@serve.zone/dcrouter 13.7.1 → 13.9.0

package/ts/dns/manager.dns.ts

@@ -25,9 +25,9 @@ import type {
  * Responsibilities:
  *  - Load Domain/DnsRecord docs from the DB on start
  *  - First-boot seeding from legacy constructor config (dnsScopes/dnsRecords/dnsNsDomains)
- *  - Register manual-domain records with smartdns.DnsServer at startup
- *  - Provide CRUD methods used by OpsServer handlers (manual domains hit smartdns,
- *    provider domains hit the provider API)
+ *  - Register dcrouter-hosted domain records with smartdns.DnsServer at startup
+ *  - Provide CRUD methods used by OpsServer handlers (dcrouter-hosted domains hit
+ *    smartdns, provider domains hit the provider API)
  *  - Expose a provider lookup used by the ACME DNS-01 wiring in setupSmartProxy()
  *
  * Provider-managed domains are NEVER served from the embedded DnsServer — the
@@ -69,12 +69,12 @@ export class DnsManager {
 
   /**
    * Wire the embedded DnsServer instance after it has been created by
-   * DcRouter.setupDnsWithSocketHandler(). After this, manual records loaded
-   * from the DB are registered with the server.
+   * DcRouter.setupDnsWithSocketHandler(). After this, local records on
+   * dcrouter-hosted domains loaded from the DB are registered with the server.
    */
   public async attachDnsServer(dnsServer: plugins.smartdns.dnsServerMod.DnsServer): Promise<void> {
     this.dnsServer = dnsServer;
-    await this.applyManualDomainsToDnsServer();
+    await this.applyDcrouterDomainsToDnsServer();
   }
 
   // ==========================================================================
@@ -83,7 +83,8 @@ export class DnsManager {
 
   /**
    * If no DomainDocs exist yet but the constructor has legacy DNS fields,
-   * seed them as `source: 'manual'` records. On subsequent boots (DB has
+   * seed them as dcrouter-hosted (`domain.source: 'dcrouter'`) zones with
+   * local (`record.source: 'local'`) records. On subsequent boots (DB has
    * entries), constructor config is ignored with a warning.
    */
   private async seedFromConstructorConfigIfEmpty(): Promise<void> {
@@ -117,7 +118,7 @@ export class DnsManager {
       const domain = new DomainDoc();
       domain.id = plugins.uuid.v4();
       domain.name = scope.toLowerCase();
-      domain.source = 'manual';
+      domain.source = 'dcrouter';
       domain.authoritative = true;
       domain.createdAt = now;
       domain.updatedAt = now;
@@ -144,7 +145,7 @@ export class DnsManager {
       record.type = rec.type as TDnsRecordType;
       record.value = rec.value;
       record.ttl = rec.ttl ?? 300;
-      record.source = 'manual';
+      record.source = 'local';
       record.createdAt = now;
       record.updatedAt = now;
       record.createdBy = 'seed';
@@ -174,28 +175,31 @@ export class DnsManager {
   }
 
   // ==========================================================================
-  // Manual-domain DnsServer wiring
+  // DcRouter-hosted domain DnsServer wiring
   // ==========================================================================
 
   /**
-   * Register all manual-domain records from the DB with the embedded DnsServer.
-   * Called once after attachDnsServer().
+   * Register all records from dcrouter-hosted domains in the DB with the
+   * embedded DnsServer. Called once after attachDnsServer().
    */
-  private async applyManualDomainsToDnsServer(): Promise<void> {
+  private async applyDcrouterDomainsToDnsServer(): Promise<void> {
     if (!this.dnsServer) {
       return;
     }
     const allDomains = await DomainDoc.findAll();
-    const manualDomains = allDomains.filter((d) => d.source === 'manual');
+    const dcrouterDomains = allDomains.filter((d) => d.source === 'dcrouter');
     let registered = 0;
-    for (const domain of manualDomains) {
+    for (const domain of dcrouterDomains) {
       const records = await DnsRecordDoc.findByDomainId(domain.id);
       for (const rec of records) {
         this.registerRecordWithDnsServer(rec);
         registered++;
       }
     }
-    logger.log('info', `DnsManager: registered ${registered} manual DNS record(s) from DB`);
+    logger.log(
+      'info',
+      `DnsManager: registered ${registered} dcrouter-hosted DNS record(s) from DB`,
+    );
   }
 
