From e05114233445cf5af834b8a0195499ff00e82e8e Mon Sep 17 00:00:00 2001
From: Dennis <github@infinite-ways.de>
Date: Mon, 22 Dec 2025 17:44:56 +0100
Subject: [PATCH 001/314] Add region-based resource rule

---
 messages/de-DE.json                           |  28 +++
 messages/en-US.json                           |  34 +++
 messages/ru-RU.json                           |  28 +++
 server/db/regions.ts                          | 196 +++++++++++++++
 server/routers/badger/verifySession.test.ts   |  96 ++++++-
 server/routers/badger/verifySession.ts        |  46 ++++
 server/routers/resource/createResourceRule.ts |  12 +-
 server/routers/resource/updateResourceRule.ts |  12 +-
 .../resources/proxy/[niceId]/rules/page.tsx   | 238 +++++++++++++++++-
 9 files changed, 678 insertions(+), 12 deletions(-)
 create mode 100644 server/db/regions.ts

diff --git a/messages/de-DE.json b/messages/de-DE.json
index 13ab3d11c..94950748f 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -1734,6 +1734,34 @@
     "exitNode": "Exit-Node",
     "country": "Land",
     "rulesMatchCountry": "Derzeit basierend auf der Quell-IP",
+    "region": "Region",
+    "regionAfrica": "Afrika",
+    "regionNorthernAfrica": "Nordafrika",
+    "regionEasternAfrica": "Ostafrika",
+    "regionMiddleAfrica": "Zentralafrika",
+    "regionSouthernAfrica": "Südliches Afrika",
+    "regionWesternAfrica": "Westafrika",
+    "regionAmericas": "Amerika",
+    "regionCaribbean": "Karibik",
+    "regionCentralAmerica": "Mittelamerika",
+    "regionSouthAmerica": "Südamerika",
+    "regionNorthernAmerica": "Nordamerika",
+    "regionAsia": "Asien",
+    "regionCentralAsia": "Zentralasien",
+    "regionEasternAsia": "Ostasien",
+    "regionSouthEasternAsia": "Südostasien",
+    "regionSouthernAsia": "Südasien",
+    "regionWesternAsia": "Westasien",
+    "regionEurope": "Europa",
+    "regionEasternEurope": "Osteuropa",
+    "regionNorthernEurope": "Nordeuropa",
+    "regionSouthernEurope": "Südeuropa",
+    "regionWesternEurope": "Westeuropa",
+    "regionOceania": "Ozeanien",
+    "regionAustraliaAndNewZealand": "Australien und Neuseeland",
+    "regionMelanesia": "Melanesien",
+    "regionMicronesia": "Mikronesien",
+    "regionPolynesia": "Polynesien",
     "managedSelfHosted": {
         "title": "Verwaltetes Selbsthosted",
         "description": "Zuverlässiger und wartungsarmer Pangolin Server mit zusätzlichen Glocken und Pfeifen",
diff --git a/messages/en-US.json b/messages/en-US.json
index b023ac754..55cf2d6bd 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -1734,6 +1734,40 @@
     "exitNode": "Exit Node",
     "country": "Country",
     "rulesMatchCountry": "Currently based on source IP",
+    "region": "Region",
+    "selectRegion": "Select region",
+    "searchRegions": "Search regions...",
+    "noRegionFound": "No region found.",
+    "rulesMatchRegion": "Select a regional grouping of countries",
+    "rulesErrorInvalidRegion": "Invalid region",
+    "rulesErrorInvalidRegionDescription": "Please select a valid region.",
+    "regionAfrica": "Africa",
+    "regionNorthernAfrica": "Northern Africa",
+    "regionEasternAfrica": "Eastern Africa",
+    "regionMiddleAfrica": "Middle Africa",
+    "regionSouthernAfrica": "Southern Africa",
+    "regionWesternAfrica": "Western Africa",
+    "regionAmericas": "Americas",
+    "regionCaribbean": "Caribbean",
+    "regionCentralAmerica": "Central America",
+    "regionSouthAmerica": "South America",
+    "regionNorthernAmerica": "Northern America",
+    "regionAsia": "Asia",
+    "regionCentralAsia": "Central Asia",
+    "regionEasternAsia": "Eastern Asia",
+    "regionSouthEasternAsia": "South-Eastern Asia",
+    "regionSouthernAsia": "Southern Asia",
+    "regionWesternAsia": "Western Asia",
+    "regionEurope": "Europe",
+    "regionEasternEurope": "Eastern Europe",
+    "regionNorthernEurope": "Northern Europe",
+    "regionSouthernEurope": "Southern Europe",
+    "regionWesternEurope": "Western Europe",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Australia and New Zealand",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
     "managedSelfHosted": {
         "title": "Managed Self-Hosted",
         "description": "More reliable and low-maintenance self-hosted Pangolin server with extra bells and whistles",
diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index d687b7837..5eb1ee076 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -1734,6 +1734,34 @@
     "exitNode": "Узел выхода",
     "country": "Страна",
     "rulesMatchCountry": "В настоящее время основано на исходном IP",
+    "region": "Регион",
+    "regionAfrica": "Африка",
+    "regionNorthernAfrica": "Северная Африка",
+    "regionEasternAfrica": "Восточная Африка",
+    "regionMiddleAfrica": "Центральная Африка",
+    "regionSouthernAfrica": "Южная Африка",
+    "regionWesternAfrica": "Западная Африка",
+    "regionAmericas": "Америка",
+    "regionCaribbean": "Карибы",
+    "regionCentralAmerica": "Центральная Америка",
+    "regionSouthAmerica": "Южная Америка",
+    "regionNorthernAmerica": "Северная Америка",
+    "regionAsia": "Азия",
+    "regionCentralAsia": "Центральная Азия",
+    "regionEasternAsia": "Восточная Азия",
+    "regionSouthEasternAsia": "Юго-Восточная Азия",
+    "regionSouthernAsia": "Южная Азия",
+    "regionWesternAsia": "Западная Азия",
+    "regionEurope": "Европа",
+    "regionEasternEurope": "Восточная Европа",
+    "regionNorthernEurope": "Северная Европа",
+    "regionSouthernEurope": "Южная Европа",
+    "regionWesternEurope": "Западная Европа",
+    "regionOceania": "Океания",
+    "regionAustraliaAndNewZealand": "Австралия и Новая Зеландия",
+    "regionMelanesia": "Меланезия",
+    "regionMicronesia": "Микронезия",
+    "regionPolynesia": "Полинезия",
     "managedSelfHosted": {
         "title": "Управляемый с самовывоза",
         "description": "Более надежный и низко обслуживаемый сервер Pangolin с дополнительными колокольнями и свистками",
diff --git a/server/db/regions.ts b/server/db/regions.ts
new file mode 100644
index 000000000..90a380a29
--- /dev/null
+++ b/server/db/regions.ts
@@ -0,0 +1,196 @@
+// Regions of the World
+// as of 2025-10-25
+//
+// Adapted according to the United Nations Geoscheme
+// see https://www.unicode.org/cldr/charts/48/supplemental/territory_containment_un_m_49.html
+// see https://unstats.un.org/unsd/methodology/m49
+
+export const REGIONS = [
+    {
+        name: "regionAfrica",
+        id: "002",
+        includes: [
+            {
+                name: "regionNorthernAfrica",
+                id: "015",
+                countries: ["DZ", "EG", "LY", "MA", "SD", "TN", "EH"]
+            },
+            {
+                name: "regionEasternAfrica",
+                id: "014",
+                countries: ["IO", "BI", "KM", "DJ", "ER", "ET", "TF", "KE", "MG", "MW", "MU", "YT", "MZ", "RE", "RW", "SC", "SO", "SS", "UG", "ZM", "ZW"]
+            },
+            {
+                name: "regionMiddleAfrica",
+                id: "017",
+                countries: ["AO", "CM", "CF", "TD", "CG", "CD", "GQ", "GA", "ST"]
+            },
+            {
+                name: "regionSouthernAfrica",
+                id: "018",
+                countries: ["BW", "SZ", "LS", "NA", "ZA"]
+            },
+            {
+                name: "regionWesternAfrica",
+                id: "011",
+                countries: ["BJ", "BF", "CV", "CI", "GM", "GH", "GN", "GW", "LR", "ML", "MR", "NE", "NG", "SH", "SN", "SL", "TG"]
+            }
+        ]
+    },
+    {
+        name: "regionAmericas",
+        id: "019",
+        includes: [
+            {
+                name: "regionCaribbean",
+                id: "029",
+                countries: ["AI", "AG", "AW", "BS", "BB", "BQ", "VG", "KY", "CU", "CW", "DM", "DO", "GD", "GP", "HT", "JM", "MQ", "MS", "PR", "BL", "KN", "LC", "MF", "VC", "SX", "TT", "TC", "VI"]
+            },
+            {
+                name: "regionCentralAmerica",
+                id: "013",
+                countries: ["BZ", "CR", "SV", "GT", "HN", "MX", "NI", "PA"]
+            },
+            {
+                name: "regionSouthAmerica",
+                id: "005",
+                countries: ["AR", "BO", "BV", "BR", "CL", "CO", "EC", "FK", "GF", "GY", "PY", "PE", "GS", "SR", "UY", "VE"]
+            },
+            {
+                name: "regionNorthernAmerica",
+                id: "021",
+                countries: ["BM", "CA", "GL", "PM", "US"]
+            }
+        ]
+    },
+    {
+        name: "regionAsia",
+        id: "142",
+        includes: [
+            {
+                name: "regionCentralAsia",
+                id: "143",
+                countries: ["KZ", "KG", "TJ", "TM", "UZ"]
+            },
+            {
+                name: "regionEasternAsia",
+                id: "030",
+                countries: ["CN", "HK", "MO", "KP", "JP", "MN", "KR"]
+            },
+            {
+                name: "regionSouthEasternAsia",
+                id: "035",
+                countries: ["BN", "KH", "ID", "LA", "MY", "MM", "PH", "SG", "TH", "TL", "VN"]
+            },
+            {
+                name: "regionSouthernAsia",
+                id: "034",
+                countries: ["AF", "BD", "BT", "IN", "IR", "MV", "NP", "PK", "LK"]
+            },
+            {
+                name: "regionWesternAsia",
+                id: "145",
+                countries: ["AM", "AZ", "BH", "CY", "GE", "IQ", "IL", "JO", "KW", "LB", "OM", "QA", "SA", "PS", "SY", "TR", "AE", "YE"]
+            }
+        ]
+    },
+    {
+        name: "regionEurope",
+        id: "150",
+        includes: [
+            {
+                name: "regionEasternEurope",
+                id: "151",
+                countries: ["BY", "BG", "CZ", "HU", "PL", "MD", "RO", "RU", "SK", "UA"]
+            },
+            {
+                name: "regionNorthernEurope",
+                id: "154",
+                countries: ["AX", "DK", "EE", "FO", "FI", "GG", "IS", "IE", "IM", "JE", "LV", "LT", "NO", "SJ", "SE", "GB"]
+            },
+            {
+                name: "regionSouthernEurope",
+                id: "039",
+                countries: ["AL", "AD", "BA", "HR", "GI", "GR", "VA", "IT", "MT", "ME", "MK", "PT", "SM", "RS", "SI", "ES"]
+            },
+            {
+                name: "regionWesternEurope",
+                id: "155",
+                countries: ["AT", "BE", "FR", "DE", "LI", "LU", "MC", "NL", "CH"]
+            }
+        ]
+    },
+    {
+        name: "regionOceania",
+        id: "009",
+        includes: [
+            {
+                name: "regionAustraliaAndNewZealand",
+                id: "053",
+                countries: ["AU", "CX", "CC", "HM", "NZ", "NF"]
+            },
+            {
+                name: "regionMelanesia",
+                id: "054",
+                countries: ["FJ", "NC", "PG", "SB", "VU"]
+            },
+            {
+                name: "regionMicronesia",
+                id: "057",
+                countries: ["GU", "KI", "MH", "FM", "NR", "MP", "PW", "UM"]
+            },
+            {
+                name: "regionPolynesia",
+                id: "061",
+                countries: ["AS", "CK", "PF", "NU", "PN", "WS", "TK", "TO", "TV", "WF"]
+            }
+        ]
+    }
+];
+
+type Subregion = {
+    name: string;
+    id: string;
+    countries: string[];
+};
+
+type Region = {
+    name: string;
+    id: string;
+    includes: Subregion[];
+};
+
+export function getRegionNameById(regionId: string): string | undefined {
+    // Check top-level regions
+    const region = REGIONS.find((r) => r.id === regionId);
+    if (region) {
+        return region.name;
+    }
+
+    // Check subregions
+    for (const region of REGIONS) {
+        for (const subregion of region.includes) {
+            if (subregion.id === regionId) {
+                return subregion.name;
+            }
+        }
+    }
+
+    return undefined;
+}
+
+export function isValidRegionId(regionId: string): boolean {
+    // Check top-level regions
+    if (REGIONS.find((r) => r.id === regionId)) {
+        return true;
+    }
+
+    // Check subregions
+    for (const region of REGIONS) {
+        if (region.includes.find((s) => s.id === regionId)) {
+            return true;
+        }
+    }
+
+    return false;
+}
\ No newline at end of file
diff --git a/server/routers/badger/verifySession.test.ts b/server/routers/badger/verifySession.test.ts
index 7c967acef..8333a4578 100644
--- a/server/routers/badger/verifySession.test.ts
+++ b/server/routers/badger/verifySession.test.ts
@@ -1,4 +1,37 @@
 import { assertEquals } from "@test/assert";
+import { REGIONS } from "@server/db/regions";
+
+function isIpInRegion(
+    ipCountryCode: string | undefined,
+    checkRegionCode: string
+): boolean {
+    if (!ipCountryCode) {
+        return false;
+    }
+
+    const upperCode = ipCountryCode.toUpperCase();
+
+    for (const region of REGIONS) {
+        // Check if it's a top-level region (continent)
+        if (region.id === checkRegionCode) {
+            for (const subregion of region.includes) {
+                if (subregion.countries.includes(upperCode)) {
+                    return true;
+                }
+            }
+            return false;
+        }
+
+        // Check subregions
+        for (const subregion of region.includes) {
+            if (subregion.id === checkRegionCode) {
+                return subregion.countries.includes(upperCode);
+            }
+        }
+    }
+
+    return false;
+}
 
