAL
-      const updatedVersion = this.getMigrationVersion();
-      if (updatedVersion < 2) {
-        logger.info('Running migration 2: Converting timestamps to REAL...');
-
-        // SSL certificates
-        this.query(`
-          CREATE TABLE ssl_certificates_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            domain TEXT NOT NULL UNIQUE,
-            cert_path TEXT NOT NULL,
-            key_path TEXT NOT NULL,
-            full_chain_path TEXT NOT NULL,
-            expiry_date REAL NOT NULL,
-            issuer TEXT NOT NULL,
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL
-          )
-        `);
-        this.query(`INSERT INTO ssl_certificates_new SELECT * FROM ssl_certificates`);
-        this.query(`DROP TABLE ssl_certificates`);
-        this.query(`ALTER TABLE ssl_certificates_new RENAME TO ssl_certificates`);
-
-        // Services
-        this.query(`
-          CREATE TABLE services_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            name TEXT NOT NULL UNIQUE,
-            image TEXT NOT NULL,
-            registry TEXT,
-            env_vars TEXT NOT NULL,
-            port INTEGER NOT NULL,
-            domain TEXT,
-            container_id TEXT,
-            status TEXT NOT NULL DEFAULT 'stopped',
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL
-          )
-        `);
-        this.query(`INSERT INTO services_new SELECT * FROM services`);
-        this.query(`DROP TABLE services`);
-        this.query(`ALTER TABLE services_new RENAME TO services`);
-
-        // Registries
-        this.query(`
-          CREATE TABLE registries_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            url TEXT NOT NULL UNIQUE,
-            username TEXT NOT NULL,
-            password_encrypted TEXT NOT NULL,
-            created_at REAL NOT NULL
-          )
-        `);
-        this.query(`INSERT INTO registries_new SELECT * FROM registries`);
-        this.query(`DROP TABLE registries`);
-        this.query(`ALTER TABLE registries_new RENAME TO registries`);
-
-        // Nginx configs
-        this.query(`
-          CREATE TABLE nginx_configs_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            service_id INTEGER NOT NULL,
-            domain TEXT NOT NULL,
-            port INTEGER NOT NULL,
-            ssl_enabled INTEGER NOT NULL DEFAULT 0,
-            config_template TEXT NOT NULL,
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL,
-            FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
-          )
-        `);
-        this.query(`INSERT INTO nginx_configs_new SELECT * FROM nginx_configs`);
-        this.query(`DROP TABLE nginx_configs`);
-        this.query(`ALTER TABLE nginx_configs_new RENAME TO nginx_configs`);
-
-        // DNS records
-        this.query(`
-          CREATE TABLE dns_records_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            domain TEXT NOT NULL UNIQUE,
-            type TEXT NOT NULL,
-            value TEXT NOT NULL,
-            cloudflare_id TEXT,
-            zone_id TEXT,
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL
-          )
-        `);
-        this.query(`INSERT INTO dns_records_new SELECT * FROM dns_records`);
-        this.query(`DROP TABLE dns_records`);
-        this.query(`ALTER TABLE dns_records_new RENAME TO dns_records`);
-
-        // Metrics
-        this.query(`
-          CREATE TABLE metrics_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            service_id INTEGER NOT NULL,
-            timestamp REAL NOT NULL,
-            cpu_percent REAL NOT NULL,
-            memory_used INTEGER NOT NULL,
-            memory_limit INTEGER NOT NULL,
-            network_rx_bytes INTEGER NOT NULL,
-            network_tx_bytes INTEGER NOT NULL,
-            FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
-          )
-        `);
-        this.query(`INSERT INTO metrics_new SELECT * FROM metrics`);
-        this.query(`DROP TABLE metrics`);
-        this.query(`ALTER TABLE metrics_new RENAME TO metrics`);
-        this.query(`CREATE INDEX IF NOT EXISTS idx_metrics_service_timestamp ON metrics(service_id, timestamp DESC)`);
-
-        // Logs
-        this.query(`
-          CREATE TABLE logs_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            service_id INTEGER NOT NULL,
-            timestamp REAL NOT NULL,
-            message TEXT NOT NULL,
-            level TEXT NOT NULL,
-            source TEXT NOT NULL,
-            FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
-          )
-        `);
-        this.query(`INSERT INTO logs_new SELECT * FROM logs`);
-        this.query(`DROP TABLE logs`);
-        this.query(`ALTER TABLE logs_new RENAME TO logs`);
-        this.query(`CREATE INDEX IF NOT EXISTS idx_logs_service_timestamp ON logs(service_id, timestamp DESC)`);
-
-        // Users
-        this.query(`
-          CREATE TABLE users_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            username TEXT NOT NULL UNIQUE,
-            password_hash TEXT NOT NULL,
-            role TEXT NOT NULL DEFAULT 'user',
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL
-          )
-        `);
-        this.query(`INSERT INTO users_new SELECT * FROM users`);
-        this.query(`DROP TABLE users`);
-        this.query(`ALTER TABLE users_new RENAME TO users`);
-
-        // Settings
-        this.query(`
-          CREATE TABLE settings_new (
-            key TEXT PRIMARY KEY,
-            value TEXT NOT NULL,
-            updated_at REAL NOT NULL
-          )
-        `);
-        this.query(`INSERT INTO settings_new SELECT * FROM settings`);
-        this.query(`DROP TABLE settings`);
-        this.query(`ALTER TABLE settings_new RENAME TO settings`);
-
-        // Migrations table itself
-        this.query(`
-          CREATE TABLE migrations_new (
-            version INTEGER PRIMARY KEY,
-            applied_at REAL NOT NULL
-          )
-        `);
-        this.query(`INSERT INTO migrations_new SELECT * FROM migrations`);
-        this.query(`DROP TABLE migrations`);
-        this.query(`ALTER TABLE migrations_new RENAME TO migrations`);
-
-        this.setMigrationVersion(2);
-        logger.success('Migration 2 completed: All timestamps converted to REAL');
-      }
-
-      // Migration 3: Domain management tables
-      const version3 = this.getMigrationVersion();
-      if (version3 < 3) {
-        logger.info('Running migration 3: Creating domain management tables...');
-
-        this.query(`
-          CREATE TABLE domains (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            domain TEXT NOT NULL UNIQUE,
-            dns_provider TEXT,
-            cloudflare_zone_id TEXT,
-            is_obsolete INTEGER NOT NULL DEFAULT 0,
-            default_wildcard INTEGER NOT NULL DEFAULT 1,
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL
-          )
-        `);
-
-        this.query(`
-          CREATE TABLE certificates (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            domain_id INTEGER NOT NULL,
-            cert_domain TEXT NOT NULL,
-            is_wildcard INTEGER NOT NULL DEFAULT 0,
-            cert_path TEXT NOT NULL,
-            key_path TEXT NOT NULL,
-            full_chain_path TEXT NOT NULL,
-            expiry_date REAL NOT NULL,
-            issuer TEXT NOT NULL,
-            is_valid INTEGER NOT NULL DEFAULT 1,
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL,
-            FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE
-          )
-        `);
-
-        this.query(`
-          CREATE TABLE cert_requirements (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            service_id INTEGER NOT NULL,
-            domain_id INTEGER NOT NULL,
-            subdomain TEXT NOT NULL,
-            certificate_id INTEGER,
-            status TEXT NOT NULL DEFAULT 'pending',
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL,
-            FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE,
-            FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE,
-            FOREIGN KEY (certificate_id) REFERENCES certificates(id) ON DELETE SET NULL
-          )
-        `);
-
-        interface OldSslCert {
-          id?: number;
-          domain?: string;
-          cert_path?: string;
-          key_path?: string;
-          full_chain_path?: string;
-          expiry_date?: number;
-          issuer?: string;
-          created_at?: number;
-          updated_at?: number;
-          [key: number]: unknown;
-        }
-        const existingCerts = this.query<OldSslCert>('SELECT * FROM ssl_certificates');
-
-        const now = Date.now();
-        const domainMap = new Map<string, number>();
-
-        for (const cert of existingCerts) {
-          const domain = String(cert.domain ?? (cert as Record<number, unknown>)[1]);
-          if (!domainMap.has(domain)) {
-            this.query(
-              'INSERT INTO domains (domain, dns_provider, is_obsolete, default_wildcard, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?)',
-              [domain, null, 0, 1, now, now]
-            );
-            const result = this.query<{ id?: number; [key: number]: unknown }>('SELECT last_insert_rowid() as id');
-            const domainId = result[0].id ?? (result[0] as Record<number, unknown>)[0];
-            domainMap.set(domain, Number(domainId));
-          }
-        }
-
-        for (const cert of existingCerts) {
-          const domain = String(cert.domain ?? (cert as Record<number, unknown>)[1]);
-          const domainId = domainMap.get(domain);
-
-          this.query(
-            `INSERT INTO certificates (
-              domain_id, cert_domain, is_wildcard, cert_path, key_path, full_chain_path,
-              expiry_date, issuer, is_valid, created_at, updated_at
-            ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
-            [
-              domainId,
-              domain,
-              0,
-              String(cert.cert_path ?? (cert as Record<number, unknown>)[2]),
-              String(cert.key_path ?? (cert as Record<number, unknown>)[3]),
-              String(cert.full_chain_path ?? (cert as Record<number, unknown>)[4]),
-              Number(cert.expiry_date ?? (cert as Record<number, unknown>)[5]),
-              String(cert.issuer ?? (cert as Record<number, unknown>)[6]),
-              1,
-              Number(cert.created_at ?? (cert as Record<number, unknown>)[7]),
-              Number(cert.updated_at ?? (cert as Record<number, unknown>)[8])
-            ]
-          );
-        }
-
-        this.query('DROP TABLE ssl_certificates');
-        this.query('CREATE INDEX IF NOT EXISTS idx_domains_cloudflare_zone ON domains(cloudflare_zone_id)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_certificates_domain ON certificates(domain_id)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_certificates_expiry ON certificates(expiry_date)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_cert_requirements_service ON cert_requirements(service_id)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_cert_requirements_domain ON cert_requirements(domain_id)');
-
-        this.setMigrationVersion(3);
-        logger.success('Migration 3 completed: Domain management tables created');
-      }
-
-      // Migration 4: Add Onebox Registry support columns
-      const version4 = this.getMigrationVersion();
-      if (version4 < 4) {
-        logger.info('Running migration 4: Adding Onebox Registry columns to services table...');
-
-        this.query(`ALTER TABLE services ADD COLUMN use_onebox_registry INTEGER DEFAULT 0`);
-        this.query(`ALTER TABLE services ADD COLUMN registry_repository TEXT`);
-        this.query(`ALTER TABLE services ADD COLUMN registry_token TEXT`);
-        this.query(`ALTER TABLE services ADD COLUMN registry_image_tag TEXT DEFAULT 'latest'`);
-        this.query(`ALTER TABLE services ADD COLUMN auto_update_on_push INTEGER DEFAULT 0`);
-        this.query(`ALTER TABLE services ADD COLUMN image_digest TEXT`);
-
-        this.setMigrationVersion(4);
-        logger.success('Migration 4 completed: Onebox Registry columns added to services table');
-      }
-
-      // Migration 5: Registry tokens table
-      const version5 = this.getMigrationVersion();
-      if (version5 < 5) {
-        logger.info('Running migration 5: Creating registry_tokens table...');
-
-        this.query(`
-          CREATE TABLE registry_tokens (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            name TEXT NOT NULL,
-            token_hash TEXT NOT NULL UNIQUE,
-            token_type TEXT NOT NULL,
-            scope TEXT NOT NULL,
-            expires_at REAL,
-            created_at REAL NOT NULL,
-            last_used_at REAL,
-            created_by TEXT NOT NULL
-          )
-        `);
-
-        this.query('CREATE INDEX IF NOT EXISTS idx_registry_tokens_type ON registry_tokens(token_type)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_registry_tokens_hash ON registry_tokens(token_hash)');
-
-        this.setMigrationVersion(5);
-        logger.success('Migration 5 completed: Registry tokens table created');
-      }
-
-      // Migration 6: Drop registry_token column from services table
-      const version6 = this.getMigrationVersion();
-      if (version6 < 6) {
-        logger.info('Running migration 6: Dropping registry_token column from services table...');
-
-        this.query(`
-          CREATE TABLE services_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            name TEXT NOT NULL UNIQUE,
-            image TEXT NOT NULL,
-            registry TEXT,
-            env_vars TEXT,
-            port INTEGER NOT NULL,
-            domain TEXT,
-            container_id TEXT,
-            status TEXT NOT NULL,
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL,
-            use_onebox_registry INTEGER DEFAULT 0,
-            registry_repository TEXT,
-            registry_image_tag TEXT DEFAULT 'latest',
-            auto_update_on_push INTEGER DEFAULT 0,
-            image_digest TEXT
-          )
-        `);
-
-        this.query(`
-          INSERT INTO services_new (
-            id, name, image, registry, env_vars, port, domain, container_id, status,
-            created_at, updated_at, use_onebox_registry, registry_repository,
-            registry_image_tag, auto_update_on_push, image_digest
-          )
-          SELECT
-            id, name, image, registry, env_vars, port, domain, container_id, status,
-            created_at, updated_at, use_onebox_registry, registry_repository,
-            registry_image_tag, auto_update_on_push, image_digest
-          FROM services
-        `);
-
-        this.query('DROP TABLE services');