   /**
@@ -381,6 +385,12 @@ export class DnsManager {
     credentials: TDnsProviderCredentials;
     createdBy: string;
   }): Promise<string> {
+    if (args.type === 'dcrouter') {
+      throw new Error(
+        'createProvider: cannot create a DnsProviderDoc with type "dcrouter" — ' +
+          'that type is reserved for the built-in pseudo-provider surfaced at read time.',
+      );
+    }
     const now = Date.now();
     const doc = new DnsProviderDoc();
     doc.id = plugins.uuid.v4();
@@ -473,10 +483,10 @@ export class DnsManager {
   }
 
   /**
-   * Create a manual (authoritative) domain. dcrouter will serve DNS records
-   * for this domain via the embedded smartdns.DnsServer.
+   * Create a dcrouter-hosted (authoritative) domain. dcrouter will serve
+   * DNS records for this domain via the embedded smartdns.DnsServer.
    */
-  public async createManualDomain(args: {
+  public async createDcrouterDomain(args: {
     name: string;
     description?: string;
     createdBy: string;
@@ -485,7 +495,7 @@ export class DnsManager {
     const doc = new DomainDoc();
     doc.id = plugins.uuid.v4();
     doc.name = args.name.toLowerCase();
-    doc.source = 'manual';
+    doc.source = 'dcrouter';
     doc.authoritative = true;
     doc.description = args.description;
     doc.createdAt = now;
@@ -571,10 +581,11 @@ export class DnsManager {
   /**
    * Delete a domain and all of its DNS records. For provider domains, only
    * removes the local mirror — does NOT touch the provider.
-   * For manual domains, also unregisters records from the embedded DnsServer.
+   * For dcrouter-hosted domains, also unregisters records from the embedded
+   * DnsServer.
    *
    * Note: smartdns has no public unregister-by-name API in the version pinned
-   * here, so manual record deletes only take effect after a restart. The DB
+   * here, so local record deletes only take effect after a restart. The DB
    * is the source of truth and the next start will not register the deleted
    * record.
    */
@@ -652,7 +663,7 @@ export class DnsManager {
     doc.value = args.value;
     doc.ttl = args.ttl ?? 300;
     if (args.proxied !== undefined) doc.proxied = args.proxied;
-    doc.source = 'manual';
+    doc.source = 'local';
     doc.createdAt = now;
     doc.updatedAt = now;
     doc.createdBy = args.createdBy;
@@ -678,7 +689,7 @@ export class DnsManager {
         return { success: false, message: `Provider rejected record: ${(err as Error).message}` };
       }
     } else {
-      // Manual / authoritative — register with embedded DnsServer immediately
+      // dcrouter-hosted / authoritative — register with embedded DnsServer immediately
       this.registerRecordWithDnsServer(doc);
     }
 
@@ -722,7 +733,7 @@ export class DnsManager {
         return { success: false, message: `Provider rejected update: ${(err as Error).message}` };
       }
     } else {
-      // Re-register the manual record so the new closure picks up the updated fields
+      // Re-register the local record so the new closure picks up the updated fields
       this.registerRecordWithDnsServer(doc);
     }
 
@@ -748,7 +759,7 @@ export class DnsManager {
         }
       }
     }
-    // For manual records: smartdns has no unregister API in the pinned version,
+    // For local records: smartdns has no unregister API in the pinned version,
     // so the record stays served until the next restart. The DB delete still
     // takes effect — on restart, the record will not be re-registered.
 
@@ -807,7 +818,7 @@ export class DnsManager {
   public toPublicDomain(doc: DomainDoc): {
     id: string;
     name: string;
-    source: 'manual' | 'provider';
+    source: 'dcrouter' | 'provider';
     providerId?: string;
     authoritative: boolean;
     nameservers?: string[];

package/ts/dns/providers/factory.ts

@@ -38,6 +38,17 @@ export function createDnsProvider(
       }
       return new CloudflareDnsProvider(credentials.apiToken);
     }
+    case 'dcrouter': {
+      // The built-in DcRouter pseudo-provider has no runtime client — dcrouter
+      // itself serves the records via the embedded smartdns.DnsServer. This
+      // case exists only to satisfy the exhaustive switch; it should never
+      // actually run because the handler layer rejects any CRUD that would
+      // result in a DnsProviderDoc with type: 'dcrouter'.
+      throw new Error(
+        `createDnsProvider: 'dcrouter' is a built-in pseudo-provider — no runtime client exists. ` +
+          `This call indicates a DnsProviderDoc with type: 'dcrouter' was persisted, which should never happen.`,
+      );
+    }
     default: {
       // If you see a TypeScript error here after extending TDnsProviderType,
       // add a `case` for the new type above. The `never` enforces exhaustiveness.

