chore: cleanup and route refactoring

Signed-off-by: allanice001 <allanice001@gmail.com>
2026-02-13 04:40:05 +01:00 · 2025-11-14 06:12:59 +00:00
parent b358911b1b
commit fc1c83ba18
51 changed files with 4099 additions and 539 deletions
--- a/internal/api/mount_admin_routes.go
+++ b/internal/api/mount_admin_routes.go
@@ -0,0 +1,26 @@
+package api
+
+import (
+	"net/http"
+
+	"github.com/glueops/autoglue/internal/api/httpmiddleware"
+	"github.com/glueops/autoglue/internal/bg"
+	"github.com/glueops/autoglue/internal/handlers"
+	"github.com/go-chi/chi/v5"
+	"gorm.io/gorm"
+)
+
+func mountAdminRoutes(r chi.Router, db *gorm.DB, jobs *bg.Jobs, authUser func(http.Handler) http.Handler) {
+	r.Route("/admin", func(admin chi.Router) {
+		admin.Route("/archer", func(archer chi.Router) {
+			archer.Use(authUser)
+			archer.Use(httpmiddleware.RequirePlatformAdmin())
+
+			archer.Get("/jobs", handlers.AdminListArcherJobs(db))
+			archer.Post("/jobs", handlers.AdminEnqueueArcherJob(db, jobs))
+			archer.Post("/jobs/{id}/retry", handlers.AdminRetryArcherJob(db))
+			archer.Post("/jobs/{id}/cancel", handlers.AdminCancelArcherJob(db))
+			archer.Get("/queues", handlers.AdminListArcherQueues(db))
+		})
+	})
+}
--- a/internal/api/mount_annotation_routes.go
+++ b/internal/api/mount_annotation_routes.go
@@ -0,0 +1,20 @@
+package api
+
+import (
+	"net/http"
+
+	"github.com/glueops/autoglue/internal/handlers"
+	"github.com/go-chi/chi/v5"
+	"gorm.io/gorm"
+)
+
+func mountAnnotationRoutes(r chi.Router, db *gorm.DB, authOrg func(http.Handler) http.Handler) {
+	r.Route("/annotations", func(a chi.Router) {
+		a.Use(authOrg)
+		a.Get("/", handlers.ListAnnotations(db))
+		a.Post("/", handlers.CreateAnnotation(db))
+		a.Get("/{id}", handlers.GetAnnotation(db))
+		a.Patch("/{id}", handlers.UpdateAnnotation(db))
+		a.Delete("/{id}", handlers.DeleteAnnotation(db))
+	})
+}
--- a/internal/api/mount_api_routes.go
+++ b/internal/api/mount_api_routes.go
@@ -0,0 +1,37 @@
+package api
+
+import (
+	"github.com/glueops/autoglue/internal/api/httpmiddleware"
+	"github.com/glueops/autoglue/internal/bg"
+	"github.com/go-chi/chi/v5"
+	"gorm.io/gorm"
+)
+
+func mountAPIRoutes(r chi.Router, db *gorm.DB, jobs *bg.Jobs) {
+	r.Route("/api", func(api chi.Router) {
+		api.Route("/v1", func(v1 chi.Router) {
+			authUser := httpmiddleware.AuthMiddleware(db, false)
+			authOrg := httpmiddleware.AuthMiddleware(db, true)
+
+			// shared basics
+			mountMetaRoutes(v1)
+			mountAuthRoutes(v1, db)
+
+			// admin
+			mountAdminRoutes(v1, db, jobs, authUser)
+
+			// user/org scoped
+			mountMeRoutes(v1, db, authUser)
+			mountOrgRoutes(v1, db, authUser, authOrg)
+
+			mountCredentialRoutes(v1, db, authOrg)
+			mountSSHRoutes(v1, db, authOrg)
+			mountServerRoutes(v1, db, authOrg)
+			mountTaintRoutes(v1, db, authOrg)
+			mountLabelRoutes(v1, db, authOrg)
+			mountAnnotationRoutes(v1, db, authOrg)
+			mountNodePoolRoutes(v1, db, authOrg)
+			mountDNSRoutes(v1, db, authOrg)
+		})
+	})
+}
--- a/internal/api/mount_auth_routes.go
+++ b/internal/api/mount_auth_routes.go
@@ -0,0 +1,16 @@
+package api
+
+import (
+	"github.com/glueops/autoglue/internal/handlers"
+	"github.com/go-chi/chi/v5"
+	"gorm.io/gorm"
+)
+
+func mountAuthRoutes(r chi.Router, db *gorm.DB) {
+	r.Route("/auth", func(a chi.Router) {
+		a.Post("/{provider}/start", handlers.AuthStart(db))
+		a.Get("/{provider}/callback", handlers.AuthCallback(db))
+		a.Post("/refresh", handlers.Refresh(db))
+		a.Post("/logout", handlers.Logout(db))
+	})
+}
--- a/internal/api/mount_credential_routes.go
+++ b/internal/api/mount_credential_routes.go
@@ -0,0 +1,21 @@
+package api
+
+import (
+	"net/http"
+
+	"github.com/glueops/autoglue/internal/handlers"
+	"github.com/go-chi/chi/v5"
+	"gorm.io/gorm"
+)
+
+func mountCredentialRoutes(r chi.Router, db *gorm.DB, authOrg func(http.Handler) http.Handler) {
+	r.Route("/credentials", func(c chi.Router) {
+		c.Use(authOrg)
+		c.Get("/", handlers.ListCredentials(db))
+		c.Post("/", handlers.CreateCredential(db))
+		c.Get("/{id}", handlers.GetCredential(db))
+		c.Patch("/{id}", handlers.UpdateCredential(db))
+		c.Delete("/{id}", handlers.DeleteCredential(db))
+		c.Post("/{id}/reveal", handlers.RevealCredential(db))
+	})
+}
--- a/internal/api/mount_db_studio.go
+++ b/internal/api/mount_db_studio.go
@@ -0,0 +1,53 @@
+package api
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+	pgapi "github.com/sosedoff/pgweb/pkg/api"
+	pgclient "github.com/sosedoff/pgweb/pkg/client"
+	pgcmd "github.com/sosedoff/pgweb/pkg/command"
+)
+
+func PgwebHandler(dbURL, prefix string, readonly bool) (http.Handler, error) {
+	// Normalize prefix for pgweb:
+	//  - no leading slash
+	//  - always trailing slash if not empty
+	prefix = strings.Trim(prefix, "/")
+	if prefix != "" {
+		prefix = prefix + "/"
+	}
+
+	pgcmd.Opts = pgcmd.Options{
+		URL:         dbURL,
+		Prefix:      prefix, // e.g. "db-studio/"
+		ReadOnly:    readonly,
+		Sessions:    false,
+		LockSession: true,
+		SkipOpen:    true,
+	}
+
+	cli, err := pgclient.NewFromUrl(dbURL, nil)
+	if err != nil {
+		return nil, err
+	}
+	if readonly {
+		_ = cli.SetReadOnlyMode()
+	}
+
+	if err := cli.Test(); err != nil {
+		return nil, err
+	}
+
+	pgapi.DbClient = cli
+
+	gin.SetMode(gin.ReleaseMode)
+	g := gin.New()
+	g.Use(gin.Recovery())
+
+	pgapi.SetupRoutes(g)
+	pgapi.SetupMetrics(g)
+
+	return g, nil
+}
--- a/internal/api/mount_dns_routes.go
+++ b/internal/api/mount_dns_routes.go
@@ -0,0 +1,26 @@
+package api
+
+import (
+	"net/http"
+
+	"github.com/glueops/autoglue/internal/handlers"
+	"github.com/go-chi/chi/v5"
+	"gorm.io/gorm"
+)
+
+func mountDNSRoutes(r chi.Router, db *gorm.DB, authOrg func(http.Handler) http.Handler) {
+	r.Route("/dns", func(d chi.Router) {
+		d.Use(authOrg)
+
+		d.Get("/domains", handlers.ListDomains(db))
+		d.Post("/domains", handlers.CreateDomain(db))
+		d.Get("/domains/{id}", handlers.GetDomain(db))
+		d.Patch("/domains/{id}", handlers.UpdateDomain(db))
+		d.Delete("/domains/{id}", handlers.DeleteDomain(db))
+
+		d.Get("/domains/{domain_id}/records", handlers.ListRecordSets(db))
+		d.Post("/domains/{domain_id}/records", handlers.CreateRecordSet(db))
+		d.Patch("/records/{id}", handlers.UpdateRecordSet(db))
+		d.Delete("/records/{id}", handlers.DeleteRecordSet(db))
+	})
+}
--- a/internal/api/mount_label_routes.go
+++ b/internal/api/mount_label_routes.go
@@ -0,0 +1,20 @@
+package api
+
+import (
+	"net/http"
+
+	"github.com/glueops/autoglue/internal/handlers"
+	"github.com/go-chi/chi/v5"
+	"gorm.io/gorm"
+)
+
+func mountLabelRoutes(r chi.Router, db *gorm.DB, authOrg func(http.Handler) http.Handler) {
+	r.Route("/labels", func(l chi.Router) {
+		l.Use(authOrg)
+		l.Get("/", handlers.ListLabels(db))
+		l.Post("/", handlers.CreateLabel(db))
+		l.Get("/{id}", handlers.GetLabel(db))
+		l.Patch("/{id}", handlers.UpdateLabel(db))
+		l.Delete("/{id}", handlers.DeleteLabel(db))
+	})
+}
--- a/internal/api/mount_me_routes.go
+++ b/internal/api/mount_me_routes.go
@@ -0,0 +1,22 @@
+package api
+
+import (
+	"net/http"
+
+	"github.com/glueops/autoglue/internal/handlers"
+	"github.com/go-chi/chi/v5"
+	"gorm.io/gorm"
+)
+
+func mountMeRoutes(r chi.Router, db *gorm.DB, authUser func(http.Handler) http.Handler) {
+	r.Route("/me", func(me chi.Router) {
+		me.Use(authUser)
+
+		me.Get("/", handlers.GetMe(db))
+		me.Patch("/", handlers.UpdateMe(db))
+
+		me.Get("/api-keys", handlers.ListUserAPIKeys(db))
+		me.Post("/api-keys", handlers.CreateUserAPIKey(db))
+		me.Delete("/api-keys/{id}", handlers.DeleteUserAPIKey(db))
+	})
+}
--- a/internal/api/mount_meta_routes.go
+++ b/internal/api/mount_meta_routes.go
@@ -0,0 +1,13 @@
+package api
+
+import (
+	"github.com/glueops/autoglue/internal/handlers"
+	"github.com/go-chi/chi/v5"
+)
+
+func mountMetaRoutes(r chi.Router) {
+	// Versioned JWKS for swagger
+	r.Get("/.well-known/jwks.json", handlers.JWKSHandler)
+	r.Get("/healthz", handlers.HealthCheck)
+	r.Get("/version", handlers.Version)
+}
--- a/internal/api/mount_node_pool_routes.go
+++ b/internal/api/mount_node_pool_routes.go
@@ -0,0 +1,40 @@
+package api
+
+import (
+	"net/http"
+
+	"github.com/glueops/autoglue/internal/handlers"
+	"github.com/go-chi/chi/v5"
+	"gorm.io/gorm"
+)
+
+func mountNodePoolRoutes(r chi.Router, db *gorm.DB, authOrg func(http.Handler) http.Handler) {
+	r.Route("/node-pools", func(n chi.Router) {
+		n.Use(authOrg)
+		n.Get("/", handlers.ListNodePools(db))
+		n.Post("/", handlers.CreateNodePool(db))
+		n.Get("/{id}", handlers.GetNodePool(db))
+		n.Patch("/{id}", handlers.UpdateNodePool(db))
+		n.Delete("/{id}", handlers.DeleteNodePool(db))
+
+		// Servers
+		n.Get("/{id}/servers", handlers.ListNodePoolServers(db))
+		n.Post("/{id}/servers", handlers.AttachNodePoolServers(db))
+		n.Delete("/{id}/servers/{serverId}", handlers.DetachNodePoolServer(db))
+
+		// Taints
+		n.Get("/{id}/taints", handlers.ListNodePoolTaints(db))
+		n.Post("/{id}/taints", handlers.AttachNodePoolTaints(db))
+		n.Delete("/{id}/taints/{taintId}", handlers.DetachNodePoolTaint(db))
+
+		// Labels
+		n.Get("/{id}/labels", handlers.ListNodePoolLabels(db))
+		n.Post("/{id}/labels", handlers.AttachNodePoolLabels(db))
+		n.Delete("/{id}/labels/{labelId}", handlers.DetachNodePoolLabel(db))
+
+		// Annotations
+		n.Get("/{id}/annotations", handlers.ListNodePoolAnnotations(db))
+		n.Post("/{id}/annotations", handlers.AttachNodePoolAnnotations(db))
+		n.Delete("/{id}/annotations/{annotationId}", handlers.DetachNodePoolAnnotation(db))
+	})
+}
--- a/internal/api/mount_org_routes.go
+++ b/internal/api/mount_org_routes.go
@@ -0,0 +1,35 @@
+package api
+
+import (
+	"net/http"
+
+	"github.com/glueops/autoglue/internal/handlers"
+	"github.com/go-chi/chi/v5"
+	"gorm.io/gorm"
+)
+
+func mountOrgRoutes(r chi.Router, db *gorm.DB, authUser, authOrg func(http.Handler) http.Handler) {
+	r.Route("/orgs", func(o chi.Router) {
+		o.Use(authUser)
+		o.Get("/", handlers.ListMyOrgs(db))
+		o.Post("/", handlers.CreateOrg(db))
+
+		o.Group(func(og chi.Router) {
+			og.Use(authOrg)
+
+			og.Get("/{id}", handlers.GetOrg(db))
+			og.Patch("/{id}", handlers.UpdateOrg(db))
+			og.Delete("/{id}", handlers.DeleteOrg(db))
+
+			// members
+			og.Get("/{id}/members", handlers.ListMembers(db))
+			og.Post("/{id}/members", handlers.AddOrUpdateMember(db))
+			og.Delete("/{id}/members/{user_id}", handlers.RemoveMember(db))
+
+			// org-scoped key/secret pair
+			og.Get("/{id}/api-keys", handlers.ListOrgKeys(db))
+			og.Post("/{id}/api-keys", handlers.CreateOrgKey(db))
+			og.Delete("/{id}/api-keys/{key_id}", handlers.DeleteOrgKey(db))
+		})
+	})
+}
--- a/internal/api/mount_pprof_routes.go
+++ b/internal/api/mount_pprof_routes.go
@@ -0,0 +1,24 @@
+package api
+
+import (
+	httpPprof "net/http/pprof"
+
+	"github.com/go-chi/chi/v5"
+)
+
+func mountPprofRoutes(r chi.Router) {
+	r.Route("/debug/pprof", func(pr chi.Router) {
+		pr.Get("/", httpPprof.Index)
+		pr.Get("/cmdline", httpPprof.Cmdline)
+		pr.Get("/profile", httpPprof.Profile)
+		pr.Get("/symbol", httpPprof.Symbol)
+		pr.Get("/trace", httpPprof.Trace)
+
+		pr.Handle("/allocs", httpPprof.Handler("allocs"))
+		pr.Handle("/block", httpPprof.Handler("block"))
+		pr.Handle("/goroutine", httpPprof.Handler("goroutine"))
+		pr.Handle("/heap", httpPprof.Handler("heap"))
+		pr.Handle("/mutex", httpPprof.Handler("mutex"))
+		pr.Handle("/threadcreate", httpPprof.Handler("threadcreate"))
+	})
+}
--- a/internal/api/mount_server_routes.go
+++ b/internal/api/mount_server_routes.go
@@ -0,0 +1,21 @@
+package api
+
+import (
+	"net/http"
+
+	"github.com/glueops/autoglue/internal/handlers"
+	"github.com/go-chi/chi/v5"
+	"gorm.io/gorm"
+)
+
+func mountServerRoutes(r chi.Router, db *gorm.DB, authOrg func(http.Handler) http.Handler) {
+	r.Route("/servers", func(s chi.Router) {
+		s.Use(authOrg)
+		s.Get("/", handlers.ListServers(db))
+		s.Post("/", handlers.CreateServer(db))
+		s.Get("/{id}", handlers.GetServer(db))
+		s.Patch("/{id}", handlers.UpdateServer(db))
+		s.Delete("/{id}", handlers.DeleteServer(db))
+		s.Post("/{id}/reset-hostkey", handlers.ResetServerHostKey(db))
+	})
+}
--- a/internal/api/mount_ssh_routes.go
+++ b/internal/api/mount_ssh_routes.go
@@ -0,0 +1,20 @@
+package api
+
+import (
+	"net/http"
+
+	"github.com/glueops/autoglue/internal/handlers"
+	"github.com/go-chi/chi/v5"
+	"gorm.io/gorm"
+)
+
+func mountSSHRoutes(r chi.Router, db *gorm.DB, authOrg func(http.Handler) http.Handler) {
+	r.Route("/ssh", func(s chi.Router) {
+		s.Use(authOrg)
+		s.Get("/", handlers.ListPublicSshKeys(db))
+		s.Post("/", handlers.CreateSSHKey(db))
+		s.Get("/{id}", handlers.GetSSHKey(db))
+		s.Delete("/{id}", handlers.DeleteSSHKey(db))
+		s.Get("/{id}/download", handlers.DownloadSSHKey(db))
+	})
+}
--- a/internal/api/mount_swagger_routes.go
+++ b/internal/api/mount_swagger_routes.go
@@ -0,0 +1,15 @@
+package api
+
+import (
+	"github.com/glueops/autoglue/docs"
+	"github.com/go-chi/chi/v5"
+	httpSwagger "github.com/swaggo/http-swagger/v2"
+)
+
+func mountSwaggerRoutes(r chi.Router) {
+	r.Get("/swagger/*", httpSwagger.Handler(
+		httpSwagger.URL("swagger.json"),
+	))
+	r.Get("/swagger/swagger.json", serveSwaggerFromEmbed(docs.SwaggerJSON, "application/json"))
+	r.Get("/swagger/swagger.yaml", serveSwaggerFromEmbed(docs.SwaggerYAML, "application/x-yaml"))
+}
--- a/internal/api/mount_taint_routes.go
+++ b/internal/api/mount_taint_routes.go
@@ -0,0 +1,20 @@
+package api
+
+import (
+	"net/http"
+
+	"github.com/glueops/autoglue/internal/handlers"
+	"github.com/go-chi/chi/v5"
+	"gorm.io/gorm"
+)
+
+func mountTaintRoutes(r chi.Router, db *gorm.DB, authOrg func(http.Handler) http.Handler) {
+	r.Route("/taints", func(t chi.Router) {
+		t.Use(authOrg)
+		t.Get("/", handlers.ListTaints(db))
+		t.Post("/", handlers.CreateTaint(db))
+		t.Get("/{id}", handlers.GetTaint(db))
+		t.Patch("/{id}", handlers.UpdateTaint(db))
+		t.Delete("/{id}", handlers.DeleteTaint(db))
+	})
+}
--- a/internal/api/mw_security.go
+++ b/internal/api/mw_security.go
@@ -36,7 +36,7 @@ func SecurityHeaders(next http.Handler) http.Handler {
 				// Google font files
 				"font-src 'self' data: https://fonts.gstatic.com",
 				// HMR connections
-				"connect-src 'self' http://localhost:5173 ws://localhost:5173 ws://localhost:8080",
+				"connect-src 'self' http://localhost:5173 ws://localhost:5173 ws://localhost:8080 https://api.github.com",
 				"frame-ancestors 'none'",
 			}, "; "))
 		} else {
@@ -53,7 +53,7 @@ func SecurityHeaders(next http.Handler) http.Handler {
 				"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
 				"img-src 'self' data: blob:",
 				"font-src 'self' data: https://fonts.gstatic.com",
-				"connect-src 'self'",
+				"connect-src 'self' ws://localhost:8080 https://api.github.com",
 				"frame-ancestors 'none'",
 			}, "; "))
 		}
--- a/internal/api/routes.go
+++ b/internal/api/routes.go
@@ -3,11 +3,10 @@ package api
 import (
 	"fmt"
 	"net/http"
-	httpPprof "net/http/pprof"
 	"os"
+	"strings"
 	"time"