-        this.query('ALTER TABLE services_new RENAME TO services');
-        this.query('CREATE INDEX IF NOT EXISTS idx_services_name ON services(name)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_services_status ON services(status)');
-
-        this.setMigrationVersion(6);
-        logger.success('Migration 6 completed: registry_token column dropped from services table');
-      }
-
-      // Migration 7: Platform services tables
-      const version7 = this.getMigrationVersion();
-      if (version7 < 7) {
-        logger.info('Running migration 7: Creating platform services tables...');
-
-        this.query(`
-          CREATE TABLE platform_services (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            name TEXT NOT NULL UNIQUE,
-            type TEXT NOT NULL,
-            status TEXT NOT NULL DEFAULT 'stopped',
-            container_id TEXT,
-            config TEXT NOT NULL DEFAULT '{}',
-            admin_credentials_encrypted TEXT,
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL
-          )
-        `);
-
-        this.query(`
-          CREATE TABLE platform_resources (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            platform_service_id INTEGER NOT NULL,
-            service_id INTEGER NOT NULL,
-            resource_type TEXT NOT NULL,
-            resource_name TEXT NOT NULL,
-            credentials_encrypted TEXT NOT NULL,
-            created_at REAL NOT NULL,
-            FOREIGN KEY (platform_service_id) REFERENCES platform_services(id) ON DELETE CASCADE,
-            FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
-          )
-        `);
-
-        this.query(`ALTER TABLE services ADD COLUMN platform_requirements TEXT DEFAULT '{}'`);
-
-        this.query('CREATE INDEX IF NOT EXISTS idx_platform_services_type ON platform_services(type)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_platform_resources_service ON platform_resources(service_id)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_platform_resources_platform ON platform_resources(platform_service_id)');
-
-        this.setMigrationVersion(7);
-        logger.success('Migration 7 completed: Platform services tables created');
-      }
-
-      // Migration 8: Convert certificates table to store PEM content
-      const version8 = this.getMigrationVersion();
-      if (version8 < 8) {
-        logger.info('Running migration 8: Converting certificates table to store PEM content...');
-
-        this.query(`
-          CREATE TABLE certificates_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            domain_id INTEGER NOT NULL,
-            cert_domain TEXT NOT NULL,
-            is_wildcard INTEGER NOT NULL DEFAULT 0,
-            cert_pem TEXT NOT NULL DEFAULT '',
-            key_pem TEXT NOT NULL DEFAULT '',
-            fullchain_pem TEXT NOT NULL DEFAULT '',
-            expiry_date REAL NOT NULL,
-            issuer TEXT NOT NULL,
-            is_valid INTEGER NOT NULL DEFAULT 1,
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL,
-            FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE
-          )
-        `);
-
-        this.query(`
-          INSERT INTO certificates_new (id, domain_id, cert_domain, is_wildcard, cert_pem, key_pem, fullchain_pem, expiry_date, issuer, is_valid, created_at, updated_at)
-          SELECT id, domain_id, cert_domain, is_wildcard, '', '', '', expiry_date, issuer, 0, created_at, updated_at FROM certificates
-        `);
-
-        this.query('DROP TABLE certificates');
-        this.query('ALTER TABLE certificates_new RENAME TO certificates');
-        this.query('CREATE INDEX IF NOT EXISTS idx_certificates_domain ON certificates(domain_id)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_certificates_expiry ON certificates(expiry_date)');
-
-        this.setMigrationVersion(8);
-        logger.success('Migration 8 completed: Certificates table now stores PEM content');
-      }
-
-      // Migration 9: Backup system tables
-      const version9 = this.getMigrationVersion();
-      if (version9 < 9) {
-        logger.info('Running migration 9: Creating backup system tables...');
-
-        // Add include_image_in_backup column to services table
-        this.query(`ALTER TABLE services ADD COLUMN include_image_in_backup INTEGER DEFAULT 1`);
-
-        // Create backups table
-        this.query(`
-          CREATE TABLE backups (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            service_id INTEGER NOT NULL,
-            service_name TEXT NOT NULL,
-            filename TEXT NOT NULL,
-            size_bytes INTEGER NOT NULL,
-            created_at REAL NOT NULL,
-            includes_image INTEGER NOT NULL,
-            platform_resources TEXT NOT NULL DEFAULT '[]',
-            checksum TEXT NOT NULL,
-            FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
-          )
-        `);
-
-        this.query('CREATE INDEX IF NOT EXISTS idx_backups_service ON backups(service_id)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_backups_created ON backups(created_at DESC)');
-
-        this.setMigrationVersion(9);
-        logger.success('Migration 9 completed: Backup system tables created');
-      }
-
-      // Migration 10: Backup schedules table and extend backups table
-      const version10 = this.getMigrationVersion();
-      if (version10 < 10) {
-        logger.info('Running migration 10: Creating backup schedules table...');
-
-        // Create backup_schedules table
-        this.query(`
-          CREATE TABLE backup_schedules (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            service_id INTEGER NOT NULL,
-            service_name TEXT NOT NULL,
-            cron_expression TEXT NOT NULL,
-            retention_tier TEXT NOT NULL,
-            enabled INTEGER NOT NULL DEFAULT 1,
-            last_run_at REAL,
-            next_run_at REAL,
-            last_status TEXT,
-            last_error TEXT,
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL,
-            FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
-          )
-        `);
-
-        this.query('CREATE INDEX IF NOT EXISTS idx_backup_schedules_service ON backup_schedules(service_id)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_backup_schedules_enabled ON backup_schedules(enabled)');
-
-        // Extend backups table with retention_tier and schedule_id columns
-        this.query('ALTER TABLE backups ADD COLUMN retention_tier TEXT');
-        this.query('ALTER TABLE backups ADD COLUMN schedule_id INTEGER REFERENCES backup_schedules(id) ON DELETE SET NULL');
-
-        this.setMigrationVersion(10);
-        logger.success('Migration 10 completed: Backup schedules table created');
-      }
-
-      // Migration 11: Add scope columns for global/pattern backup schedules
-      const version11 = this.getMigrationVersion();
-      if (version11 < 11) {
-        logger.info('Running migration 11: Adding scope columns to backup_schedules...');
-
-        // Recreate backup_schedules table with nullable service_id/service_name and new scope columns
-        this.query(`
-          CREATE TABLE backup_schedules_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            scope_type TEXT NOT NULL DEFAULT 'service',
-            scope_pattern TEXT,
-            service_id INTEGER,
-            service_name TEXT,
-            cron_expression TEXT NOT NULL,
-            retention_tier TEXT NOT NULL,
-            enabled INTEGER NOT NULL DEFAULT 1,
-            last_run_at REAL,
-            next_run_at REAL,
-            last_status TEXT,
-            last_error TEXT,
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL,
-            FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
-          )
-        `);
-
-        // Copy existing schedules (all are service-specific)
-        this.query(`
-          INSERT INTO backup_schedules_new (
-            id, scope_type, scope_pattern, service_id, service_name, cron_expression,
-            retention_tier, enabled, last_run_at, next_run_at, last_status, last_error,
-            created_at, updated_at
-          )
-          SELECT
-            id, 'service', NULL, service_id, service_name, cron_expression,
-            retention_tier, enabled, last_run_at, next_run_at, last_status, last_error,
-            created_at, updated_at
-          FROM backup_schedules
-        `);
-
-        this.query('DROP TABLE backup_schedules');
-        this.query('ALTER TABLE backup_schedules_new RENAME TO backup_schedules');
-        this.query('CREATE INDEX IF NOT EXISTS idx_backup_schedules_service ON backup_schedules(service_id)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_backup_schedules_enabled ON backup_schedules(enabled)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_backup_schedules_scope ON backup_schedules(scope_type)');
-
-        this.setMigrationVersion(11);
-        logger.success('Migration 11 completed: Scope columns added to backup_schedules');
-      }
-
-      // Migration 12: GFS retention policy - replace retention_tier with per-tier retention counts
-      const version12 = this.getMigrationVersion();
-      if (version12 < 12) {
-        logger.info('Running migration 12: Updating backup system for GFS retention policy...');
-
-        // Recreate backup_schedules table with new retention columns
-        this.query(`
-          CREATE TABLE backup_schedules_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            scope_type TEXT NOT NULL DEFAULT 'service',
-            scope_pattern TEXT,
-            service_id INTEGER,
-            service_name TEXT,
-            cron_expression TEXT NOT NULL,
-            retention_hourly INTEGER NOT NULL DEFAULT 0,
-            retention_daily INTEGER NOT NULL DEFAULT 7,
-            retention_weekly INTEGER NOT NULL DEFAULT 4,
-            retention_monthly INTEGER NOT NULL DEFAULT 12,
-            enabled INTEGER NOT NULL DEFAULT 1,
-            last_run_at REAL,
-            next_run_at REAL,
-            last_status TEXT,
-            last_error TEXT,
-            created_at REAL NOT NULL,
-            updated_at REAL NOT NULL,
-            FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
-          )
-        `);
-
-        // Migrate existing data - convert old retention_tier to new format
-        // daily -> D:7, weekly -> W:4, monthly -> M:12, yearly -> M:12 (yearly becomes long monthly retention)
-        this.query(`
-          INSERT INTO backup_schedules_new (
-            id, scope_type, scope_pattern, service_id, service_name, cron_expression,
-            retention_hourly, retention_daily, retention_weekly, retention_monthly,
-            enabled, last_run_at, next_run_at, last_status, last_error, created_at, updated_at
-          )
-          SELECT
-            id, scope_type, scope_pattern, service_id, service_name, cron_expression,
-            0, -- retention_hourly
-            CASE WHEN retention_tier = 'daily' THEN 7 ELSE 0 END,
-            CASE WHEN retention_tier IN ('daily', 'weekly') THEN 4 ELSE 0 END,
-            CASE WHEN retention_tier IN ('daily', 'weekly', 'monthly') THEN 12
-                 WHEN retention_tier = 'yearly' THEN 24 ELSE 12 END,
-            enabled, last_run_at, next_run_at, last_status, last_error, created_at, updated_at
-          FROM backup_schedules
-        `);
-
-        this.query('DROP TABLE backup_schedules');
-        this.query('ALTER TABLE backup_schedules_new RENAME TO backup_schedules');
-        this.query('CREATE INDEX IF NOT EXISTS idx_backup_schedules_service ON backup_schedules(service_id)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_backup_schedules_enabled ON backup_schedules(enabled)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_backup_schedules_scope ON backup_schedules(scope_type)');
-
-        // Recreate backups table without retention_tier column
-        this.query(`
-          CREATE TABLE backups_new (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            service_id INTEGER NOT NULL,
-            service_name TEXT NOT NULL,
-            filename TEXT NOT NULL,
-            size_bytes INTEGER NOT NULL,
-            created_at REAL NOT NULL,
-            includes_image INTEGER NOT NULL,
-            platform_resources TEXT NOT NULL DEFAULT '[]',
-            checksum TEXT NOT NULL,
-            schedule_id INTEGER REFERENCES backup_schedules(id) ON DELETE SET NULL,
-            FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
-          )
-        `);
-
-        this.query(`
-          INSERT INTO backups_new (
-            id, service_id, service_name, filename, size_bytes, created_at,
-            includes_image, platform_resources, checksum, schedule_id
-          )
-          SELECT
-            id, service_id, service_name, filename, size_bytes, created_at,
-            includes_image, platform_resources, checksum, schedule_id
-          FROM backups
-        `);
-
-        this.query('DROP TABLE backups');
-        this.query('ALTER TABLE backups_new RENAME TO backups');
-        this.query('CREATE INDEX IF NOT EXISTS idx_backups_service ON backups(service_id)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_backups_created ON backups(created_at DESC)');
-        this.query('CREATE INDEX IF NOT EXISTS idx_backups_schedule ON backups(schedule_id)');
-
-        this.setMigrationVersion(12);
-        logger.success('Migration 12 completed: GFS retention policy schema updated');
-      }
-    } catch (error) {
-      logger.error(`Migration failed: ${getErrorMessage(error)}`);
-      if (error instanceof Error && error.stack) {
-        logger.error(`Stack: ${error.stack}`);
-      }
-      throw error;
-    }
-  }
-
-  /**
-   * Get current migration version
-   */
-  private getMigrationVersion(): number {
-    if (!this.db) throw new Error('Database not initialized');
-
-    try {
-      const result = this.query<{ version?: number | null; [key: number]: unknown }>('SELECT MAX(version) as version FROM migrations');
-      if (result.length === 0) return 0;
-
-      const versionValue = result[0].version ?? (result[0] as Record<number, unknown>)[0];
-      return versionValue !== null && versionValue !== undefined ? Number(versionValue) : 0;
-    } catch (error) {
-      logger.warn(`Error getting migration version: ${getErrorMessage(error)}, defaulting to 0`);
-      return 0;
-    }
-  }
-
-  /**
-   * Set migration version
-   */
-  private setMigrationVersion(version: number): void {
-    if (!this.db) throw new Error('Database not initialized');
-
-    this.query('INSERT INTO migrations (version, applied_at) VALUES (?, ?)', [
-      version,
-      Date.now(),
-    ]);
-    logger.debug(`Migration version set to ${version}`);
-  }
-
   /**
    * Close database connection
    */