 function isPathAllowed(pattern: string, path: string): boolean {
     // Normalize and split paths into segments
@@ -272,12 +305,71 @@ function runTests() {
         "Root path should not match non-root path"
     );
 
-    console.log("All tests passed!");
+    console.log("All path matching tests passed!");
+}
+
+function runRegionTests() {
+    console.log("\nRunning isIpInRegion tests...");
+
+    // Test undefined country code
+    assertEquals(
+        isIpInRegion(undefined, "150"),
+        false,
+        "Undefined country code should return false"
+    );
+
+    // Test subregion matching (Western Europe)
+    assertEquals(
+        isIpInRegion("DE", "155"),
+        true,
+        "Country should match its subregion"
+    );
+    assertEquals(
+        isIpInRegion("GB", "155"),
+        false,
+        "Country should NOT match wrong subregion"
+    );
+
+    // Test continent matching (Europe)
+    assertEquals(
+        isIpInRegion("DE", "150"),
+        true,
+        "Country should match its continent"
+    );
+    assertEquals(
+        isIpInRegion("GB", "150"),
+        true,
+        "Different European country should match Europe"
+    );
+    assertEquals(
+        isIpInRegion("US", "150"),
+        false,
+        "Non-European country should NOT match Europe"
+    );
+
+    // Test case insensitivity
+    assertEquals(
+        isIpInRegion("de", "155"),
+        true,
+        "Lowercase country code should work"
+    );
+
+    // Test invalid region code
+    assertEquals(
+        isIpInRegion("DE", "999"),
+        false,
+        "Invalid region code should return false"
+    );
+
+    console.log("All region tests passed!");
 }
 
 // Run all tests
 try {
     runTests();
+    runRegionTests();
+    console.log("\n✅ All tests passed!");
 } catch (error) {
-    console.error("Test failed:", error);
+    console.error("❌ Test failed:", error);
+    process.exit(1);
 }
diff --git a/server/routers/badger/verifySession.ts b/server/routers/badger/verifySession.ts
index 0e3a3489c..0bc9bde88 100644
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -39,6 +39,7 @@ import {
 } from "#dynamic/lib/checkOrgAccessPolicy";
 import { logRequestAudit } from "./logRequestAudit";
 import cache from "@server/lib/cache";
+import { REGIONS } from "@server/db/regions";
 
 const verifyResourceSessionSchema = z.object({
     sessions: z.record(z.string(), z.string()).optional(),
@@ -967,6 +968,12 @@ async function checkRules(
             (await isIpInAsn(ipAsn, rule.value))
         ) {
             return rule.action as any;
+        } else if (
+            clientIp &&
+            rule.match == "REGION" &&
+            (await isIpInRegion(ipCC, rule.value))
+        ) {
+            return rule.action as any;
         }
     }
 
@@ -1133,6 +1140,45 @@ async function isIpInAsn(
     return match;
 }
 
+export async function isIpInRegion(
+    ipCountryCode: string | undefined,
+    checkRegionCode: string
+): Promise<boolean> {
+    if (!ipCountryCode) {
+        return false;
+    }
+
+    const upperCode = ipCountryCode.toUpperCase();
+
+    for (const region of REGIONS) {
+        // Check if it's a top-level region (continent)
+        if (region.id === checkRegionCode) {
+            for (const subregion of region.includes) {
+                if (subregion.countries.includes(upperCode)) {
+                    logger.debug(`Country ${upperCode} is in region ${region.id} (${region.name})`);
+                    return true;
+                }
+            }
+            logger.debug(`Country ${upperCode} is not in region ${region.id} (${region.name})`);
+            return false;
+        }
+
+        // Check subregions
+        for (const subregion of region.includes) {
+            if (subregion.id === checkRegionCode) {
+                if (subregion.countries.includes(upperCode)) {
+                    logger.debug(`Country ${upperCode} is in region ${subregion.id} (${subregion.name})`);
+                    return true;
+                }
+                logger.debug(`Country ${upperCode} is not in region ${subregion.id} (${subregion.name})`);
+                return false;
+            }
+        }
+    }
+
+    return false;
+}
+
 async function getAsnFromIp(ip: string): Promise<number | undefined> {
     const asnCacheKey = `asn:${ip}`;
 
diff --git a/server/routers/resource/createResourceRule.ts b/server/routers/resource/createResourceRule.ts
index a516d14af..0796191b1 100644
--- a/server/routers/resource/createResourceRule.ts
+++ b/server/routers/resource/createResourceRule.ts
@@ -14,10 +14,11 @@ import {
     isValidUrlGlobPattern
 } from "@server/lib/validators";
 import { OpenAPITags, registry } from "@server/openApi";
+import { isValidRegionId } from "@server/db/regions";
 
 const createResourceRuleSchema = z.strictObject({
     action: z.enum(["ACCEPT", "DROP", "PASS"]),
-    match: z.enum(["CIDR", "IP", "PATH", "COUNTRY", "ASN"]),
+    match: z.enum(["CIDR", "IP", "PATH", "COUNTRY", "ASN", "REGION"]),
     value: z.string().min(1),
     priority: z.int(),
     enabled: z.boolean().optional()
@@ -126,6 +127,15 @@ export async function createResourceRule(
                     )
                 );
             }
+        } else if (match === "REGION") {
+            if (!isValidRegionId(value)) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Invalid region ID provided"
+                    )
+                );
+            }
         }
 