-	"github.com/glueops/autoglue/docs"
 	"github.com/glueops/autoglue/internal/api/httpmiddleware"
 	"github.com/glueops/autoglue/internal/bg"
 	"github.com/glueops/autoglue/internal/config"
@@ -23,8 +22,6 @@ import (

 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
-
-	httpSwagger "github.com/swaggo/http-swagger/v2"
 )

 func NewRouter(db *gorm.DB, jobs *bg.Jobs, studio http.Handler) http.Handler {
@@ -38,7 +35,6 @@ func NewRouter(db *gorm.DB, jobs *bg.Jobs, studio http.Handler) http.Handler {
 	r.Use(middleware.RealIP)
 	r.Use(zeroLogMiddleware())
 	r.Use(middleware.Recoverer)
-	// r.Use(middleware.RedirectSlashes)
 	r.Use(SecurityHeaders)
 	r.Use(requestBodyLimit(10 << 20))
 	r.Use(httprate.LimitByIP(100, 1*time.Minute))
@@ -60,198 +56,44 @@ func NewRouter(db *gorm.DB, jobs *bg.Jobs, studio http.Handler) http.Handler {
 		MaxAge:           600,
 	}))

-	r.Use(middleware.AllowContentType("application/json"))
+	r.Use(middleware.Maybe(
+		middleware.AllowContentType("application/json"),
+		func(r *http.Request) bool {
+			// return true  => run AllowContentType
+			// return false => skip AllowContentType for this request
+			return !strings.HasPrefix(r.URL.Path, "/db-studio")
+		}))
+	//r.Use(middleware.AllowContentType("application/json"))

+	// Unversioned, non-auth endpoints
 	r.Get("/.well-known/jwks.json", handlers.JWKSHandler)
-	r.Route("/api", func(api chi.Router) {
-		api.Route("/v1", func(v1 chi.Router) {
-			authUser := httpmiddleware.AuthMiddleware(db, false)
-			authOrg := httpmiddleware.AuthMiddleware(db, true)

-			// Also serving a versioned JWKS for swagger, which uses BasePath
-			v1.Get("/.well-known/jwks.json", handlers.JWKSHandler)
-
-			v1.Get("/healthz", handlers.HealthCheck)
-			v1.Get("/version", handlers.Version)
-
-			v1.Route("/auth", func(a chi.Router) {
-				a.Post("/{provider}/start", handlers.AuthStart(db))
-				a.Get("/{provider}/callback", handlers.AuthCallback(db))
-				a.Post("/refresh", handlers.Refresh(db))
-				a.Post("/logout", handlers.Logout(db))
-			})
-
-			v1.Route("/admin", func(admin chi.Router) {
-				admin.Route("/archer", func(archer chi.Router) {
-					archer.Use(authUser)
-					archer.Use(httpmiddleware.RequirePlatformAdmin())
-
-					archer.Get("/jobs", handlers.AdminListArcherJobs(db))
-					archer.Post("/jobs", handlers.AdminEnqueueArcherJob(db, jobs))
-					archer.Post("/jobs/{id}/retry", handlers.AdminRetryArcherJob(db))
-					archer.Post("/jobs/{id}/cancel", handlers.AdminCancelArcherJob(db))
-					archer.Get("/queues", handlers.AdminListArcherQueues(db))
-				})
-			})
-
-			v1.Route("/me", func(me chi.Router) {
-				me.Use(authUser)
-
-				me.Get("/", handlers.GetMe(db))
-				me.Patch("/", handlers.UpdateMe(db))
-
-				me.Get("/api-keys", handlers.ListUserAPIKeys(db))
-				me.Post("/api-keys", handlers.CreateUserAPIKey(db))
-				me.Delete("/api-keys/{id}", handlers.DeleteUserAPIKey(db))
-			})
-
-			v1.Route("/orgs", func(o chi.Router) {
-				o.Use(authUser)
-				o.Get("/", handlers.ListMyOrgs(db))
-				o.Post("/", handlers.CreateOrg(db))
-
-				o.Group(func(og chi.Router) {
-					og.Use(authOrg)
-					og.Get("/{id}", handlers.GetOrg(db))
-					og.Patch("/{id}", handlers.UpdateOrg(db))
-					og.Delete("/{id}", handlers.DeleteOrg(db))
-
-					// members
-					og.Get("/{id}/members", handlers.ListMembers(db))
-					og.Post("/{id}/members", handlers.AddOrUpdateMember(db))
-					og.Delete("/{id}/members/{user_id}", handlers.RemoveMember(db))
-
-					// org-scoped key/secret pair
-					og.Get("/{id}/api-keys", handlers.ListOrgKeys(db))
-					og.Post("/{id}/api-keys", handlers.CreateOrgKey(db))
-					og.Delete("/{id}/api-keys/{key_id}", handlers.DeleteOrgKey(db))
-				})
-			})
-
-			v1.Route("/credentials", func(c chi.Router) {
-				c.Use(authOrg)
-				c.Get("/", handlers.ListCredentials(db))
-				c.Post("/", handlers.CreateCredential(db))
-				c.Get("/{id}", handlers.GetCredential(db))
-				c.Patch("/{id}", handlers.UpdateCredential(db))
-				c.Delete("/{id}", handlers.DeleteCredential(db))
-				c.Post("/{id}/reveal", handlers.RevealCredential(db))
-			})
-
-			v1.Route("/ssh", func(s chi.Router) {
-				s.Use(authOrg)
-				s.Get("/", handlers.ListPublicSshKeys(db))
-				s.Post("/", handlers.CreateSSHKey(db))
-				s.Get("/{id}", handlers.GetSSHKey(db))
-				s.Delete("/{id}", handlers.DeleteSSHKey(db))
-				s.Get("/{id}/download", handlers.DownloadSSHKey(db))
-			})
-
-			v1.Route("/servers", func(s chi.Router) {
-				s.Use(authOrg)
-				s.Get("/", handlers.ListServers(db))
-				s.Post("/", handlers.CreateServer(db))
-				s.Get("/{id}", handlers.GetServer(db))
-				s.Patch("/{id}", handlers.UpdateServer(db))
-				s.Delete("/{id}", handlers.DeleteServer(db))
-			})
-
-			v1.Route("/taints", func(s chi.Router) {
-				s.Use(authOrg)
-				s.Get("/", handlers.ListTaints(db))
-				s.Post("/", handlers.CreateTaint(db))
-				s.Get("/{id}", handlers.GetTaint(db))
-				s.Patch("/{id}", handlers.UpdateTaint(db))
-				s.Delete("/{id}", handlers.DeleteTaint(db))
-			})
-
-			v1.Route("/labels", func(l chi.Router) {
-				l.Use(authOrg)
-				l.Get("/", handlers.ListLabels(db))
-				l.Post("/", handlers.CreateLabel(db))
-				l.Get("/{id}", handlers.GetLabel(db))
-				l.Patch("/{id}", handlers.UpdateLabel(db))
-				l.Delete("/{id}", handlers.DeleteLabel(db))
-			})
-
-			v1.Route("/annotations", func(a chi.Router) {
-				a.Use(authOrg)
-				a.Get("/", handlers.ListAnnotations(db))
-				a.Post("/", handlers.CreateAnnotation(db))
-				a.Get("/{id}", handlers.GetAnnotation(db))
-				a.Patch("/{id}", handlers.UpdateAnnotation(db))
-				a.Delete("/{id}", handlers.DeleteAnnotation(db))
-			})
-
-			v1.Route("/node-pools", func(n chi.Router) {
-				n.Use(authOrg)
-				n.Get("/", handlers.ListNodePools(db))
-				n.Post("/", handlers.CreateNodePool(db))
-				n.Get("/{id}", handlers.GetNodePool(db))
-				n.Patch("/{id}", handlers.UpdateNodePool(db))
-				n.Delete("/{id}", handlers.DeleteNodePool(db))
-
-				// Servers
-				n.Get("/{id}/servers", handlers.ListNodePoolServers(db))
-				n.Post("/{id}/servers", handlers.AttachNodePoolServers(db))
-				n.Delete("/{id}/servers/{serverId}", handlers.DetachNodePoolServer(db))
-
-				// Taints
-				n.Get("/{id}/taints", handlers.ListNodePoolTaints(db))
-				n.Post("/{id}/taints", handlers.AttachNodePoolTaints(db))
-				n.Delete("/{id}/taints/{taintId}", handlers.DetachNodePoolTaint(db))
-
-				// Labels
-				n.Get("/{id}/labels", handlers.ListNodePoolLabels(db))
-				n.Post("/{id}/labels", handlers.AttachNodePoolLabels(db))
-				n.Delete("/{id}/labels/{labelId}", handlers.DetachNodePoolLabel(db))
-
-				// Annotations
-				n.Get("/{id}/annotations", handlers.ListNodePoolAnnotations(db))
-				n.Post("/{id}/annotations", handlers.AttachNodePoolAnnotations(db))
-				n.Delete("/{id}/annotations/{annotationId}", handlers.DetachNodePoolAnnotation(db))
-			})
-		})
-	})
+	// Versioned API
+	mountAPIRoutes(r, db, jobs)