ts/database/migrations/base-migration.ts

@@ -0,0 +1,22 @@
+/**
+ * Abstract base class for database migrations.
+ * All migrations must extend this class and implement the abstract members.
+ */
+
+import type { TQueryFunction } from '../types.ts';
+
+export abstract class BaseMigration {
+  /** The migration version number (must be unique and sequential) */
+  abstract readonly version: number;
+
+  /** A short description of what this migration does */
+  abstract readonly description: string;
+
+  /** Execute the migration's SQL statements */
+  abstract up(query: TQueryFunction): void;
+
+  /** Returns a human-readable name for logging */
+  getName(): string {
+    return `Migration ${this.version}: ${this.description}`;
+  }
+}

ts/database/migrations/index.ts

@@ -0,0 +1,2 @@
+export { BaseMigration } from './base-migration.ts';
+export { MigrationRunner } from './migration-runner.ts';

ts/database/migrations/migration-001-initial.ts

@@ -0,0 +1,12 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration001Initial extends BaseMigration {
+  readonly version = 1;
+  readonly description = 'Initial schema';
+
+  up(_query: TQueryFunction): void {
+    // Initial schema is created by createTables() in the database class.
+    // This migration just marks the initial version.
+  }
+}

ts/database/migrations/migration-002-timestamps-to-real.ts

@@ -0,0 +1,170 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration002TimestampsToReal extends BaseMigration {
+  readonly version = 2;
+  readonly description = 'Convert timestamp columns from INTEGER to REAL';
+
+  up(query: TQueryFunction): void {
+    // SSL certificates
+    query(`
+      CREATE TABLE ssl_certificates_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        domain TEXT NOT NULL UNIQUE,
+        cert_path TEXT NOT NULL,
+        key_path TEXT NOT NULL,
+        full_chain_path TEXT NOT NULL,
+        expiry_date REAL NOT NULL,
+        issuer TEXT NOT NULL,
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL
+      )
+    `);
+    query(`INSERT INTO ssl_certificates_new SELECT * FROM ssl_certificates`);
+    query(`DROP TABLE ssl_certificates`);
+    query(`ALTER TABLE ssl_certificates_new RENAME TO ssl_certificates`);
+
+    // Services
+    query(`
+      CREATE TABLE services_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        name TEXT NOT NULL UNIQUE,
+        image TEXT NOT NULL,
+        registry TEXT,
+        env_vars TEXT NOT NULL,
+        port INTEGER NOT NULL,
+        domain TEXT,
+        container_id TEXT,
+        status TEXT NOT NULL DEFAULT 'stopped',
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL
+      )
+    `);
+    query(`INSERT INTO services_new SELECT * FROM services`);
+    query(`DROP TABLE services`);
+    query(`ALTER TABLE services_new RENAME TO services`);
+
+    // Registries
+    query(`
+      CREATE TABLE registries_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        url TEXT NOT NULL UNIQUE,
+        username TEXT NOT NULL,
+        password_encrypted TEXT NOT NULL,
+        created_at REAL NOT NULL
+      )
+    `);
+    query(`INSERT INTO registries_new SELECT * FROM registries`);
+    query(`DROP TABLE registries`);
+    query(`ALTER TABLE registries_new RENAME TO registries`);
+
+    // Nginx configs
+    query(`
+      CREATE TABLE nginx_configs_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        service_id INTEGER NOT NULL,
+        domain TEXT NOT NULL,
+        port INTEGER NOT NULL,
+        ssl_enabled INTEGER NOT NULL DEFAULT 0,
+        config_template TEXT NOT NULL,
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL,
+        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
+      )
+    `);
+    query(`INSERT INTO nginx_configs_new SELECT * FROM nginx_configs`);
+    query(`DROP TABLE nginx_configs`);
+    query(`ALTER TABLE nginx_configs_new RENAME TO nginx_configs`);
+
+    // DNS records
+    query(`
+      CREATE TABLE dns_records_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        domain TEXT NOT NULL UNIQUE,
+        type TEXT NOT NULL,
+        value TEXT NOT NULL,
+        cloudflare_id TEXT,
+        zone_id TEXT,
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL
+      )
+    `);
+    query(`INSERT INTO dns_records_new SELECT * FROM dns_records`);
+    query(`DROP TABLE dns_records`);
+    query(`ALTER TABLE dns_records_new RENAME TO dns_records`);
+
+    // Metrics
+    query(`
+      CREATE TABLE metrics_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        service_id INTEGER NOT NULL,
+        timestamp REAL NOT NULL,
+        cpu_percent REAL NOT NULL,
+        memory_used INTEGER NOT NULL,
+        memory_limit INTEGER NOT NULL,
+        network_rx_bytes INTEGER NOT NULL,
+        network_tx_bytes INTEGER NOT NULL,
+        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
+      )
+    `);
+    query(`INSERT INTO metrics_new SELECT * FROM metrics`);
+    query(`DROP TABLE metrics`);
+    query(`ALTER TABLE metrics_new RENAME TO metrics`);
+    query(`CREATE INDEX IF NOT EXISTS idx_metrics_service_timestamp ON metrics(service_id, timestamp DESC)`);
+
+    // Logs
+    query(`
+      CREATE TABLE logs_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        service_id INTEGER NOT NULL,
+        timestamp REAL NOT NULL,
+        message TEXT NOT NULL,
+        level TEXT NOT NULL,
+        source TEXT NOT NULL,
+        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
+      )
+    `);
+    query(`INSERT INTO logs_new SELECT * FROM logs`);
+    query(`DROP TABLE logs`);
+    query(`ALTER TABLE logs_new RENAME TO logs`);
+    query(`CREATE INDEX IF NOT EXISTS idx_logs_service_timestamp ON logs(service_id, timestamp DESC)`);
+
+    // Users
+    query(`
+      CREATE TABLE users_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        username TEXT NOT NULL UNIQUE,
+        password_hash TEXT NOT NULL,
+        role TEXT NOT NULL DEFAULT 'user',
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL
+      )
+    `);
+    query(`INSERT INTO users_new SELECT * FROM users`);
+    query(`DROP TABLE users`);
+    query(`ALTER TABLE users_new RENAME TO users`);
+
+    // Settings
+    query(`
+      CREATE TABLE settings_new (
+        key TEXT PRIMARY KEY,
+        value TEXT NOT NULL,
+        updated_at REAL NOT NULL
+      )
+    `);
+    query(`INSERT INTO settings_new SELECT * FROM settings`);
+    query(`DROP TABLE settings`);
+    query(`ALTER TABLE settings_new RENAME TO settings`);
+
+    // Migrations table itself
+    query(`
+      CREATE TABLE migrations_new (
+        version INTEGER PRIMARY KEY,
+        applied_at REAL NOT NULL
+      )
+    `);
+    query(`INSERT INTO migrations_new SELECT * FROM migrations`);
+    query(`DROP TABLE migrations`);
+    query(`ALTER TABLE migrations_new RENAME TO migrations`);
+  }
+}

ts/database/migrations/migration-003-domain-management.ts

@@ -0,0 +1,125 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration003DomainManagement extends BaseMigration {
+  readonly version = 3;
+  readonly description = 'Domain management tables';
+
+  up(query: TQueryFunction): void {
+    query(`
+      CREATE TABLE domains (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        domain TEXT NOT NULL UNIQUE,
+        dns_provider TEXT,
+        cloudflare_zone_id TEXT,
+        is_obsolete INTEGER NOT NULL DEFAULT 0,
+        default_wildcard INTEGER NOT NULL DEFAULT 1,
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL
+      )
+    `);
+
+    query(`
+      CREATE TABLE certificates (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        domain_id INTEGER NOT NULL,
+        cert_domain TEXT NOT NULL,
+        is_wildcard INTEGER NOT NULL DEFAULT 0,
+        cert_path TEXT NOT NULL,
+        key_path TEXT NOT NULL,
+        full_chain_path TEXT NOT NULL,
+        expiry_date REAL NOT NULL,
+        issuer TEXT NOT NULL,
+        is_valid INTEGER NOT NULL DEFAULT 1,
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL,
+        FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE
+      )
+    `);
+
+    query(`
+      CREATE TABLE cert_requirements (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        service_id INTEGER NOT NULL,
+        domain_id INTEGER NOT NULL,
+        subdomain TEXT NOT NULL,
+        certificate_id INTEGER,
+        status TEXT NOT NULL DEFAULT 'pending',
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL,
+        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE,
+        FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE,
+        FOREIGN KEY (certificate_id) REFERENCES certificates(id) ON DELETE SET NULL
+      )
+    `);
+
+    // Migrate data from old ssl_certificates table
+    interface OldSslCert {
+      id?: number;
+      domain?: string;
+      cert_path?: string;
+      key_path?: string;
+      full_chain_path?: string;
+      expiry_date?: number;
+      issuer?: string;
+      created_at?: number;
+      updated_at?: number;
+      [key: number]: unknown;
+    }
+    const existingCerts = query<OldSslCert>('SELECT * FROM ssl_certificates');
+
+    const now = Date.now();
+    const domainMap = new Map<string, number>();
+
+    for (const cert of existingCerts) {
+      const domain = String(cert.domain ?? (cert as Record<number, unknown>)[1]);
+      if (!domainMap.has(domain)) {
+        query(
+          'INSERT INTO domains (domain, dns_provider, is_obsolete, default_wildcard, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?)',
+          [domain, null, 0, 1, now, now],
+        );
+        const result = query<{ id?: number; [key: number]: unknown }>(
+          'SELECT last_insert_rowid() as id',
+        );
+        const domainId = result[0].id ?? (result[0] as Record<number, unknown>)[0];
+        domainMap.set(domain, Number(domainId));
+      }
+    }
+
+    for (const cert of existingCerts) {
+      const domain = String(cert.domain ?? (cert as Record<number, unknown>)[1]);
+      const domainId = domainMap.get(domain);
+
+      query(
+        `INSERT INTO certificates (
+          domain_id, cert_domain, is_wildcard, cert_path, key_path, full_chain_path,
+          expiry_date, issuer, is_valid, created_at, updated_at
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+        [
+          domainId,
+          domain,
+          0,
+          String(cert.cert_path ?? (cert as Record<number, unknown>)[2]),
+          String(cert.key_path ?? (cert as Record<number, unknown>)[3]),
+          String(cert.full_chain_path ?? (cert as Record<number, unknown>)[4]),
+          Number(cert.expiry_date ?? (cert as Record<number, unknown>)[5]),
+          String(cert.issuer ?? (cert as Record<number, unknown>)[6]),
+          1,
+          Number(cert.created_at ?? (cert as Record<number, unknown>)[7]),
+          Number(cert.updated_at ?? (cert as Record<number, unknown>)[8]),
+        ],
+      );
+    }
+
+    query('DROP TABLE ssl_certificates');
+    query('CREATE INDEX IF NOT EXISTS idx_domains_cloudflare_zone ON domains(cloudflare_zone_id)');
+    query('CREATE INDEX IF NOT EXISTS idx_certificates_domain ON certificates(domain_id)');
+    query('CREATE INDEX IF NOT EXISTS idx_certificates_expiry ON certificates(expiry_date)');
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_cert_requirements_service ON cert_requirements(service_id)',
+    );
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_cert_requirements_domain ON cert_requirements(domain_id)',
+    );
+  }
+}

ts/database/migrations/migration-004-registry-columns.ts

@@ -0,0 +1,16 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration004RegistryColumns extends BaseMigration {
+  readonly version = 4;
+  readonly description = 'Add Onebox Registry columns to services table';
+
+  up(query: TQueryFunction): void {
+    query(`ALTER TABLE services ADD COLUMN use_onebox_registry INTEGER DEFAULT 0`);
+    query(`ALTER TABLE services ADD COLUMN registry_repository TEXT`);
+    query(`ALTER TABLE services ADD COLUMN registry_token TEXT`);
+    query(`ALTER TABLE services ADD COLUMN registry_image_tag TEXT DEFAULT 'latest'`);
+    query(`ALTER TABLE services ADD COLUMN auto_update_on_push INTEGER DEFAULT 0`);
+    query(`ALTER TABLE services ADD COLUMN image_digest TEXT`);
+  }
+}

ts/database/migrations/migration-005-registry-tokens.ts

@@ -0,0 +1,30 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration005RegistryTokens extends BaseMigration {
+  readonly version = 5;
+  readonly description = 'Registry tokens table';
+
+  up(query: TQueryFunction): void {
+    query(`
+      CREATE TABLE registry_tokens (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        name TEXT NOT NULL,
+        token_hash TEXT NOT NULL UNIQUE,
+        token_type TEXT NOT NULL,
+        scope TEXT NOT NULL,
+        expires_at REAL,
+        created_at REAL NOT NULL,
+        last_used_at REAL,
+        created_by TEXT NOT NULL
+      )
+    `);
+
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_registry_tokens_type ON registry_tokens(token_type)',
+    );
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_registry_tokens_hash ON registry_tokens(token_hash)',
+    );
+  }
+}

ts/database/migrations/migration-006-drop-registry-token.ts

@@ -0,0 +1,48 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration006DropRegistryToken extends BaseMigration {
+  readonly version = 6;
+  readonly description = 'Drop registry_token column from services table';
+
+  up(query: TQueryFunction): void {
+    query(`
+      CREATE TABLE services_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        name TEXT NOT NULL UNIQUE,
+        image TEXT NOT NULL,
+        registry TEXT,
+        env_vars TEXT,
+        port INTEGER NOT NULL,
+        domain TEXT,
+        container_id TEXT,
+        status TEXT NOT NULL,
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL,
+        use_onebox_registry INTEGER DEFAULT 0,
+        registry_repository TEXT,
+        registry_image_tag TEXT DEFAULT 'latest',
+        auto_update_on_push INTEGER DEFAULT 0,
+        image_digest TEXT
+      )
+    `);
+
+    query(`
+      INSERT INTO services_new (
+        id, name, image, registry, env_vars, port, domain, container_id, status,
+        created_at, updated_at, use_onebox_registry, registry_repository,
+        registry_image_tag, auto_update_on_push, image_digest
+      )
+      SELECT
+        id, name, image, registry, env_vars, port, domain, container_id, status,
+        created_at, updated_at, use_onebox_registry, registry_repository,
+        registry_image_tag, auto_update_on_push, image_digest
+      FROM services
+    `);
+
+    query('DROP TABLE services');
+    query('ALTER TABLE services_new RENAME TO services');
+    query('CREATE INDEX IF NOT EXISTS idx_services_name ON services(name)');
+    query('CREATE INDEX IF NOT EXISTS idx_services_status ON services(status)');
+  }
+}

