@serve.zone/dcrouter 13.45.0 → 14.0.1

package/dist_ts_migrations/index.js

@@ -407,7 +407,7 @@ export async function createMigrationRunner(db, targetVersion, options = {}) {
         .from('13.1.0').to('13.8.1')
         .description('Rename DomainDoc.source value from "manual" to "dcrouter"')
         .up(async (ctx) => {
-        const collection = ctx.mongo.collection('domaindoc');
+        const collection = ctx.mongo.collection('DomainDoc');
         const result = await collection.updateMany({ source: 'manual' }, { $set: { source: 'dcrouter' } });
         ctx.log.log('info', `rename-domain-source-manual-to-dcrouter: migrated ${result.modifiedCount} domain(s)`);
     })
@@ -415,7 +415,7 @@ export async function createMigrationRunner(db, targetVersion, options = {}) {
         .from('13.8.1').to('13.8.2')
         .description('Rename DnsRecordDoc.source value from "manual" to "local"')
         .up(async (ctx) => {
-        const collection = ctx.mongo.collection('dnsrecorddoc');
+        const collection = ctx.mongo.collection('DnsRecordDoc');
         const result = await collection.updateMany({ source: 'manual' }, { $set: { source: 'local' } });
         ctx.log.log('info', `rename-record-source-manual-to-local: migrated ${result.modifiedCount} record(s)`);
     })

package/dist_ts_web/00_commitinfo_data.js

@@ -3,7 +3,7 @@
  */
 export const commitinfo = {
     name: '@serve.zone/dcrouter',
-    version: '13.45.0',
+    version: '14.0.1',
     description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 };
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiMDBfY29tbWl0aW5mb19kYXRhLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vdHNfd2ViLzAwX2NvbW1pdGluZm9fZGF0YS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQTs7R0FFRztBQUNILE1BQU0sQ0FBQyxNQUFNLFVBQVUsR0FBRztJQUN4QixJQUFJLEVBQUUsc0JBQXNCO0lBQzVCLE9BQU8sRUFBRSxTQUFTO0lBQ2xCLFdBQVcsRUFBRSwwRUFBMEU7Q0FDeEYsQ0FBQSJ9
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiMDBfY29tbWl0aW5mb19kYXRhLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vdHNfd2ViLzAwX2NvbW1pdGluZm9fZGF0YS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQTs7R0FFRztBQUNILE1BQU0sQ0FBQyxNQUFNLFVBQVUsR0FBRztJQUN4QixJQUFJLEVBQUUsc0JBQXNCO0lBQzVCLE9BQU8sRUFBRSxRQUFRO0lBQ2pCLFdBQVcsRUFBRSwwRUFBMEU7Q0FDeEYsQ0FBQSJ9

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@serve.zone/dcrouter",
   "private": false,
-  "version": "13.45.0",
+  "version": "14.0.1",
   "description": "A multifaceted routing service handling mail and SMS delivery functions.",
   "type": "module",
   "bin": {
@@ -50,7 +50,7 @@
     "@push.rocks/smartnetwork": "^4.7.2",
     "@push.rocks/smartpath": "^6.0.0",
     "@push.rocks/smartpromise": "^4.2.4",
-    "@push.rocks/smartproxy": "^27.12.6",
+    "@push.rocks/smartproxy": "^27.12.8",
     "@push.rocks/smartradius": "^1.3.0",
     "@push.rocks/smartrequest": "^5.0.3",
     "@push.rocks/smartrx": "^3.0.10",

package/ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.45.0',
+  version: '14.0.1',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

package/ts/acme/manager.acme-config.ts

@@ -1,14 +1,12 @@
 import { logger } from '../logger.js';
 import { AcmeConfigDoc } from '../db/documents/index.js';
-import type { IDcRouterOptions } from '../classes.dcrouter.js';
 import type { IAcmeConfig } from '../../ts_interfaces/data/acme-config.js';
 