+	// Optional DB studio
 	if studio != nil {
 		r.Group(func(gr chi.Router) {
 			authUser := httpmiddleware.AuthMiddleware(db, false)
 			adminOnly := httpmiddleware.RequirePlatformAdmin()
-			gr.Use(authUser)
-			gr.Use(adminOnly)
+			gr.Use(authUser, adminOnly)
 			gr.Mount("/db-studio", studio)
 		})
 	}

+	// pprof
 	if config.IsDebug() {
-		r.Route("/debug/pprof", func(pr chi.Router) {
-			pr.Get("/", httpPprof.Index)
-			pr.Get("/cmdline", httpPprof.Cmdline)
-			pr.Get("/profile", httpPprof.Profile)
-			pr.Get("/symbol", httpPprof.Symbol)
-			pr.Get("/trace", httpPprof.Trace)
-
-			pr.Handle("/allocs", httpPprof.Handler("allocs"))
-			pr.Handle("/block", httpPprof.Handler("block"))
-			pr.Handle("/goroutine", httpPprof.Handler("goroutine"))
-			pr.Handle("/heap", httpPprof.Handler("heap"))
-			pr.Handle("/mutex", httpPprof.Handler("mutex"))
-			pr.Handle("/threadcreate", httpPprof.Handler("threadcreate"))
-		})
+		mountPprofRoutes(r)
 	}

+	// Swagger
 	if config.IsSwaggerEnabled() {
-		r.Get("/swagger/*", httpSwagger.Handler(
-			httpSwagger.URL("swagger.json"),
-		))
-		r.Get("/swagger/swagger.json", serveSwaggerFromEmbed(docs.SwaggerJSON, "application/json"))
-		r.Get("/swagger/swagger.yaml", serveSwaggerFromEmbed(docs.SwaggerYAML, "application/x-yaml"))
+		mountSwaggerRoutes(r)
 	}

+	// UI dev/prod
 	if config.IsUIDev() {
 		fmt.Println("Running in development mode")
-		// Dev: isolate proxy from chi middlewares so WS upgrade can hijack.
 		proxy, err := web.DevProxy("http://localhost:5173")
 		if err != nil {
 			log.Error().Err(err).Msg("dev proxy init failed")
@@ -259,23 +101,20 @@ func NewRouter(db *gorm.DB, jobs *bg.Jobs, studio http.Handler) http.Handler {
 		}

 		mux := http.NewServeMux()
-		// Send API/Swagger/pprof to chi
 		mux.Handle("/api/", r)
 		mux.Handle("/api", r)
 		mux.Handle("/swagger/", r)
 		mux.Handle("/db-studio/", r)
 		mux.Handle("/debug/pprof/", r)
-		// Everything else (/, /brand-preview, assets) → proxy (no middlewares)
 		mux.Handle("/", proxy)
-
 		return mux
+	}
+
+	fmt.Println("Running in production mode")
+	if h, err := web.SPAHandler(); err == nil {
+		r.NotFound(h.ServeHTTP)
 	} else {
-		fmt.Println("Running in production mode")
-		if h, err := web.SPAHandler(); err == nil {
-			r.NotFound(h.ServeHTTP)
-		} else {
-			log.Error().Err(err).Msg("spa handler init failed")
-		}
+		log.Error().Err(err).Msg("spa handler init failed")
 	}

 	return r
--- a/internal/app/runtime.go
+++ b/internal/app/runtime.go
@@ -41,6 +41,8 @@ func NewRuntime() *Runtime {
 		&models.NodePool{},
 		&models.Cluster{},
 		&models.Credential{},
+		&models.Domain{},
+		&models.RecordSet{},
 	)

 	if err != nil {
--- a/internal/bg/backup_s3.go
+++ b/internal/bg/backup_s3.go
@@ -29,7 +29,7 @@ import (
 )

 type DbBackupArgs struct {
-	// kept in case you want to change retention or add dry-run later
+	IntervalS int `json:"interval_seconds,omitempty"`
 }

 type s3Scope struct {
@@ -44,6 +44,13 @@ type encAWS struct {

 func DbBackupWorker(db *gorm.DB, jobs *Jobs) archer.WorkerFn {
 	return func(ctx context.Context, j job.Job) (any, error) {
+		args := DbBackupArgs{IntervalS: 3600}
+		_ = j.ParseArguments(&args)
+
+		if args.IntervalS <= 0 {
+			args.IntervalS = 3600
+		}
+
 		if err := DbBackup(ctx, db); err != nil {
 			return nil, err
 		}
@@ -53,7 +60,7 @@ func DbBackupWorker(db *gorm.DB, jobs *Jobs) archer.WorkerFn {
 			queue = "db_backup_s3"
 		}

-		next := time.Now().UTC().Add(1 * time.Hour)
+		next := time.Now().Add(time.Duration(args.IntervalS) * time.Second)

 		payload := DbBackupArgs{}

@@ -73,7 +80,6 @@ func DbBackupWorker(db *gorm.DB, jobs *Jobs) archer.WorkerFn {

 func DbBackup(ctx context.Context, db *gorm.DB) error {
 	cfg, err := config.Load()
-	log.Info().Err(err).Msg("loading config")
 	if err != nil {
 		return fmt.Errorf("load config: %w", err)
 	}
--- a/internal/bg/bastion.go
+++ b/internal/bg/bastion.go
@@ -2,8 +2,8 @@ package bg

 import (
 	"context"
+	"encoding/base64"
 	"fmt"
-	"log"
 	"net"
 	"strings"
 	"time"
@@ -13,13 +13,16 @@ import (
 	"github.com/glueops/autoglue/internal/models"
 	"github.com/glueops/autoglue/internal/utils"
 	"github.com/google/uuid"
+	"github.com/rs/zerolog/log"
 	"golang.org/x/crypto/ssh"
 	"gorm.io/gorm"
 )

 // ----- Public types -----

-type BastionBootstrapArgs struct{}
+type BastionBootstrapArgs struct {
+	IntervalS int `json:"interval_seconds,omitempty"`
+}

 type BastionBootstrapFailure struct {
 	ID     uuid.UUID `json:"id"`
@@ -39,11 +42,17 @@ type BastionBootstrapResult struct {

 // ----- Worker -----

-func BastionBootstrapWorker(db *gorm.DB) archer.WorkerFn {
+func BastionBootstrapWorker(db *gorm.DB, jobs *Jobs) archer.WorkerFn {
 	return func(ctx context.Context, j job.Job) (any, error) {
+		args := BastionBootstrapArgs{IntervalS: 120}
 		jobID := j.ID
 		start := time.Now()

+		_ = j.ParseArguments(&args)
+		if args.IntervalS <= 0 {
+			args.IntervalS = 120
+		}
+
 		var servers []models.Server
 		if err := db.
 			Preload("SshKey").
@@ -105,7 +114,7 @@ func BastionBootstrapWorker(db *gorm.DB) archer.WorkerFn {
 			// 4) SSH + install docker
 			host := net.JoinHostPort(*s.PublicIPAddress, "22")
 			runCtx, cancel := context.WithTimeout(ctx, perHostTimeout)
-			out, err := sshInstallDockerWithOutput(runCtx, host, s.SSHUser, []byte(privKey))
+			out, err := sshInstallDockerWithOutput(runCtx, db, s, host, s.SSHUser, []byte(privKey))
 			cancel()

 			if err != nil {
@@ -147,9 +156,17 @@ func BastionBootstrapWorker(db *gorm.DB) archer.WorkerFn {
 			Failures:     failures,
 		}

-		// log.Printf("[bastion] level=INFO job=%s step=finish processed=%d ready=%d failed=%d elapsed_ms=%d",
-		// 	jobID, proc, ok, fail, res.ElapsedMs)
+		log.Debug().Int("processed", proc).Int("ready", ok).Int("failed", fail).Msg("[bastion] reconcile tick ok")

+		next := time.Now().Add(time.Duration(args.IntervalS) * time.Second)
+		_, _ = jobs.Enqueue(
+			ctx,
+			uuid.NewString(),
+			"bootstrap_bastion",
+			args,
+			archer.WithScheduleTime(next),
+			archer.WithMaxRetries(1),
+		)
 		return res, nil
 	}
 }
@@ -187,16 +204,24 @@ func logHostInfo(jobID string, s *models.Server, step, msg string, kv ...any) {
 // ----- SSH & command execution -----

 // returns combined stdout/stderr so caller can log it on error
-func sshInstallDockerWithOutput(ctx context.Context, host, user string, privateKeyPEM []byte) (string, error) {
+func sshInstallDockerWithOutput(
+	ctx context.Context,
+	db *gorm.DB,
+	s *models.Server,
+	host, user string,
+	privateKeyPEM []byte,
+) (string, error) {
 	signer, err := ssh.ParsePrivateKey(privateKeyPEM)
 	if err != nil {
 		return "", fmt.Errorf("parse private key: %w", err)
 	}

+	hkcb := makeDBHostKeyCallback(db, s)
+
 	config := &ssh.ClientConfig{
 		User:            user,
 		Auth:            []ssh.AuthMethod{ssh.PublicKeys(signer)},
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(), // TODO: known_hosts verification
+		HostKeyCallback: hkcb,
 		Timeout:         30 * time.Second,
 	}

@@ -494,3 +519,38 @@ func wrapSSHError(err error, output string) error {
 func sshEscape(s string) string {
 	return fmt.Sprintf("%q", s)
 }
+
+// makeDBHostKeyCallback returns a HostKeyCallback bound to a specific server row.
+// TOFU semantics:
+//   - If s.SSHHostKey is empty: store the current key in DB and accept.
+//   - If s.SSHHostKey is set: require exact match, else error (possible MITM/reinstall).
+func makeDBHostKeyCallback(db *gorm.DB, s *models.Server) ssh.HostKeyCallback {
+	return func(hostname string, remote net.Addr, key ssh.PublicKey) error {
+		algo := key.Type()
+		enc := base64.StdEncoding.EncodeToString(key.Marshal())
+
+		// First-time connect: persist key (TOFU).
+		if s.SSHHostKey == "" {
+			if err := db.Model(&models.Server{}).
+				Where("id = ? AND (ssh_host_key IS NULL or ssh_host_key = '')", s.ID).
+				Updates(map[string]any{
+					"ssh_host_key":      enc,
+					"ssh_host_key_algo": algo,
+				}).Error; err != nil {
+				return fmt.Errorf("store new host key for %s (%s): %w", hostname, s.ID, err)
+			}
+
+			s.SSHHostKey = enc
+			s.SSHHostKeyAlgo = algo
+			return nil
+		}
+
+		if s.SSHHostKeyAlgo != algo || s.SSHHostKey != enc {
+			return fmt.Errorf(
+				"host key mismatch for %s (server_id=%s, stored=%s/%s, got=%s/%s) - POSSIBLE MITM or host reinstalled",
+				hostname, s.ID, s.SSHHostKeyAlgo, s.SSHHostKey, algo, enc,
+			)
+		}
+		return nil
+	}
+}
--- a/internal/bg/bg.go
+++ b/internal/bg/bg.go
@@ -75,7 +75,7 @@ func NewJobs(gdb *gorm.DB, dbUrl string) (*Jobs, error) {

 	c.Register(
 		"bootstrap_bastion",
-		BastionBootstrapWorker(gdb),
+		BastionBootstrapWorker(gdb, jobs),
 		archer.WithInstances(instances),
 		archer.WithTimeout(time.Duration(timeoutSec)*time.Second),
 	)
@@ -100,6 +100,13 @@ func NewJobs(gdb *gorm.DB, dbUrl string) (*Jobs, error) {
 		archer.WithInstances(1),
 		archer.WithTimeout(15*time.Minute),
 	)
+
+	c.Register(
+		"dns_reconcile",
+		DNSReconsileWorker(gdb, jobs),
+		archer.WithInstances(1),
+		archer.WithTimeout(2*time.Minute),
+	)
 	return jobs, nil
 }