ts/database/migrations/migration-007-platform-services.ts

@@ -0,0 +1,49 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration007PlatformServices extends BaseMigration {
+  readonly version = 7;
+  readonly description = 'Platform services tables';
+
+  up(query: TQueryFunction): void {
+    query(`
+      CREATE TABLE platform_services (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        name TEXT NOT NULL UNIQUE,
+        type TEXT NOT NULL,
+        status TEXT NOT NULL DEFAULT 'stopped',
+        container_id TEXT,
+        config TEXT NOT NULL DEFAULT '{}',
+        admin_credentials_encrypted TEXT,
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL
+      )
+    `);
+
+    query(`
+      CREATE TABLE platform_resources (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        platform_service_id INTEGER NOT NULL,
+        service_id INTEGER NOT NULL,
+        resource_type TEXT NOT NULL,
+        resource_name TEXT NOT NULL,
+        credentials_encrypted TEXT NOT NULL,
+        created_at REAL NOT NULL,
+        FOREIGN KEY (platform_service_id) REFERENCES platform_services(id) ON DELETE CASCADE,
+        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
+      )
+    `);
+
+    query(`ALTER TABLE services ADD COLUMN platform_requirements TEXT DEFAULT '{}'`);
+
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_platform_services_type ON platform_services(type)',
+    );
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_platform_resources_service ON platform_resources(service_id)',
+    );
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_platform_resources_platform ON platform_resources(platform_service_id)',
+    );
+  }
+}

ts/database/migrations/migration-008-cert-pem-content.ts

@@ -0,0 +1,41 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration008CertPemContent extends BaseMigration {
+  readonly version = 8;
+  readonly description = 'Convert certificates table to store PEM content';
+
+  up(query: TQueryFunction): void {
+    query(`
+      CREATE TABLE certificates_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        domain_id INTEGER NOT NULL,
+        cert_domain TEXT NOT NULL,
+        is_wildcard INTEGER NOT NULL DEFAULT 0,
+        cert_pem TEXT NOT NULL DEFAULT '',
+        key_pem TEXT NOT NULL DEFAULT '',
+        fullchain_pem TEXT NOT NULL DEFAULT '',
+        expiry_date REAL NOT NULL,
+        issuer TEXT NOT NULL,
+        is_valid INTEGER NOT NULL DEFAULT 1,
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL,
+        FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE
+      )
+    `);
+
+    query(`
+      INSERT INTO certificates_new (id, domain_id, cert_domain, is_wildcard, cert_pem, key_pem, fullchain_pem, expiry_date, issuer, is_valid, created_at, updated_at)
+      SELECT id, domain_id, cert_domain, is_wildcard, '', '', '', expiry_date, issuer, 0, created_at, updated_at FROM certificates
+    `);
+
+    query('DROP TABLE certificates');
+    query('ALTER TABLE certificates_new RENAME TO certificates');
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_certificates_domain ON certificates(domain_id)',
+    );
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_certificates_expiry ON certificates(expiry_date)',
+    );
+  }
+}

ts/database/migrations/migration-009-backup-system.ts

@@ -0,0 +1,29 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration009BackupSystem extends BaseMigration {
+  readonly version = 9;
+  readonly description = 'Backup system tables';
+
+  up(query: TQueryFunction): void {
+    query(`ALTER TABLE services ADD COLUMN include_image_in_backup INTEGER DEFAULT 1`);
+
+    query(`
+      CREATE TABLE backups (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        service_id INTEGER NOT NULL,
+        service_name TEXT NOT NULL,
+        filename TEXT NOT NULL,
+        size_bytes INTEGER NOT NULL,
+        created_at REAL NOT NULL,
+        includes_image INTEGER NOT NULL,
+        platform_resources TEXT NOT NULL DEFAULT '[]',
+        checksum TEXT NOT NULL,
+        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
+      )
+    `);
+
+    query('CREATE INDEX IF NOT EXISTS idx_backups_service ON backups(service_id)');
+    query('CREATE INDEX IF NOT EXISTS idx_backups_created ON backups(created_at DESC)');
+  }
+}

ts/database/migrations/migration-010-backup-schedules.ts

@@ -0,0 +1,39 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration010BackupSchedules extends BaseMigration {
+  readonly version = 10;
+  readonly description = 'Backup schedules table';
+
+  up(query: TQueryFunction): void {
+    query(`
+      CREATE TABLE backup_schedules (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        service_id INTEGER NOT NULL,
+        service_name TEXT NOT NULL,
+        cron_expression TEXT NOT NULL,
+        retention_tier TEXT NOT NULL,
+        enabled INTEGER NOT NULL DEFAULT 1,
+        last_run_at REAL,
+        next_run_at REAL,
+        last_status TEXT,
+        last_error TEXT,
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL,
+        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
+      )
+    `);
+
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_backup_schedules_service ON backup_schedules(service_id)',
+    );
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_backup_schedules_enabled ON backup_schedules(enabled)',
+    );
+
+    query('ALTER TABLE backups ADD COLUMN retention_tier TEXT');
+    query(
+      'ALTER TABLE backups ADD COLUMN schedule_id INTEGER REFERENCES backup_schedules(id) ON DELETE SET NULL',
+    );
+  }
+}

ts/database/migrations/migration-011-scope-columns.ts

@@ -0,0 +1,54 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration011ScopeColumns extends BaseMigration {
+  readonly version = 11;
+  readonly description = 'Add scope columns to backup_schedules';
+
+  up(query: TQueryFunction): void {
+    query(`
+      CREATE TABLE backup_schedules_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        scope_type TEXT NOT NULL DEFAULT 'service',
+        scope_pattern TEXT,
+        service_id INTEGER,
+        service_name TEXT,
+        cron_expression TEXT NOT NULL,
+        retention_tier TEXT NOT NULL,
+        enabled INTEGER NOT NULL DEFAULT 1,
+        last_run_at REAL,
+        next_run_at REAL,
+        last_status TEXT,
+        last_error TEXT,
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL,
+        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
+      )
+    `);
+
+    query(`
+      INSERT INTO backup_schedules_new (
+        id, scope_type, scope_pattern, service_id, service_name, cron_expression,
+        retention_tier, enabled, last_run_at, next_run_at, last_status, last_error,
+        created_at, updated_at
+      )
+      SELECT
+        id, 'service', NULL, service_id, service_name, cron_expression,
+        retention_tier, enabled, last_run_at, next_run_at, last_status, last_error,
+        created_at, updated_at
+      FROM backup_schedules
+    `);
+
+    query('DROP TABLE backup_schedules');
+    query('ALTER TABLE backup_schedules_new RENAME TO backup_schedules');
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_backup_schedules_service ON backup_schedules(service_id)',
+    );
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_backup_schedules_enabled ON backup_schedules(enabled)',
+    );
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_backup_schedules_scope ON backup_schedules(scope_type)',
+    );
+  }
+}

ts/database/migrations/migration-012-gfs-retention.ts

@@ -0,0 +1,97 @@
+import { BaseMigration } from './base-migration.ts';
+import type { TQueryFunction } from '../types.ts';
+
+export class Migration012GfsRetention extends BaseMigration {
+  readonly version = 12;
+  readonly description = 'GFS retention policy schema';
+
+  up(query: TQueryFunction): void {
+    // Recreate backup_schedules with GFS retention columns
+    query(`
+      CREATE TABLE backup_schedules_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        scope_type TEXT NOT NULL DEFAULT 'service',
+        scope_pattern TEXT,
+        service_id INTEGER,
+        service_name TEXT,
+        cron_expression TEXT NOT NULL,
+        retention_hourly INTEGER NOT NULL DEFAULT 0,
+        retention_daily INTEGER NOT NULL DEFAULT 7,
+        retention_weekly INTEGER NOT NULL DEFAULT 4,
+        retention_monthly INTEGER NOT NULL DEFAULT 12,
+        enabled INTEGER NOT NULL DEFAULT 1,
+        last_run_at REAL,
+        next_run_at REAL,
+        last_status TEXT,
+        last_error TEXT,
+        created_at REAL NOT NULL,
+        updated_at REAL NOT NULL,
+        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
+      )
+    `);
+
+    // Migrate existing data - convert old retention_tier to new format
+    query(`
+      INSERT INTO backup_schedules_new (
+        id, scope_type, scope_pattern, service_id, service_name, cron_expression,
+        retention_hourly, retention_daily, retention_weekly, retention_monthly,
+        enabled, last_run_at, next_run_at, last_status, last_error, created_at, updated_at
+      )
+      SELECT
+        id, scope_type, scope_pattern, service_id, service_name, cron_expression,
+        0,
+        CASE WHEN retention_tier = 'daily' THEN 7 ELSE 0 END,
+        CASE WHEN retention_tier IN ('daily', 'weekly') THEN 4 ELSE 0 END,
+        CASE WHEN retention_tier IN ('daily', 'weekly', 'monthly') THEN 12
+             WHEN retention_tier = 'yearly' THEN 24 ELSE 12 END,
+        enabled, last_run_at, next_run_at, last_status, last_error, created_at, updated_at
+      FROM backup_schedules
+    `);
+
+    query('DROP TABLE backup_schedules');
+    query('ALTER TABLE backup_schedules_new RENAME TO backup_schedules');
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_backup_schedules_service ON backup_schedules(service_id)',
+    );
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_backup_schedules_enabled ON backup_schedules(enabled)',
+    );
+    query(
+      'CREATE INDEX IF NOT EXISTS idx_backup_schedules_scope ON backup_schedules(scope_type)',
+    );
+
+    // Recreate backups table without retention_tier column
+    query(`
+      CREATE TABLE backups_new (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        service_id INTEGER NOT NULL,
+        service_name TEXT NOT NULL,
+        filename TEXT NOT NULL,
+        size_bytes INTEGER NOT NULL,
+        created_at REAL NOT NULL,
+        includes_image INTEGER NOT NULL,
+        platform_resources TEXT NOT NULL DEFAULT '[]',
+        checksum TEXT NOT NULL,
+        schedule_id INTEGER REFERENCES backup_schedules(id) ON DELETE SET NULL,
+        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
+      )
+    `);
+
+    query(`
+      INSERT INTO backups_new (
+        id, service_id, service_name, filename, size_bytes, created_at,
+        includes_image, platform_resources, checksum, schedule_id
+      )
+      SELECT
+        id, service_id, service_name, filename, size_bytes, created_at,
+        includes_image, platform_resources, checksum, schedule_id
+      FROM backups
+    `);
+
+    query('DROP TABLE backups');
+    query('ALTER TABLE backups_new RENAME TO backups');
+    query('CREATE INDEX IF NOT EXISTS idx_backups_service ON backups(service_id)');
+    query('CREATE INDEX IF NOT EXISTS idx_backups_created ON backups(created_at DESC)');
+    query('CREATE INDEX IF NOT EXISTS idx_backups_schedule ON backups(schedule_id)');
+  }
+}

ts/database/migrations/migration-runner.ts

@@ -0,0 +1,100 @@
+/**
+ * Migration runner - discovers, orders, and executes database migrations.
+ * Mirrors the pattern from @serve.zone/nupst.
+ */
+
+import type { TQueryFunction } from '../types.ts';
+import { logger } from '../../logging.ts';
+import { getErrorMessage } from '../../utils/error.ts';
+
+import { Migration001Initial } from './migration-001-initial.ts';
+import { Migration002TimestampsToReal } from './migration-002-timestamps-to-real.ts';
+import { Migration003DomainManagement } from './migration-003-domain-management.ts';
+import { Migration004RegistryColumns } from './migration-004-registry-columns.ts';
+import { Migration005RegistryTokens } from './migration-005-registry-tokens.ts';
+import { Migration006DropRegistryToken } from './migration-006-drop-registry-token.ts';
+import { Migration007PlatformServices } from './migration-007-platform-services.ts';
+import { Migration008CertPemContent } from './migration-008-cert-pem-content.ts';
+import { Migration009BackupSystem } from './migration-009-backup-system.ts';
+import { Migration010BackupSchedules } from './migration-010-backup-schedules.ts';
+import { Migration011ScopeColumns } from './migration-011-scope-columns.ts';
+import { Migration012GfsRetention } from './migration-012-gfs-retention.ts';
+import type { BaseMigration } from './base-migration.ts';
+
+export class MigrationRunner {
+  private query: TQueryFunction;
+  private migrations: BaseMigration[];
+
+  constructor(query: TQueryFunction) {
+    this.query = query;
+
+    // Register all migrations in order
+    this.migrations = [
+      new Migration001Initial(),
+      new Migration002TimestampsToReal(),
+      new Migration003DomainManagement(),
+      new Migration004RegistryColumns(),
+      new Migration005RegistryTokens(),
+      new Migration006DropRegistryToken(),
+      new Migration007PlatformServices(),
+      new Migration008CertPemContent(),
+      new Migration009BackupSystem(),
+      new Migration010BackupSchedules(),
+      new Migration011ScopeColumns(),
+      new Migration012GfsRetention(),
+    ].sort((a, b) => a.version - b.version);
+  }
+
+  /** Run all pending migrations */
+  run(): void {
+    try {
+      const currentVersion = this.getMigrationVersion();
+      logger.info(`Current database migration version: ${currentVersion}`);
+
+      let applied = 0;
+      for (const migration of this.migrations) {
+        if (migration.version <= currentVersion) continue;
+
+        logger.info(`Running ${migration.getName()}...`);
+        migration.up(this.query);
+        this.setMigrationVersion(migration.version);
+        logger.success(`${migration.getName()} completed`);
+        applied++;
+      }
+
+      if (applied > 0) {
+        logger.success(`Applied ${applied} migration(s)`);
+      }
+    } catch (error) {
+      logger.error(`Migration failed: ${getErrorMessage(error)}`);
+      if (error instanceof Error && error.stack) {
+        logger.error(`Stack: ${error.stack}`);
+      }
+      throw error;
+    }
+  }
+
+  /** Get current migration version from the migrations table */
+  private getMigrationVersion(): number {
+    try {
+      const result = this.query<{ version?: number | null; [key: number]: unknown }>(
+        'SELECT MAX(version) as version FROM migrations',
+      );
+      if (result.length === 0) return 0;
+
+      const versionValue = result[0].version ?? (result[0] as Record<number, unknown>)[0];
+      return versionValue !== null && versionValue !== undefined ? Number(versionValue) : 0;
+    } catch {
+      // Table might not exist yet on fresh databases
+      return 0;
+    }
+  }
+
+  /** Record a migration version as applied */
+  private setMigrationVersion(version: number): void {
+    this.query('INSERT INTO migrations (version, applied_at) VALUES (?, ?)', [
+      version,
+      Date.now(),
+    ]);
+  }
+}

