# Phase 7: Nginx Proxy Manager Integration

**Status:** ⬜ Not Started
**Parent plan:** [PLAN.md](./PLAN.md)
**Domain:** backend

## Objective
Implement Nginx Proxy Manager integration to display proxy hosts, SSL certificate expiry warnings, and upstream reachability status.

## Tasks

- [ ] Task 1: Create `src/lib/server/integrations/npm/schema.ts` — Zod schemas for auth config (`{ email: string, password: string }`) and endpoint responses.
- [ ] Task 2: Create `src/lib/server/integrations/npm/client.ts` — HTTP client for NPM API. Session-based auth: POST `/api/tokens` with email+password → get JWT → use for subsequent requests. Endpoints: `/api/nginx/proxy-hosts`, `/api/nginx/certificates`, `/api/nginx/proxy-hosts/{id}`. Cache session token.
- [ ] Task 3: Create `src/lib/server/integrations/npm/transform.ts` — Transform: proxy hosts → list with domain/status/SSL info, certificates → list with expiry countdown (red <7d, yellow <14d, green >14d), upstream → list with reachable/unreachable indicator.
- [ ] Task 4: Create `src/lib/server/integrations/npm/index.ts` — Integration implementation. Endpoints: `proxy-hosts` (list), `ssl-certificates` (list), `upstream-status` (list). testConnection: authenticate and fetch proxy hosts.
- [ ] Task 5: Register NPM integration in registry.

## Files to Modify/Create
- `src/lib/server/integrations/npm/schema.ts` — new
- `src/lib/server/integrations/npm/client.ts` — new
- `src/lib/server/integrations/npm/transform.ts` — new
- `src/lib/server/integrations/npm/index.ts` — new
- `src/lib/server/integrations/registry.ts` — modify: register NPM

## Acceptance Criteria
- Proxy hosts list with domain name, enabled/disabled status
- SSL certificates with expiry date and color-coded countdown
- Upstream status shows reachable/unreachable per host
- Session-based auth works (login → token → API calls)
- Handles expired session token (re-authenticate automatically)
- Test connection validates email/password credentials

## Notes
- NPM uses session-based auth, not API keys — need to login first, cache the JWT
- SSL expiry is the highest-value feature here — highlight expiring certs prominently
- The session token has a limited lifetime — handle re-authentication on 401 responses
- NPM API is relatively simple and well-documented

## Review Checklist
- [ ] All tasks completed
- [ ] Session token caching and re-auth implemented
- [ ] Code follows project conventions

## Handoff to Next Phase
<!-- Filled in after completion -->