--- a/internal/bg/dns.go
+++ b/internal/bg/dns.go
@@ -0,0 +1,597 @@
+package bg
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/dyaksa/archer"
+	"github.com/dyaksa/archer/job"
+	"github.com/glueops/autoglue/internal/handlers/dto"
+	"github.com/glueops/autoglue/internal/models"
+	"github.com/glueops/autoglue/internal/utils"
+	"github.com/google/uuid"
+	"github.com/rs/zerolog/log"
+	"gorm.io/gorm"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials"
+	r53 "github.com/aws/aws-sdk-go-v2/service/route53"
+	r53types "github.com/aws/aws-sdk-go-v2/service/route53/types"
+)
+
+/************* args & small DTOs *************/
+
+type DNSReconcileArgs struct {
+	MaxDomains int `json:"max_domains,omitempty"`
+	MaxRecords int `json:"max_records,omitempty"`
+	IntervalS  int `json:"interval_seconds,omitempty"`
+}
+
+// TXT marker content (compact)
+type ownershipMarker struct {
+	Ver string `json:"v"`   // "ag1"
+	Org string `json:"org"` // org UUID
+	Rec string `json:"rec"` // record UUID
+	Fp  string `json:"fp"`  // short fp (first 16 of sha256)
+}
+
+// ExternalDNS poison owner id – MUST NOT match any real external-dns --txt-owner-id
+const externalDNSPoisonOwner = "autoglue-lock"
+
+// ExternalDNS poison content – fake owner so real external-dns skips it.
+const externalDNSPoisonValue = "heritage=external-dns,external-dns/owner=" + externalDNSPoisonOwner + ",external-dns/resource=manual/autoglue"
+
+/************* entrypoint worker *************/
+
+func DNSReconsileWorker(db *gorm.DB, jobs *Jobs) archer.WorkerFn {
+	return func(ctx context.Context, j job.Job) (any, error) {
+		args := DNSReconcileArgs{MaxDomains: 25, MaxRecords: 100, IntervalS: 30}
+		_ = j.ParseArguments(&args)
+
+		if args.MaxDomains <= 0 {
+			args.MaxDomains = 25
+		}
+		if args.MaxRecords <= 0 {
+			args.MaxRecords = 100
+		}
+		if args.IntervalS <= 0 {
+			args.IntervalS = 30
+		}
+
+		processedDomains, processedRecords, err := reconcileDNSOnce(ctx, db, args)
+		if err != nil {
+			log.Error().Err(err).Msg("[dns] reconcile tick failed")
+		} else {
+			log.Debug().
+				Int("domains", processedDomains).
+				Int("records", processedRecords).
+				Msg("[dns] reconcile tick ok")
+		}
+
+		next := time.Now().Add(time.Duration(args.IntervalS) * time.Second)
+		_, _ = jobs.Enqueue(ctx, uuid.NewString(), "dns_reconcile", args,
+			archer.WithScheduleTime(next),
+			archer.WithMaxRetries(1),
+		)
+
+		return map[string]any{
+			"domains_processed": processedDomains,
+			"records_processed": processedRecords,
+		}, nil
+	}
+}
+
+/************* core tick *************/
+
+func reconcileDNSOnce(ctx context.Context, db *gorm.DB, args DNSReconcileArgs) (int, int, error) {
+	var domains []models.Domain
+
+	// 1) validate/backfill pending domains
+	if err := db.
+		Where("status = ?", "pending").
+		Order("created_at ASC").
+		Limit(args.MaxDomains).
+		Find(&domains).Error; err != nil {
+		return 0, 0, err
+	}
+
+	domainsProcessed := 0
+	for i := range domains {
+		if err := processDomain(ctx, db, &domains[i]); err != nil {
+			log.Error().Err(err).Str("domain", domains[i].DomainName).Msg("[dns] domain processing failed")
+		} else {
+			domainsProcessed++
+		}
+	}
+
+	// 2) apply pending record sets for ready domains
+	var readyDomains []models.Domain
+	if err := db.Where("status = ?", "ready").Find(&readyDomains).Error; err != nil {
+		return domainsProcessed, 0, err
+	}
+
+	recordsProcessed := 0
+	for i := range readyDomains {
+		n, err := processPendingRecordsForDomain(ctx, db, &readyDomains[i], args.MaxRecords)
+		if err != nil {
+			log.Error().Err(err).Str("domain", readyDomains[i].DomainName).Msg("[dns] record processing failed")
+			continue
+		}
+		recordsProcessed += n
+	}
+
+	return domainsProcessed, recordsProcessed, nil
+}
+
+/************* domain processing *************/
+
+func processDomain(ctx context.Context, db *gorm.DB, d *models.Domain) error {
+	orgID := d.OrganizationID
+
+	// 1) Load credential (org-guarded)
+	var cred models.Credential
+	if err := db.Where("id = ? AND organization_id = ?", d.CredentialID, orgID).First(&cred).Error; err != nil {
+		return setDomainFailed(db, d, fmt.Errorf("credential not found: %w", err))
+	}
+
+	// 2) Decrypt → dto.AWSCredential
+	secret, err := utils.DecryptForOrg(orgID, cred.EncryptedData, cred.IV, cred.Tag, db)
+	if err != nil {
+		return setDomainFailed(db, d, fmt.Errorf("decrypt: %w", err))
+	}
+	var awsCred dto.AWSCredential
+	if err := jsonUnmarshalStrict([]byte(secret), &awsCred); err != nil {
+		return setDomainFailed(db, d, fmt.Errorf("secret decode: %w", err))
+	}
+
+	// 3) Client
+	r53c, _, err := newRoute53Client(ctx, awsCred)
+	if err != nil {
+		return setDomainFailed(db, d, err)
+	}
+
+	// 4) Backfill zone id if missing
+	zoneID := strings.TrimSpace(d.ZoneID)
+	if zoneID == "" {
+		zid, err := findHostedZoneID(ctx, r53c, d.DomainName)
+		if err != nil {
+			return setDomainFailed(db, d, fmt.Errorf("discover zone id: %w", err))
+		}
+		zoneID = zid
+		d.ZoneID = zoneID
+	}
+
+	// 5) Sanity: can fetch zone
+	if _, err := r53c.GetHostedZone(ctx, &r53.GetHostedZoneInput{Id: aws.String(zoneID)}); err != nil {
+		return setDomainFailed(db, d, fmt.Errorf("get hosted zone: %w", err))
+	}
+
+	// 6) Mark ready
+	d.Status = "ready"
+	d.LastError = ""
+	if err := db.Save(d).Error; err != nil {
+		return err
+	}
+	return nil
+}
+
+func setDomainFailed(db *gorm.DB, d *models.Domain, cause error) error {
+	d.Status = "failed"
+	d.LastError = truncateErr(cause.Error())
+	_ = db.Save(d).Error
+	return cause
+}
+
+/************* record processing *************/
+
+func processPendingRecordsForDomain(ctx context.Context, db *gorm.DB, d *models.Domain, max int) (int, error) {
+	orgID := d.OrganizationID
+
+	// reload credential
+	var cred models.Credential
+	if err := db.Where("id = ? AND organization_id = ?", d.CredentialID, orgID).First(&cred).Error; err != nil {
+		return 0, err
+	}
+
+	secret, err := utils.DecryptForOrg(orgID, cred.EncryptedData, cred.IV, cred.Tag, db)
+	if err != nil {
+		return 0, err
+	}
+
+	var awsCred dto.AWSCredential
+	if err := jsonUnmarshalStrict([]byte(secret), &awsCred); err != nil {
+		return 0, err
+	}
+	r53c, _, err := newRoute53Client(ctx, awsCred)
+	if err != nil {
+		return 0, err
+	}
+
+	var records []models.RecordSet
+	if err := db.
+		Where("domain_id = ? AND status = ?", d.ID, "pending").
+		Order("created_at ASC").
+		Limit(max).
+		Find(&records).Error; err != nil {
+		return 0, err
+	}
+
+	applied := 0
+	for i := range records {
+		if err := applyRecord(ctx, db, r53c, d, &records[i]); err != nil {
+			log.Error().Err(err).Str("rr", records[i].Name).Msg("[dns] apply record failed")
+			_ = setRecordFailed(db, &records[i], err)
+			continue
+		}
+		applied++
+	}
+	return applied, nil
+}
+
+// core write + ownership + external-dns hardening
+
+func applyRecord(ctx context.Context, db *gorm.DB, r53c *r53.Client, d *models.Domain, r *models.RecordSet) error {
+	zoneID := strings.TrimSpace(d.ZoneID)
+	if zoneID == "" {
+		return errors.New("domain has no zone_id")
+	}
+
+	rt := strings.ToUpper(r.Type)
+
+	// FQDN & marker
+	fq := recordFQDN(r.Name, d.DomainName) // ends with "."
+	mname := markerName(fq)
+	expected := buildMarkerValue(d.OrganizationID.String(), r.ID.String(), r.Fingerprint)
+
+	// ---- ExternalDNS preflight ----
+	extOwned, err := hasExternalDNSOwnership(ctx, r53c, zoneID, fq, rt)
+	if err != nil {
+		return fmt.Errorf("external_dns_lookup: %w", err)
+	}
+	if extOwned {
+		r.Owner = "external"
+		_ = db.Save(r).Error
+		return fmt.Errorf("ownership_conflict: external-dns claims %s; refusing to modify", strings.TrimSuffix(fq, "."))
+	}
+
+	// ---- Autoglue ownership preflight via _autoglue.<fqdn> TXT ----
+	markerVals, err := getMarkerTXTValues(ctx, r53c, zoneID, mname)
+	if err != nil {
+		return fmt.Errorf("marker lookup: %w", err)
+	}
+	hasForeignOwner := false
+	hasOurExact := false
+	for _, v := range markerVals {
+		mk, ok := parseMarkerValue(v)
+		if !ok {
+			continue
+		}
+		switch {
+		case mk.Org == d.OrganizationID.String() && mk.Rec == r.ID.String() && mk.Fp == shortFP(r.Fingerprint):
+			hasOurExact = true
+		case mk.Org != d.OrganizationID.String() || mk.Rec != r.ID.String():
+			hasForeignOwner = true
+		}
+	}
+	if hasForeignOwner {
+		r.Owner = "external"
+		_ = db.Save(r).Error
+		return fmt.Errorf("ownership_conflict: marker for %s is owned by another controller; refusing to modify", strings.TrimSuffix(fq, "."))
+	}
+
+	// Build RR change (UPSERT)
+	rrChange := r53types.Change{
+		Action: r53types.ChangeActionUpsert,
+		ResourceRecordSet: &r53types.ResourceRecordSet{
+			Name: aws.String(fq),
+			Type: r53types.RRType(rt),
+		},
+	}
+
+	// Decode user values
+	var userVals []string
+	if len(r.Values) > 0 {
+		if err := jsonUnmarshalStrict([]byte(r.Values), &userVals); err != nil {
+			return fmt.Errorf("values decode: %w", err)
+		}
+	}
+
+	// Quote TXT values as required by Route53
+	recs := make([]r53types.ResourceRecord, 0, len(userVals))
+	for _, v := range userVals {
+		v = strings.TrimSpace(v)
+		if rt == "TXT" && !(strings.HasPrefix(v, `"`) && strings.HasSuffix(v, `"`)) {
+			v = strconv.Quote(v)
+		}
+		recs = append(recs, r53types.ResourceRecord{Value: aws.String(v)})
+	}
+	rrChange.ResourceRecordSet.ResourceRecords = recs
+	if r.TTL != nil {
+		ttl := int64(*r.TTL)
+		rrChange.ResourceRecordSet.TTL = aws.Int64(ttl)
+	}
+
+	// Build marker TXT change (UPSERT)
+	markerChange := r53types.Change{
+		Action: r53types.ChangeActionUpsert,
+		ResourceRecordSet: &r53types.ResourceRecordSet{
+			Name: aws.String(mname),
+			Type: r53types.RRTypeTxt,
+			TTL:  aws.Int64(300),
+			ResourceRecords: []r53types.ResourceRecord{
+				{Value: aws.String(strconv.Quote(expected))},
+			},
+		},
+	}
+
+	// Build external-dns poison TXT changes
+	poisonChanges := buildExternalDNSPoisonTXTChanges(fq, rt)
+
+	// Apply all in one batch (atomic-ish)
+	changes := []r53types.Change{rrChange, markerChange}
+	changes = append(changes, poisonChanges...)
+
+	_, err = r53c.ChangeResourceRecordSets(ctx, &r53.ChangeResourceRecordSetsInput{
+		HostedZoneId: aws.String(zoneID),
+		ChangeBatch:  &r53types.ChangeBatch{Changes: changes},
+	})
+	if err != nil {
+		return err
+	}
+
+	// Success → mark ready & ownership
+	r.Status = "ready"
+	r.LastError = ""
+	r.Owner = "autoglue"
+	if err := db.Save(r).Error; err != nil {
+		return err
+	}
+	_ = hasOurExact // could be used to skip marker write in future
+	return nil
+}
+
+func setRecordFailed(db *gorm.DB, r *models.RecordSet, cause error) error {
+	msg := truncateErr(cause.Error())
+	r.Status = "failed"
+	r.LastError = msg
+	// classify ownership on conflict
+	if strings.HasPrefix(msg, "ownership_conflict") {
+		r.Owner = "external"
+	} else if r.Owner == "" || r.Owner == "unknown" {
+		r.Owner = "unknown"
+	}
+	_ = db.Save(r).Error
+	return cause
+}
+
+/************* AWS helpers *************/
+
+func newRoute53Client(ctx context.Context, cred dto.AWSCredential) (*r53.Client, *aws.Config, error) {
+	// Route53 is global, but config still wants a region
+	region := strings.TrimSpace(cred.Region)
+	if region == "" {
+		region = "us-east-1"
+	}
+	cfg, err := config.LoadDefaultConfig(ctx,
+		config.WithRegion(region),
+		config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(
+			cred.AccessKeyID, cred.SecretAccessKey, "",
+		)),
+	)
+	if err != nil {
+		return nil, nil, err
+	}
+	return r53.NewFromConfig(cfg), &cfg, nil
+}
+
+func findHostedZoneID(ctx context.Context, c *r53.Client, domain string) (string, error) {
+	d := normalizeDomain(domain)
+	out, err := c.ListHostedZonesByName(ctx, &r53.ListHostedZonesByNameInput{
+		DNSName: aws.String(d),
+	})
+	if err != nil {
+		return "", err
+	}
+	for _, hz := range out.HostedZones {
+		if strings.TrimSuffix(aws.ToString(hz.Name), ".") == d {
+			return trimZoneID(aws.ToString(hz.Id)), nil
+		}
+	}
+	return "", fmt.Errorf("hosted zone not found for %q", d)
+}
+
+func trimZoneID(id string) string {
+	return strings.TrimPrefix(id, "/hostedzone/")
+}
+
+func normalizeDomain(s string) string {
+	s = strings.TrimSpace(strings.ToLower(s))
+	return strings.TrimSuffix(s, ".")
+}
+
+func recordFQDN(name, domain string) string {
+	name = strings.TrimSpace(name)
+	if name == "" || name == "@" {
+		return normalizeDomain(domain) + "."
+	}
+	if strings.HasSuffix(name, ".") {
+		return name
+	}
+	return fmt.Sprintf("%s.%s.", name, normalizeDomain(domain))
+}
+
+/************* TXT marker / external-dns helpers *************/
+
+func markerName(fqdn string) string {
+	trimmed := strings.TrimSuffix(fqdn, ".")
+	return "_autoglue." + trimmed + "."
+}
+
+func shortFP(full string) string {
+	if len(full) > 16 {
+		return full[:16]
+	}
+	return full
+}
+
+func buildMarkerValue(orgID, recID, fp string) string {
+	return "v=ag1 org=" + orgID + " rec=" + recID + " fp=" + shortFP(fp)
+}
+
+func parseMarkerValue(s string) (ownershipMarker, bool) {
+	out := ownershipMarker{}
+	fields := strings.Fields(s)
+	if len(fields) < 4 {
+		return out, false
+	}
+	kv := map[string]string{}
+	for _, f := range fields {
+		parts := strings.SplitN(f, "=", 2)
+		if len(parts) == 2 {
+			kv[parts[0]] = parts[1]
+		}
+	}
+	if kv["v"] == "" || kv["org"] == "" || kv["rec"] == "" || kv["fp"] == "" {
+		return out, false
+	}
+	out.Ver, out.Org, out.Rec, out.Fp = kv["v"], kv["org"], kv["rec"], kv["fp"]
+	return out, true
+}
+
+func getMarkerTXTValues(ctx context.Context, c *r53.Client, zoneID, marker string) ([]string, error) {
+	return getTXTValues(ctx, c, zoneID, marker)
+}
+
+// generic TXT fetcher
+func getTXTValues(ctx context.Context, c *r53.Client, zoneID, name string) ([]string, error) {
+	out, err := c.ListResourceRecordSets(ctx, &r53.ListResourceRecordSetsInput{
+		HostedZoneId:    aws.String(zoneID),
+		StartRecordName: aws.String(name),
+		StartRecordType: r53types.RRTypeTxt,
+		MaxItems:        aws.Int32(1),
+	})
+	if err != nil {
+		return nil, err
+	}
+	if len(out.ResourceRecordSets) == 0 {
+		return nil, nil
+	}
+	rrset := out.ResourceRecordSets[0]
+	if aws.ToString(rrset.Name) != name || rrset.Type != r53types.RRTypeTxt {
+		return nil, nil
+	}
+	vals := make([]string, 0, len(rrset.ResourceRecords))
+	for _, rr := range rrset.ResourceRecords {
+		vals = append(vals, aws.ToString(rr.Value))
+	}
+	return vals, nil
+}
+
+// detect external-dns-style ownership for this fqdn/type
+func hasExternalDNSOwnership(ctx context.Context, c *r53.Client, zoneID, fqdn, rrType string) (bool, error) {
+	base := strings.TrimSuffix(fqdn, ".")
+	candidates := []string{
+		// with txtPrefix=extdns-, external-dns writes both:
+		// extdns-<fqdn> and extdns-<rrtype-lc>-<fqdn>
+		"extdns-" + base + ".",
+		"extdns-" + strings.ToLower(rrType) + "-" + base + ".",
+	}
+	for _, name := range candidates {
+		vals, err := getTXTValues(ctx, c, zoneID, name)
+		if err != nil {
+			return false, err
+		}
+		for _, raw := range vals {
+			v := strings.TrimSpace(raw)
+			// strip surrounding quotes if present
+			if len(v) >= 2 && v[0] == '"' && v[len(v)-1] == '"' {
+				if unq, err := strconv.Unquote(v); err == nil {
+					v = unq
+				}
+			}
+			meta := parseExternalDNSMeta(v)
+			if meta == nil {
+				continue
+			}
+			if meta["heritage"] == "external-dns" &&
+				meta["external-dns/owner"] != "" &&
+				meta["external-dns/owner"] != externalDNSPoisonOwner {
+				return true, nil
+			}
+		}
+	}
+	return false, nil
+}
+
+// parseExternalDNSMeta parses the comma-separated external-dns TXT format into a small map.
+func parseExternalDNSMeta(v string) map[string]string {
+	parts := strings.Split(v, ",")
+	if len(parts) == 0 {
+		return nil
+	}
+	meta := make(map[string]string, len(parts))
+	for _, p := range parts {
+		p = strings.TrimSpace(p)
+		if p == "" {
+			continue
+		}
+		kv := strings.SplitN(p, "=", 2)
+		if len(kv) != 2 {
+			continue
+		}
+		meta[kv[0]] = kv[1]
+	}
+	if len(meta) == 0 {
+		return nil
+	}
+	return meta
+}
+
+// build poison TXT records so external-dns thinks some *other* owner manages this
+func buildExternalDNSPoisonTXTChanges(fqdn, rrType string) []r53types.Change {
+	base := strings.TrimSuffix(fqdn, ".")
+	names := []string{
+		"extdns-" + base + ".",
+		"extdns-" + strings.ToLower(rrType) + "-" + base + ".",
+	}
+	val := strconv.Quote(externalDNSPoisonValue)
+	changes := make([]r53types.Change, 0, len(names))
+	for _, n := range names {
+		changes = append(changes, r53types.Change{
+			Action: r53types.ChangeActionUpsert,
+			ResourceRecordSet: &r53types.ResourceRecordSet{
+				Name: aws.String(n),
+				Type: r53types.RRTypeTxt,
+				TTL:  aws.Int64(300),
+				ResourceRecords: []r53types.ResourceRecord{
+					{Value: aws.String(val)},
+				},
+			},
+		})
+	}
+	return changes
+}
+
+/************* misc utils *************/
+
+func truncateErr(s string) string {
+	const max = 2000
+	if len(s) > max {
+		return s[:max]
+	}
+	return s
+}
+
+// Strict unmarshal that treats "null" -> zero value correctly.
+func jsonUnmarshalStrict(b []byte, dst any) error {
+	if len(b) == 0 {
+		return errors.New("empty json")
+	}
+	return json.Unmarshal(b, dst)
+}
--- a/internal/handlers/auth.go
+++ b/internal/handlers/auth.go
@@ -371,6 +371,21 @@ func Refresh(db *gorm.DB) http.HandlerFunc {
 			return
 		}