ts/index.ts

@@ -12,6 +12,7 @@ export { OneboxReverseProxy } from './classes/reverseproxy.ts';
 export { OneboxDnsManager } from './classes/dns.ts';
 export { OneboxSslManager } from './classes/ssl.ts';
 export { OneboxDaemon } from './classes/daemon.ts';
+export { OneboxSystemd } from './classes/systemd.ts';
 export { OneboxHttpServer } from './classes/httpserver.ts';
 export { OneboxApiClient } from './classes/apiclient.ts';
 

ts/opsserver/classes.opsserver.ts

@@ -0,0 +1,76 @@
+import * as plugins from '../plugins.ts';
+import { logger } from '../logging.ts';
+import type { Onebox } from '../classes/onebox.ts';
+import * as handlers from './handlers/index.ts';
+import { files as bundledFiles } from '../../ts_bundled/bundle.ts';
+
+export class OpsServer {
+  public oneboxRef: Onebox;
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+  public server!: plugins.typedserver.utilityservers.UtilityWebsiteServer;
+
+  // Handler instances
+  public adminHandler!: handlers.AdminHandler;
+  public statusHandler!: handlers.StatusHandler;
+  public servicesHandler!: handlers.ServicesHandler;
+  public platformHandler!: handlers.PlatformHandler;
+  public sslHandler!: handlers.SslHandler;
+  public domainsHandler!: handlers.DomainsHandler;
+  public dnsHandler!: handlers.DnsHandler;
+  public registryHandler!: handlers.RegistryHandler;
+  public networkHandler!: handlers.NetworkHandler;
+  public backupsHandler!: handlers.BackupsHandler;
+  public schedulesHandler!: handlers.SchedulesHandler;
+  public settingsHandler!: handlers.SettingsHandler;
+  public logsHandler!: handlers.LogsHandler;
+
+  constructor(oneboxRef: Onebox) {
+    this.oneboxRef = oneboxRef;
+  }
+
+  public async start(port = 3000) {
+    this.server = new plugins.typedserver.utilityservers.UtilityWebsiteServer({
+      domain: 'localhost',
+      feedMetadata: undefined,
+      bundledContent: bundledFiles,
+    });
+
+    // Chain typedrouters: server -> opsServer -> individual handlers
+    this.server.typedrouter.addTypedRouter(this.typedrouter);
+
+    // Set up all handlers
+    await this.setupHandlers();
+
+    await this.server.start(port);
+    logger.success(`OpsServer started on http://localhost:${port}`);
+  }
+
+  private async setupHandlers(): Promise<void> {
+    // AdminHandler requires async initialization for JWT key generation
+    this.adminHandler = new handlers.AdminHandler(this);
+    await this.adminHandler.initialize();
+
+    // All other handlers self-register in their constructors
+    this.statusHandler = new handlers.StatusHandler(this);
+    this.servicesHandler = new handlers.ServicesHandler(this);
+    this.platformHandler = new handlers.PlatformHandler(this);
+    this.sslHandler = new handlers.SslHandler(this);
+    this.domainsHandler = new handlers.DomainsHandler(this);
+    this.dnsHandler = new handlers.DnsHandler(this);
+    this.registryHandler = new handlers.RegistryHandler(this);
+    this.networkHandler = new handlers.NetworkHandler(this);
+    this.backupsHandler = new handlers.BackupsHandler(this);
+    this.schedulesHandler = new handlers.SchedulesHandler(this);
+    this.settingsHandler = new handlers.SettingsHandler(this);
+    this.logsHandler = new handlers.LogsHandler(this);
+
+    logger.success('OpsServer TypedRequest handlers initialized');
+  }
+
+  public async stop() {
+    if (this.server) {
+      await this.server.stop();
+      logger.success('OpsServer stopped');
+    }
+  }
+}

ts/opsserver/handlers/admin.handler.ts

@@ -0,0 +1,175 @@
+import * as plugins from '../../plugins.ts';
+import { logger } from '../../logging.ts';
+import type { OpsServer } from '../classes.opsserver.ts';
+import * as interfaces from '../../../ts_interfaces/index.ts';
+
+export interface IJwtData {
+  userId: string;
+  status: 'loggedIn' | 'loggedOut';
+  expiresAt: number;
+}
+
+export class AdminHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+  public smartjwtInstance!: plugins.smartjwt.SmartJwt<IJwtData>;
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+  }
+
+  public async initialize(): Promise<void> {
+    this.smartjwtInstance = new plugins.smartjwt.SmartJwt();
+    await this.smartjwtInstance.init();
+    await this.smartjwtInstance.createNewKeyPair();
+    this.registerHandlers();
+  }
+
+  private registerHandlers(): void {
+    // Login
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
+        'adminLoginWithUsernameAndPassword',
+        async (dataArg) => {
+          try {
+            const user = this.opsServerRef.oneboxRef.database.getUserByUsername(dataArg.username);
+            if (!user) {
+              throw new plugins.typedrequest.TypedResponseError('Invalid credentials');
+            }
+
+            // Verify password (base64 comparison to match existing DB scheme)
+            const passwordHash = btoa(dataArg.password);
+            if (passwordHash !== user.passwordHash) {
+              throw new plugins.typedrequest.TypedResponseError('Invalid credentials');
+            }
+
+            const expiresAt = Date.now() + 24 * 3600 * 1000;
+            const userId = String(user.id || user.username);
+            const jwt = await this.smartjwtInstance.createJWT({
+              userId,
+              status: 'loggedIn',
+              expiresAt,
+            });
+
+            logger.info(`User logged in: ${user.username}`);
+
+            return {
+              identity: {
+                jwt,
+                userId,
+                username: user.username,
+                expiresAt,
+                role: user.role,
+              },
+            };
+          } catch (error) {
+            if (error instanceof plugins.typedrequest.TypedResponseError) throw error;
+            throw new plugins.typedrequest.TypedResponseError('Login failed');
+          }
+        },
+      ),
+    );
+
+    // Logout
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_AdminLogout>(
+        'adminLogout',
+        async (_dataArg) => {
+          return { ok: true };
+        },
+      ),
+    );
+
+    // Verify Identity
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_VerifyIdentity>(
+        'verifyIdentity',
+        async (dataArg) => {
+          if (!dataArg.identity?.jwt) {
+            return { valid: false };
+          }
+          try {
+            const jwtData = await this.smartjwtInstance.verifyJWTAndGetData(dataArg.identity.jwt);
+            if (jwtData.expiresAt < Date.now()) return { valid: false };
+            if (jwtData.status !== 'loggedIn') return { valid: false };
+            return {
+              valid: true,
+              identity: {
+                jwt: dataArg.identity.jwt,
+                userId: jwtData.userId,
+                username: dataArg.identity.username,
+                expiresAt: jwtData.expiresAt,
+                role: dataArg.identity.role,
+              },
+            };
+          } catch {
+            return { valid: false };
+          }
+        },
+      ),
+    );
+
+    // Change Password
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ChangePassword>(
+        'changePassword',
+        async (dataArg) => {
+          await this.requireValidIdentity(dataArg);
+          const user = this.opsServerRef.oneboxRef.database.getUserByUsername(dataArg.identity.username);
+          if (!user) {
+            throw new plugins.typedrequest.TypedResponseError('User not found');
+          }
+
+          const currentHash = btoa(dataArg.currentPassword);
+          if (currentHash !== user.passwordHash) {
+            throw new plugins.typedrequest.TypedResponseError('Current password is incorrect');
+          }
+
+          const newHash = btoa(dataArg.newPassword);
+          this.opsServerRef.oneboxRef.database.updateUserPassword(user.username, newHash);
+          logger.info(`Password changed for user: ${user.username}`);
+
+          return { ok: true };
+        },
+      ),
+    );
+  }
+
+  private async requireValidIdentity(dataArg: { identity: interfaces.data.IIdentity }): Promise<void> {
+    const passed = await this.validIdentityGuard.exec({ identity: dataArg.identity });
+    if (!passed) {
+      throw new plugins.typedrequest.TypedResponseError('Valid identity required');
+    }
+  }
+
+  // Guard for valid identity
+  public validIdentityGuard = new plugins.smartguard.Guard<{
+    identity: interfaces.data.IIdentity;
+  }>(
+    async (dataArg) => {
+      if (!dataArg.identity?.jwt) return false;
+      try {
+        const jwtData = await this.smartjwtInstance.verifyJWTAndGetData(dataArg.identity.jwt);
+        if (jwtData.expiresAt < Date.now()) return false;
+        if (jwtData.status !== 'loggedIn') return false;
+        if (dataArg.identity.expiresAt !== jwtData.expiresAt) return false;
+        if (dataArg.identity.userId !== jwtData.userId) return false;
+        return true;
+      } catch {
+        return false;
+      }
+    },
+    { failedHint: 'identity is not valid', name: 'validIdentityGuard' },
+  );
+
+  // Guard for admin identity
+  public adminIdentityGuard = new plugins.smartguard.Guard<{
+    identity: interfaces.data.IIdentity;
+  }>(
+    async (dataArg) => {
+      const isValid = await this.validIdentityGuard.exec(dataArg);
+      if (!isValid) return false;
+      return dataArg.identity.role === 'admin';
+    },
+    { failedHint: 'user is not admin', name: 'adminIdentityGuard' },
+  );
+}

ts/opsserver/handlers/backups.handler.ts

@@ -0,0 +1,100 @@
+import * as plugins from '../../plugins.ts';
+import type { OpsServer } from '../classes.opsserver.ts';
+import * as interfaces from '../../../ts_interfaces/index.ts';
+import { requireValidIdentity } from '../helpers/guards.ts';
+
+export class BackupsHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private registerHandlers(): void {
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetBackups>(
+        'getBackups',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const backups = this.opsServerRef.oneboxRef.backupManager.listBackups();
+          return { backups };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetBackup>(
+        'getBackup',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const backup = this.opsServerRef.oneboxRef.database.getBackupById(dataArg.backupId);
+          if (!backup) {
+            throw new plugins.typedrequest.TypedResponseError('Backup not found');
+          }
+          return { backup };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteBackup>(
+        'deleteBackup',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await this.opsServerRef.oneboxRef.backupManager.deleteBackup(dataArg.backupId);
+          return { ok: true };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RestoreBackup>(
+        'restoreBackup',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const backupPath = this.opsServerRef.oneboxRef.backupManager.getBackupFilePath(dataArg.backupId);
+          if (!backupPath) {
+            throw new plugins.typedrequest.TypedResponseError('Backup file not found');
+          }
+          const rawResult = await this.opsServerRef.oneboxRef.backupManager.restoreBackup(
+            backupPath,
+            dataArg.options,
+          );
+          return {
+            result: {
+              service: {
+                name: rawResult.service.name,
+                status: rawResult.service.status,
+              },
+              platformResourcesRestored: rawResult.platformResourcesRestored,
+              warnings: rawResult.warnings,
+            },
+          };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DownloadBackup>(
+        'downloadBackup',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const backup = this.opsServerRef.oneboxRef.database.getBackupById(dataArg.backupId);
+          if (!backup) {
+            throw new plugins.typedrequest.TypedResponseError('Backup not found');
+          }
+          const filePath = this.opsServerRef.oneboxRef.backupManager.getBackupFilePath(dataArg.backupId);
+          if (!filePath) {
+            throw new plugins.typedrequest.TypedResponseError('Backup file not found');
+          }
+          // Return a download URL that the client can fetch directly
+          return {
+            downloadUrl: `/api/backups/${dataArg.backupId}/download`,
+            filename: backup.filename,
+          };
+        },
+      ),
+    );
+  }
+}

ts/opsserver/handlers/dns.handler.ts

@@ -0,0 +1,65 @@
+import * as plugins from '../../plugins.ts';
+import type { OpsServer } from '../classes.opsserver.ts';
+import * as interfaces from '../../../ts_interfaces/index.ts';
+import { requireValidIdentity } from '../helpers/guards.ts';
+
+export class DnsHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private registerHandlers(): void {
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetDnsRecords>(
+        'getDnsRecords',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const records = this.opsServerRef.oneboxRef.dns.listDNSRecords();
+          return { records };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateDnsRecord>(
+        'createDnsRecord',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await this.opsServerRef.oneboxRef.dns.addDNSRecord(dataArg.domain, dataArg.value);
+          const records = this.opsServerRef.oneboxRef.dns.listDNSRecords();
+          const record = records.find((r: any) => r.domain === dataArg.domain);
+          return { record: record! };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteDnsRecord>(
+        'deleteDnsRecord',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await this.opsServerRef.oneboxRef.dns.removeDNSRecord(dataArg.domain);
+          return { ok: true };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SyncDns>(
+        'syncDns',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          if (!this.opsServerRef.oneboxRef.dns.isConfigured()) {
+            throw new plugins.typedrequest.TypedResponseError('DNS manager not configured');
+          }
+          await this.opsServerRef.oneboxRef.dns.syncFromCloudflare();
+          const records = this.opsServerRef.oneboxRef.dns.listDNSRecords();
+          return { records };
+        },
+      ),
+    );
+  }
+}