package/ts/opsserver/classes.opsserver.ts

@@ -36,6 +36,7 @@ export class OpsServer {
   private dnsProviderHandler!: handlers.DnsProviderHandler;
   private domainHandler!: handlers.DomainHandler;
   private dnsRecordHandler!: handlers.DnsRecordHandler;
+  private acmeConfigHandler!: handlers.AcmeConfigHandler;
 
   constructor(dcRouterRefArg: DcRouter) {
     this.dcRouterRef = dcRouterRefArg;
@@ -102,6 +103,7 @@ export class OpsServer {
     this.dnsProviderHandler = new handlers.DnsProviderHandler(this);
     this.domainHandler = new handlers.DomainHandler(this);
     this.dnsRecordHandler = new handlers.DnsRecordHandler(this);
+    this.acmeConfigHandler = new handlers.AcmeConfigHandler(this);
 
     console.log('✅ OpsServer TypedRequest handlers initialized');
   }

package/ts/opsserver/handlers/acme-config.handler.ts

@@ -0,0 +1,94 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+
+/**
+ * CRUD handler for the singleton `AcmeConfigDoc`.
+ *
+ * Auth: same dual-mode pattern as other handlers — admin JWT or API token
+ * with `acme-config:read` / `acme-config:write` scope.
+ */
+export class AcmeConfigHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private async requireAuth(
+    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
+    requiredScope?: interfaces.data.TApiTokenScope,
+  ): Promise<string> {
+    if (request.identity?.jwt) {
+      try {
+        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
+          identity: request.identity,
+        });
+        if (isAdmin) return request.identity.userId;
+      } catch { /* fall through */ }
+    }
+
+    if (request.apiToken) {
+      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
+      if (tokenManager) {
+        const token = await tokenManager.validateToken(request.apiToken);
+        if (token) {
+          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
+            return token.createdBy;
+          }
+          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
+        }
+      }
+    }
+
+    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+  }
+
+  private registerHandlers(): void {
+    // Get current ACME config
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetAcmeConfig>(
+        'getAcmeConfig',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'acme-config:read');
+          const mgr = this.opsServerRef.dcRouterRef.acmeConfigManager;
+          if (!mgr) return { config: null };
+          return { config: mgr.getConfig() };
+        },
+      ),
+    );
+
+    // Update (upsert) the ACME config
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateAcmeConfig>(
+        'updateAcmeConfig',
+        async (dataArg) => {
+          const userId = await this.requireAuth(dataArg, 'acme-config:write');
+          const mgr = this.opsServerRef.dcRouterRef.acmeConfigManager;
+          if (!mgr) {
+            return {
+              success: false,
+              message: 'AcmeConfigManager not initialized (DB disabled?)',
+            };
+          }
+          try {
+            const updated = await mgr.updateConfig(
+              {
+                accountEmail: dataArg.accountEmail,
+                enabled: dataArg.enabled,
+                useProduction: dataArg.useProduction,
+                autoRenew: dataArg.autoRenew,
+                renewThresholdDays: dataArg.renewThresholdDays,
+              },
+              userId,
+            );
+            return { success: true, config: updated };
+          } catch (err: unknown) {
+            return { success: false, message: (err as Error).message };
+          }
+        },
+      ),
+    );
+  }
+}