         // Create the new resource rule
diff --git a/server/routers/resource/updateResourceRule.ts b/server/routers/resource/updateResourceRule.ts
index b443bd1c2..fe717bb5e 100644
--- a/server/routers/resource/updateResourceRule.ts
+++ b/server/routers/resource/updateResourceRule.ts
@@ -14,6 +14,7 @@ import {
     isValidUrlGlobPattern
 } from "@server/lib/validators";
 import { OpenAPITags, registry } from "@server/openApi";
+import { isValidRegionId } from "@server/db/regions";
 
 // Define Zod schema for request parameters validation
 const updateResourceRuleParamsSchema = z.strictObject({
@@ -25,7 +26,7 @@ const updateResourceRuleParamsSchema = z.strictObject({
 const updateResourceRuleSchema = z
     .strictObject({
         action: z.enum(["ACCEPT", "DROP", "PASS"]).optional(),
-        match: z.enum(["CIDR", "IP", "PATH", "COUNTRY", "ASN"]).optional(),
+        match: z.enum(["CIDR", "IP", "PATH", "COUNTRY", "ASN", "REGION"]).optional(),
         value: z.string().min(1).optional(),
         priority: z.int(),
         enabled: z.boolean().optional()
@@ -166,6 +167,15 @@ export async function updateResourceRule(
                         )
                     );
                 }
+            } else if (match === "REGION") {
+                if (!isValidRegionId(value)) {
+                    return next(
+                        createHttpError(
+                            HttpCode.BAD_REQUEST,
+                            "Invalid region ID provided"
+                        )
+                    );
+                }
             }
         }
 
diff --git a/src/app/[orgId]/settings/resources/proxy/[niceId]/rules/page.tsx b/src/app/[orgId]/settings/resources/proxy/[niceId]/rules/page.tsx
index d10a38d65..c00f9e0df 100644
--- a/src/app/[orgId]/settings/resources/proxy/[niceId]/rules/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/[niceId]/rules/page.tsx
@@ -6,7 +6,9 @@ import { Input } from "@/components/ui/input";
 import {
     Select,
     SelectContent,
+    SelectGroup,
     SelectItem,
+    SelectLabel,
     SelectTrigger,
     SelectValue
 } from "@/components/ui/select";
@@ -75,6 +77,7 @@ import { useRouter } from "next/navigation";
 import { useTranslations } from "next-intl";
 import { COUNTRIES } from "@server/db/countries";
 import { MAJOR_ASNS } from "@server/db/asns";
+import { REGIONS, getRegionNameById, isValidRegionId } from "@server/db/regions";
 import {
     Command,
     CommandEmpty,
@@ -119,6 +122,8 @@ export default function ResourceRules(props: {
         useState(false);
     const [openAddRuleAsnSelect, setOpenAddRuleAsnSelect] =
         useState(false);
+    const [openAddRuleRegionSelect, setOpenAddRuleRegionSelect] =
+        useState(false);
     const router = useRouter();
     const t = useTranslations();
     const { env } = useEnvContext();
@@ -138,7 +143,8 @@ export default function ResourceRules(props: {
         IP: "IP",
         CIDR: t("ipAddressRange"),
         COUNTRY: t("country"),
-        ASN: "ASN"
+        ASN: "ASN",
+        REGION: t("region")
     } as const;
 
     const addRuleForm = useForm({
@@ -258,6 +264,20 @@ export default function ResourceRules(props: {
             setLoading(false);
             return;
         }
+        if (
+            data.match === "REGION" &&
+            !isValidRegionId(data.value)
+        ) {
+            toast({
+                variant: "destructive",
+                title: t("rulesErrorInvalidRegion"),
+                description:
+                    t("rulesErrorInvalidRegionDescription") ||
+                    "Invalid region."
+            });
+            setLoading(false);
+            return;
+        }
 
         // find the highest priority and add one
         let priority = data.priority;
@@ -311,6 +331,8 @@ export default function ResourceRules(props: {
                 return t("rulesMatchCountry");
             case "ASN":
                 return "Enter an Autonomous System Number (e.g., AS15169 or 15169)";
+            case "REGION":
+                return t("rulesMatchRegion");
         }
     }
 
@@ -536,12 +558,12 @@ export default function ResourceRules(props: {
                 <Select
                     defaultValue={row.original.match}
                     onValueChange={(
-                        value: "CIDR" | "IP" | "PATH" | "COUNTRY" | "ASN"
+                        value: "CIDR" | "IP" | "PATH" | "COUNTRY" | "ASN" | "REGION"
                     ) =>
                         updateRule(row.original.ruleId, {
                             match: value,
                             value:
-                                value === "COUNTRY" ? "US" : value === "ASN" ? "AS15169" : row.original.value
+                                value === "COUNTRY" ? "US" : value === "ASN" ? "AS15169" : value === "REGION" ? "021" : row.original.value
                         })
                     }
                 >
@@ -557,6 +579,11 @@ export default function ResourceRules(props: {
                                 {RuleMatch.COUNTRY}
                             </SelectItem>
                         )}
+                        {isMaxmindAvailable && (
+                            <SelectItem value="REGION">
+                                {RuleMatch.REGION}
+                            </SelectItem>
+                        )}
                         {isMaxmindAsnAvailable && (
                             <SelectItem value="ASN">
                                 {RuleMatch.ASN}
@@ -638,14 +665,14 @@ export default function ResourceRules(props: {
                             >
                                 {row.original.value
                                     ? (() => {
-                                          const found = MAJOR_ASNS.find(
+                                    const found = MAJOR_ASNS.find(
                                               (asn) =>
                                                   asn.code ===
                                                   row.original.value
-                                          );
-                                          return found
-                                              ? `${found.name} (${row.original.value})`
-                                              : `Custom (${row.original.value})`;
+                                    );
+                                    return found
+                                        ? `${found.name} (${row.original.value})`
+                                        : `Custom (${row.original.value})`;
                                       })()
                                     : "Select ASN"}
                                 <ChevronsUpDown className="ml-2 h-4 w-4 shrink-0 opacity-50" />
@@ -715,6 +742,88 @@ export default function ResourceRules(props: {
                             </div>
                         </PopoverContent>
                     </Popover>
+                ) : row.original.match === "REGION" ? (
+                    <Popover>
+                        <PopoverTrigger asChild>
+                            <Button
+                                variant="outline"
+                                role="combobox"
+                                className="min-w-[200px] justify-between"
+                            >
+                                {(() => {
+                                    const regionName = getRegionNameById(row.original.value);
+                                    if (!regionName) {
+                                        return t("selectRegion");
+                                    }
+                                    return `${t(regionName)} (${row.original.value})`;
+                                })()}
+                                <ChevronsUpDown className="ml-2 h-4 w-4 shrink-0 opacity-50" />
+                            </Button>
+                        </PopoverTrigger>
+                        <PopoverContent className="min-w-[200px] p-0">
+                            <Command>
+                                <CommandInput
+                                    placeholder={t("searchRegions")}
+                                />
+                                <CommandList>
+                                    <CommandEmpty>
+                                        {t("noRegionFound")}
+                                    </CommandEmpty>
+                                    {REGIONS.map((continent) => (
+                                        <CommandGroup key={continent.id} heading={t(continent.name)}>
+                                            <CommandItem
+                                                value={continent.id}
+                                                keywords={[
+                                                    t(continent.name),
+                                                    continent.id
+                                                ]}
+                                                onSelect={() => {
+                                                    updateRule(
+                                                        row.original.ruleId,
+                                                        { value: continent.id }
+                                                    );
+                                                }}
+                                            >
+                                                <Check
+                                                    className={`mr-2 h-4 w-4 ${
+                                                        row.original.value === continent.id
+                                                            ? "opacity-100"
+                                                            : "opacity-0"
+                                                    }`}
+                                                />
+                                                {t(continent.name)} ({continent.id})
+                                            </CommandItem>
+                                            {continent.includes.map((subregion) => (
+                                                <CommandItem
+                                                    key={subregion.id}
+                                                    value={subregion.id}
+                                                    keywords={[
+                                                        t(subregion.name),
+                                                        subregion.id
+                                                    ]}
+                                                    onSelect={() => {
+                                                        updateRule(
+                                                            row.original.ruleId,
+                                                            { value: subregion.id }
+                                                        );
+                                                    }}
+                                                >
+                                                    <Check
+                                                        className={`mr-2 h-4 w-4 ${
+                                                            row.original.value === subregion.id
+                                                                ? "opacity-100"
+                                                                : "opacity-0"
+                                                        }`}
+                                                    />
+                                                    {t(subregion.name)} ({subregion.id})
+                                                </CommandItem>
+                                            ))}
+                                        </CommandGroup>
+                                    ))}
+                                </CommandList>
+                            </Command>
+                        </PopoverContent>
+                    </Popover>
                 ) : (
                     <Input
                         defaultValue={row.original.value}
@@ -925,6 +1034,13 @@ export default function ResourceRules(props: {
                                                                     }
                                                                 </SelectItem>
                                                             )}
+                                                            {isMaxmindAvailable && (
+                                                                <SelectItem value="REGION">
+                                                                    {
+                                                                        RuleMatch.REGION
+                                                                    }
+                                                                </SelectItem>
+                                                            )}
                                                             {isMaxmindAsnAvailable && (
                                                                 <SelectItem value="ASN">
                                                                     {
@@ -1163,6 +1279,112 @@ export default function ResourceRules(props: {
                                                                 </div>
                                                             </PopoverContent>
                                                         </Popover>
+                                                    ) : addRuleForm.watch(
+                                                        "match"
+                                                    ) === "REGION" ? (
+                                                        <Popover
+                                                            open={
+                                                                openAddRuleRegionSelect
+                                                            }
+                                                            onOpenChange={
+                                                                setOpenAddRuleRegionSelect
+                                                            }
+                                                        >
+                                                            <PopoverTrigger
+                                                                asChild
+                                                            >
+                                                                <Button
+                                                                    variant="outline"
+                                                                    role="combobox"
+                                                                    aria-expanded={
+                                                                        openAddRuleRegionSelect
+                                                                    }
+                                                                    className="w-full justify-between"
+                                                                >
+                                                                    {field.value
+                                                                        ? (() => {
+                                                                              const regionName = getRegionNameById(field.value);
+                                                                              const translatedName = regionName ? t(regionName) : field.value;
+                                                                              return `${translatedName} (${field.value})`;
+                                                                          })()
+                                                                        : t(
+                                                                              "selectRegion"
+                                                                          )}
+                                                                    <ChevronsUpDown className="ml-2 h-4 w-4 shrink-0 opacity-50" />
+                                                                </Button>
+                                                            </PopoverTrigger>
+                                                            <PopoverContent className="w-full p-0">
+                                                                <Command>
+                                                                    <CommandInput
+                                                                        placeholder={t(
+                                                                            "searchRegions"
+                                                                        )}
+                                                                    />
+                                                                    <CommandList>
+                                                                        <CommandEmpty>
+                                                                            {t(
+                                                                                "noRegionFound"
+                                                                            )}
+                                                                        </CommandEmpty>
+                                                                        {REGIONS.map((continent) => (
+                                                                            <CommandGroup key={continent.id} heading={t(continent.name)}>
+                                                                                <CommandItem
+                                                                                    value={continent.id}
+                                                                                    keywords={[
+                                                                                        t(continent.name),
+                                                                                        continent.id
+                                                                                    ]}
+                                                                                    onSelect={() => {
+                                                                                        field.onChange(
+                                                                                            continent.id
+                                                                                        );
+                                                                                        setOpenAddRuleRegionSelect(
+                                                                                            false
+                                                                                        );
+                                                                                    }}
+                                                                                >
+                                                                                    <Check
+                                                                                        className={`mr-2 h-4 w-4 ${
+                                                                                            field.value === continent.id
+                                                                                                ? "opacity-100"
+                                                                                                : "opacity-0"
+                                                                                        }`}
+                                                                                    />
+                                                                                    {t(continent.name)} ({continent.id})
+                                                                                </CommandItem>
+                                                                                {continent.includes.map((subregion) => (
+                                                                                    <CommandItem
+                                                                                        key={subregion.id}
+                                                                                        value={subregion.id}
+                                                                                        keywords={[
+                                                                                            t(subregion.name),
+                                                                                            subregion.id
+                                                                                        ]}
+                                                                                        onSelect={() => {
+                                                                                            field.onChange(
+                                                                                                subregion.id
+                                                                                            );
+                                                                                            setOpenAddRuleRegionSelect(
+                                                                                                false
+                                                                                            );
+                                                                                        }}
+                                                                                    >
+                                                                                        <Check
+                                                                                            className={`mr-2 h-4 w-4 ${
+                                                                                                field.value === subregion.id
+                                                                                                    ? "opacity-100"
+                                                                                                    : "opacity-0"
+                                                                                            }`}
+                                                                                        />
+                                                                                        {t(subregion.name)} ({subregion.id})
+                                                                                    </CommandItem>
+                                                                                ))}
+                                                                            </CommandGroup>
+                                                                        ))}
+                                                                    </CommandList>
+                                                                </Command>
+                                                            </PopoverContent>
+                                                        </Popover>
                                                     ) : (
                                                         <Input {...field} />
                                                     )}