ts/opsserver/handlers/domains.handler.ts

@@ -0,0 +1,101 @@
+import * as plugins from '../../plugins.ts';
+import type { OpsServer } from '../classes.opsserver.ts';
+import * as interfaces from '../../../ts_interfaces/index.ts';
+import { requireValidIdentity } from '../helpers/guards.ts';
+
+export class DomainsHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private buildDomainViews(): interfaces.data.IDomainDetail[] {
+    const domains = this.opsServerRef.oneboxRef.database.getAllDomains();
+    const allServices = this.opsServerRef.oneboxRef.database.getAllServices();
+
+    return domains.map((domain: any) => {
+      const certificates = this.opsServerRef.oneboxRef.database.getCertificatesByDomain(domain.id!);
+      const requirements = this.opsServerRef.oneboxRef.database.getCertRequirementsByDomain(domain.id!);
+
+      const serviceCount = allServices.filter((service: any) => {
+        if (!service.domain) return false;
+        const baseDomain = service.domain.split('.').slice(-2).join('.');
+        return baseDomain === domain.domain;
+      }).length;
+
+      let certificateStatus: 'valid' | 'expiring-soon' | 'expired' | 'pending' | 'none' = 'none';
+      let daysRemaining: number | null = null;
+
+      const validCerts = certificates.filter((cert: any) => cert.isValid && cert.expiryDate > Date.now());
+      if (validCerts.length > 0) {
+        const latestCert = validCerts.reduce((latest: any, cert: any) =>
+          cert.expiryDate > latest.expiryDate ? cert : latest
+        );
+        daysRemaining = Math.floor((latestCert.expiryDate - Date.now()) / (24 * 60 * 60 * 1000));
+        certificateStatus = daysRemaining <= 30 ? 'expiring-soon' : 'valid';
+      } else if (certificates.some((cert: any) => !cert.isValid)) {
+        certificateStatus = 'expired';
+      } else if (requirements.some((req: any) => req.status === 'pending')) {
+        certificateStatus = 'pending';
+      }
+
+      return {
+        domain,
+        certificates,
+        requirements,
+        serviceCount,
+        certificateStatus,
+        daysRemaining,
+      };
+    });
+  }
+
+  private registerHandlers(): void {
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetDomains>(
+        'getDomains',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const domains = this.buildDomainViews();
+          return { domains };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetDomain>(
+        'getDomain',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const domain = this.opsServerRef.oneboxRef.database.getDomainByName(dataArg.domainName);
+          if (!domain) {
+            throw new plugins.typedrequest.TypedResponseError('Domain not found');
+          }
+          const views = this.buildDomainViews();
+          const domainView = views.find((v) => v.domain.domain === dataArg.domainName);
+          if (!domainView) {
+            throw new plugins.typedrequest.TypedResponseError('Domain not found');
+          }
+          return { domain: domainView };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SyncDomains>(
+        'syncDomains',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          if (!this.opsServerRef.oneboxRef.cloudflareDomainSync) {
+            throw new plugins.typedrequest.TypedResponseError('Cloudflare domain sync not configured');
+          }
+          await this.opsServerRef.oneboxRef.cloudflareDomainSync.syncZones();
+          const domains = this.buildDomainViews();
+          return { domains };
+        },
+      ),
+    );
+  }
+}

ts/opsserver/handlers/index.ts

@@ -0,0 +1,13 @@
+export * from './admin.handler.ts';
+export * from './status.handler.ts';
+export * from './services.handler.ts';
+export * from './platform.handler.ts';
+export * from './ssl.handler.ts';
+export * from './domains.handler.ts';
+export * from './dns.handler.ts';
+export * from './registry.handler.ts';
+export * from './network.handler.ts';
+export * from './backups.handler.ts';
+export * from './schedules.handler.ts';
+export * from './settings.handler.ts';
+export * from './logs.handler.ts';

ts/opsserver/handlers/logs.handler.ts

@@ -0,0 +1,219 @@
+import * as plugins from '../../plugins.ts';
+import { logger } from '../../logging.ts';
+import type { OpsServer } from '../classes.opsserver.ts';
+import * as interfaces from '../../../ts_interfaces/index.ts';
+import { requireValidIdentity } from '../helpers/guards.ts';
+
+export class LogsHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private registerHandlers(): void {
+    // Service log stream
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetServiceLogStream>(
+        'getServiceLogStream',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+
+          const service = this.opsServerRef.oneboxRef.database.getServiceByName(dataArg.serviceName);
+          if (!service) {
+            throw new plugins.typedrequest.TypedResponseError('Service not found');
+          }
+
+          const virtualStream = new plugins.typedrequest.VirtualStream<Uint8Array>();
+          const encoder = new TextEncoder();
+
+          // Get container and start streaming in background
+          (async () => {
+            try {
+              let container = await this.opsServerRef.oneboxRef.docker.getContainerById(service.containerID!);
+              if (!container) {
+                // Try finding by service label
+                const containers = await this.opsServerRef.oneboxRef.docker.listAllContainers();
+                const serviceContainer = containers.find((c: any) => {
+                  const labels = c.Labels || {};
+                  return labels['com.docker.swarm.service.id'] === service.containerID;
+                });
+                if (serviceContainer) {
+                  container = await this.opsServerRef.oneboxRef.docker.getContainerById(serviceContainer.Id);
+                }
+              }
+
+              if (!container) {
+                virtualStream.sendData(encoder.encode(JSON.stringify({ error: 'Container not found' })));
+                return;
+              }
+
+              const logStream = await container.streamLogs({
+                stdout: true,
+                stderr: true,
+                timestamps: true,
+                tail: 100,
+              });
+
+              let buffer = new Uint8Array(0);
+
+              logStream.on('data', (chunk: Uint8Array) => {
+                // Append to buffer
+                const newBuffer = new Uint8Array(buffer.length + chunk.length);
+                newBuffer.set(buffer);
+                newBuffer.set(chunk, buffer.length);
+                buffer = newBuffer;
+
+                // Process Docker multiplexed frames
+                while (buffer.length >= 8) {
+                  const frameSize = (buffer[4] << 24) | (buffer[5] << 16) | (buffer[6] << 8) | buffer[7];
+                  if (buffer.length < 8 + frameSize) break;
+
+                  const frameData = buffer.slice(8, 8 + frameSize);
+                  try {
+                    virtualStream.sendData(frameData);
+                  } catch {
+                    logStream.destroy();
+                    return;
+                  }
+                  buffer = buffer.slice(8 + frameSize);
+                }
+              });
+
+              logStream.on('error', (error: Error) => {
+                logger.error(`Log stream error for ${dataArg.serviceName}: ${error.message}`);
+              });
+            } catch (error) {
+              logger.error(`Failed to start log stream: ${error}`);
+            }
+          })();
+
+          return { logStream: virtualStream as any };
+        },
+      ),
+    );
+
+    // Platform service log stream
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetPlatformServiceLogStream>(
+        'getPlatformServiceLogStream',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+
+          const platformService = this.opsServerRef.oneboxRef.database.getPlatformServiceByType(
+            dataArg.serviceType,
+          );
+          if (!platformService || !platformService.containerId) {
+            throw new plugins.typedrequest.TypedResponseError('Platform service has no container');
+          }
+
+          const virtualStream = new plugins.typedrequest.VirtualStream<Uint8Array>();
+
+          (async () => {
+            try {
+              const container = await this.opsServerRef.oneboxRef.docker.getContainerById(
+                platformService.containerId!,
+              );
+              if (!container) return;
+
+              const logStream = await container.streamLogs({
+                stdout: true,
+                stderr: true,
+                timestamps: true,
+                tail: 100,
+              });
+
+              let buffer = new Uint8Array(0);
+
+              logStream.on('data', (chunk: Uint8Array) => {
+                const newBuffer = new Uint8Array(buffer.length + chunk.length);
+                newBuffer.set(buffer);
+                newBuffer.set(chunk, buffer.length);
+                buffer = newBuffer;
+
+                while (buffer.length >= 8) {
+                  const frameSize = (buffer[4] << 24) | (buffer[5] << 16) | (buffer[6] << 8) | buffer[7];
+                  if (buffer.length < 8 + frameSize) break;
+                  const frameData = buffer.slice(8, 8 + frameSize);
+                  try {
+                    virtualStream.sendData(frameData);
+                  } catch {
+                    logStream.destroy();
+                    return;
+                  }
+                  buffer = buffer.slice(8 + frameSize);
+                }
+              });
+            } catch (error) {
+              logger.error(`Failed to start platform log stream: ${error}`);
+            }
+          })();
+
+          return { logStream: virtualStream as any };
+        },
+      ),
+    );
+
+    // Network log stream
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetNetworkLogStream>(
+        'getNetworkLogStream',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+
+          const virtualStream = new plugins.typedrequest.VirtualStream<Uint8Array>();
+          const encoder = new TextEncoder();
+          const clientId = crypto.randomUUID();
+
+          // Create a mock WebSocket-like object for the CaddyLogReceiver
+          const mockSocket = {
+            readyState: 1, // WebSocket.OPEN
+            send: (data: string) => {
+              try {
+                virtualStream.sendData(encoder.encode(data));
+              } catch {
+                this.opsServerRef.oneboxRef.caddyLogReceiver.removeClient(clientId);
+              }
+            },
+          };
+
+          const filter = dataArg.filter || {};
+          this.opsServerRef.oneboxRef.caddyLogReceiver.addClient(
+            clientId,
+            mockSocket as any,
+            filter,
+          );
+
+          return { logStream: virtualStream as any };
+        },
+      ),
+    );
+
+    // Event stream (general updates)
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetEventStream>(
+        'getEventStream',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+
+          const virtualStream = new plugins.typedrequest.VirtualStream<Uint8Array>();
+          const encoder = new TextEncoder();
+
+          // Send initial connection message
+          virtualStream.sendData(
+            encoder.encode(
+              JSON.stringify({
+                type: 'connected',
+                message: 'Connected to Onebox event stream',
+                timestamp: Date.now(),
+              }),
+            ),
+          );
+
+          return { eventStream: virtualStream as any };
+        },
+      ),
+    );
+  }
+}

ts/opsserver/handlers/network.handler.ts

@@ -0,0 +1,123 @@
+import * as plugins from '../../plugins.ts';
+import type { OpsServer } from '../classes.opsserver.ts';
+import * as interfaces from '../../../ts_interfaces/index.ts';
+import { requireValidIdentity } from '../helpers/guards.ts';
+import type { TPlatformServiceType } from '../../types.ts';
+
+export class NetworkHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private getPlatformServicePort(type: TPlatformServiceType): number {
+    const ports: Record<TPlatformServiceType, number> = {
+      mongodb: 27017,
+      minio: 9000,
+      redis: 6379,
+      postgresql: 5432,
+      rabbitmq: 5672,
+      caddy: 80,
+      clickhouse: 8123,
+    };
+    return ports[type] || 0;
+  }
+
+  private registerHandlers(): void {
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetNetworkTargets>(
+        'getNetworkTargets',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const targets: interfaces.data.INetworkTarget[] = [];
+
+          // Services
+          const services = this.opsServerRef.oneboxRef.services.listServices();
+          for (const svc of services) {
+            targets.push({
+              type: 'service',
+              name: svc.name,
+              domain: svc.domain || null,
+              targetHost: (svc as any).containerIP || svc.containerID || 'unknown',
+              targetPort: svc.port || 80,
+              status: svc.status,
+            });
+          }
+
+          // Registry
+          const registryStatus = this.opsServerRef.oneboxRef.registry.getStatus();
+          if (registryStatus.running) {
+            targets.push({
+              type: 'registry',
+              name: 'onebox-registry',
+              domain: null,
+              targetHost: 'localhost',
+              targetPort: registryStatus.port,
+              status: 'running',
+            });
+          }
+
+          // Platform services
+          const platformServices = this.opsServerRef.oneboxRef.platformServices.getAllPlatformServices();
+          for (const ps of platformServices) {
+            const provider = this.opsServerRef.oneboxRef.platformServices.getProvider(ps.type);
+            targets.push({
+              type: 'platform',
+              name: provider?.displayName || ps.type,
+              domain: null,
+              targetHost: 'localhost',
+              targetPort: this.getPlatformServicePort(ps.type),
+              status: ps.status,
+            });
+          }
+
+          return { targets };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetNetworkStats>(
+        'getNetworkStats',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const proxyStatus = this.opsServerRef.oneboxRef.reverseProxy.getStatus() as any;
+          const logReceiverStats = this.opsServerRef.oneboxRef.caddyLogReceiver.getStats();
+
+          return {
+            stats: {
+              proxy: {
+                running: proxyStatus.running ?? proxyStatus.http?.running ?? false,
+                httpPort: proxyStatus.httpPort ?? proxyStatus.http?.port ?? 80,
+                httpsPort: proxyStatus.httpsPort ?? proxyStatus.https?.port ?? 443,
+                routes: proxyStatus.routes ?? 0,
+                certificates: proxyStatus.certificates ?? proxyStatus.https?.certificates ?? 0,
+              },
+              logReceiver: {
+                running: logReceiverStats.running,
+                port: logReceiverStats.port,
+                clients: logReceiverStats.clients,
+                connections: logReceiverStats.connections,
+                sampleRate: logReceiverStats.sampleRate,
+                recentLogsCount: logReceiverStats.recentLogsCount,
+              },
+            },
+          };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetTrafficStats>(
+        'getTrafficStats',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const trafficStats = this.opsServerRef.oneboxRef.caddyLogReceiver.getTrafficStats(60);
+          return { stats: trafficStats };
+        },
+      ),
+    );
+  }
+}