package/ts/opsserver/handlers/dns-provider.handler.ts

@@ -46,15 +46,28 @@ export class DnsProviderHandler {
   }
 
   private registerHandlers(): void {
-    // Get all providers
+    // Get all providers — prepends the built-in DcRouter pseudo-provider
+    // so operators see a uniform "who serves this?" list that includes the
+    // authoritative dcrouter alongside external accounts.
     this.typedrouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetDnsProviders>(
         'getDnsProviders',
         async (dataArg) => {
           await this.requireAuth(dataArg, 'dns-providers:read');
           const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
-          if (!dnsManager) return { providers: [] };
-          return { providers: await dnsManager.listProviders() };
+          const synthetic: interfaces.data.IDnsProviderPublic = {
+            id: interfaces.data.DCROUTER_BUILTIN_PROVIDER_ID,
+            name: 'DcRouter',
+            type: 'dcrouter',
+            status: 'ok',
+            createdAt: 0,
+            updatedAt: 0,
+            createdBy: 'system',
+            hasCredentials: false,
+            builtIn: true,
+          };
+          const real = dnsManager ? await dnsManager.listProviders() : [];
+          return { providers: [synthetic, ...real] };
         },
       ),
     );
@@ -78,6 +91,12 @@ export class DnsProviderHandler {
         'createDnsProvider',
         async (dataArg) => {
           const userId = await this.requireAuth(dataArg, 'dns-providers:write');
+          if (dataArg.type === 'dcrouter') {
+            return {
+              success: false,
+              message: 'cannot create built-in provider',
+            };
+          }
           const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
           if (!dnsManager) {
             return { success: false, message: 'DnsManager not initialized (DB disabled?)' };
@@ -99,6 +118,9 @@ export class DnsProviderHandler {
         'updateDnsProvider',
         async (dataArg) => {
           await this.requireAuth(dataArg, 'dns-providers:write');
+          if (dataArg.id === interfaces.data.DCROUTER_BUILTIN_PROVIDER_ID) {
+            return { success: false, message: 'cannot edit built-in provider' };
+          }
           const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
           if (!dnsManager) return { success: false, message: 'DnsManager not initialized' };
           const ok = await dnsManager.updateProvider(dataArg.id, {
@@ -116,6 +138,9 @@ export class DnsProviderHandler {
         'deleteDnsProvider',
         async (dataArg) => {
           await this.requireAuth(dataArg, 'dns-providers:write');
+          if (dataArg.id === interfaces.data.DCROUTER_BUILTIN_PROVIDER_ID) {
+            return { success: false, message: 'cannot delete built-in provider' };
+          }
           const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
           if (!dnsManager) return { success: false, message: 'DnsManager not initialized' };
           return await dnsManager.deleteProvider(dataArg.id, dataArg.force ?? false);
@@ -129,6 +154,13 @@ export class DnsProviderHandler {
         'testDnsProvider',
         async (dataArg) => {
           await this.requireAuth(dataArg, 'dns-providers:read');
+          if (dataArg.id === interfaces.data.DCROUTER_BUILTIN_PROVIDER_ID) {
+            return {
+              ok: false,
+              error: 'built-in provider has no external connection to test',
+              testedAt: Date.now(),
+            };
+          }
           const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
           if (!dnsManager) {
             return { ok: false, error: 'DnsManager not initialized', testedAt: Date.now() };
@@ -144,6 +176,12 @@ export class DnsProviderHandler {
         'listProviderDomains',
         async (dataArg) => {
           await this.requireAuth(dataArg, 'dns-providers:read');
+          if (dataArg.providerId === interfaces.data.DCROUTER_BUILTIN_PROVIDER_ID) {
+            return {
+              success: false,
+              message: 'built-in provider has no external domain listing — use "Add DcRouter Domain" instead',
+            };
+          }
           const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
           if (!dnsManager) return { success: false, message: 'DnsManager not initialized' };
           try {

package/ts/opsserver/handlers/domain.handler.ts

@@ -71,7 +71,7 @@ export class DomainHandler {
       ),
     );
 
-    // Create manual domain
+    // Create dcrouter-hosted domain
     this.typedrouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateDomain>(
         'createDomain',
@@ -80,7 +80,7 @@ export class DomainHandler {
           const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
           if (!dnsManager) return { success: false, message: 'DnsManager not initialized' };
           try {
-            const id = await dnsManager.createManualDomain({
+            const id = await dnsManager.createDcrouterDomain({
               name: dataArg.name,
               description: dataArg.description,
               createdBy: userId,

package/ts/opsserver/handlers/index.ts

@@ -16,4 +16,5 @@ export * from './network-target.handler.js';
 export * from './users.handler.js';
 export * from './dns-provider.handler.js';
 export * from './domain.handler.js';
-export * from './dns-record.handler.js';
+export * from './dns-record.handler.js';
+export * from './acme-config.handler.js';

package/ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.7.1',
+  version: '13.9.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

package/ts_web/appstate.ts

@@ -197,6 +197,28 @@ export const certificateStatePart = await appState.getStatePart<ICertificateStat
   'soft'
 );
 
+// ============================================================================
+// ACME Config State (DB-backed singleton, managed via Domains > Certificates)
+// ============================================================================
+
+export interface IAcmeConfigState {
+  config: interfaces.data.IAcmeConfig | null;
+  isLoading: boolean;
+  error: string | null;
+  lastUpdated: number;
+}
+
+export const acmeConfigStatePart = await appState.getStatePart<IAcmeConfigState>(
+  'acmeConfig',
+  {
+    config: null,
+    isLoading: false,
+    error: null,
+    lastUpdated: 0,
+  },
+  'soft',
+);
+
 // ============================================================================
 // Remote Ingress State
 // ============================================================================
@@ -1771,7 +1793,7 @@ export async function fetchProviderDomains(
   return await request.fire({ identity: context.identity, providerId });
 }
 