 /**
  * AcmeConfigManager — owns the singleton ACME configuration in the DB.
  *
  * Lifecycle:
- *  - `start()` — loads from the DB; if empty, seeds from legacy constructor
- *    fields (`tls.contactEmail`, `smartProxyConfig.acme.*`) on first boot.
+ *  - `start()` — loads the DB-backed singleton configuration.
  *  - `getConfig()` — returns the in-memory cached `IAcmeConfig` (or null)
  *  - `updateConfig(args, updatedBy)` — upserts and refreshes the cache
  *
@@ -20,32 +18,12 @@ import type { IAcmeConfig } from '../../ts_interfaces/data/acme-config.js';
 export class AcmeConfigManager {
   private cached: IAcmeConfig | null = null;
 
-  constructor(private options: IDcRouterOptions) {}
-
   public async start(): Promise<void> {
     logger.log('info', 'AcmeConfigManager: starting');
-    let doc = await AcmeConfigDoc.load();
+    const doc = await AcmeConfigDoc.load();
 
     if (!doc) {
-      // First-boot path: seed from legacy constructor fields if present.
-      const seed = this.deriveSeedFromOptions();
-      if (seed) {
-        doc = await this.createSeedDoc(seed);
-        logger.log(
-          'info',
-          `AcmeConfigManager: seeded from constructor legacy fields (accountEmail=${seed.accountEmail}, useProduction=${seed.useProduction})`,
-        );
-      } else {
-        logger.log(
-          'info',
-          'AcmeConfigManager: no AcmeConfig in DB and no legacy constructor fields — ACME disabled until configured via Domains > Certificates > Settings.',
-        );
-      }
-    } else if (this.deriveSeedFromOptions()) {
-      logger.log(
-        'warn',
-        'AcmeConfigManager: ignoring constructor tls.contactEmail / smartProxyConfig.acme — DB already has AcmeConfigDoc. Manage via Domains > Certificates > Settings.',
-      );
+      logger.log('info', 'AcmeConfigManager: no AcmeConfig in DB — ACME disabled until configured via Domains > Certificates > Settings.');
     }
 
     this.cached = doc ? this.toPlain(doc) : null;
@@ -116,58 +94,6 @@ export class AcmeConfigManager {
   // Internal helpers
   // ==========================================================================
 
-  /**
-   * Build a seed object from the legacy constructor fields. Returns null
-   * if the user has not provided any of them.
-   *
-   * Supports BOTH `tls.contactEmail` (short form) and `smartProxyConfig.acme`
-   * (full form). `smartProxyConfig.acme` wins when both are present.
-   */
-  private deriveSeedFromOptions(): Omit<IAcmeConfig, 'updatedAt' | 'updatedBy'> | null {
-    const acme = this.options.smartProxyConfig?.acme;
-    const tls = this.options.tls;
-
-    // Prefer the explicit smartProxyConfig.acme block if present.
-    if (acme?.accountEmail) {
-      return {
-        accountEmail: acme.accountEmail,
-        enabled: acme.enabled !== false,
-        useProduction: acme.useProduction !== false,
-        autoRenew: acme.autoRenew !== false,
-        renewThresholdDays: acme.renewThresholdDays ?? 30,
-      };
-    }
-
-    // Fall back to the short tls.contactEmail form.
-    if (tls?.contactEmail) {
-      return {
-        accountEmail: tls.contactEmail,
-        enabled: true,
-        useProduction: true,
-        autoRenew: true,
-        renewThresholdDays: 30,
-      };
-    }
-
-    return null;
-  }
-
-  private async createSeedDoc(
-    seed: Omit<IAcmeConfig, 'updatedAt' | 'updatedBy'>,
-  ): Promise<AcmeConfigDoc> {
-    const doc = new AcmeConfigDoc();
-    doc.configId = 'acme-config';
-    doc.accountEmail = seed.accountEmail;
-    doc.enabled = seed.enabled;
-    doc.useProduction = seed.useProduction;
-    doc.autoRenew = seed.autoRenew;
-    doc.renewThresholdDays = seed.renewThresholdDays;
-    doc.updatedAt = Date.now();
-    doc.updatedBy = 'seed';
-    await doc.save();
-    return doc;
-  }
-
   private toPlain(doc: AcmeConfigDoc): IAcmeConfig {
     return {
       accountEmail: doc.accountEmail,

package/ts/classes.dcrouter.ts

@@ -37,6 +37,8 @@ import type { IEmailPortConfig, IEmailServerSettings, IEmailServerSettingsSeed,
 import type { IDcRouterRouteConfig, IRemoteIngressHubSettings, IRemoteIngressPerformanceConfig, TRemoteIngressHubSettingsUpdate } from '../ts_interfaces/data/remoteingress.js';
 import type { ISecurityCompiledPolicy } from '../ts_interfaces/data/security-policy.js';
 