ts/opsserver/handlers/platform.handler.ts

@@ -0,0 +1,169 @@
+import * as plugins from '../../plugins.ts';
+import { logger } from '../../logging.ts';
+import type { OpsServer } from '../classes.opsserver.ts';
+import * as interfaces from '../../../ts_interfaces/index.ts';
+import { requireValidIdentity } from '../helpers/guards.ts';
+
+export class PlatformHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private registerHandlers(): void {
+    // Get all platform services
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetPlatformServices>(
+        'getPlatformServices',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const platformServices = this.opsServerRef.oneboxRef.platformServices.getAllPlatformServices();
+          const providers = this.opsServerRef.oneboxRef.platformServices.getAllProviders();
+
+          const result = providers.map((provider: any) => {
+            const service = platformServices.find((s: any) => s.type === provider.type);
+            const isCore = 'isCore' in provider && (provider as any).isCore === true;
+
+            let status: string = service?.status || 'not-deployed';
+            if (provider.type === 'caddy') {
+              const proxyStatus = this.opsServerRef.oneboxRef.reverseProxy.getStatus() as any;
+              status = (proxyStatus.running ?? proxyStatus.http?.running) ? 'running' : 'stopped';
+            }
+
+            return {
+              type: provider.type,
+              displayName: provider.displayName,
+              resourceTypes: provider.resourceTypes,
+              status: status as interfaces.data.TPlatformServiceStatus,
+              containerId: service?.containerId,
+              isCore,
+              createdAt: service?.createdAt,
+              updatedAt: service?.updatedAt,
+            };
+          });
+
+          return { platformServices: result as interfaces.data.IPlatformService[] };
+        },
+      ),
+    );
+
+    // Get specific platform service
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetPlatformService>(
+        'getPlatformService',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const provider = this.opsServerRef.oneboxRef.platformServices.getProvider(dataArg.serviceType);
+          if (!provider) {
+            throw new plugins.typedrequest.TypedResponseError(`Unknown platform service type: ${dataArg.serviceType}`);
+          }
+
+          const service = this.opsServerRef.oneboxRef.database.getPlatformServiceByType(dataArg.serviceType);
+          const isCore = 'isCore' in provider && (provider as any).isCore === true;
+
+          let rawStatus: string = service?.status || 'not-deployed';
+          if (dataArg.serviceType === 'caddy') {
+            const proxyStatus = this.opsServerRef.oneboxRef.reverseProxy.getStatus() as any;
+            rawStatus = (proxyStatus.running ?? proxyStatus.http?.running) ? 'running' : 'stopped';
+          }
+
+          return {
+            platformService: {
+              type: provider.type,
+              displayName: provider.displayName,
+              resourceTypes: provider.resourceTypes,
+              status: rawStatus as interfaces.data.TPlatformServiceStatus,
+              containerId: service?.containerId,
+              isCore,
+              createdAt: service?.createdAt,
+              updatedAt: service?.updatedAt,
+            } as interfaces.data.IPlatformService,
+          };
+        },
+      ),
+    );
+
+    // Start platform service
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_StartPlatformService>(
+        'startPlatformService',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const provider = this.opsServerRef.oneboxRef.platformServices.getProvider(dataArg.serviceType);
+          if (!provider) {
+            throw new plugins.typedrequest.TypedResponseError(`Unknown platform service type: ${dataArg.serviceType}`);
+          }
+
+          logger.info(`Starting platform service: ${dataArg.serviceType}`);
+          const service = await this.opsServerRef.oneboxRef.platformServices.ensureRunning(dataArg.serviceType);
+
+          return {
+            platformService: {
+              type: service.type,
+              displayName: provider.displayName,
+              resourceTypes: provider.resourceTypes,
+              status: service.status,
+              containerId: service.containerId,
+            },
+          };
+        },
+      ),
+    );
+
+    // Stop platform service
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_StopPlatformService>(
+        'stopPlatformService',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const provider = this.opsServerRef.oneboxRef.platformServices.getProvider(dataArg.serviceType);
+          if (!provider) {
+            throw new plugins.typedrequest.TypedResponseError(`Unknown platform service type: ${dataArg.serviceType}`);
+          }
+
+          const isCore = 'isCore' in provider && (provider as any).isCore === true;
+          if (isCore) {
+            throw new plugins.typedrequest.TypedResponseError(
+              `${provider.displayName} is a core service and cannot be stopped`,
+            );
+          }
+
+          logger.info(`Stopping platform service: ${dataArg.serviceType}`);
+          await this.opsServerRef.oneboxRef.platformServices.stopPlatformService(dataArg.serviceType);
+
+          return {
+            platformService: {
+              type: dataArg.serviceType,
+              displayName: provider.displayName,
+              resourceTypes: provider.resourceTypes,
+              status: 'stopped' as const,
+            },
+          };
+        },
+      ),
+    );
+
+    // Get platform service stats
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetPlatformServiceStats>(
+        'getPlatformServiceStats',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const service = this.opsServerRef.oneboxRef.database.getPlatformServiceByType(dataArg.serviceType);
+          if (!service || !service.containerId) {
+            throw new plugins.typedrequest.TypedResponseError('Platform service has no container');
+          }
+
+          const stats = await this.opsServerRef.oneboxRef.docker.getContainerStats(service.containerId);
+          if (!stats) {
+            throw new plugins.typedrequest.TypedResponseError('Could not retrieve container stats');
+          }
+
+          return { stats };
+        },
+      ),
+    );
+  }
+}

ts/opsserver/handlers/registry.handler.ts

@@ -0,0 +1,147 @@
+import * as plugins from '../../plugins.ts';
+import type { OpsServer } from '../classes.opsserver.ts';
+import * as interfaces from '../../../ts_interfaces/index.ts';
+import { requireValidIdentity } from '../helpers/guards.ts';
+
+export class RegistryHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private registerHandlers(): void {
+    // Get registry tags
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRegistryTags>(
+        'getRegistryTags',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const tags = await this.opsServerRef.oneboxRef.registry.getImageTags(dataArg.serviceName);
+          return { tags };
+        },
+      ),
+    );
+
+    // Get registry tokens
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRegistryTokens>(
+        'getRegistryTokens',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const rawTokens = this.opsServerRef.oneboxRef.database.getAllRegistryTokens();
+          const now = Date.now();
+
+          const tokens = rawTokens.map((token: any) => {
+            const isExpired = token.expiresAt !== null && token.expiresAt < now;
+            let scopeDisplay: string;
+            if (token.scope === 'all') {
+              scopeDisplay = 'All services';
+            } else if (Array.isArray(token.scope)) {
+              scopeDisplay = token.scope.length === 1 ? token.scope[0] : `${token.scope.length} services`;
+            } else {
+              scopeDisplay = 'Unknown';
+            }
+
+            return {
+              id: token.id!,
+              name: token.name,
+              type: token.type,
+              scope: token.scope,
+              scopeDisplay,
+              expiresAt: token.expiresAt,
+              createdAt: token.createdAt,
+              lastUsedAt: token.lastUsedAt,
+              createdBy: token.createdBy,
+              isExpired,
+            };
+          });
+
+          return { tokens };
+        },
+      ),
+    );
+
+    // Create registry token
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateRegistryToken>(
+        'createRegistryToken',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const config = dataArg.tokenConfig;
+
+          // Calculate expiration
+          const now = Date.now();
+          let expiresAt: number | null = null;
+          if (config.expiresIn !== 'never') {
+            const daysMap: Record<string, number> = { '30d': 30, '90d': 90, '365d': 365 };
+            const days = daysMap[config.expiresIn];
+            if (days) expiresAt = now + days * 24 * 60 * 60 * 1000;
+          }
+
+          // Generate token
+          const plainToken = crypto.randomUUID() + crypto.randomUUID();
+          const encoder = new TextEncoder();
+          const hashBuffer = await crypto.subtle.digest('SHA-256', encoder.encode(plainToken));
+          const hashArray = Array.from(new Uint8Array(hashBuffer));
+          const tokenHash = hashArray.map((b) => b.toString(16).padStart(2, '0')).join('');
+
+          const token = this.opsServerRef.oneboxRef.database.createRegistryToken({
+            name: config.name,
+            tokenHash,
+            type: config.type,
+            scope: config.scope,
+            expiresAt,
+            createdAt: now,
+            lastUsedAt: null,
+            createdBy: dataArg.identity.username,
+          });
+
+          let scopeDisplay: string;
+          if (token.scope === 'all') {
+            scopeDisplay = 'All services';
+          } else if (Array.isArray(token.scope)) {
+            scopeDisplay = token.scope.length === 1 ? token.scope[0] : `${token.scope.length} services`;
+          } else {
+            scopeDisplay = 'Unknown';
+          }
+
+          return {
+            result: {
+              token: {
+                id: token.id!,
+                name: token.name,
+                type: token.type,
+                scope: token.scope,
+                scopeDisplay,
+                expiresAt: token.expiresAt,
+                createdAt: token.createdAt,
+                lastUsedAt: token.lastUsedAt,
+                createdBy: token.createdBy,
+                isExpired: false,
+              },
+              plainToken,
+            },
+          };
+        },
+      ),
+    );
+
+    // Delete registry token
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteRegistryToken>(
+        'deleteRegistryToken',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const token = this.opsServerRef.oneboxRef.database.getRegistryTokenById(dataArg.tokenId);
+          if (!token) {
+            throw new plugins.typedrequest.TypedResponseError('Token not found');
+          }
+          this.opsServerRef.oneboxRef.database.deleteRegistryToken(dataArg.tokenId);
+          return { ok: true };
+        },
+      ),
+    );
+  }
+}

ts/opsserver/handlers/schedules.handler.ts

@@ -0,0 +1,93 @@
+import * as plugins from '../../plugins.ts';
+import type { OpsServer } from '../classes.opsserver.ts';
+import * as interfaces from '../../../ts_interfaces/index.ts';
+import { requireValidIdentity } from '../helpers/guards.ts';
+
+export class SchedulesHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private registerHandlers(): void {
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetBackupSchedules>(
+        'getBackupSchedules',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const schedules = this.opsServerRef.oneboxRef.backupScheduler.getAllSchedules();
+          return { schedules };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateBackupSchedule>(
+        'createBackupSchedule',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const schedule = await this.opsServerRef.oneboxRef.backupScheduler.createSchedule(
+            dataArg.scheduleConfig,
+          );
+          return { schedule };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetBackupSchedule>(
+        'getBackupSchedule',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const schedule = this.opsServerRef.oneboxRef.backupScheduler.getScheduleById(dataArg.scheduleId);
+          if (!schedule) {
+            throw new plugins.typedrequest.TypedResponseError('Schedule not found');
+          }
+          return { schedule };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateBackupSchedule>(
+        'updateBackupSchedule',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const schedule = await this.opsServerRef.oneboxRef.backupScheduler.updateSchedule(
+            dataArg.scheduleId,
+            dataArg.updates,
+          );
+          return { schedule };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteBackupSchedule>(
+        'deleteBackupSchedule',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await this.opsServerRef.oneboxRef.backupScheduler.deleteSchedule(dataArg.scheduleId);
+          return { ok: true };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_TriggerBackupSchedule>(
+        'triggerBackupSchedule',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await this.opsServerRef.oneboxRef.backupScheduler.triggerBackup(dataArg.scheduleId);
+          // triggerBackup is void; the backup is created async by the scheduler
+          // Return the most recent backup for the schedule
+          const allBackups = this.opsServerRef.oneboxRef.backupManager.listBackups();
+          const latestBackup = allBackups.find((b: any) => b.scheduleId === dataArg.scheduleId);
+          return { backup: latestBackup! };
+        },
+      ),
+    );
+  }
+}

ts/opsserver/handlers/services.handler.ts

@@ -0,0 +1,244 @@
+import * as plugins from '../../plugins.ts';
+import { logger } from '../../logging.ts';
+import type { OpsServer } from '../classes.opsserver.ts';
+import * as interfaces from '../../../ts_interfaces/index.ts';
+import { requireValidIdentity } from '../helpers/guards.ts';
+
+export class ServicesHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private registerHandlers(): void {
+    // Get all services
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetServices>(
+        'getServices',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const services = this.opsServerRef.oneboxRef.services.listServices();
+          return { services };
+        },
+      ),
+    );
+
+    // Get single service
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetService>(
+        'getService',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const service = this.opsServerRef.oneboxRef.services.getService(dataArg.serviceName);
+          if (!service) {
+            throw new plugins.typedrequest.TypedResponseError('Service not found');
+          }
+          return { service };
+        },
+      ),
+    );
+
+    // Create service
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateService>(
+        'createService',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const service = await this.opsServerRef.oneboxRef.services.deployService(dataArg.serviceConfig);
+          return { service };
+        },
+      ),
+    );
+
+    // Update service
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateService>(
+        'updateService',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const service = await this.opsServerRef.oneboxRef.services.updateService(
+            dataArg.serviceName,
+            dataArg.updates,
+          );
+          return { service };
+        },
+      ),
+    );
+
+    // Delete service
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteService>(
+        'deleteService',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await this.opsServerRef.oneboxRef.services.removeService(dataArg.serviceName);
+          return { ok: true };
+        },
+      ),
+    );
+
+    // Start service
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_StartService>(
+        'startService',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await this.opsServerRef.oneboxRef.services.startService(dataArg.serviceName);
+          const service = this.opsServerRef.oneboxRef.services.getService(dataArg.serviceName);
+          return { service: service! };
+        },
+      ),
+    );
+
+    // Stop service
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_StopService>(
+        'stopService',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await this.opsServerRef.oneboxRef.services.stopService(dataArg.serviceName);
+          const service = this.opsServerRef.oneboxRef.services.getService(dataArg.serviceName);
+          return { service: service! };
+        },
+      ),
+    );
+
+    // Restart service
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RestartService>(
+        'restartService',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await this.opsServerRef.oneboxRef.services.restartService(dataArg.serviceName);
+          const service = this.opsServerRef.oneboxRef.services.getService(dataArg.serviceName);
+          return { service: service! };
+        },
+      ),
+    );
+
+    // Get service logs
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetServiceLogs>(
+        'getServiceLogs',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const logs = await this.opsServerRef.oneboxRef.services.getServiceLogs(dataArg.serviceName);
+          return { logs: String(logs) };
+        },
+      ),
+    );
+
+    // Get service stats
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetServiceStats>(
+        'getServiceStats',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const service = this.opsServerRef.oneboxRef.services.getService(dataArg.serviceName);
+          if (!service || !service.containerID) {
+            throw new plugins.typedrequest.TypedResponseError('Service has no container');
+          }
+          const stats = await this.opsServerRef.oneboxRef.docker.getContainerStats(service.containerID);
+          if (!stats) {
+            throw new plugins.typedrequest.TypedResponseError('Could not retrieve container stats');
+          }
+          return { stats };
+        },
+      ),
+    );
+
+    // Get service metrics
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetServiceMetrics>(
+        'getServiceMetrics',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const service = this.opsServerRef.oneboxRef.services.getService(dataArg.serviceName);
+          if (!service || !service.id) {
+            throw new plugins.typedrequest.TypedResponseError('Service not found');
+          }
+          const metrics = this.opsServerRef.oneboxRef.database.getMetrics(service.id, dataArg.limit || 60);
+          return { metrics };
+        },
+      ),
+    );
+
+    // Get service platform resources
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetServicePlatformResources>(
+        'getServicePlatformResources',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const rawResources = await this.opsServerRef.oneboxRef.services.getServicePlatformResources(
+            dataArg.serviceName,
+          );
+          const resources = rawResources.map((r: any) => ({
+            id: r.resource.id,
+            resourceType: r.resource.resourceType,
+            resourceName: r.resource.resourceName,
+            platformService: {
+              type: r.platformService.type,
+              name: r.platformService.name,
+              status: r.platformService.status,
+            },
+            envVars: Object.keys(r.credentials).reduce((acc: Record<string, string>, key: string) => {
+              const value = r.credentials[key];
+              if (key.toLowerCase().includes('password') || key.toLowerCase().includes('secret')) {
+                acc[key] = '********';
+              } else {
+                acc[key] = value;
+              }
+              return acc;
+            }, {}),
+            createdAt: r.resource.createdAt,
+          }));
+          return { resources };
+        },
+      ),
+    );
+
+    // Get service backups
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetServiceBackups>(
+        'getServiceBackups',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const backups = this.opsServerRef.oneboxRef.backupManager.listBackups(dataArg.serviceName);
+          return { backups };
+        },
+      ),
+    );
+
+    // Create service backup
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateServiceBackup>(
+        'createServiceBackup',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const result = await this.opsServerRef.oneboxRef.backupManager.createBackup(dataArg.serviceName);
+          return { backup: result.backup };
+        },
+      ),
+    );
+
+    // Get service backup schedules
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetServiceBackupSchedules>(
+        'getServiceBackupSchedules',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const service = this.opsServerRef.oneboxRef.services.getService(dataArg.serviceName);
+          if (!service) {
+            throw new plugins.typedrequest.TypedResponseError('Service not found');
+          }
+          const schedules = this.opsServerRef.oneboxRef.backupScheduler.getSchedulesForService(
+            dataArg.serviceName,
+          );
+          return { schedules };
+        },
+      ),
+    );
+  }
+}