-export const createManualDomainAction = domainsStatePart.createAction<{
+export const createDcrouterDomainAction = domainsStatePart.createAction<{
   name: string;
   description?: string;
 }>(async (statePartArg, dataArg, actionContext): Promise<IDomainsState> => {
@@ -1953,6 +1975,72 @@ export const deleteDnsRecordAction = domainsStatePart.createAction<{ id: string;
   },
 );
 
+// ============================================================================
+// ACME Config Actions
+// ============================================================================
+
+export const fetchAcmeConfigAction = acmeConfigStatePart.createAction(
+  async (statePartArg): Promise<IAcmeConfigState> => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState()!;
+    if (!context.identity) return currentState;
+
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_GetAcmeConfig
+      >('/typedrequest', 'getAcmeConfig');
+      const response = await request.fire({ identity: context.identity });
+      return {
+        config: response.config,
+        isLoading: false,
+        error: null,
+        lastUpdated: Date.now(),
+      };
+    } catch (error: unknown) {
+      return {
+        ...currentState,
+        isLoading: false,
+        error: error instanceof Error ? error.message : 'Failed to fetch ACME config',
+      };
+    }
+  },
+);
+
+export const updateAcmeConfigAction = acmeConfigStatePart.createAction<{
+  accountEmail?: string;
+  enabled?: boolean;
+  useProduction?: boolean;
+  autoRenew?: boolean;
+  renewThresholdDays?: number;
+}>(async (statePartArg, dataArg, actionContext): Promise<IAcmeConfigState> => {
+  const context = getActionContext();
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_UpdateAcmeConfig
+    >('/typedrequest', 'updateAcmeConfig');
+    const response = await request.fire({
+      identity: context.identity!,
+      accountEmail: dataArg.accountEmail,
+      enabled: dataArg.enabled,
+      useProduction: dataArg.useProduction,
+      autoRenew: dataArg.autoRenew,
+      renewThresholdDays: dataArg.renewThresholdDays,
+    });
+    if (!response.success) {
+      return {
+        ...statePartArg.getState()!,
+        error: response.message || 'Failed to update ACME config',
+      };
+    }
+    return await actionContext!.dispatch(fetchAcmeConfigAction, null);
+  } catch (error: unknown) {
+    return {
+      ...statePartArg.getState()!,
+      error: error instanceof Error ? error.message : 'Failed to update ACME config',
+    };
+  }
+});
+
 // ============================================================================
 // Route Management Actions
 // ============================================================================

package/ts_web/elements/domains/dns-provider-form.ts

@@ -44,12 +44,15 @@ export class DnsProviderForm extends DeesElement {
   accessor providerName: string = '';
 
   /**
-   * Currently selected provider type. Initialized to the first descriptor;
-   * caller can override before mounting (e.g. for edit dialogs).
+   * Currently selected provider type. Initialized to the first user-creatable
+   * descriptor; caller can override before mounting (e.g. for edit dialogs).
+   * The built-in 'dcrouter' pseudo-provider is excluded from the picker —
+   * operators cannot create another one.
    */
   @state()
   accessor selectedType: interfaces.data.TDnsProviderType =
-    interfaces.data.dnsProviderTypeDescriptors[0]?.type ?? 'cloudflare';
+    interfaces.data.dnsProviderTypeDescriptors.find((d) => d.type !== 'dcrouter')?.type ??
+    'cloudflare';
 
   /** When true, hide the type picker — used in edit dialogs. */
   @property({ type: Boolean })
@@ -102,7 +105,12 @@ export class DnsProviderForm extends DeesElement {
   ];
 
   public render(): TemplateResult {
-    const descriptors = interfaces.data.dnsProviderTypeDescriptors;
+    // Exclude the built-in 'dcrouter' pseudo-provider from the type picker —
+    // operators cannot create another one, it's surfaced at read time by the
+    // backend handler instead.
+    const descriptors = interfaces.data.dnsProviderTypeDescriptors.filter(
+      (d) => d.type !== 'dcrouter',
+    );
     const descriptor = interfaces.data.getDnsProviderTypeDescriptor(this.selectedType);
 
     return html`