+type TInboundProxyProtocolPolicy = NonNullable<plugins.smartproxy.IRouteMatch['inboundProxyProtocol']>;
+
 export interface IDcRouterOptions {
   /** Base directory for all dcrouter data. Defaults to ~/.serve.zone/dcrouter */
   baseDir?: string;
@@ -454,14 +456,13 @@ export class DcRouter {
     // AcmeConfigManager: optional, depends on DcRouterDb — owns the singleton
     // ACME configuration (accountEmail, useProduction, etc.). Must run before
     // SmartProxy so setupSmartProxy() can read the ACME config from the DB.
-    // On first boot, seeds from legacy `tls.contactEmail` / `smartProxyConfig.acme`.
     if (this.options.dbConfig?.enabled !== false) {
       this.serviceManager.addService(
         new plugins.taskbuffer.Service('AcmeConfigManager')
           .optional()
           .dependsOn('DcRouterDb')
           .withStart(async () => {
-            this.acmeConfigManager = new AcmeConfigManager(this.options);
+            this.acmeConfigManager = new AcmeConfigManager();
             await this.acmeConfigManager.start();
           })
           .withStop(async () => {
@@ -648,6 +649,7 @@ export class DcRouter {
               },
               (preparedRoutes) => buildHttpRedirectRuntimeRoutes(preparedRoutes || []),
               (storedRoute: IRoute) => this.hydrateStoredRouteForRuntime(storedRoute),
+              (routes) => this.applyInboundProxyProtocolPolicies(routes),
             );
             this.apiTokenManager = new ApiTokenManager();
             await this.apiTokenManager.initialize();
@@ -813,7 +815,7 @@ export class DcRouter {
       ?? false;
   }
 
-  private getRemoteIngressHubSettingsLegacySeed(): TRemoteIngressHubSettingsUpdate {
+  private getRemoteIngressHubSettingsMigrationSeed(): TRemoteIngressHubSettingsUpdate {
     const remoteIngressConfig = this.options.remoteIngressConfig;
     const seed: TRemoteIngressHubSettingsUpdate = {};
     if (remoteIngressConfig?.enabled !== undefined) {
@@ -831,7 +833,7 @@ export class DcRouter {
     return seed;
   }
 
-  private getEmailSettingsLegacySeed(): IEmailServerSettingsSeed {
+  private getEmailSettingsMigrationSeed(): IEmailServerSettingsSeed {
     const seed: IEmailServerSettingsSeed = {};
     if (this.options.emailConfig) {
       seed.enabled = true;
@@ -1106,8 +1108,8 @@ export class DcRouter {
     // Run any pending data migrations before anything else reads from the DB.
     // This must complete before ConfigManagers loads profiles.
     const migration = await createMigrationRunner(this.dcRouterDb.getDb(), commitinfo.version, {
-      remoteIngressHubSettings: this.getRemoteIngressHubSettingsLegacySeed(),
-      emailServerSettings: this.getEmailSettingsLegacySeed(),
+      remoteIngressHubSettings: this.getRemoteIngressHubSettingsMigrationSeed(),
+      emailServerSettings: this.getEmailSettingsMigrationSeed(),
     });
     const migrationResult = await migration.run();
     if (migrationResult.stepsApplied.length > 0) {
@@ -1221,6 +1223,7 @@ export class DcRouter {
       routes = augmentRoutesWithHttp3(routes, http3Config);
       logger.log('info', 'HTTP/3: Augmented qualifying HTTPS routes with QUIC/H3 configuration');
     }
+    routes = this.applyInboundProxyProtocolPolicies(routes);
 
     const compiledSecurityPolicy = await this.securityPolicyManager?.compileSmartProxyPolicy();
     const mergedSecurityPolicy = this.mergeSecurityPolicies(
@@ -1380,27 +1383,12 @@ export class DcRouter {
         };
       }
       
