tiny-forge/plans/cloudflare-dns-management/phase-1-settings-model.md
alexei.dolgolyov c730cfaa45 feat: Cloudflare DNS management with automatic record sync
Add flexible DNS management to Docker Watcher. By default, wildcard DNS
is assumed (current behavior). When disabled, users can configure a
Cloudflare DNS provider with API token and zone selection. DNS A records
are automatically created/updated/deleted in sync with proxy consumers
(deployed instances and standalone proxies).

- Settings: wildcard_dns toggle, dns_provider, cloudflare credentials
- Cloudflare client: Provider interface with EnsureRecord/DeleteRecord/ListRecords
- DNS lifecycle hooks in deployer and proxy manager (best-effort)
- Settings UI: DNS config section with provider picker, zone selector, test button
- DNS Records page at /dns with filtering, sync status, reconciliation
- Records visible in both wildcard and managed modes
- Cleanup on provider change: removes old records when switching modes
2026-04-02 14:49:21 +03:00


# Phase 1: Settings Model & API
**Status:** ⬜ Not Started
**Parent plan:** [PLAN.md](./PLAN.md)
**Domain:** backend
## Objective
Extend the Settings model and API to support DNS provider configuration.
## Tasks
- [ ] Task 1: Add new fields to `Settings` struct in `internal/store/models.go`
  - `WildcardDNS` (bool, default true)
  - `DNSProvider` (string, default "")
  - `CloudflareAPIToken` (string, encrypted)
  - `CloudflareZoneID` (string)
- [ ] Task 2: Add migration columns in `internal/store/store.go`
  - `wildcard_dns` INTEGER DEFAULT 1
  - `dns_provider` TEXT DEFAULT ''
  - `cloudflare_api_token` TEXT DEFAULT ''
  - `cloudflare_zone_id` TEXT DEFAULT ''
- [ ] Task 3: Update `GetSettings()` and `UpdateSettings()` in `internal/store/settings.go`
  - Read/write new fields
  - Encrypt/decrypt `cloudflare_api_token`
- [ ] Task 4: Update `GET /api/settings` handler to include new fields (mask token)
- [ ] Task 5: Update `PUT /api/settings` handler to accept new fields
- [ ] Task 6: Add `POST /api/settings/dns/test` endpoint — validate Cloudflare token + zone
- [ ] Task 7: Add `GET /api/settings/dns/zones` endpoint — list Cloudflare zones for picker
- [ ] Task 8: Register new routes in `internal/api/router.go`
## Files to Modify/Create
- `internal/store/models.go` — add fields to Settings struct
- `internal/store/store.go` — add migration columns
- `internal/store/settings.go` — update read/write queries
- `internal/api/settings.go` — update handlers, add new endpoints
- `internal/api/router.go` — register new routes
## Acceptance Criteria
- New settings fields are persisted and retrievable
- Cloudflare API token is encrypted at rest
- GET /api/settings returns new fields (token masked)
- PUT /api/settings accepts and stores new fields
- DNS test and zones endpoints registered (can return placeholder until Phase 2)
## Notes
- Token encryption uses existing `crypto.Encrypt/Decrypt`
- `has_cloudflare_api_token` bool in GET response (same pattern as npm_password)
- DNS test/zones endpoints will make real Cloudflare API calls — Phase 2 client needed
  for full implementation, but can use inline HTTP calls for these two endpoints
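
The token masking from Tasks 4 and 5 and the `has_cloudflare_api_token` note, as an added Go example (not code from this repository): the GET body has no token field at all, and a PUT that omits the token keeps the stored one, so a client can send back what it fetched without wiping the secret. The names `settingsView`, `RenderGET` and `ApplyPUT`, the JSON keys other than `has_cloudflare_api_token`, and the absent/empty/replace token semantics are assumptions; encryption at rest is left to the store layer.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Settings holds the Task 1 fields; the token is plaintext in memory only.
type Settings struct {
	WildcardDNS        bool
	DNSProvider        string
	CloudflareAPIToken string
	CloudflareZoneID   string
}

// settingsView (hypothetical) is the GET body: no token field, only a presence flag.
type settingsView struct {
	WildcardDNS           bool   `json:"wildcard_dns"`
	DNSProvider           string `json:"dns_provider"`
	CloudflareZoneID      string `json:"cloudflare_zone_id"`
	HasCloudflareAPIToken bool   `json:"has_cloudflare_api_token"`
}

// RenderGET serializes settings for GET /api/settings without the secret.
func RenderGET(s Settings) (string, error) {
	b, err := json.Marshal(settingsView{s.WildcardDNS, s.DNSProvider,
		s.CloudflareZoneID, s.CloudflareAPIToken != ""})
	return string(b), err
}

// ApplyPUT merges a full-settings PUT body. Assumed token semantics:
// key absent = keep stored token, "" = clear it, other value = replace it.
func ApplyPUT(cur Settings, body []byte) (Settings, error) {
	var in struct {
		WildcardDNS        bool    `json:"wildcard_dns"`
		DNSProvider        string  `json:"dns_provider"`
		CloudflareZoneID   string  `json:"cloudflare_zone_id"`
		CloudflareAPIToken *string `json:"cloudflare_api_token"`
	}
	if err := json.Unmarshal(body, &in); err != nil {
		return cur, err
	}
	next := Settings{in.WildcardDNS, in.DNSProvider, cur.CloudflareAPIToken, in.CloudflareZoneID}
	if in.CloudflareAPIToken != nil {
		next.CloudflareAPIToken = *in.CloudflareAPIToken
	}
	return next, nil
}

func main() {
	out, _ := RenderGET(Settings{false, "cloudflare", "cf-token-constructed", "zone-constructed"})
	fmt.Println(out) // constructed sample values; the token never appears in the output
}
```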
## Review Checklist
- [ ] All tasks completed
- [ ] Code follows project conventions
- [ ] No unintended side effects
- [ ] Build passes
- [ ] Tests pass (new + existing)
## Handoff to Next Phase
<!-- Filled in after completion -->