From 3d4df906cfa9edf05ea8f9a645365f8577e3a421 Mon Sep 17 00:00:00 2001
From: Dennis <github@infinite-ways.de>
Date: Mon, 22 Dec 2025 18:43:43 +0100
Subject: [PATCH 002/314] Added missing translations

---
 messages/de-DE.json | 6 ++++++
 messages/ru-RU.json | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/messages/de-DE.json b/messages/de-DE.json
index 94950748f..ea3647cf7 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -1735,6 +1735,12 @@
     "country": "Land",
     "rulesMatchCountry": "Derzeit basierend auf der Quell-IP",
     "region": "Region",
+    "selectRegion": "Region wählen...",
+    "searchRegions": "Regionen suchen...",
+    "noRegionFound": "Keine Region gefunden.",
+    "rulesMatchRegion": "Wählen Sie eine Regionalgruppe von Ländern",
+    "rulesErrorInvalidRegion": "Ungültige Region",
+    "rulesErrorInvalidRegionDescription": "Bitte wählen Sie eine gültige Region aus.",
     "regionAfrica": "Afrika",
     "regionNorthernAfrica": "Nordafrika",
     "regionEasternAfrica": "Ostafrika",
diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index 5eb1ee076..95814125d 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -1735,6 +1735,12 @@
     "country": "Страна",
     "rulesMatchCountry": "В настоящее время основано на исходном IP",
     "region": "Регион",
+    "selectRegion": "Выберите регион",
+    "searchRegions": "Поиск регионов...",
+    "noRegionFound": "Регион не найден.",
+    "rulesMatchRegion": "Выберите региональную группу стран",
+    "rulesErrorInvalidRegion": "Некорректный регион",
+    "rulesErrorInvalidRegionDescription": "Пожалуйста, выберите корректный регион.",
     "regionAfrica": "Африка",
     "regionNorthernAfrica": "Северная Африка",
     "regionEasternAfrica": "Восточная Африка",

From 20e547a0f602cdc7f212b5f519436d1e6c140a73 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Tue, 24 Feb 2026 17:58:11 -0800
Subject: [PATCH 003/314] first pass

---
 server/auth/actions.ts                        |  35 ++--
 server/auth/canUserAccessResource.ts          |  29 +--
 server/auth/canUserAccessSiteResource.ts      |  29 +--
 server/db/pg/schema/schema.ts                 |  21 +-
 server/db/queries/verifySessionQueries.ts     |  48 ++++-
 server/db/sqlite/schema/schema.ts             |  28 ++-
 server/index.ts                               |   2 +-
 server/lib/calculateUserClientsForOrgs.ts     |  33 ++-
 server/lib/rebuildClientAssociations.ts       |  15 +-
 server/lib/userOrg.ts                         |  16 +-
 server/lib/userOrgRoles.ts                    |  22 ++
 server/middlewares/getUserOrgs.ts             |   3 +-
 server/middlewares/verifyAccessTokenAccess.ts |   8 +-
 server/middlewares/verifyAdmin.ts             |  25 ++-
 server/middlewares/verifyApiKeyAccess.ts      |   9 +-
 server/middlewares/verifyClientAccess.ts      |  38 ++--
 server/middlewares/verifyDomainAccess.ts      |   8 +-
 server/middlewares/verifyOrgAccess.ts         |   7 +-
 server/middlewares/verifyResourceAccess.ts    |  35 ++--
 server/middlewares/verifyRoleAccess.ts        |   4 +-
 server/middlewares/verifySiteAccess.ts        |  37 ++--
 .../middlewares/verifySiteResourceAccess.ts   |  38 ++--
 server/middlewares/verifyTargetAccess.ts      |   8 +-
 server/middlewares/verifyUserInRole.ts        |   6 +-
 server/private/middlewares/verifyIdpAccess.ts |   9 +-
 .../middlewares/verifyRemoteExitNodeAccess.ts |  13 +-
 .../routers/org/sendUsageNotifications.ts     |  18 +-
 .../remoteExitNode/createRemoteExitNode.ts    |   2 +-
 server/private/routers/ssh/signSshKey.ts      |  62 ++++--
 .../routers/accessToken/listAccessTokens.ts   |   2 +-
 server/routers/badger/verifySession.ts        |  33 ++-
 server/routers/client/createClient.ts         |   4 +-
 server/routers/client/listClients.ts          |   2 +-
 server/routers/client/listUserDevices.ts      |   2 +-
 server/routers/external.ts                    |  10 +
 server/routers/idp/validateOidcCallback.ts    |  51 +++--
 server/routers/integration.ts                 |  10 +
 server/routers/newt/createNewt.ts             |   2 +-
 server/routers/olm/createOlm.ts               |   2 +-
 server/routers/org/checkOrgUserAccess.ts      |  38 +++-
 server/routers/org/createOrg.ts               |  13 +-
 server/routers/org/getOrgOverview.ts          |  18 +-
 server/routers/org/listUserOrgs.ts            |  30 ++-
 server/routers/resource/createResource.ts     |   6 +-
 server/routers/resource/getUserResources.ts   |  46 ++--
 server/routers/resource/listResources.ts      |   2 +-
 server/routers/role/deleteRole.ts             |   8 +-
 server/routers/site/createSite.ts             |   4 +-
 server/routers/site/listSites.ts              |   2 +-
 server/routers/user/acceptInvite.ts           |   4 +-
 server/routers/user/addUserRole.ts            |  35 ++--
 server/routers/user/createOrgUser.ts          |  32 +--
 server/routers/user/getOrgUser.ts             |  38 +++-
 server/routers/user/index.ts                  |   1 +
 server/routers/user/listUsers.ts              |  37 +++-
 server/routers/user/myDevice.ts               |  23 +-
 server/routers/user/removeUserRole.ts         | 157 ++++++++++++++
 server/types/Auth.ts                          |   2 +-
 .../users/[userId]/access-controls/page.tsx   | 196 ++++++++++++------
 .../[orgId]/settings/access/users/page.tsx    |   4 +-
 60 files changed, 1023 insertions(+), 399 deletions(-)
 create mode 100644 server/lib/userOrgRoles.ts
 create mode 100644 server/routers/user/removeUserRole.ts

diff --git a/server/auth/actions.ts b/server/auth/actions.ts
index 3f5a145b6..feb91560a 100644
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -1,7 +1,7 @@
 import { Request } from "express";
 import { db } from "@server/db";
-import { userActions, roleActions, userOrgs } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { userActions, roleActions } from "@server/db";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 
@@ -52,6 +52,7 @@ export enum ActionsEnum {
     listRoleResources = "listRoleResources",
     // listRoleActions = "listRoleActions",
     addUserRole = "addUserRole",
+    removeUserRole = "removeUserRole",
     // addUserSite = "addUserSite",
     // addUserAction = "addUserAction",
     // removeUserAction = "removeUserAction",
@@ -153,29 +154,19 @@ export async function checkUserActionPermission(
     }
 
     try {
-        let userOrgRoleId = req.userOrgRoleId;
+        let userOrgRoleIds = req.userOrgRoleIds;
 