+		secure := strings.HasPrefix(cfg.OAuthRedirectBase, "https://")
+		if xf := r.Header.Get("X-Forwarded-Proto"); xf != "" {
+			secure = strings.EqualFold(xf, "https")
+		}
+
+		http.SetCookie(w, &http.Cookie{
+			Name:     "ag_jwt",
+			Value:    "Bearer " + access,
+			Path:     "/",
+			HttpOnly: true,
+			SameSite: http.SameSiteLaxMode,
+			Secure:   secure,
+			MaxAge:   int((time.Hour * 8).Seconds()),
+		})
+
 		utils.WriteJSON(w, 200, dto.TokenPair{
 			AccessToken:  access,
 			RefreshToken: newPair.Plain,
--- a/internal/handlers/dns.go
+++ b/internal/handlers/dns.go
@@ -0,0 +1,802 @@
+package handlers
+
+import (
+	"bytes"
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/glueops/autoglue/internal/api/httpmiddleware"
+	"github.com/glueops/autoglue/internal/handlers/dto"
+	"github.com/glueops/autoglue/internal/models"
+	"github.com/glueops/autoglue/internal/utils"
+	"github.com/go-chi/chi/v5"
+	"github.com/google/uuid"
+	"github.com/rs/zerolog/log"
+	"gorm.io/datatypes"
+	"gorm.io/gorm"
+)
+
+// ---------- Helpers ----------
+
+func normLowerNoDot(s string) string {
+	s = strings.TrimSpace(strings.ToLower(s))
+	return strings.TrimSuffix(s, ".")
+}
+
+func fqdn(domain string, rel string) string {
+	d := normLowerNoDot(domain)
+	r := normLowerNoDot(rel)
+	if r == "" || r == "@" {
+		return d
+	}
+	return r + "." + d
+}
+
+func canonicalJSONAny(v any) ([]byte, error) {
+	b, err := json.Marshal(v)
+	if err != nil {
+		return nil, err
+	}
+	var anyv any
+	if err := json.Unmarshal(b, &anyv); err != nil {
+		return nil, err
+	}
+	return marshalSortedDNS(anyv)
+}
+
+func marshalSortedDNS(v any) ([]byte, error) {
+	switch vv := v.(type) {
+	case map[string]any:
+		keys := make([]string, 0, len(vv))
+		for k := range vv {
+			keys = append(keys, k)
+		}
+		sortStrings(keys)
+		var buf bytes.Buffer
+		buf.WriteByte('{')
+		for i, k := range keys {
+			if i > 0 {
+				buf.WriteByte(',')
+			}
+			kb, _ := json.Marshal(k)
+			buf.Write(kb)
+			buf.WriteByte(':')
+			b, err := marshalSortedDNS(vv[k])
+			if err != nil {
+				return nil, err
+			}
+			buf.Write(b)
+		}
+		buf.WriteByte('}')
+		return buf.Bytes(), nil
+	case []any:
+		var buf bytes.Buffer
+		buf.WriteByte('[')
+		for i, e := range vv {
+			if i > 0 {
+				buf.WriteByte(',')
+			}
+			b, err := marshalSortedDNS(e)
+			if err != nil {
+				return nil, err
+			}
+			buf.Write(b)
+		}
+		buf.WriteByte(']')
+		return buf.Bytes(), nil
+	default:
+		return json.Marshal(v)
+	}
+}
+
+func sortStrings(a []string) {
+	for i := 0; i < len(a); i++ {
+		for j := i + 1; j < len(a); j++ {
+			if a[j] < a[i] {
+				a[i], a[j] = a[j], a[i]
+			}
+		}
+	}
+}
+
+func sha256HexBytes(b []byte) string {
+	sum := sha256.Sum256(b)
+	return hex.EncodeToString(sum[:])
+}
+
+/* Fingerprint (provider-agnostic) */
+type desiredRecord struct {
+	ZoneID string   `json:"zone_id"`
+	FQDN   string   `json:"fqdn"`
+	Type   string   `json:"type"`
+	TTL    *int     `json:"ttl,omitempty"`
+	Values []string `json:"values,omitempty"`
+}
+
+func computeFingerprint(zoneID, fqdn, typ string, ttl *int, values datatypes.JSON) (string, error) {
+	var vals []string
+	if len(values) > 0 && string(values) != "null" {
+		if err := json.Unmarshal(values, &vals); err != nil {
+			return "", err
+		}
+		sortStrings(vals)
+	}
+	payload := &desiredRecord{
+		ZoneID: zoneID, FQDN: fqdn, Type: strings.ToUpper(typ), TTL: ttl, Values: vals,
+	}
+	can, err := canonicalJSONAny(payload)
+	if err != nil {
+		return "", err
+	}
+	return sha256HexBytes(can), nil
+}
+
+func mustSameOrgDomainWithCredential(db *gorm.DB, orgID uuid.UUID, credID uuid.UUID) error {
+	var cred models.Credential
+	if err := db.Where("id = ? AND organization_id = ?", credID, orgID).First(&cred).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return fmt.Errorf("credential not found or belongs to different org")
+		}
+		return err
+	}
+	if cred.Provider != "aws" || cred.ScopeKind != "service" {
+		return fmt.Errorf("credential must be AWS Route 53 service scoped")
+	}
+	var scope map[string]any
+	if err := json.Unmarshal(cred.Scope, &scope); err != nil {
+		return fmt.Errorf("credential scope invalid json: %w", err)
+	}
+	if strings.ToLower(fmt.Sprint(scope["service"])) != "route53" {
+		return fmt.Errorf("credential scope.service must be route53")
+	}
+	return nil
+}
+
+// ---------- Domain Handlers ----------
+
+// ListDomains godoc
+//
+//	@ID				ListDomains
+//	@Summary		List domains (org scoped)
+//	@Description	Returns domains for X-Org-ID. Filters: `domain_name`, `status`, `q` (contains).
+//	@Tags			DNS
+//	@Accept			json
+//	@Produce		json
+//	@Param			X-Org-ID	header		string	false	"Organization UUID"
+//	@Param			domain_name	query		string	false	"Exact domain name (lowercase, no trailing dot)"
+//	@Param			status		query		string	false	"pending|provisioning|ready|failed"
+//	@Param			q			query		string	false	"Domain contains (case-insensitive)"
+//	@Success		200			{array}		dto.DomainResponse
+//	@Failure		401			{string}	string	"Unauthorized"
+//	@Failure		403			{string}	string	"organization required"
+//	@Failure		500			{string}	string	"db error"
+//	@Router			/dns/domains [get]
+//	@Security		BearerAuth
+//	@Security		OrgKeyAuth
+//	@Security		OrgSecretAuth
+func ListDomains(db *gorm.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
+		if !ok {
+			utils.WriteError(w, http.StatusForbidden, "org_required", "specify X-Org-ID")
+			return
+		}
+		q := db.Model(&models.Domain{}).Where("organization_id = ?", orgID)
+		if v := strings.TrimSpace(strings.ToLower(r.URL.Query().Get("domain_name"))); v != "" {
+			q = q.Where("LOWER(domain_name) = ?", v)
+		}
+		if v := strings.TrimSpace(strings.ToLower(r.URL.Query().Get("status"))); v != "" {
+			q = q.Where("status = ?", v)
+		}
+		if needle := strings.TrimSpace(strings.ToLower(r.URL.Query().Get("q"))); needle != "" {
+			q = q.Where("LOWER(domain_name) LIKE ?", "%"+needle+"%")
+		}
+
+		var rows []models.Domain
+		if err := q.Order("created_at DESC").Find(&rows).Error; err != nil {
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", "db error")
+			return
+		}
+		out := make([]dto.DomainResponse, 0, len(rows))
+		for i := range rows {
+			out = append(out, domainOut(&rows[i]))
+		}
+		utils.WriteJSON(w, http.StatusOK, out)
+	}
+}
+
+// GetDomain godoc
+//
+//	@ID				GetDomain
+//	@Summary		Get a domain (org scoped)
+//	@Tags			DNS
+//	@Accept			json
+//	@Produce		json
+//	@Param			X-Org-ID	header	string	false	"Organization UUID"
+//	@Param			id			path	string	true	"Domain ID (UUID)"
+//	@Success		200			{object}	dto.DomainResponse
+//	@Failure		401			{string}	string	"Unauthorized"
+//	@Failure		403			{string}	string	"organization required"
+//	@Failure		404			{string}	string	"not found"
+//	@Router			/dns/domains/{id} [get]
+//	@Security		BearerAuth
+//	@Security		OrgKeyAuth
+//	@Security		OrgSecretAuth
+func GetDomain(db *gorm.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
+		if !ok {
+			utils.WriteError(w, http.StatusForbidden, "org_required", "specify X-Org-ID")
+			return
+		}
+		id, err := uuid.Parse(chi.URLParam(r, "id"))
+		if err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "bad_id", "invalid UUID")
+			return
+		}
+		var row models.Domain
+		if err := db.Where("organization_id = ? AND id = ?", orgID, id).First(&row).Error; err != nil {
+			if errors.Is(err, gorm.ErrRecordNotFound) {
+				utils.WriteError(w, http.StatusNotFound, "not_found", "domain not found")
+				return
+			}
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", "db error")
+			return
+		}
+		utils.WriteJSON(w, http.StatusOK, domainOut(&row))
+	}
+}
+
+// CreateDomain godoc
+//
+//	@ID				CreateDomain
+//	@Summary		Create a domain (org scoped)
+//	@Description	Creates a domain bound to a Route 53 scoped credential. Archer will backfill ZoneID if omitted.
+//	@Tags			DNS
+//	@Accept			json
+//	@Produce		json
+//	@Param			X-Org-ID	header		string	false	"Organization UUID"
+//	@Param			body		body		dto.CreateDomainRequest	true	"Domain payload"
+//	@Success		201			{object}	dto.DomainResponse
+//	@Failure		400			{string}	string	"validation error"
+//	@Failure		401			{string}	string	"Unauthorized"
+//	@Failure		403			{string}	string	"organization required"
+//	@Failure		500			{string}	string	"db error"
+//	@Router			/dns/domains [post]
+//	@Security		BearerAuth
+//	@Security		OrgKeyAuth
+//	@Security		OrgSecretAuth
+func CreateDomain(db *gorm.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
+		if !ok {
+			utils.WriteError(w, http.StatusForbidden, "org_required", "specify X-Org-ID")
+			return
+		}
+		var in dto.CreateDomainRequest
+		if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "bad_json", err.Error())
+			return
+		}
+		if err := dto.DNSValidate(in); err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "validation_error", err.Error())
+			return
+		}
+		credID, _ := uuid.Parse(in.CredentialID)
+		if err := mustSameOrgDomainWithCredential(db, orgID, credID); err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "invalid_credential", err.Error())
+			return
+		}
+
+		row := &models.Domain{
+			OrganizationID: orgID,
+			DomainName:     normLowerNoDot(in.DomainName),
+			ZoneID:         strings.TrimSpace(in.ZoneID),
+			Status:         "pending",
+			LastError:      "",
+			CredentialID:   credID,
+		}
+		if err := db.Create(row).Error; err != nil {
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", err.Error())
+			return
+		}
+		utils.WriteJSON(w, http.StatusCreated, domainOut(row))
+	}
+}
+
+// UpdateDomain godoc
+//
+//	@ID				UpdateDomain
+//	@Summary		Update a domain (org scoped)
+//	@Tags			DNS
+//	@Accept			json
+//	@Produce		json
+//	@Param			X-Org-ID	header	string	false	"Organization UUID"
+//	@Param			id			path	string	true	"Domain ID (UUID)"
+//	@Param			body		body	dto.UpdateDomainRequest true "Fields to update"
+//	@Success		200			{object} dto.DomainResponse
+//	@Failure		400			{string} string "validation error"
+//	@Failure		403			{string} string "organization required"
+//	@Failure		404			{string} string "not found"
+//	@Router			/dns/domains/{id} [patch]
+//	@Security		BearerAuth
+//	@Security		OrgKeyAuth
+//	@Security		OrgSecretAuth
+func UpdateDomain(db *gorm.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
+		if !ok {
+			utils.WriteError(w, http.StatusForbidden, "org_required", "specify X-Org-ID")
+			return
+		}
+		id, err := uuid.Parse(chi.URLParam(r, "id"))
+		if err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "bad_id", "invalid UUID")
+			return
+		}
+		var row models.Domain
+		if err := db.Where("organization_id = ? AND id = ?", orgID, id).First(&row).Error; err != nil {
+			if errors.Is(err, gorm.ErrRecordNotFound) {
+				utils.WriteError(w, http.StatusNotFound, "not_found", "domain not found")
+				return
+			}
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", err.Error())
+			return
+		}
+		var in dto.UpdateDomainRequest
+		if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "bad_json", err.Error())
+			return
+		}
+		if err := dto.DNSValidate(in); err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "validation_error", err.Error())
+			return
+		}
+		if in.DomainName != nil {
+			row.DomainName = normLowerNoDot(*in.DomainName)
+		}
+		if in.CredentialID != nil {
+			credID, _ := uuid.Parse(*in.CredentialID)
+			if err := mustSameOrgDomainWithCredential(db, orgID, credID); err != nil {
+				utils.WriteError(w, http.StatusBadRequest, "invalid_credential", err.Error())
+				return
+			}
+			row.CredentialID = credID
+			row.Status = "pending"
+			row.LastError = ""
+		}
+		if in.ZoneID != nil {
+			row.ZoneID = strings.TrimSpace(*in.ZoneID)
+		}
+		if in.Status != nil {
+			row.Status = *in.Status
+			if row.Status == "pending" {
+				row.LastError = ""
+			}
+		}
+		if err := db.Save(&row).Error; err != nil {
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", err.Error())
+			return
+		}
+		utils.WriteJSON(w, http.StatusOK, domainOut(&row))
+	}
+}
+
+// DeleteDomain godoc
+//
+//	@ID				DeleteDomain
+//	@Summary		Delete a domain
+//	@Tags			DNS
+//	@Accept			json
+//	@Produce		json
+//	@Param			X-Org-ID	header	string	false	"Organization UUID"
+//	@Param			id			path	string	true	"Domain ID (UUID)"
+//	@Success		204
+//	@Failure		403			{string}	string	"organization required"
+//	@Failure		404			{string}	string	"not found"
+//	@Router			/dns/domains/{id} [delete]
+//	@Security		BearerAuth
+//	@Security		OrgKeyAuth
+//	@Security		OrgSecretAuth
+func DeleteDomain(db *gorm.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
+		if !ok {
+			utils.WriteError(w, http.StatusForbidden, "org_required", "specify X-Org-ID")
+			return
+		}
+		id, err := uuid.Parse(chi.URLParam(r, "id"))
+		if err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "bad_id", "invalid UUID")
+			return
+		}
+		res := db.Where("organization_id = ? AND id = ?", orgID, id).Delete(&models.Domain{})
+		if res.Error != nil {
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", res.Error.Error())
+			return
+		}
+		if res.RowsAffected == 0 {
+			utils.WriteError(w, http.StatusNotFound, "not_found", "domain not found")
+			return
+		}
+		w.WriteHeader(http.StatusNoContent)
+	}
+}
+
+// ---------- Record Set Handlers ----------
+
+// ListRecordSets godoc
+//
+//	@ID				ListRecordSets
+//	@Summary		List record sets for a domain
+//	@Description	Filters: `name`, `type`, `status`.
+//	@Tags			DNS
+//	@Accept			json
+//	@Produce		json
+//	@Param			X-Org-ID	header	string	false	"Organization UUID"
+//	@Param			domain_id	path	string	true	"Domain ID (UUID)"
+//	@Param			name		query	string	false	"Exact relative name or FQDN (server normalizes)"
+//	@Param			type		query	string	false	"RR type (A, AAAA, CNAME, TXT, MX, NS, SRV, CAA)"
+//	@Param			status		query	string	false	"pending|provisioning|ready|failed"
+//	@Success		200			{array}		dto.RecordSetResponse
+//	@Failure		403			{string}	string	"organization required"
+//	@Failure		404			{string}	string	"domain not found"
+//	@Router			/dns/domains/{domain_id}/records [get]
+//	@Security		BearerAuth
+//	@Security		OrgKeyAuth
+//	@Security		OrgSecretAuth
+func ListRecordSets(db *gorm.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
+		if !ok {
+			utils.WriteError(w, http.StatusForbidden, "org_required", "specify X-Org-ID")
+			return
+		}
+		did, err := uuid.Parse(chi.URLParam(r, "domain_id"))
+		if err != nil {
+			log.Info().Msg(err.Error())
+			utils.WriteError(w, http.StatusBadRequest, "bad_id", "invalid domain UUID:")
+			return
+		}
+		var domain models.Domain
+		if err := db.Where("organization_id = ? AND id = ?", orgID, did).First(&domain).Error; err != nil {
+			if errors.Is(err, gorm.ErrRecordNotFound) {
+				utils.WriteError(w, http.StatusNotFound, "not_found", "domain not found")
+				return
+			}
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", "db error")
+			return
+		}
+
+		q := db.Model(&models.RecordSet{}).Where("domain_id = ?", did)
+		if v := strings.TrimSpace(strings.ToLower(r.URL.Query().Get("name"))); v != "" {
+			dn := strings.ToLower(domain.DomainName)
+			rel := v
+			// normalize apex or FQDN into relative
+			if v == dn || v == dn+"." {
+				rel = ""
+			} else {
+				rel = strings.TrimSuffix(v, "."+dn)
+				rel = normLowerNoDot(rel)
+			}
+			q = q.Where("LOWER(name) = ?", rel)
+		}
+		if v := strings.TrimSpace(strings.ToUpper(r.URL.Query().Get("type"))); v != "" {
+			q = q.Where("type = ?", v)
+		}
+		if v := strings.TrimSpace(strings.ToLower(r.URL.Query().Get("status"))); v != "" {
+			q = q.Where("status = ?", v)
+		}
+
+		var rows []models.RecordSet
+		if err := q.Order("created_at DESC").Find(&rows).Error; err != nil {
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", "db error")
+			return
+		}
+		out := make([]dto.RecordSetResponse, 0, len(rows))
+		for i := range rows {
+			out = append(out, recordOut(&rows[i]))
+		}
+		utils.WriteJSON(w, http.StatusOK, out)
+	}
+}
+
+// CreateRecordSet godoc
+//
+//	@ID				CreateRecordSet
+//	@Summary		Create a record set (pending; Archer will UPSERT to Route 53)
+//	@Tags			DNS
+//	@Accept			json
+//	@Produce		json
+//	@Param			X-Org-ID	header	string	false	"Organization UUID"
+//	@Param			domain_id	path	string	true	"Domain ID (UUID)"
+//	@Param			body		body	dto.CreateRecordSetRequest true "Record set payload"
+//	@Success		201			{object} dto.RecordSetResponse
+//	@Failure		400			{string} string "validation error"
+//	@Failure		403			{string} string "organization required"
+//	@Failure		404			{string} string "domain not found"
+//	@Router			/dns/domains/{domain_id}/records [post]
+//	@Security		BearerAuth
+//	@Security		OrgKeyAuth
+//	@Security		OrgSecretAuth
+func CreateRecordSet(db *gorm.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
+		if !ok {
+			utils.WriteError(w, http.StatusForbidden, "org_required", "specify X-Org-ID")
+			return
+		}
+		did, err := uuid.Parse(chi.URLParam(r, "domain_id"))
+		if err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "bad_id", "invalid domain UUID")
+			return
+		}
+		var domain models.Domain
+		if err := db.Where("organization_id = ? AND id = ?", orgID, did).First(&domain).Error; err != nil {
+			if errors.Is(err, gorm.ErrRecordNotFound) {
+				utils.WriteError(w, http.StatusNotFound, "not_found", "domain not found")
+				return
+			}
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", err.Error())
+			return
+		}
+
+		var in dto.CreateRecordSetRequest
+		if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "bad_json", err.Error())
+			return
+		}
+		if err := dto.DNSValidate(in); err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "validation_error", err.Error())
+			return
+		}
+		t := strings.ToUpper(in.Type)
+		if t == "CNAME" && len(in.Values) != 1 {
+			utils.WriteError(w, http.StatusBadRequest, "validation_error", "CNAME requires exactly one value")
+			return
+		}
+
+		rel := normLowerNoDot(in.Name)
+		fq := fqdn(domain.DomainName, rel)
+
+		// Pre-flight: block duplicate tuple and protect from non-autoglue rows
+		var existing models.RecordSet
+		if err := db.Where("domain_id = ? AND LOWER(name) = ? AND type = ?",
+			domain.ID, strings.ToLower(rel), t).First(&existing).Error; err == nil {
+			if existing.Owner != "" && existing.Owner != "autoglue" {
+				utils.WriteError(w, http.StatusConflict, "ownership_conflict",
+					"record with the same (name,type) exists but is not owned by autoglue")
+				return
+			}
+			utils.WriteError(w, http.StatusConflict, "already_exists",
+				"a record with the same (name,type) already exists; use PATCH to modify")
+			return
+		} else if !errors.Is(err, gorm.ErrRecordNotFound) {
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", err.Error())
+			return
+		}
+
+		valuesJSON, _ := json.Marshal(in.Values)
+		fp, err := computeFingerprint(domain.ZoneID, fq, t, in.TTL, datatypes.JSON(valuesJSON))
+		if err != nil {
+			utils.WriteError(w, http.StatusInternalServerError, "fingerprint_error", err.Error())
+			return
+		}
+
+		row := &models.RecordSet{
+			DomainID:    domain.ID,
+			Name:        rel,
+			Type:        t,
+			TTL:         in.TTL,
+			Values:      datatypes.JSON(valuesJSON),
+			Fingerprint: fp,
+			Status:      "pending",
+			LastError:   "",
+			Owner:       "autoglue",
+		}
+		if err := db.Create(row).Error; err != nil {
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", err.Error())
+			return
+		}
+		utils.WriteJSON(w, http.StatusCreated, recordOut(row))
+	}
+}
+
+// UpdateRecordSet godoc
+//
+//	@ID				UpdateRecordSet
+//	@Summary		Update a record set (flips to pending for reconciliation)
+//	@Tags			DNS
+//	@Accept			json
+//	@Produce		json
+//	@Param			X-Org-ID	header	string	false	"Organization UUID"
+//	@Param			id			path	string	true	"Record Set ID (UUID)"
+//	@Param			body		body	dto.UpdateRecordSetRequest true "Fields to update"
+//	@Success		200			{object} dto.RecordSetResponse
+//	@Failure		400			{string} string "validation error"
+//	@Failure		403			{string} string "organization required"
+//	@Failure		404			{string} string "not found"
+//	@Router			/dns/records/{id} [patch]
+//	@Security		BearerAuth
+//	@Security		OrgKeyAuth
+//	@Security		OrgSecretAuth
+func UpdateRecordSet(db *gorm.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
+		if !ok {
+			utils.WriteError(w, http.StatusForbidden, "org_required", "specify X-Org-ID")
+			return
+		}
+		id, err := uuid.Parse(chi.URLParam(r, "id"))
+		if err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "bad_id", "invalid UUID")
+			return
+		}
+
+		var row models.RecordSet
+		if err := db.
+			Joins("Domain").
+			Where(`record_sets.id = ? AND "Domain"."organization_id" = ?`, id, orgID).
+			First(&row).Error; err != nil {
+			if errors.Is(err, gorm.ErrRecordNotFound) {
+				utils.WriteError(w, http.StatusNotFound, "not_found", "record set not found")
+				return
+			}
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", err.Error())
+			return
+		}
+		var domain models.Domain
+		if err := db.Where("id = ?", row.DomainID).First(&domain).Error; err != nil {
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", err.Error())
+			return
+		}
+
+		var in dto.UpdateRecordSetRequest
+		if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "bad_json", err.Error())
+			return
+		}
+		if err := dto.DNSValidate(in); err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "validation_error", err.Error())
+			return
+		}
+		if row.Owner != "" && row.Owner != "autoglue" {
+			utils.WriteError(w, http.StatusConflict, "ownership_conflict",
+				"record is not owned by autoglue; refuse to modify")
+			return
+		}
+
+		// Mutations
+		if in.Name != nil {
+			row.Name = normLowerNoDot(*in.Name)
+		}
+		if in.Type != nil {
+			row.Type = strings.ToUpper(*in.Type)
+		}
+		if in.TTL != nil {
+			row.TTL = in.TTL
+		}
+		if in.Values != nil {
+			t := row.Type
+			if in.Type != nil {
+				t = strings.ToUpper(*in.Type)
+			}
+			if t == "CNAME" && len(*in.Values) != 1 {
+				utils.WriteError(w, http.StatusBadRequest, "validation_error", "CNAME requires exactly one value")
+				return
+			}
+			b, _ := json.Marshal(*in.Values)
+			row.Values = datatypes.JSON(b)
+		}
+
+		if in.Status != nil {
+			row.Status = *in.Status
+		} else {
+			row.Status = "pending"
+			row.LastError = ""
+		}
+
+		fq := fqdn(domain.DomainName, row.Name)
+		fp, err := computeFingerprint(domain.ZoneID, fq, row.Type, row.TTL, row.Values)
+		if err != nil {
+			utils.WriteError(w, http.StatusInternalServerError, "fingerprint_error", err.Error())
+			return
+		}
+		row.Fingerprint = fp
+
+		if err := db.Save(&row).Error; err != nil {
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", err.Error())
+			return
+		}
+		utils.WriteJSON(w, http.StatusOK, recordOut(&row))
+	}
+}
+
+// DeleteRecordSet godoc
+//
+//	@ID				DeleteRecordSet
+//	@Summary		Delete a record set (API removes row; worker can optionally handle external deletion policy)
+//	@Tags			DNS
+//	@Accept			json
+//	@Produce		json
+//	@Param			X-Org-ID	header	string	false	"Organization UUID"
+//	@Param			id			path	string	true	"Record Set ID (UUID)"
+//	@Success		204
+//	@Failure		403			{string}	string	"organization required"
+//	@Failure		404			{string}	string	"not found"
+//	@Router			/dns/records/{id} [delete]
+//	@Security		BearerAuth
+//	@Security		OrgKeyAuth
+//	@Security		OrgSecretAuth
+func DeleteRecordSet(db *gorm.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
+		if !ok {
+			utils.WriteError(w, http.StatusForbidden, "org_required", "specify X-Org-ID")
+			return
+		}
+		id, err := uuid.Parse(chi.URLParam(r, "id"))
+		if err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "bad_id", "invalid UUID")
+			return
+		}
+		sub := db.Model(&models.RecordSet{}).
+			Select("record_sets.id").
+			Joins("JOIN domains ON domains.id = record_sets.domain_id").
+			Where("record_sets.id = ? AND domains.organization_id = ?", id, orgID)
+
+		res := db.Where("id IN (?)", sub).Delete(&models.RecordSet{})
+		if res.Error != nil {
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", res.Error.Error())
+			return
+		}
+		if res.RowsAffected == 0 {
+			utils.WriteError(w, http.StatusNotFound, "not_found", "record set not found")
+			return
+		}
+		w.WriteHeader(http.StatusNoContent)
+	}
+}
+
+// ---------- Out mappers ----------
+
+func domainOut(m *models.Domain) dto.DomainResponse {
+	return dto.DomainResponse{
+		ID:             m.ID.String(),
+		OrganizationID: m.OrganizationID.String(),
+		DomainName:     m.DomainName,
+		ZoneID:         m.ZoneID,
+		Status:         m.Status,
+		LastError:      m.LastError,
+		CredentialID:   m.CredentialID.String(),
+		CreatedAt:      m.CreatedAt.UTC().Format(time.RFC3339),
+		UpdatedAt:      m.UpdatedAt.UTC().Format(time.RFC3339),
+	}
+}
+
+func recordOut(r *models.RecordSet) dto.RecordSetResponse {
+	vals := r.Values
+	if len(vals) == 0 {
+		vals = datatypes.JSON("[]")
+	}
+	return dto.RecordSetResponse{
+		ID:          r.ID.String(),
+		DomainID:    r.DomainID.String(),
+		Name:        r.Name,
+		Type:        r.Type,
+		TTL:         r.TTL,
+		Values:      []byte(vals),
+		Fingerprint: r.Fingerprint,
+		Status:      r.Status,
+		LastError:   r.LastError,
+		Owner:       r.Owner,
+		CreatedAt:   r.CreatedAt.UTC().Format(time.RFC3339),
+		UpdatedAt:   r.UpdatedAt.UTC().Format(time.RFC3339),
+	}
+}
--- a/internal/handlers/dto/dns.go
+++ b/internal/handlers/dto/dns.go
@@ -0,0 +1,103 @@
+package dto
+
+import (
+	"encoding/json"
+	"strings"
+
+	"github.com/go-playground/validator/v10"
+)
+
+var dnsValidate = validator.New()
+
+func init() {
+	_ = dnsValidate.RegisterValidation("fqdn", func(fl validator.FieldLevel) bool {
+		s := strings.TrimSpace(fl.Field().String())
+		if s == "" || len(s) > 253 {
+			return false
+		}
+		// Minimal: lower-cased, no trailing dot in our API (normalize server-side)
+		// You can add stricter checks later.
+		return !strings.HasPrefix(s, ".") && !strings.Contains(s, "..")
+	})
+	_ = dnsValidate.RegisterValidation("rrtype", func(fl validator.FieldLevel) bool {
+		switch strings.ToUpper(fl.Field().String()) {
+		case "A", "AAAA", "CNAME", "TXT", "MX", "NS", "SRV", "CAA":
+			return true
+		default:
+			return false
+		}
+	})
+}
+
+// ---- Domains ----
+
+type CreateDomainRequest struct {
+	DomainName   string `json:"domain_name" validate:"required,fqdn"`
+	CredentialID string `json:"credential_id" validate:"required,uuid4"`
+	ZoneID       string `json:"zone_id,omitempty" validate:"omitempty,max=128"`
+}
+
+type UpdateDomainRequest struct {
+	CredentialID *string `json:"credential_id,omitempty" validate:"omitempty,uuid4"`
+	ZoneID       *string `json:"zone_id,omitempty" validate:"omitempty,max=128"`
+	Status       *string `json:"status,omitempty" validate:"omitempty,oneof=pending provisioning ready failed"`
+	DomainName   *string `json:"domain_name,omitempty" validate:"omitempty,fqdn"`
+}
+
+type DomainResponse struct {
+	ID             string `json:"id"`
+	OrganizationID string `json:"organization_id"`
+	DomainName     string `json:"domain_name"`
+	ZoneID         string `json:"zone_id"`
+	Status         string `json:"status"`
+	LastError      string `json:"last_error"`
+	CredentialID   string `json:"credential_id"`
+	CreatedAt      string `json:"created_at"`
+	UpdatedAt      string `json:"updated_at"`
+}
+
+// ---- Record Sets ----
+
+type AliasTarget struct {
+	HostedZoneID         string `json:"hosted_zone_id" validate:"required"`
+	DNSName              string `json:"dns_name" validate:"required"`
+	EvaluateTargetHealth bool   `json:"evaluate_target_health"`
+}
+
+type CreateRecordSetRequest struct {
+	// Name relative to domain ("endpoint") OR FQDN ("endpoint.example.com").
+	// Server normalizes to relative.
+	Name   string   `json:"name" validate:"required,max=253"`
+	Type   string   `json:"type" validate:"required,rrtype"`
+	TTL    *int     `json:"ttl,omitempty" validate:"omitempty,gte=1,lte=86400"`
+	Values []string `json:"values" validate:"omitempty,dive,min=1,max=1024"`
+}
+
+type UpdateRecordSetRequest struct {
+	// Any change flips status back to pending (worker will UPSERT)
+	Name   *string   `json:"name,omitempty" validate:"omitempty,max=253"`
+	Type   *string   `json:"type,omitempty" validate:"omitempty,rrtype"`
+	TTL    *int      `json:"ttl,omitempty" validate:"omitempty,gte=1,lte=86400"`
+	Values *[]string `json:"values,omitempty" validate:"omitempty,dive,min=1,max=1024"`
+	Status *string   `json:"status,omitempty" validate:"omitempty,oneof=pending provisioning ready failed"`
+}
+
+type RecordSetResponse struct {
+	ID          string          `json:"id"`
+	DomainID    string          `json:"domain_id"`
+	Name        string          `json:"name"`
+	Type        string          `json:"type"`
+	TTL         *int            `json:"ttl,omitempty"`
+	Values      json.RawMessage `json:"values" swaggertype:"object"` // []string JSON
+	Fingerprint string          `json:"fingerprint"`
+	Status      string          `json:"status"`
+	LastError   string          `json:"last_error"`
+	Owner       string          `json:"owner"`
+	CreatedAt   string          `json:"created_at"`
+	UpdatedAt   string          `json:"updated_at"`
+}
+
+// DNSValidate Quick helper to validate DTOs in handlers
+func DNSValidate(i any) error {
+	return dnsValidate.Struct(i)
+}
--- a/internal/handlers/servers.go
+++ b/internal/handlers/servers.go
@@ -370,6 +370,63 @@ func DeleteServer(db *gorm.DB) http.HandlerFunc {
 	}
 }