-      // When remoteIngress is enabled, the hub binary forwards tunneled connections
-      // to SmartProxy with PROXY protocol v1 headers to preserve client IPs.
-      if (this.isRemoteIngressHubEnabled()) {
-        smartProxyConfig.acceptProxyProtocol = true;
-        if (!smartProxyConfig.proxyIPs) {
-          smartProxyConfig.proxyIPs = [];
-        }
-        if (!smartProxyConfig.proxyIPs.includes('127.0.0.1')) {
-          smartProxyConfig.proxyIPs.push('127.0.0.1');
-        }
-      }
-
-      // VPN uses socket mode with PP v2 — SmartProxy must accept proxy protocol from localhost
-      if (this.options.vpnConfig?.enabled) {
-        smartProxyConfig.acceptProxyProtocol = true;
-        if (!smartProxyConfig.proxyIPs) {
-          smartProxyConfig.proxyIPs = [];
-        }
-        if (!smartProxyConfig.proxyIPs.includes('127.0.0.1')) {
-          smartProxyConfig.proxyIPs.push('127.0.0.1');
-        }
+      // RemoteIngress and VPN forward through localhost with PROXY protocol.
+      // SmartProxy only uses this as a trust list; routes still opt in per listener.
+      if (this.isRemoteIngressHubEnabled() || this.options.vpnConfig?.enabled) {
+        const trustedProxyIPs = new Set(smartProxyConfig.trustedProxyIPs || []);
+        trustedProxyIPs.add('127.0.0.1');
+        smartProxyConfig.trustedProxyIPs = [...trustedProxyIPs];
       }
 
       // Create SmartProxy instance
@@ -1577,6 +1565,101 @@ export class DcRouter {
    
    
 
+  private applyInboundProxyProtocolPolicies(
+    routes: plugins.smartproxy.IRouteConfig[],
+  ): plugins.smartproxy.IRouteConfig[] {
+    const policiesByListener = new Map<string, TInboundProxyProtocolPolicy>();
+
+    for (const route of routes) {
+      const policy = route.match?.inboundProxyProtocol || this.getDesiredInboundProxyProtocolPolicy(route);
+      if (!policy) {
+        continue;
+      }
+      for (const listenerKey of this.getInboundProxyListenerKeys(route)) {
+        const mergedPolicy = this.mergeInboundProxyProtocolPolicies(
+          policiesByListener.get(listenerKey),
+          policy,
+        );
+        if (mergedPolicy) {
+          policiesByListener.set(listenerKey, mergedPolicy);
+        }
+      }
+    }
+
+    if (policiesByListener.size === 0) {
+      return routes;
+    }
+
+    return routes.map((route) => {
+      if (route.match?.inboundProxyProtocol) {
+        return route;
+      }
+      let listenerPolicy: TInboundProxyProtocolPolicy | undefined;
+      for (const listenerKey of this.getInboundProxyListenerKeys(route)) {
+        listenerPolicy = this.mergeInboundProxyProtocolPolicies(
+          listenerPolicy,
+          policiesByListener.get(listenerKey),
+        );
+      }
+      if (!listenerPolicy) {
+        return route;
+      }
+      return {
+        ...route,
+        match: {
+          ...route.match,
+          inboundProxyProtocol: listenerPolicy,
+        },
+      };
+    });
+  }
+
+  private getDesiredInboundProxyProtocolPolicy(
+    route: plugins.smartproxy.IRouteConfig,
+  ): TInboundProxyProtocolPolicy | undefined {
+    const dcRoute = route as IDcRouterRouteConfig;
+    if (this.isRemoteIngressHubEnabled() && dcRoute.remoteIngress?.enabled) {
+      const ports = plugins.smartproxy.expandPortRange(route.match.ports as any) as number[];
+      if (ports.some((port) => port === 25 || port === 587)) {
+        return { mode: 'required' };
+      }
+      return { mode: 'optional' };
+    }
+    if (this.options.vpnConfig?.enabled) {
+      return { mode: 'optional' };
+    }
+    return undefined;
+  }
+
+  private getInboundProxyListenerKeys(route: plugins.smartproxy.IRouteConfig): string[] {
+    const ports = plugins.smartproxy.expandPortRange(route.match.ports as any) as number[];
+    const transports = route.match.transport === 'udp'
+      ? ['udp']
+      : route.match.transport === 'all'
+        ? ['tcp', 'udp']
+        : ['tcp'];
+    const keys: string[] = [];
+    for (const port of ports) {
+      for (const transport of transports) {
+        keys.push(`${transport}:${port}`);
+      }
+    }
+    return keys;
+  }
+
+  private mergeInboundProxyProtocolPolicies(
+    current?: TInboundProxyProtocolPolicy,
+    next?: TInboundProxyProtocolPolicy,
+  ): TInboundProxyProtocolPolicy | undefined {
+    if (!current) return next;
+    if (!next) return current;
+    if (current.mode === 'required') return current;
+    if (next.mode === 'required') return next;
+    if (current.mode === 'optional') return current;
+    if (next.mode === 'optional') return next;
+    return current;
+  }
+
   /**
    * Generate SmartProxy routes for email configuration
    */
@@ -1658,13 +1741,18 @@ export class DcRouter {
       const routeConfig: IDcRouterRouteConfig = {
         name: routeName,
         match: {
-          ports: [port]
+          ports: [port],
+          transport: 'tcp',
         },
         action: action
       };
 