-        // If userOrgRoleId is not available on the request, fetch it
-        if (userOrgRoleId === undefined) {
-            const userOrgRole = await db
-                .select()
-                .from(userOrgs)
-                .where(
-                    and(
-                        eq(userOrgs.userId, userId),
-                        eq(userOrgs.orgId, req.userOrgId!)
-                    )
-                )
-                .limit(1);
-
-            if (userOrgRole.length === 0) {
+        if (userOrgRoleIds === undefined) {
+            const { getUserOrgRoleIds } = await import(
+                "@server/lib/userOrgRoles"
+            );
+            userOrgRoleIds = await getUserOrgRoleIds(userId, req.userOrgId!);
+            if (userOrgRoleIds.length === 0) {
                 throw createHttpError(
                     HttpCode.FORBIDDEN,
                     "User does not have access to this organization"
                 );
             }
-
-            userOrgRoleId = userOrgRole[0].roleId;
         }
 
         // Check if the user has direct permission for the action in the current org
@@ -186,7 +177,7 @@ export async function checkUserActionPermission(
                 and(
                     eq(userActions.userId, userId),
                     eq(userActions.actionId, actionId),
-                    eq(userActions.orgId, req.userOrgId!) // TODO: we cant pass the org id if we are not checking the org
+                    eq(userActions.orgId, req.userOrgId!)
                 )
             )
             .limit(1);
@@ -195,14 +186,14 @@ export async function checkUserActionPermission(
             return true;
         }
 
-        // If no direct permission, check role-based permission
+        // If no direct permission, check role-based permission (any of user's roles)
         const roleActionPermission = await db
             .select()
             .from(roleActions)
             .where(
                 and(
                     eq(roleActions.actionId, actionId),
-                    eq(roleActions.roleId, userOrgRoleId!),
+                    inArray(roleActions.roleId, userOrgRoleIds),
                     eq(roleActions.orgId, req.userOrgId!)
                 )
             )
diff --git a/server/auth/canUserAccessResource.ts b/server/auth/canUserAccessResource.ts
index 161a0bee9..2c8911490 100644
--- a/server/auth/canUserAccessResource.ts
+++ b/server/auth/canUserAccessResource.ts
@@ -1,26 +1,29 @@
 import { db } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import { roleResources, userResources } from "@server/db";
 
 export async function canUserAccessResource({
     userId,
     resourceId,
-    roleId
+    roleIds
 }: {
     userId: string;
     resourceId: number;
-    roleId: number;
+    roleIds: number[];
 }): Promise<boolean> {
-    const roleResourceAccess = await db
-        .select()
-        .from(roleResources)
-        .where(
-            and(
-                eq(roleResources.resourceId, resourceId),
-                eq(roleResources.roleId, roleId)
-            )
-        )
-        .limit(1);
+    const roleResourceAccess =
+        roleIds.length > 0
+            ? await db
+                  .select()
+                  .from(roleResources)
+                  .where(
+                      and(
+                          eq(roleResources.resourceId, resourceId),
+                          inArray(roleResources.roleId, roleIds)
+                      )
+                  )
+                  .limit(1)
+            : [];
 
     if (roleResourceAccess.length > 0) {
         return true;
diff --git a/server/auth/canUserAccessSiteResource.ts b/server/auth/canUserAccessSiteResource.ts
index 959b0eff6..7e6ec9bb8 100644
--- a/server/auth/canUserAccessSiteResource.ts
+++ b/server/auth/canUserAccessSiteResource.ts
@@ -1,26 +1,29 @@
 import { db } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import { roleSiteResources, userSiteResources } from "@server/db";
 
 export async function canUserAccessSiteResource({
     userId,
     resourceId,
-    roleId
+    roleIds
 }: {
     userId: string;
     resourceId: number;
-    roleId: number;
+    roleIds: number[];
 }): Promise<boolean> {
-    const roleResourceAccess = await db
-        .select()
-        .from(roleSiteResources)
-        .where(
-            and(
-                eq(roleSiteResources.siteResourceId, resourceId),
-                eq(roleSiteResources.roleId, roleId)
-            )
-        )
-        .limit(1);
+    const roleResourceAccess =
+        roleIds.length > 0
+            ? await db
+                  .select()
+                  .from(roleSiteResources)
+                  .where(
+                      and(
+                          eq(roleSiteResources.siteResourceId, resourceId),
+                          inArray(roleSiteResources.roleId, roleIds)
+                      )
+                  )
+                  .limit(1)
+            : [];
 
     if (roleResourceAccess.length > 0) {
         return true;
diff --git a/server/db/pg/schema/schema.ts b/server/db/pg/schema/schema.ts
index ae90020a0..1d38bfb3e 100644
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -9,6 +9,7 @@ import {
     real,
     serial,
     text,
+    unique,
     varchar
 } from "drizzle-orm/pg-core";
 
@@ -332,9 +333,6 @@ export const userOrgs = pgTable("userOrgs", {
             onDelete: "cascade"
         })
         .notNull(),
-    roleId: integer("roleId")
-        .notNull()
-        .references(() => roles.roleId),
     isOwner: boolean("isOwner").notNull().default(false),
     autoProvisioned: boolean("autoProvisioned").default(false),
     pamUsername: varchar("pamUsername") // cleaned username for ssh and such
@@ -383,6 +381,22 @@ export const roles = pgTable("roles", {
     sshUnixGroups: text("sshUnixGroups").default("[]")
 });
 
+export const userOrgRoles = pgTable(
+    "userOrgRoles",
+    {
+        userId: varchar("userId")
+            .notNull()
+            .references(() => users.userId, { onDelete: "cascade" }),
+        orgId: varchar("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        roleId: integer("roleId")
+            .notNull()
+            .references(() => roles.roleId, { onDelete: "cascade" })
+    },
+    (t) => [unique().on(t.userId, t.orgId, t.roleId)]
+);
+
 export const roleActions = pgTable("roleActions", {
     roleId: integer("roleId")
         .notNull()
@@ -1031,6 +1045,7 @@ export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
+export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
diff --git a/server/db/queries/verifySessionQueries.ts b/server/db/queries/verifySessionQueries.ts
index 280c8a119..469df590d 100644
--- a/server/db/queries/verifySessionQueries.ts
+++ b/server/db/queries/verifySessionQueries.ts
@@ -12,6 +12,7 @@ import {
     resources,
     roleResources,
     sessions,
+    userOrgRoles,
     userOrgs,
     userResources,
     users,
@@ -104,24 +105,57 @@ export async function getUserSessionWithUser(
 }
 
 /**
- * Get user organization role
+ * Get user organization role (single role; prefer getUserOrgRoleIds + roles for multi-role).
+ * @deprecated Use userOrgRoles table and getUserOrgRoleIds for multi-role support.
  */
 export async function getUserOrgRole(userId: string, orgId: string) {
-    const userOrgRole = await db
+    const userOrg = await db
         .select({
             userId: userOrgs.userId,
             orgId: userOrgs.orgId,
-            roleId: userOrgs.roleId,
             isOwner: userOrgs.isOwner,
-            autoProvisioned: userOrgs.autoProvisioned,
-            roleName: roles.name
+            autoProvisioned: userOrgs.autoProvisioned
         })
         .from(userOrgs)
         .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
-        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
         .limit(1);
 
-    return userOrgRole.length > 0 ? userOrgRole[0] : null;
+    if (userOrg.length === 0) return null;
+
+    const [firstRole] = await db
+        .select({
+            roleId: userOrgRoles.roleId,
+            roleName: roles.name
+        })
+        .from(userOrgRoles)
+        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+        .where(
+            and(
+                eq(userOrgRoles.userId, userId),
+                eq(userOrgRoles.orgId, orgId)
+            )
+        )
+        .limit(1);
+
+    return firstRole
+        ? {
+              ...userOrg[0],
+              roleId: firstRole.roleId,
+              roleName: firstRole.roleName
+          }
+        : { ...userOrg[0], roleId: null, roleName: null };
+}
+
+/**
+ * Get role name by role ID (for display).
+ */
+export async function getRoleName(roleId: number): Promise<string | null> {
+    const [row] = await db
+        .select({ name: roles.name })
+        .from(roles)
+        .where(eq(roles.roleId, roleId))
+        .limit(1);
+    return row?.name ?? null;
 }
 