+// ResetServerHostKey godoc
+//
+//	@ID				ResetServerHostKey
+//	@Summary		Reset SSH host key (org scoped)
+//	@Description	Clears the stored SSH host key for this server. The next SSH connection will re-learn the host key (trust-on-first-use).
+//	@Tags			Servers
+//	@Accept			json
+//	@Produce		json
+//	@Param			X-Org-ID	header		string	false	"Organization UUID"
+//	@Param			id			path		string	true	"Server ID (UUID)"
+//	@Success		200			{object}	dto.ServerResponse
+//	@Failure		400			{string}	string	"invalid id"
+//	@Failure		401			{string}	string	"Unauthorized"
+//	@Failure		403			{string}	string	"organization required"
+//	@Failure		404			{string}	string	"not found"
+//	@Failure		500			{string}	string	"reset failed"
+//	@Router			/servers/{id}/reset-hostkey [post]
+//	@Security		BearerAuth
+//	@Security		OrgKeyAuth
+//	@Security		OrgSecretAuth
+func ResetServerHostKey(db *gorm.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
+		if !ok {
+			utils.WriteError(w, http.StatusForbidden, "org_required", "specify X-Org-ID")
+			return
+		}
+
+		id, err := uuid.Parse(chi.URLParam(r, "id"))
+		if err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "id_invalid", "invalid id")
+			return
+		}
+
+		var server models.Server
+		if err := db.Where("id = ? AND organization_id = ?", id, orgID).First(&server).Error; err != nil {
+			if errors.Is(err, gorm.ErrRecordNotFound) {
+				utils.WriteError(w, http.StatusNotFound, "server_not_found", "server not found")
+				return
+			}
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", "failed to get server")
+			return
+		}
+
+		// Clear stored host key so next SSH handshake will TOFU and persist a new one.
+		server.SSHHostKey = ""
+		server.SSHHostKeyAlgo = ""
+
+		if err := db.Save(&server).Error; err != nil {
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", "failed to reset host key")
+			return
+		}
+
+		utils.WriteJSON(w, http.StatusOK, server)
+	}
+}
+
 // --- Helpers ---