       if (this.isRemoteIngressHubEnabled()) {
         routeConfig.remoteIngress = { enabled: true };
+        const inboundProxyProtocol = this.getRemoteIngressEmailInboundProxyPolicy(port);
+        if (inboundProxyProtocol) {
+          routeConfig.match.inboundProxyProtocol = inboundProxyProtocol;
+        }
       }
       
       // Add the route to our list
@@ -1765,8 +1853,15 @@ export class DcRouter {
     }
 
     const targetHost = target.host === 'localhost' ? '127.0.0.1' : target.host;
+    const inboundProxyProtocol = this.getRemoteIngressEmailInboundProxyPolicy(routePorts[0]);
     return {
       ...route,
+      match: {
+        ...route.match,
+        ...(inboundProxyProtocol
+          ? { inboundProxyProtocol }
+          : {}),
+      },
       action: {
         type: 'socket-handler' as any,
         socketHandler: this.createEmailSocketProxyHandler(targetHost, target.port),
@@ -1774,6 +1869,15 @@ export class DcRouter {
     };
   }
 
+  private getRemoteIngressEmailInboundProxyPolicy(
+    port: number,
+  ): TInboundProxyProtocolPolicy | undefined {
+    if (!this.isRemoteIngressHubEnabled()) {
+      return undefined;
+    }
+    return { mode: port === 25 || port === 587 ? 'required' : 'optional' };
+  }
+
   private createEmailSocketProxyHandler(
     targetHost: string,
     targetPort: number,
@@ -1972,28 +2076,9 @@ export class DcRouter {
       465: 10465   // SMTPS
     };
     
-    // Transform domains if they are provided as strings
-    let transformedDomains = this.options.emailConfig.domains;
-    if (transformedDomains && transformedDomains.length > 0) {
-      // Check if domains are strings (for backward compatibility)
-      if (typeof transformedDomains[0] === 'string') {
-        transformedDomains = (transformedDomains as any).map((domain: string) => ({
-          domain,
-          dnsMode: 'external-dns' as const,
-          dkim: {
-            selector: 'default',
-            keySize: 2048,
-            rotateKeys: false,
-            rotationInterval: 90
-          }
-        }));
-      }
-    }
-    
     // Create config with mapped ports
     const emailConfig: IUnifiedEmailServerOptions = await this.workAppMailManager.applyStoredIdentitiesToEmailConfig({
       ...this.options.emailConfig,
-      domains: transformedDomains,
       ports: this.options.emailConfig.ports.map(port => portMapping[port] || port + 10000),
       persistRoutes: this.options.emailConfig.persistRoutes ?? false,
       queue: {
@@ -2363,8 +2448,8 @@ export class DcRouter {
      // Ensure DKIM keys exist for internal-dns domains before generating records.
      await this.initializeDkimForEmailDomains();
      