 /**
diff --git a/server/db/sqlite/schema/schema.ts b/server/db/sqlite/schema/schema.ts
index 64866e679..2d475808b 100644
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -1,6 +1,12 @@
 import { randomUUID } from "crypto";
 import { InferSelectModel } from "drizzle-orm";
-import { index, integer, sqliteTable, text } from "drizzle-orm/sqlite-core";
+import {
+    index,
+    integer,
+    sqliteTable,
+    text,
+    unique
+} from "drizzle-orm/sqlite-core";
 
 export const domains = sqliteTable("domains", {
     domainId: text("domainId").primaryKey(),
@@ -635,9 +641,6 @@ export const userOrgs = sqliteTable("userOrgs", {
             onDelete: "cascade"
         })
         .notNull(),
-    roleId: integer("roleId")
-        .notNull()
-        .references(() => roles.roleId),
     isOwner: integer("isOwner", { mode: "boolean" }).notNull().default(false),
     autoProvisioned: integer("autoProvisioned", {
         mode: "boolean"
@@ -692,6 +695,22 @@ export const roles = sqliteTable("roles", {
     sshUnixGroups: text("sshUnixGroups").default("[]")
 });
 
+export const userOrgRoles = sqliteTable(
+    "userOrgRoles",
+    {
+        userId: text("userId")
+            .notNull()
+            .references(() => users.userId, { onDelete: "cascade" }),
+        orgId: text("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        roleId: integer("roleId")
+            .notNull()
+            .references(() => roles.roleId, { onDelete: "cascade" })
+    },
+    (t) => [unique().on(t.userId, t.orgId, t.roleId)]
+);
+
 export const roleActions = sqliteTable("roleActions", {
     roleId: integer("roleId")
         .notNull()
@@ -1126,6 +1145,7 @@ export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
+export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
diff --git a/server/index.ts b/server/index.ts
index a61daca7f..0fc44c279 100644
--- a/server/index.ts
+++ b/server/index.ts
@@ -74,7 +74,7 @@ declare global {
             session: Session;
             userOrg?: UserOrg;
             apiKeyOrg?: ApiKeyOrg;
-            userOrgRoleId?: number;
+            userOrgRoleIds?: number[];
             userOrgId?: string;
             userOrgIds?: string[];
             remoteExitNode?: RemoteExitNode;
diff --git a/server/lib/calculateUserClientsForOrgs.ts b/server/lib/calculateUserClientsForOrgs.ts
index 4be76dddc..02ac0c417 100644
--- a/server/lib/calculateUserClientsForOrgs.ts
+++ b/server/lib/calculateUserClientsForOrgs.ts
@@ -10,6 +10,7 @@ import {
     roles,
     Transaction,
     userClients,
+    userOrgRoles,
     userOrgs
 } from "@server/db";
 import { getUniqueClientName } from "@server/db/names";
@@ -39,20 +40,36 @@ export async function calculateUserClientsForOrgs(
             return;
         }
 
-        // Get all user orgs
-        const allUserOrgs = await transaction
+        // Get all user orgs with all roles (for org list and role-based logic)
+        const userOrgRoleRows = await transaction
             .select()
             .from(userOrgs)
-            .innerJoin(roles, eq(roles.roleId, userOrgs.roleId))
+            .innerJoin(
+                userOrgRoles,
+                and(
+                    eq(userOrgs.userId, userOrgRoles.userId),
+                    eq(userOrgs.orgId, userOrgRoles.orgId)
+                )
+            )
+            .innerJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
             .where(eq(userOrgs.userId, userId));
 
-        const userOrgIds = allUserOrgs.map(({ userOrgs: uo }) => uo.orgId);
+        const userOrgIds = [...new Set(userOrgRoleRows.map((r) => r.userOrgs.orgId))];
+        const orgIdToRoleRows = new Map<
+            string,
+            (typeof userOrgRoleRows)[0][]
+        >();
+        for (const r of userOrgRoleRows) {
+            const list = orgIdToRoleRows.get(r.userOrgs.orgId) ?? [];
+            list.push(r);
+            orgIdToRoleRows.set(r.userOrgs.orgId, list);
+        }
 
         // For each OLM, ensure there's a client in each org the user is in
         for (const olm of userOlms) {
-            for (const userRoleOrg of allUserOrgs) {
-                const { userOrgs: userOrg, roles: role } = userRoleOrg;
-                const orgId = userOrg.orgId;
+            for (const orgId of orgIdToRoleRows.keys()) {
+                const roleRowsForOrg = orgIdToRoleRows.get(orgId)!;
+                const userOrg = roleRowsForOrg[0].userOrgs;
 
                 const [org] = await transaction
                     .select()
@@ -196,7 +213,7 @@ export async function calculateUserClientsForOrgs(
                 const requireApproval =
                     build !== "oss" &&
                     isOrgLicensed &&
-                    role.requireDeviceApproval;
+                    roleRowsForOrg.some((r) => r.roles.requireDeviceApproval);
 
                 const newClientData: InferInsertModel<typeof clients> = {
                     userId,
diff --git a/server/lib/rebuildClientAssociations.ts b/server/lib/rebuildClientAssociations.ts
index 625e57935..7ec767492 100644
--- a/server/lib/rebuildClientAssociations.ts
+++ b/server/lib/rebuildClientAssociations.ts
@@ -14,6 +14,7 @@ import {
     siteResources,
     sites,
     Transaction,
+    userOrgRoles,
     userOrgs,
     userSiteResources
 } from "@server/db";
@@ -77,10 +78,10 @@ export async function getClientSiteResourceAccess(
     // get all of the users in these roles
     const userIdsFromRoles = await trx
         .select({
-            userId: userOrgs.userId
+            userId: userOrgRoles.userId
         })
-        .from(userOrgs)
-        .where(inArray(userOrgs.roleId, roleIds))
+        .from(userOrgRoles)
+        .where(inArray(userOrgRoles.roleId, roleIds))
         .then((rows) => rows.map((row) => row.userId));
 
     const newAllUserIds = Array.from(
@@ -811,12 +812,12 @@ export async function rebuildClientAssociationsFromClient(
 
         // Role-based access
         const roleIds = await trx
-            .select({ roleId: userOrgs.roleId })
-            .from(userOrgs)
+            .select({ roleId: userOrgRoles.roleId })
+            .from(userOrgRoles)
             .where(
                 and(
-                    eq(userOrgs.userId, client.userId),
-                    eq(userOrgs.orgId, client.orgId)
+                    eq(userOrgRoles.userId, client.userId),
+                    eq(userOrgRoles.orgId, client.orgId)
                 )
             ) // this needs to be locked onto this org or else cross-org access could happen
             .then((rows) => rows.map((row) => row.roleId));
diff --git a/server/lib/userOrg.ts b/server/lib/userOrg.ts
index 6ed10039b..fb0b88c2b 100644
--- a/server/lib/userOrg.ts
+++ b/server/lib/userOrg.ts
@@ -6,7 +6,7 @@ import {
     siteResources,
     sites,
     Transaction,
-    UserOrg,
+    userOrgRoles,
     userOrgs,
     userResources,
     userSiteResources,
@@ -19,9 +19,15 @@ import { FeatureId } from "@server/lib/billing";
 export async function assignUserToOrg(
     org: Org,
     values: typeof userOrgs.$inferInsert,
+    roleId: number,
     trx: Transaction | typeof db = db
 ) {
     const [userOrg] = await trx.insert(userOrgs).values(values).returning();
+    await trx.insert(userOrgRoles).values({
+        userId: userOrg.userId,
+        orgId: userOrg.orgId,
+        roleId
+    });
 
     // calculate if the user is in any other of the orgs before we count it as an add to the billing org
     if (org.billingOrgId) {
@@ -58,6 +64,14 @@ export async function removeUserFromOrg(
     userId: string,
     trx: Transaction | typeof db = db
 ) {
+    await trx
+        .delete(userOrgRoles)
+        .where(
+            and(
+                eq(userOrgRoles.userId, userId),
+                eq(userOrgRoles.orgId, org.orgId)
+            )
+        );
     await trx
         .delete(userOrgs)
         .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, org.orgId)));
diff --git a/server/lib/userOrgRoles.ts b/server/lib/userOrgRoles.ts
new file mode 100644
index 000000000..5a4d75659
--- /dev/null
+++ b/server/lib/userOrgRoles.ts
@@ -0,0 +1,22 @@
+import { db, userOrgRoles } from "@server/db";
+import { and, eq } from "drizzle-orm";
+
+/**
+ * Get all role IDs a user has in an organization.
+ * Returns empty array if the user has no roles in the org (callers must treat as no access).
+ */
+export async function getUserOrgRoleIds(
+    userId: string,
+    orgId: string
+): Promise<number[]> {
+    const rows = await db
+        .select({ roleId: userOrgRoles.roleId })
+        .from(userOrgRoles)
+        .where(
+            and(
+                eq(userOrgRoles.userId, userId),
+                eq(userOrgRoles.orgId, orgId)
+            )
+        );
+    return rows.map((r) => r.roleId);
+}
diff --git a/server/middlewares/getUserOrgs.ts b/server/middlewares/getUserOrgs.ts
index d7905700e..fa9794fb9 100644
--- a/server/middlewares/getUserOrgs.ts
+++ b/server/middlewares/getUserOrgs.ts
@@ -21,8 +21,7 @@ export async function getUserOrgs(
     try {
         const userOrganizations = await db
             .select({
-                orgId: userOrgs.orgId,
-                roleId: userOrgs.roleId
+                orgId: userOrgs.orgId
             })
             .from(userOrgs)
             .where(eq(userOrgs.userId, userId));
diff --git a/server/middlewares/verifyAccessTokenAccess.ts b/server/middlewares/verifyAccessTokenAccess.ts
index 033b326d9..f1f2ca52e 100644
--- a/server/middlewares/verifyAccessTokenAccess.ts
+++ b/server/middlewares/verifyAccessTokenAccess.ts
@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "@server/auth/canUserAccessResource";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyAccessTokenAccess(
     req: Request,
@@ -93,7 +94,10 @@ export async function verifyAccessTokenAccess(
                 )
             );
         } else {
-            req.userOrgRoleId = req.userOrg.roleId;
+            req.userOrgRoleIds = await getUserOrgRoleIds(
+                req.userOrg.userId,
+                resource[0].orgId!
+            );
             req.userOrgId = resource[0].orgId!;
         }
 
