| 4.1 | domain-service scaffolding & proto | Scaffold the domain-service NestJS application with gRPC transport, define domain.proto (AddDomain, VerifyDomain, ListDomains, RemoveDomain RPCs), and generate TypeScript stubs. | Service starts, registers with the API Gateway, and responds to a health-check RPC. |
| 4.2 | DNS TXT verification logic | Implement the server-side logic that generates a unique TXT record value per domain, performs a DNS lookup to check for the record, and marks the domain as verified on success. | Given a domain with the correct TXT record, VerifyDomain returns VERIFIED; without the record it returns PENDING. |
| 4.3 | Auto-polling + manual verify | Add a background job (NATS-scheduled or cron) that re-checks pending domains every 5 minutes, and expose a "Verify Now" button in the UI that triggers an immediate check. | Pending domains are automatically verified within 5 minutes of the TXT record appearing; the manual button triggers an instant check and updates the UI. |
| 4.4 | SpiceDB domain ownership integration | On successful verification, write a domain:owner relationship to SpiceDB. All scan and domain RPCs must check this relationship before proceeding. | Only the verified owner (or org members with the domain:viewer relation) can list or scan the domain; unauthorized access returns PERMISSION_DENIED. |
| 4.5 | Domain management UI | Build the admin portal domain page: add domain form, list of domains with status badges (Pending / Verified / Failed), TXT record instructions, verify button, and delete action. | Users can add, view, verify, and remove domains entirely through the UI; status badges update in real time via WebSocket. |
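
The TXT check described in task 4.2, as an added TypeScript example that is not the project's own code. The `domain-verification=` record format, the function names, and the choice to map only `ENOTFOUND`/`ENODATA` to PENDING are assumptions made for illustration.

```typescript
import { randomBytes } from "node:crypto";
import { promises as dns } from "node:dns";

export type VerifyStatus = "VERIFIED" | "PENDING";

// Hypothetical record format: "<prefix>=<token>".
const TXT_PREFIX = "domain-verification";

// 256 bits from the CSPRNG, generated once per domain claim and stored server-side.
// A fresh value per claim means one tenant's published record cannot satisfy
// another tenant's claim on the same domain.
export function generateTxtValue(): string {
  return `${TXT_PREFIX}=${randomBytes(32).toString("hex")}`;
}

// resolveTxt returns every TXT record as an array of <=255-byte chunks, so each
// record is joined before comparing. The match is exact: no prefix, substring
// or case-insensitive matching, and unrelated records (SPF etc.) are ignored.
export function evaluateTxtRecords(records: string[][], expected: string): VerifyStatus {
  const match = records.some((chunks) => chunks.join("") === expected);
  return match ? "VERIFIED" : "PENDING";
}

// The resolver is injectable so the logic can be exercised without network access.
export async function verifyDomain(
  domain: string,
  expected: string,
  resolveTxt: (name: string) => Promise<string[][]> = (n) => dns.resolveTxt(n),
): Promise<VerifyStatus> {
  try {
    return evaluateTxtRecords(await resolveTxt(domain), expected);
  } catch (err) {
    const code = (err as { code?: string }).code;
    // Name missing or no TXT data yet: the record has not appeared, keep polling.
    if (code === "ENOTFOUND" || code === "ENODATA") return "PENDING";
    // Timeouts, SERVFAIL and similar are resolver failures, not evidence about
    // the record, so they are surfaced instead of being stored as a result.
    throw err;
  }
}
```

The same `verifyDomain` call can back both the 5-minute poll and the "Verify Now" button from task 4.3, so the two paths cannot disagree on what counts as verified.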