-     // Generate DKIM records directly from smartmta instead of scanning legacy JSON files.
-     const dkimRecords = await this.loadDkimRecords();
+      // Generate DKIM records directly from smartmta.
+      const dkimRecords = await this.loadDkimRecords();
     
     // Combine all records: authoritative, email, DKIM, and user-defined
     const allRecords = [...authoritativeRecords, ...emailDnsRecords, ...dkimRecords];

package/ts/config/classes.api-token-manager.ts

@@ -111,13 +111,13 @@ export class ApiTokenManager {
     const scopes = new Set<TApiTokenScope>([...token.scopes, ...(token.policy?.scopes || [])]);
     if (scopes.has(scope)) return true;
 
-    const compatibilityAliases: Partial<Record<TApiTokenScope, TApiTokenScope[]>> = {
+    const equivalentScopes: Partial<Record<TApiTokenScope, TApiTokenScope[]>> = {
       'gateway-clients:read': ['workhosters:read'],
       'gateway-clients:write': ['workhosters:write'],
       'workhosters:read': ['gateway-clients:read'],
       'workhosters:write': ['gateway-clients:write'],
     };
-    return Boolean(compatibilityAliases[scope]?.some((alias) => scopes.has(alias)));
+    return Boolean(equivalentScopes[scope]?.some((alias) => scopes.has(alias)));
   }
 
   /**

package/ts/config/classes.route-config-manager.ts

@@ -68,6 +68,7 @@ export class RouteConfigManager {
     private onRoutesApplied?: (routes: plugins.smartproxy.IRouteConfig[]) => void | Promise<void>,
     private getRuntimeRoutes?: (preparedRoutes?: plugins.smartproxy.IRouteConfig[]) => plugins.smartproxy.IRouteConfig[],
     private hydrateStoredRoute?: (storedRoute: IRoute) => plugins.smartproxy.IRouteConfig | undefined,
+    private applyInboundProxyPolicies?: (routes: plugins.smartproxy.IRouteConfig[]) => plugins.smartproxy.IRouteConfig[],
   ) {}
 
   /** Expose routes map for reference resolution lookups. */
@@ -714,12 +715,15 @@ export class RouteConfigManager {
       const smartProxy = this.getSmartProxy();
       if (!smartProxy) return;
 
-      const enabledRoutes = this.getPreparedEnabledRoutesForApply();
+      let enabledRoutes = this.getPreparedEnabledRoutesForApply();
 
       const runtimeRoutes = this.getRuntimeRoutes?.(enabledRoutes) || [];
       for (const route of runtimeRoutes) {
         enabledRoutes.push(this.prepareRouteForApply(route));
       }
+      if (this.applyInboundProxyPolicies) {
+        enabledRoutes = this.applyInboundProxyPolicies(enabledRoutes);
+      }
 
       await smartProxy.updateRoutes(enabledRoutes);
 

package/ts/db/documents/classes.acme-config.doc.ts

@@ -8,9 +8,7 @@ const getDb = () => DcRouterDb.getInstance().getDb();
  * keyed on the fixed `configId = 'acme-config'` following the
  * `VpnServerKeysDoc` pattern.
  *
- * Replaces the legacy `tls.contactEmail` and `smartProxyConfig.acme.*`
- * constructor fields. Managed via the OpsServer UI at
- * **Domains > Certificates > Settings**.
+ * Managed via the OpsServer UI at **Domains > Certificates > Settings**.
  */
 @plugins.smartdata.Collection(() => getDb())
 export class AcmeConfigDoc extends plugins.smartdata.SmartDataDbDoc<AcmeConfigDoc, AcmeConfigDoc> {

package/ts/dns/manager.dns.ts

@@ -24,7 +24,6 @@ import type {
  *
  * Responsibilities:
  *  - Load Domain/DnsRecord docs from the DB on start
- *  - First-boot seeding from legacy constructor config (dnsScopes/dnsRecords/dnsNsDomains)
  *  - Register dcrouter-hosted domain records with smartdns.DnsServer at startup
  *  - Provide CRUD methods used by OpsServer handlers (dcrouter-hosted domains hit
  *    smartdns, provider domains hit the provider API)
@@ -53,13 +52,8 @@ export class DnsManager {
   // Lifecycle
   // ==========================================================================
 