@@ -118,7 +122,7 @@ export async function verifyAccessTokenAccess(
         const resourceAllowed = await canUserAccessResource({
             userId,
             resourceId,
-            roleId: req.userOrgRoleId!
+            roleIds: req.userOrgRoleIds ?? []
         });
 
         if (!resourceAllowed) {
diff --git a/server/middlewares/verifyAdmin.ts b/server/middlewares/verifyAdmin.ts
index 253bfc2dd..0dbeac2cb 100644
--- a/server/middlewares/verifyAdmin.ts
+++ b/server/middlewares/verifyAdmin.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { roles, userOrgs } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyAdmin(
     req: Request,
@@ -62,13 +63,29 @@ export async function verifyAdmin(
         }
     }
 
-    const userRole = await db
+    req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId!);
+
+    if (req.userOrgRoleIds.length === 0) {
+        return next(
+            createHttpError(
+                HttpCode.FORBIDDEN,
+                "User does not have Admin access"
+            )
+        );
+    }
+
+    const userAdminRoles = await db
         .select()
         .from(roles)
-        .where(eq(roles.roleId, req.userOrg.roleId))
+        .where(
+            and(
+                inArray(roles.roleId, req.userOrgRoleIds),
+                eq(roles.isAdmin, true)
+            )
+        )
         .limit(1);
 
-    if (userRole.length === 0 || !userRole[0].isAdmin) {
+    if (userAdminRoles.length === 0) {
         return next(
             createHttpError(
                 HttpCode.FORBIDDEN,
diff --git a/server/middlewares/verifyApiKeyAccess.ts b/server/middlewares/verifyApiKeyAccess.ts
index 6edc5ab8e..b497892c8 100644
--- a/server/middlewares/verifyApiKeyAccess.ts
+++ b/server/middlewares/verifyApiKeyAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { userOrgs, apiKeys, apiKeyOrg } from "@server/db";
-import { and, eq, or } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyApiKeyAccess(
     req: Request,
@@ -103,8 +104,10 @@ export async function verifyApiKeyAccess(
             }
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            orgId
+        );
 
         return next();
     } catch (error) {
diff --git a/server/middlewares/verifyClientAccess.ts b/server/middlewares/verifyClientAccess.ts
index d2df38a4b..1d994b53f 100644
--- a/server/middlewares/verifyClientAccess.ts
+++ b/server/middlewares/verifyClientAccess.ts
@@ -1,11 +1,12 @@
 import { Request, Response, NextFunction } from "express";
 import { Client, db } from "@server/db";
 import { userOrgs, clients, roleClients, userClients } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import logger from "@server/logger";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyClientAccess(
     req: Request,
@@ -113,21 +114,30 @@ export async function verifyClientAccess(
             }
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            client.orgId
+        );
         req.userOrgId = client.orgId;
 
-        // Check role-based site access first
-        const [roleClientAccess] = await db
-            .select()
-            .from(roleClients)
-            .where(
-                and(
-                    eq(roleClients.clientId, client.clientId),
-                    eq(roleClients.roleId, userOrgRoleId)
-                )
-            )
-            .limit(1);
+        // Check role-based client access (any of user's roles)
+        const roleClientAccessList =
+            (req.userOrgRoleIds?.length ?? 0) > 0
+                ? await db
+                      .select()
+                      .from(roleClients)
+                      .where(
+                          and(
+                              eq(roleClients.clientId, client.clientId),
+                              inArray(
+                                  roleClients.roleId,
+                                  req.userOrgRoleIds!
+                              )
+                          )
+                      )
+                      .limit(1)
+                : [];
+        const [roleClientAccess] = roleClientAccessList;
 
         if (roleClientAccess) {
             // User has access to the site through their role
diff --git a/server/middlewares/verifyDomainAccess.ts b/server/middlewares/verifyDomainAccess.ts
index 88ffe678d..c9ecf42e0 100644
--- a/server/middlewares/verifyDomainAccess.ts
+++ b/server/middlewares/verifyDomainAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db, domains, orgDomains } from "@server/db";
-import { userOrgs, apiKeyOrg } from "@server/db";
+import { userOrgs } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyDomainAccess(
     req: Request,
@@ -63,7 +64,7 @@ export async function verifyDomainAccess(
                 .where(
                     and(
                         eq(userOrgs.userId, userId),
-                        eq(userOrgs.orgId, apiKeyOrg.orgId)
+                        eq(userOrgs.orgId, orgId)
                     )
                 )
                 .limit(1);
@@ -97,8 +98,7 @@ export async function verifyDomainAccess(
             }
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId);
 
         return next();
     } catch (error) {
diff --git a/server/middlewares/verifyOrgAccess.ts b/server/middlewares/verifyOrgAccess.ts
index 729766abd..cb797afb0 100644
--- a/server/middlewares/verifyOrgAccess.ts
+++ b/server/middlewares/verifyOrgAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
-import { db, orgs } from "@server/db";
+import { db } from "@server/db";
 import { userOrgs } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyOrgAccess(
     req: Request,
@@ -64,8 +65,8 @@ export async function verifyOrgAccess(
             }
         }
 
-        // User has access, attach the user's role to the request for potential future use
-        req.userOrgRoleId = req.userOrg.roleId;
+        // User has access, attach the user's role(s) to the request for potential future use
+        req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId);
         req.userOrgId = orgId;
 
         return next();
diff --git a/server/middlewares/verifyResourceAccess.ts b/server/middlewares/verifyResourceAccess.ts
index 2ae591ee1..ba49f02e3 100644
--- a/server/middlewares/verifyResourceAccess.ts
+++ b/server/middlewares/verifyResourceAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db, Resource } from "@server/db";
 import { resources, userOrgs, userResources, roleResources } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyResourceAccess(
     req: Request,
@@ -107,20 +108,28 @@ export async function verifyResourceAccess(
             }
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            resource.orgId
+        );
         req.userOrgId = resource.orgId;
 
-        const roleResourceAccess = await db
-            .select()
-            .from(roleResources)
-            .where(
-                and(
-                    eq(roleResources.resourceId, resource.resourceId),
-                    eq(roleResources.roleId, userOrgRoleId)
-                )
-            )
-            .limit(1);
+        const roleResourceAccess =
+            (req.userOrgRoleIds?.length ?? 0) > 0
+                ? await db
+                      .select()
+                      .from(roleResources)
+                      .where(
+                          and(
+                              eq(roleResources.resourceId, resource.resourceId),
+                              inArray(
+                                  roleResources.roleId,
+                                  req.userOrgRoleIds!
+                              )
+                          )
+                      )
+                      .limit(1)
+                : [];
 
         if (roleResourceAccess.length > 0) {
             return next();
diff --git a/server/middlewares/verifyRoleAccess.ts b/server/middlewares/verifyRoleAccess.ts
index 8858ab53f..380b82048 100644
--- a/server/middlewares/verifyRoleAccess.ts
+++ b/server/middlewares/verifyRoleAccess.ts
@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import logger from "@server/logger";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyRoleAccess(
     req: Request,
@@ -99,7 +100,6 @@ export async function verifyRoleAccess(
         }
 
         if (!req.userOrg) {
-            // get the userORg
             const userOrg = await db
                 .select()
                 .from(userOrgs)
@@ -109,7 +109,7 @@ export async function verifyRoleAccess(
                 .limit(1);
 
             req.userOrg = userOrg[0];
-            req.userOrgRoleId = userOrg[0].roleId;
+            req.userOrgRoleIds = await getUserOrgRoleIds(userId, orgId!);
         }
 
         if (!req.userOrg) {
diff --git a/server/middlewares/verifySiteAccess.ts b/server/middlewares/verifySiteAccess.ts
index 98858cfb9..e630cf0f1 100644
--- a/server/middlewares/verifySiteAccess.ts
+++ b/server/middlewares/verifySiteAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { sites, Site, userOrgs, userSites, roleSites, roles } from "@server/db";
-import { and, eq, or } from "drizzle-orm";
+import { and, eq, inArray, or } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifySiteAccess(
     req: Request,
@@ -112,21 +113,29 @@ export async function verifySiteAccess(
             }
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            site.orgId
+        );
         req.userOrgId = site.orgId;
 
-        // Check role-based site access first
-        const roleSiteAccess = await db
-            .select()
-            .from(roleSites)
-            .where(
-                and(
-                    eq(roleSites.siteId, site.siteId),
-                    eq(roleSites.roleId, userOrgRoleId)
-                )
-            )
-            .limit(1);
+        // Check role-based site access first (any of user's roles)
+        const roleSiteAccess =
+            (req.userOrgRoleIds?.length ?? 0) > 0
+                ? await db
+                      .select()
+                      .from(roleSites)
+                      .where(
+                          and(
+                              eq(roleSites.siteId, site.siteId),
+                              inArray(
+                                  roleSites.roleId,
+                                  req.userOrgRoleIds!
+                              )
+                          )
+                      )
+                      .limit(1)
+                : [];
 
         if (roleSiteAccess.length > 0) {
             // User's role has access to the site
diff --git a/server/middlewares/verifySiteResourceAccess.ts b/server/middlewares/verifySiteResourceAccess.ts
index ca7d37fb3..8d5bd656f 100644
--- a/server/middlewares/verifySiteResourceAccess.ts
+++ b/server/middlewares/verifySiteResourceAccess.ts
@@ -1,11 +1,12 @@
 import { Request, Response, NextFunction } from "express";
 import { db, roleSiteResources, userOrgs, userSiteResources } from "@server/db";
 import { siteResources } from "@server/db";
-import { eq, and } from "drizzle-orm";
+import { eq, and, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import logger from "@server/logger";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifySiteResourceAccess(
     req: Request,
@@ -109,23 +110,34 @@ export async function verifySiteResourceAccess(
             }
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            siteResource.orgId
+        );
         req.userOrgId = siteResource.orgId;
 