 func validStatus(status string) bool {
--- a/internal/models/backup.go
+++ b/internal/models/backup.go
@@ -0,0 +1,18 @@
+package models
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type Backup struct {
+	ID             uuid.UUID    `gorm:"type:uuid;primaryKey;default:gen_random_uuid()"`
+	OrganizationID uuid.UUID    `gorm:"type:uuid;not null;index;uniqueIndex:uniq_org_credential,priority:1"`
+	Organization   Organization `gorm:"foreignKey:OrganizationID;constraint:OnDelete:CASCADE" json:"organization"`
+	Enabled        bool         `gorm:"not null;default:false" json:"enabled"`
+	CredentialID   uuid.UUID    `gorm:"type:uuid;not null;uniqueIndex:uniq_org_credential,priority:2" json:"credential_id"`
+	Credential     Credential   `gorm:"foreignKey:CredentialID" json:"credential,omitempty"`
+	CreatedAt      time.Time    `json:"created_at,omitempty" gorm:"type:timestamptz;column:created_at;not null;default:now()"`
+	UpdatedAt      time.Time    `json:"updated_at,omitempty" gorm:"type:timestamptz;autoUpdateTime;column:updated_at;not null;default:now()"`
+}
--- a/internal/models/domain.go
+++ b/internal/models/domain.go
@@ -4,18 +4,38 @@ import (
 	"time"