-  /**
-   * Called from DcRouter after DcRouterDb is up. Performs first-boot seeding
-   * from legacy constructor config if (and only if) the DB is empty.
-   */
   public async start(): Promise<void> {
     logger.log('info', 'DnsManager: starting');
-    await this.seedFromConstructorConfigIfEmpty();
   }
 
   public async stop(): Promise<void> {
@@ -77,103 +71,6 @@ export class DnsManager {
     await this.applyDcrouterDomainsToDnsServer();
   }
 
-  // ==========================================================================
-  // First-boot seeding
-  // ==========================================================================
-
-  /**
-   * If no DomainDocs exist yet but the constructor has legacy DNS fields,
-   * seed them as dcrouter-hosted (`domain.source: 'dcrouter'`) zones with
-   * local (`record.source: 'local'`) records. On subsequent boots (DB has
-   * entries), constructor config is ignored with a warning.
-   */
-  private async seedFromConstructorConfigIfEmpty(): Promise<void> {
-    const existingDomains = await DomainDoc.findAll();
-    const hasLegacyConfig =
-      (this.options.dnsScopes && this.options.dnsScopes.length > 0) ||
-      (this.options.dnsRecords && this.options.dnsRecords.length > 0);
-
-    if (existingDomains.length > 0) {
-      if (hasLegacyConfig) {
-        logger.log(
-          'warn',
-          'DnsManager: DB has DomainDoc entries — ignoring legacy dnsScopes/dnsRecords constructor config. ' +
-            'dnsNsDomains is still required for nameserver and DoH bootstrap unless that moves into DB-backed config.',
-        );
-      }
-      return;
-    }
-
-    if (!hasLegacyConfig) {
-      return;
-    }
-
-    logger.log('info', 'DnsManager: seeding DB from legacy constructor DNS config');
-
-    const now = Date.now();
-    const seededDomains = new Map<string, DomainDoc>();
-
-    // Create one DomainDoc per dnsScope (these are the authoritative zones)
-    for (const scope of this.options.dnsScopes ?? []) {
-      const domain = new DomainDoc();
-      domain.id = plugins.uuid.v4();
-      domain.name = scope.toLowerCase();
-      domain.source = 'dcrouter';
-      domain.authoritative = true;
-      domain.createdAt = now;
-      domain.updatedAt = now;
-      domain.createdBy = 'seed';
-      await domain.save();
-      seededDomains.set(domain.name, domain);
-      logger.log('info', `DnsManager: seeded DomainDoc for ${domain.name}`);
-    }
-
-    // Map each legacy dnsRecord to its parent DomainDoc
-    for (const rec of this.options.dnsRecords ?? []) {
-      const parent = this.findParentDomain(rec.name, seededDomains);
-      if (!parent) {
-        logger.log(
-          'warn',
-          `DnsManager: legacy dnsRecord '${rec.name}' has no matching dnsScope — skipping seed`,
-        );
-        continue;
-      }
-      const record = new DnsRecordDoc();
-      record.id = plugins.uuid.v4();
-      record.domainId = parent.id;
-      record.name = rec.name.toLowerCase();
-      record.type = rec.type as TDnsRecordType;
-      record.value = rec.value;
-      record.ttl = rec.ttl ?? 300;
-      record.source = 'local';
-      record.createdAt = now;
-      record.updatedAt = now;
-      record.createdBy = 'seed';
-      await record.save();
-    }
-
-    logger.log(
-      'info',
-      `DnsManager: seeded ${seededDomains.size} domain(s) and ${this.options.dnsRecords?.length ?? 0} record(s) from legacy config`,
-    );
-  }
-
-  private findParentDomain(
-    recordName: string,
-    domains: Map<string, DomainDoc>,
-  ): DomainDoc | null {
-    const lower = recordName.toLowerCase().replace(/^\*\./, '');
-    let candidate: DomainDoc | null = null;
-    for (const [name, doc] of domains) {
-      if (lower === name || lower.endsWith(`.${name}`)) {
-        if (!candidate || name.length > candidate.name.length) {
-          candidate = doc;
-        }
-      }
-    }
-    return candidate;
-  }
-
   // ==========================================================================
   // DcRouter-hosted domain DnsServer wiring
   // ==========================================================================