diff --git a/.gitea/workflows/deploy-to-phoenix.yml b/.gitea/workflows/deploy-to-phoenix.yml
index 50d7cdf2..f0f8a3d5 100644
--- a/.gitea/workflows/deploy-to-phoenix.yml
+++ b/.gitea/workflows/deploy-to-phoenix.yml
@@ -31,3 +31,41 @@ jobs:
             -H "Authorization: Bearer ${{ secrets.PHOENIX_DEPLOY_TOKEN }}" \
             -H "Content-Type: application/json" \
             -d "{\"repo\":\"${{ gitea.repository }}\",\"sha\":\"${SHA}\",\"branch\":\"${BRANCH}\",\"target\":\"default\"}"
+
+  deploy-atomic-swap-dapp:
+    needs: validate
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Trigger Atomic Swap dApp deployment (Phoenix)
+        run: |
+          SHA="$(git rev-parse HEAD)"
+          BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+          curl -sSf -X POST "${{ secrets.PHOENIX_DEPLOY_URL }}" \
+            -H "Authorization: Bearer ${{ secrets.PHOENIX_DEPLOY_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            -d "{\"repo\":\"${{ gitea.repository }}\",\"sha\":\"${SHA}\",\"branch\":\"${BRANCH}\",\"target\":\"atomic-swap-dapp-live\"}"
+
+  # After app deploy, ask Phoenix to run path-gated Cloudflare DNS sync on the host that has
+  # PHOENIX_REPO_ROOT + .env (not on this runner). Skips unless PHOENIX_CLOUDFLARE_SYNC=1 on that host.
+  # continue-on-error: first-time or missing opt-in should not block the main deploy.
+  cloudflare:
+    needs:
+      - deploy
+      - deploy-atomic-swap-dapp
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Request Cloudflare DNS sync (Phoenix)
+        run: |
+          SHA="$(git rev-parse HEAD)"
+          BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+          curl -sSf -X POST "${{ secrets.PHOENIX_DEPLOY_URL }}" \
+            -H "Authorization: Bearer ${{ secrets.PHOENIX_DEPLOY_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            -d "{\"repo\":\"${{ gitea.repository }}\",\"sha\":\"${SHA}\",\"branch\":\"${BRANCH}\",\"target\":\"cloudflare-sync\"}"
diff --git a/phoenix-deploy-api/deploy-targets.json b/phoenix-deploy-api/deploy-targets.json
index 8aae46d2..91a8fd61 100644
--- a/phoenix-deploy-api/deploy-targets.json
+++ b/phoenix-deploy-api/deploy-targets.json
@@ -27,6 +27,36 @@
         "timeout_ms": 10000
       }
     },
+    {
+      "repo": "d-bis/proxmox",
+      "branch": "main",
+      "target": "cloudflare-sync",
+      "description": "Optional: sync Cloudflare DNS from repo .env (path-gated; set PHOENIX_CLOUDFLARE_SYNC=1 on host).",
+      "cwd": "${PHOENIX_REPO_ROOT}",
+      "command": [
+        "bash",
+        "scripts/deployment/gitea-cloudflare-sync.sh"
+      ],
+      "required_env": [
+        "PHOENIX_REPO_ROOT"
+      ],
+      "timeout_sec": 600
+    },
+    {
+      "repo": "d-bis/proxmox",
+      "branch": "main",
+      "target": "cloudflare-sync-force",
+      "description": "Same as cloudflare-sync but skips path filter (operator / manual).",
+      "cwd": "${PHOENIX_REPO_ROOT}",
+      "command": [
+        "bash",
+        "scripts/deployment/gitea-cloudflare-sync.sh"
+      ],
+      "required_env": [
+        "PHOENIX_REPO_ROOT"
+      ],
+      "timeout_sec": 600
+    },
     {
       "repo": "d-bis/proxmox",
       "branch": "main",
@@ -50,6 +80,28 @@
         "timeout_ms": 10000
       }
     },
+    {
+      "repo": "d-bis/proxmox",
+      "branch": "main",
+      "target": "atomic-swap-dapp-live",
+      "description": "Deploy the Atomic Swap dApp to VMID 5801 on Proxmox.",
+      "cwd": "${PHOENIX_REPO_ROOT}",
+      "command": [
+        "bash",
+        "scripts/deployment/deploy-atomic-swap-dapp-5801.sh"
+      ],
+      "required_env": [
+        "PHOENIX_REPO_ROOT"
+      ],
+      "healthcheck": {
+        "url": "https://atomic-swap.defi-oracle.io/data/live-route-registry.json",
+        "expect_status": 200,
+        "expect_body_includes": "\"liveBridgeRoutes\"",
+        "attempts": 10,
+        "delay_ms": 5000,
+        "timeout_ms": 15000
+      }
+    },
     {
       "repo": "d-bis/proxmox",
       "branch": "master",
@@ -74,6 +126,58 @@
         "timeout_ms": 10000
       }
     },
+    {
+      "repo": "d-bis/proxmox",
+      "branch": "master",
+      "target": "atomic-swap-dapp-live",
+      "description": "Deploy the Atomic Swap dApp to VMID 5801 on Proxmox.",
+      "cwd": "${PHOENIX_REPO_ROOT}",
+      "command": [
+        "bash",
+        "scripts/deployment/deploy-atomic-swap-dapp-5801.sh"
+      ],
+      "required_env": [
+        "PHOENIX_REPO_ROOT"
+      ],
+      "healthcheck": {
+        "url": "https://atomic-swap.defi-oracle.io/data/live-route-registry.json",
+        "expect_status": 200,
+        "expect_body_includes": "\"liveBridgeRoutes\"",
+        "attempts": 10,
+        "delay_ms": 5000,
+        "timeout_ms": 15000
+      }
+    },
+    {
+      "repo": "d-bis/proxmox",
+      "branch": "master",
+      "target": "cloudflare-sync",
+      "description": "Optional: sync Cloudflare DNS from repo .env (path-gated; set PHOENIX_CLOUDFLARE_SYNC=1 on host).",
+      "cwd": "${PHOENIX_REPO_ROOT}",
+      "command": [
+        "bash",
+        "scripts/deployment/gitea-cloudflare-sync.sh"
+      ],
+      "required_env": [
+        "PHOENIX_REPO_ROOT"
+      ],
+      "timeout_sec": 600
+    },
+    {
+      "repo": "d-bis/proxmox",
+      "branch": "master",
+      "target": "cloudflare-sync-force",
+      "description": "Same as cloudflare-sync but skips path filter (operator / manual).",
+      "cwd": "${PHOENIX_REPO_ROOT}",
+      "command": [
+        "bash",
+        "scripts/deployment/gitea-cloudflare-sync.sh"
+      ],
+      "required_env": [
+        "PHOENIX_REPO_ROOT"
+      ],
+      "timeout_sec": 600
+    },
     {
       "repo": "d-bis/proxmox",
       "branch": "master",