 	"github.com/google/uuid"
+	"gorm.io/datatypes"
 )

 type Domain struct {
 	ID             uuid.UUID    `gorm:"type:uuid;primaryKey;default:gen_random_uuid()"`
-	OrganizationID uuid.UUID    `gorm:"type:uuid;not null;uniqueIndex:idx_credentials_org_provider" json:"organization_id"`
+	OrganizationID uuid.UUID    `gorm:"type:uuid;not null;index;uniqueIndex:uniq_org_domain,priority:1"`
 	Organization   Organization `gorm:"foreignKey:OrganizationID;constraint:OnDelete:CASCADE" json:"organization"`
-	ClusterID      *uuid.UUID   `gorm:"type:uuid" json:"cluster_id,omitempty"`
-	Cluster        *Cluster     `gorm:"foreignKey:ClusterID" json:"cluster,omitempty"`
-	DomainName     string       `gorm:"not null;index" json:"domain_name,omitempty"`
-	DomainID       string
-	CredentialID   uuid.UUID  `gorm:"type:uuid;not null" json:"credential_id"`
-	Credential     Credential `gorm:"foreignKey:CredentialID" json:"credential,omitempty"`
-	CreatedAt      time.Time  `json:"created_at,omitempty" gorm:"type:timestamptz;column:created_at;not null;default:now()"`
-	UpdatedAt      time.Time  `json:"updated_at,omitempty" gorm:"type:timestamptz;autoUpdateTime;column:updated_at;not null;default:now()"`
+	DomainName     string       `gorm:"type:varchar(253);not null;uniqueIndex:uniq_org_domain,priority:2"`
+	ZoneID         string       `gorm:"type:varchar(128);not null;default:''"`       // backfilled for R53 (e.g. "/hostedzone/Z123...")
+	Status         string       `gorm:"type:varchar(20);not null;default:'pending'"` // pending, provisioning, ready, failed
+	LastError      string       `gorm:"type:text;not null;default:''"`
+	CredentialID   uuid.UUID    `gorm:"type:uuid;not null" json:"credential_id"`
+	Credential     Credential   `gorm:"foreignKey:CredentialID" json:"credential,omitempty"`
+	CreatedAt      time.Time    `json:"created_at,omitempty" gorm:"type:timestamptz;column:created_at;not null;default:now()"`
+	UpdatedAt      time.Time    `json:"updated_at,omitempty" gorm:"type:timestamptz;autoUpdateTime;column:updated_at;not null;default:now()"`
+}
+
+type RecordSet struct {
+	ID          uuid.UUID      `gorm:"type:uuid;primaryKey;default:gen_random_uuid()"`
+	DomainID    uuid.UUID      `gorm:"type:uuid;not null;index"`
+	Domain      Domain         `gorm:"foreignKey:DomainID;constraint:OnDelete:CASCADE"`
+	Name        string         `gorm:"type:varchar(253);not null"`      // e.g. "endpoint" (relative to DomainName)
+	Type        string         `gorm:"type:varchar(10);not null;index"` // A, AAAA, CNAME, TXT, MX, SRV, NS, CAA...
+	TTL         *int           `gorm:""`                                // nil for alias targets (Route 53 ignores TTL for alias)
+	Values      datatypes.JSON `gorm:"type:jsonb;not null;default:'[]'"`
+	Fingerprint string         `gorm:"type:char(64);not null;index"` // sha256 of canonical(name,type,ttl,values|alias)
+	Status      string         `gorm:"type:varchar(20);not null;default:'pending'"`
+	Owner       string         `gorm:"type:varchar(16);not null;default:'unknown'"` // 'autoglue' | 'external' | 'unknown'
+	LastError   string         `gorm:"type:text;not null;default:''"`
+	_           struct{}       `gorm:"uniqueIndex:uniq_domain_name_type,priority:1"` // tag holder
+	_           struct{}       `gorm:"uniqueIndex:uniq_domain_name_type,priority:2"`
+	_           struct{}       `gorm:"uniqueIndex:uniq_domain_name_type,priority:3"`
+	CreatedAt   time.Time      `json:"created_at,omitempty" gorm:"type:timestamptz;column:created_at;not null;default:now()"`
+	UpdatedAt   time.Time      `json:"updated_at,omitempty" gorm:"type:timestamptz;autoUpdateTime;column:updated_at;not null;default:now()"`
 }
--- a/internal/models/server.go
+++ b/internal/models/server.go
@@ -22,6 +22,8 @@ type Server struct {
 	Role             string       `gorm:"not null" json:"role" enums:"master,worker,bastion"`                           // e.g., "master", "worker", "bastion"
 	Status           string       `gorm:"default:'pending'" json:"status" enums:"pending, provisioning, ready, failed"` // pending, provisioning, ready, failed
 	NodePools        []NodePool   `gorm:"many2many:node_servers;constraint:OnDelete:CASCADE" json:"node_pools,omitempty"`
+	SSHHostKey       string       `gorm:"column:ssh_host_key"`
+	SSHHostKeyAlgo   string       `gorm:"column:ssh_host_key_algo"`
 	CreatedAt        time.Time    `gorm:"not null;default:now()" json:"created_at" format:"date-time"`
 	UpdatedAt        time.Time    `gorm:"not null;default:now()" json:"updated_at" format:"date-time"`
 }
--- a/internal/web/pgweb_embed.go
+++ b/internal/web/pgweb_embed.go
@@ -1,85 +0,0 @@
-package web
-
-import (
-	"crypto/sha256"
-	"embed"
-	"encoding/hex"
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"path/filepath"
-	"runtime"
-)
-
-//go:embed pgwebbin/*
-var pgwebFS embed.FS
-
-type pgwebAsset struct {
-	Path   string
-	SHA256 string
-}
-
-var pgwebIndex = map[string]pgwebAsset{
-	"linux/amd64":  {Path: "pgwebbin/pgweb-linux-amd64", SHA256: ""},
-	"linux/arm64":  {Path: "pgwebbin/pgweb-linux-arm64", SHA256: ""},
-	"darwin/amd64": {Path: "pgwebbin/pgweb-darwin-amd64", SHA256: ""},
-	"darwin/arm64": {Path: "pgwebbin/pgweb-darwin-arm64", SHA256: ""},
-}
-
-func ExtractPgweb() (string, error) {
-	key := runtime.GOOS + "/" + runtime.GOARCH
-	as, ok := pgwebIndex[key]
-	if !ok {
-		return "", fmt.Errorf("pgweb not embedded for %s", key)
-	}
-	f, err := pgwebFS.Open(as.Path)
-	if err != nil {
-		return "", fmt.Errorf("embedded pgweb missing: %w", err)
-	}
-	defer f.Close()
-
-	tmpDir, err := os.MkdirTemp("", "pgweb-*")
-	if err != nil {
-		return "", err
-	}
-
-	filename := "pgweb"
-	if runtime.GOOS == "windows" {
-		filename += ".exe"
-	}
-	outPath := filepath.Join(tmpDir, filename)
-
-	out, err := os.OpenFile(outPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o700)
-	if err != nil {
-		return "", err
-	}
-	defer out.Close()
-
-	h := sha256.New()
-	if _, err = io.Copy(io.MultiWriter(out, h), f); err != nil {
-		return "", err
-	}
-
-	if as.SHA256 != "" {
-		got := hex.EncodeToString(h.Sum(nil))
-		if got != as.SHA256 {
-			return "", fmt.Errorf("pgweb checksum mismatch: got=%s want=%s", got, as.SHA256)
-		}
-	}
-
-	// Make sure it’s executable on Unix; Windows ignores this.
-	_ = os.Chmod(outPath, 0o700)
-	return outPath, nil
-}
-
-func CleanupPgweb(pgwebPath string) error {
-	if pgwebPath == "" {
-		return nil
-	}
-	dir := filepath.Dir(pgwebPath)
-	if dir == "" || dir == "/" || dir == "." {
-		return errors.New("refusing to remove suspicious directory")
-	}
-	return os.RemoveAll(dir)
-}
--- a/internal/web/pgweb_proxy.go
+++ b/internal/web/pgweb_proxy.go
@@ -1,107 +0,0 @@
-package web
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"net/http"
-	"net/http/httputil"
-	"net/url"
-	"os"
-	"os/exec"
-	"time"
-)
-
-type Pgweb struct {
-	cmd  *exec.Cmd
-	host string
-	port string
-	bin  string
-}
-
-func StartPgweb(dbURL, host, port string, readonly bool, user, pass string) (*Pgweb, error) {
-	// pick random port if 0/empty
-	if port == "" || port == "0" {
-		l, err := net.Listen("tcp", net.JoinHostPort(host, "0"))
-		if err != nil {
-			return nil, err
-		}
-		defer l.Close()
-		_, p, _ := net.SplitHostPort(l.Addr().String())
-		port = p
-	}
-
-	args := []string{
-		"--url", dbURL,
-		"--bind", host,
-		"--listen", port,
-		"--prefix", "db-studio",
-		"--skip-open",
-	}
-	if readonly {
-		args = append(args, "--readonly")
-	}
-	if user != "" && pass != "" {
-		args = append(args, "--auth-user", user, "--auth-pass", pass)
-	}
-
-	pgwebBinary, err := ExtractPgweb()
-	if err != nil {
-		return nil, fmt.Errorf("pgweb extract: %w", err)
-	}
-
-	cmd := exec.Command(pgwebBinary, args...)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-
-	if err := cmd.Start(); err != nil {
-		return nil, err
-	}
-
-	// wait for port to be ready
-	deadline := time.Now().Add(4 * time.Second)
-	for time.Now().Before(deadline) {
-		c, err := net.DialTimeout("tcp", net.JoinHostPort(host, port), 200*time.Millisecond)
-		if err == nil {
-			_ = c.Close()
-			return &Pgweb{cmd: cmd, host: host, port: port}, nil
-		}
-		time.Sleep(120 * time.Millisecond)
-	}
-	// still return object so caller can Stop()
-	//return &Pgweb{cmd: cmd, host: host, port: port, bin: pgwebBinary}, nil
-	return nil, fmt.Errorf("pgweb did not become ready on %s:%s", host, port)
-}
-
-func (p *Pgweb) Proxy() http.HandlerFunc {
-	target, _ := url.Parse("http://" + net.JoinHostPort(p.host, p.port))
-	proxy := httputil.NewSingleHostReverseProxy(target)
-	proxy.FlushInterval = 100 * time.Millisecond
-	return func(w http.ResponseWriter, r *http.Request) {
-		r.Host = target.Host
-		// Let pgweb handle its paths; we mount it at a prefix.
-		proxy.ServeHTTP(w, r)
-	}
-}
-
-func (p *Pgweb) Stop(ctx context.Context) error {
-	if p == nil || p.cmd == nil || p.cmd.Process == nil {
-		return nil
-	}
-	_ = p.cmd.Process.Kill()
-	done := make(chan struct{})
-	go func() { _, _ = p.cmd.Process.Wait(); close(done) }()
-	select {
-	case <-done:
-		if p.bin != "" {
-			_ = CleanupPgweb(p.bin)
-		}
-	case <-ctx.Done():
-		return ctx.Err()
-	}
-	return nil
-}
-
-func (p *Pgweb) Port() string {
-	return p.port
-}
--- a/internal/web/pgwebbin/pgweb-darwin-amd64
+++ b/internal/web/pgwebbin/pgweb-darwin-amd64
--- a/internal/web/pgwebbin/pgweb-darwin-arm64
+++ b/internal/web/pgwebbin/pgweb-darwin-arm64
--- a/internal/web/pgwebbin/pgweb-linux-amd64
+++ b/internal/web/pgwebbin/pgweb-linux-amd64
--- a/internal/web/pgwebbin/pgweb-linux-arm64
+++ b/internal/web/pgwebbin/pgweb-linux-arm64