ts/opsserver/handlers/settings.handler.ts

@@ -0,0 +1,86 @@
+import * as plugins from '../../plugins.ts';
+import type { OpsServer } from '../classes.opsserver.ts';
+import * as interfaces from '../../../ts_interfaces/index.ts';
+import { requireValidIdentity } from '../helpers/guards.ts';
+
+export class SettingsHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private getSettingsObject(): interfaces.data.ISettings {
+    const db = this.opsServerRef.oneboxRef.database;
+    const settingsMap = db.getAllSettings(); // Returns Record<string, string>
+
+    return {
+      cloudflareToken: settingsMap['cloudflareToken'] || '',
+      cloudflareZoneId: settingsMap['cloudflareZoneId'] || '',
+      autoRenewCerts: settingsMap['autoRenewCerts'] === 'true',
+      renewalThreshold: parseInt(settingsMap['renewalThreshold'] || '30', 10),
+      acmeEmail: settingsMap['acmeEmail'] || '',
+      httpPort: parseInt(settingsMap['httpPort'] || '80', 10),
+      httpsPort: parseInt(settingsMap['httpsPort'] || '443', 10),
+      forceHttps: settingsMap['forceHttps'] === 'true',
+    };
+  }
+
+  private registerHandlers(): void {
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSettings>(
+        'getSettings',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const settings = this.getSettingsObject();
+          return { settings };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateSettings>(
+        'updateSettings',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const db = this.opsServerRef.oneboxRef.database;
+          const updates = dataArg.settings;
+
+          // Store each setting as key-value pair
+          for (const [key, value] of Object.entries(updates)) {
+            if (value !== undefined) {
+              db.setSetting(key, String(value));
+            }
+          }
+
+          const settings = this.getSettingsObject();
+          return { settings };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SetBackupPassword>(
+        'setBackupPassword',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          this.opsServerRef.oneboxRef.database.setSetting('backupPassword', dataArg.password);
+          return { ok: true };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetBackupPasswordStatus>(
+        'getBackupPasswordStatus',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const backupPassword = this.opsServerRef.oneboxRef.database.getSetting('backupPassword');
+          const isConfigured = !!backupPassword;
+          return { status: { isConfigured } };
+        },
+      ),
+    );
+  }
+}

ts/opsserver/handlers/ssl.handler.ts

@@ -0,0 +1,64 @@
+import * as plugins from '../../plugins.ts';
+import type { OpsServer } from '../classes.opsserver.ts';
+import * as interfaces from '../../../ts_interfaces/index.ts';
+import { requireValidIdentity } from '../helpers/guards.ts';
+
+export class SslHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private registerHandlers(): void {
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ObtainCertificate>(
+        'obtainCertificate',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await this.opsServerRef.oneboxRef.ssl.obtainCertificate(dataArg.domain, false);
+          const certificate = this.opsServerRef.oneboxRef.ssl.getCertificate(dataArg.domain);
+          return { certificate: certificate as unknown as interfaces.data.ICertificate };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListCertificates>(
+        'listCertificates',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const certificates = this.opsServerRef.oneboxRef.ssl.listCertificates();
+          return { certificates: certificates as unknown as interfaces.data.ICertificate[] };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetCertificate>(
+        'getCertificate',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const certificate = this.opsServerRef.oneboxRef.ssl.getCertificate(dataArg.domain);
+          if (!certificate) {
+            throw new plugins.typedrequest.TypedResponseError('Certificate not found');
+          }
+          return { certificate: certificate as unknown as interfaces.data.ICertificate };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RenewCertificate>(
+        'renewCertificate',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await this.opsServerRef.oneboxRef.ssl.renewCertificate(dataArg.domain);
+          const certificate = this.opsServerRef.oneboxRef.ssl.getCertificate(dataArg.domain);
+          return { certificate: certificate as unknown as interfaces.data.ICertificate };
+        },
+      ),
+    );
+  }
+}

ts/opsserver/handlers/status.handler.ts

@@ -0,0 +1,26 @@
+import * as plugins from '../../plugins.ts';
+import type { OpsServer } from '../classes.opsserver.ts';
+import * as interfaces from '../../../ts_interfaces/index.ts';
+import { requireValidIdentity } from '../helpers/guards.ts';
+
+export class StatusHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private registerHandlers(): void {
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSystemStatus>(
+        'getSystemStatus',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const status = await this.opsServerRef.oneboxRef.getSystemStatus();
+          return { status: status as unknown as interfaces.data.ISystemStatus };
+        },
+      ),
+    );
+  }
+}

ts/opsserver/helpers/guards.ts

@@ -0,0 +1,29 @@
+import * as plugins from '../../plugins.ts';
+import type { AdminHandler } from '../handlers/admin.handler.ts';
+import * as interfaces from '../../../ts_interfaces/index.ts';
+
+export async function requireValidIdentity<T extends { identity?: interfaces.data.IIdentity }>(
+  adminHandler: AdminHandler,
+  dataArg: T,
+): Promise<void> {
+  if (!dataArg.identity) {
+    throw new plugins.typedrequest.TypedResponseError('No identity provided');
+  }
+  const passed = await adminHandler.validIdentityGuard.exec({ identity: dataArg.identity });
+  if (!passed) {
+    throw new plugins.typedrequest.TypedResponseError('Valid identity required');
+  }
+}
+
+export async function requireAdminIdentity<T extends { identity?: interfaces.data.IIdentity }>(
+  adminHandler: AdminHandler,
+  dataArg: T,
+): Promise<void> {
+  if (!dataArg.identity) {
+    throw new plugins.typedrequest.TypedResponseError('No identity provided');
+  }
+  const passed = await adminHandler.adminIdentityGuard.exec({ identity: dataArg.identity });
+  if (!passed) {
+    throw new plugins.typedrequest.TypedResponseError('Admin access required');
+  }
+}

ts/opsserver/index.ts

@@ -0,0 +1 @@
+export * from './classes.opsserver.ts';

ts/plugins.ts

@@ -17,10 +17,6 @@ export { path, fs, http, encoding };
 import { Database } from '@db/sqlite';
 export const sqlite = { DB: Database };
 
-// Systemd Daemon Integration
-import * as smartdaemon from '@push.rocks/smartdaemon';
-export { smartdaemon };
-
 // Docker API Client
 import { DockerHost } from '@apiclient.xyz/docker';
 export const docker = { Docker: DockerHost };
@@ -61,3 +57,13 @@ export { crypto };
 import * as nodeHttps from 'node:https';
 import * as nodeHttp from 'node:http';
 export { nodeHttps, nodeHttp };
+
+// TypedRequest/TypedServer infrastructure
+import * as typedrequest from '@api.global/typedrequest';
+import * as typedserver from '@api.global/typedserver';
+export { typedrequest, typedserver };
+
+// Auth & Guards
+import * as smartguard from '@push.rocks/smartguard';
+import * as smartjwt from '@push.rocks/smartjwt';
+export { smartguard, smartjwt };

ts_interfaces/data/auth.ts

@@ -0,0 +1,16 @@
+/**
+ * Auth-related data shapes for Onebox
+ */
+
+export interface IIdentity {
+  jwt: string;
+  userId: string;
+  username: string;
+  expiresAt: number;
+  role: 'admin' | 'user';
+}
+
+export interface IUser {
+  username: string;
+  role: 'admin' | 'user';
+}

ts_interfaces/data/backup.ts

@@ -0,0 +1,89 @@
+/**
+ * Backup-related data shapes for Onebox
+ */
+
+import type { TPlatformServiceType } from './platform.ts';
+
+export type TBackupRestoreMode = 'restore' | 'import' | 'clone';
+export type TBackupScheduleScope = 'all' | 'pattern' | 'service';
+
+export interface IRetentionPolicy {
+  hourly: number;
+  daily: number;
+  weekly: number;
+  monthly: number;
+}
+
+export const RETENTION_PRESETS = {
+  standard: { hourly: 0, daily: 7, weekly: 4, monthly: 12 },
+  frequent: { hourly: 24, daily: 7, weekly: 4, monthly: 12 },
+  minimal: { hourly: 0, daily: 3, weekly: 2, monthly: 6 },
+  longterm: { hourly: 0, daily: 14, weekly: 8, monthly: 24 },
+} as const;
+
+export type TRetentionPreset = keyof typeof RETENTION_PRESETS | 'custom';
+
+export interface IBackup {
+  id?: number;
+  serviceId: number;
+  serviceName: string;
+  filename: string;
+  sizeBytes: number;
+  createdAt: number;
+  includesImage: boolean;
+  platformResources: TPlatformServiceType[];
+  checksum: string;
+  scheduleId?: number;
+}
+
+export interface IBackupSchedule {
+  id?: number;
+  scopeType: TBackupScheduleScope;
+  scopePattern?: string;
+  serviceId?: number;
+  serviceName?: string;
+  cronExpression: string;
+  retention: IRetentionPolicy;
+  enabled: boolean;
+  lastRunAt: number | null;
+  nextRunAt: number | null;
+  lastStatus: 'success' | 'failed' | null;
+  lastError: string | null;
+  createdAt: number;
+  updatedAt: number;
+}
+
+export interface IBackupScheduleCreate {
+  scopeType: TBackupScheduleScope;
+  scopePattern?: string;
+  serviceName?: string;
+  cronExpression: string;
+  retention: IRetentionPolicy;
+  enabled?: boolean;
+}
+
+export interface IBackupScheduleUpdate {
+  cronExpression?: string;
+  retention?: IRetentionPolicy;
+  enabled?: boolean;
+}
+
+export interface IRestoreOptions {
+  mode: TBackupRestoreMode;
+  newServiceName?: string;
+  overwriteExisting?: boolean;
+  skipPlatformData?: boolean;
+}
+
+export interface IRestoreResult {
+  service: {
+    name: string;
+    status: string;
+  };
+  platformResourcesRestored: number;
+  warnings: string[];
+}
+
+export interface IBackupPasswordStatus {
+  isConfigured: boolean;
+}

ts_interfaces/data/domain.ts

@@ -0,0 +1,59 @@
+/**
+ * Domain, DNS, and certificate data shapes for Onebox
+ */
+
+export interface IDomain {
+  id?: number;
+  domain: string;
+  dnsProvider: 'cloudflare' | 'manual' | null;
+  cloudflareZoneId?: string;
+  isObsolete: boolean;
+  defaultWildcard: boolean;
+  createdAt: number;
+  updatedAt: number;
+}
+
+export interface ICertificate {
+  id?: number;
+  domainId: number;
+  certDomain: string;
+  isWildcard: boolean;
+  certPem: string;
+  keyPem: string;
+  fullchainPem: string;
+  expiryDate: number;
+  issuer: string;
+  isValid: boolean;
+  createdAt: number;
+  updatedAt: number;
+}
+
+export interface ICertRequirement {
+  id?: number;
+  domainId: number;
+  serviceId: number;
+  subdomain: string;
+  status: 'pending' | 'active' | 'renewing' | 'failed';
+  certificateId?: number;
+  createdAt: number;
+  updatedAt: number;
+}
+
+export interface IDomainDetail {
+  domain: IDomain;
+  certificates: ICertificate[];
+  requirements: ICertRequirement[];
+  serviceCount: number;
+  certificateStatus: 'valid' | 'expiring-soon' | 'expired' | 'pending' | 'none';
+  daysRemaining: number | null;
+}
+
+export interface IDnsRecord {
+  id?: number;
+  domain: string;
+  type: 'A' | 'AAAA' | 'CNAME';
+  value: string;