         // Attach the siteResource to the request for use in the next middleware/route
         req.siteResource = siteResource;
 
-        const roleResourceAccess = await db
-            .select()
-            .from(roleSiteResources)
-            .where(
-                and(
-                    eq(roleSiteResources.siteResourceId, siteResourceIdNum),
-                    eq(roleSiteResources.roleId, userOrgRoleId)
-                )
-            )
-            .limit(1);
+        const roleResourceAccess =
+            (req.userOrgRoleIds?.length ?? 0) > 0
+                ? await db
+                      .select()
+                      .from(roleSiteResources)
+                      .where(
+                          and(
+                              eq(
+                                  roleSiteResources.siteResourceId,
+                                  siteResourceIdNum
+                              ),
+                              inArray(
+                                  roleSiteResources.roleId,
+                                  req.userOrgRoleIds!
+                              )
+                          )
+                      )
+                      .limit(1)
+                : [];
 
         if (roleResourceAccess.length > 0) {
             return next();
diff --git a/server/middlewares/verifyTargetAccess.ts b/server/middlewares/verifyTargetAccess.ts
index 7e433fcb8..141a04549 100644
--- a/server/middlewares/verifyTargetAccess.ts
+++ b/server/middlewares/verifyTargetAccess.ts
@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "../auth/canUserAccessResource";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyTargetAccess(
     req: Request,
@@ -99,7 +100,10 @@ export async function verifyTargetAccess(
                 )
             );
         } else {
-            req.userOrgRoleId = req.userOrg.roleId;
+            req.userOrgRoleIds = await getUserOrgRoleIds(
+                req.userOrg.userId,
+                resource[0].orgId!
+            );
             req.userOrgId = resource[0].orgId!;
         }
 
@@ -126,7 +130,7 @@ export async function verifyTargetAccess(
         const resourceAllowed = await canUserAccessResource({
             userId,
             resourceId,
-            roleId: req.userOrgRoleId!
+            roleIds: req.userOrgRoleIds ?? []
         });
 
         if (!resourceAllowed) {
diff --git a/server/middlewares/verifyUserInRole.ts b/server/middlewares/verifyUserInRole.ts
index 2a153114d..18eeb44f3 100644
--- a/server/middlewares/verifyUserInRole.ts
+++ b/server/middlewares/verifyUserInRole.ts
@@ -12,7 +12,7 @@ export async function verifyUserInRole(
         const roleId = parseInt(
             req.params.roleId || req.body.roleId || req.query.roleId
         );
-        const userRoleId = req.userOrgRoleId;
+        const userOrgRoleIds = req.userOrgRoleIds ?? [];
 
         if (isNaN(roleId)) {
             return next(
@@ -20,7 +20,7 @@ export async function verifyUserInRole(
             );
         }
 
-        if (!userRoleId) {
+        if (userOrgRoleIds.length === 0) {
             return next(
                 createHttpError(
                     HttpCode.FORBIDDEN,
@@ -29,7 +29,7 @@ export async function verifyUserInRole(
             );
         }
 
-        if (userRoleId !== roleId) {
+        if (!userOrgRoleIds.includes(roleId)) {
             return next(
                 createHttpError(
                     HttpCode.FORBIDDEN,
diff --git a/server/private/middlewares/verifyIdpAccess.ts b/server/private/middlewares/verifyIdpAccess.ts
index 410956844..2dbc1b8ff 100644
--- a/server/private/middlewares/verifyIdpAccess.ts
+++ b/server/private/middlewares/verifyIdpAccess.ts
@@ -13,9 +13,10 @@
 
 import { Request, Response, NextFunction } from "express";
 import { userOrgs, db, idp, idpOrg } from "@server/db";
-import { and, eq, or } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyIdpAccess(
     req: Request,
@@ -84,8 +85,10 @@ export async function verifyIdpAccess(
             );
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            idpRes.idpOrg.orgId
+        );
 
         return next();
     } catch (error) {
diff --git a/server/private/middlewares/verifyRemoteExitNodeAccess.ts b/server/private/middlewares/verifyRemoteExitNodeAccess.ts
index a2cd2bace..7d6128d8f 100644
--- a/server/private/middlewares/verifyRemoteExitNodeAccess.ts
+++ b/server/private/middlewares/verifyRemoteExitNodeAccess.ts
@@ -12,11 +12,12 @@
  */
 
 import { Request, Response, NextFunction } from "express";
-import { db, exitNodeOrgs, exitNodes, remoteExitNodes } from "@server/db";
-import { sites, userOrgs, userSites, roleSites, roles } from "@server/db";
-import { and, eq, or } from "drizzle-orm";
+import { db, exitNodeOrgs, remoteExitNodes } from "@server/db";
+import { userOrgs } from "@server/db";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyRemoteExitNodeAccess(
     req: Request,
@@ -103,8 +104,10 @@ export async function verifyRemoteExitNodeAccess(
             );
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            exitNodeOrg.orgId
+        );
 
         return next();
     } catch (error) {
diff --git a/server/private/routers/org/sendUsageNotifications.ts b/server/private/routers/org/sendUsageNotifications.ts
index 4aa421520..72fc00d4c 100644
--- a/server/private/routers/org/sendUsageNotifications.ts
+++ b/server/private/routers/org/sendUsageNotifications.ts
@@ -14,7 +14,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { userOrgs, users, roles, orgs } from "@server/db";
+import { userOrgs, userOrgRoles, users, roles, orgs } from "@server/db";
 import { eq, and, or } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -95,7 +95,14 @@ async function getOrgAdmins(orgId: string) {
         })
         .from(userOrgs)
         .innerJoin(users, eq(userOrgs.userId, users.userId))
-        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
+        .leftJoin(
+            userOrgRoles,
+            and(
+                eq(userOrgs.userId, userOrgRoles.userId),
+                eq(userOrgs.orgId, userOrgRoles.orgId)
+            )
+        )
+        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
         .where(
             and(
                 eq(userOrgs.orgId, orgId),
@@ -103,8 +110,11 @@ async function getOrgAdmins(orgId: string) {
             )
         );
 
-    // Filter to only include users with verified emails
-    const orgAdmins = admins.filter(
+    // Dedupe by userId (user may have multiple roles)
+    const byUserId = new Map(
+        admins.map((a) => [a.userId, a])
+    );
+    const orgAdmins = Array.from(byUserId.values()).filter(
         (admin) => admin.email && admin.email.length > 0
     );
 
diff --git a/server/private/routers/remoteExitNode/createRemoteExitNode.ts b/server/private/routers/remoteExitNode/createRemoteExitNode.ts
index 6d5b5ea6f..f24afdde1 100644
--- a/server/private/routers/remoteExitNode/createRemoteExitNode.ts
+++ b/server/private/routers/remoteExitNode/createRemoteExitNode.ts
@@ -79,7 +79,7 @@ export async function createRemoteExitNode(
 
         const { remoteExitNodeId, secret } = parsedBody.data;
 
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );
diff --git a/server/private/routers/ssh/signSshKey.ts b/server/private/routers/ssh/signSshKey.ts
index fbdee72d1..f45db3c85 100644
--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -30,7 +30,7 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { eq, or, and } from "drizzle-orm";
+import { and, eq, inArray, or } from "drizzle-orm";
 import { canUserAccessSiteResource } from "@server/auth/canUserAccessSiteResource";
 import { signPublicKey, getOrgCAKeys } from "#private/lib/sshCA";
 import config from "@server/lib/config";
@@ -122,7 +122,7 @@ export async function signSshKey(
             resource: resourceQueryString
         } = parsedBody.data;
         const userId = req.user?.userId;
-        const roleId = req.userOrgRoleId!;
+        const roleIds = req.userOrgRoleIds ?? [];
 
         if (!userId) {
             return next(
@@ -130,6 +130,15 @@ export async function signSshKey(
             );
         }
 
+        if (roleIds.length === 0) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "User has no role in organization"
+                )
+            );
+        }
+
         const [userOrg] = await db
             .select()
             .from(userOrgs)
@@ -310,11 +319,11 @@ export async function signSshKey(
             );
         }
 
-        // Check if the user has access to the resource
+        // Check if the user has access to the resource (any of their roles)
         const hasAccess = await canUserAccessSiteResource({
             userId: userId,
             resourceId: resource.siteResourceId,
-            roleId: roleId
+            roleIds
         });
 
         if (!hasAccess) {
@@ -326,28 +335,39 @@ export async function signSshKey(
             );
         }
 
-        const [roleRow] = await db
+        const roleRows = await db
             .select()
             .from(roles)
-            .where(eq(roles.roleId, roleId))
-            .limit(1);
+            .where(inArray(roles.roleId, roleIds));
 
-        let parsedSudoCommands: string[] = [];
-        let parsedGroups: string[] = [];
-        try {
-            parsedSudoCommands = JSON.parse(roleRow?.sshSudoCommands ?? "[]");
-            if (!Array.isArray(parsedSudoCommands)) parsedSudoCommands = [];
-        } catch {
-            parsedSudoCommands = [];
+        const parsedSudoCommands: string[] = [];
+        const parsedGroupsSet = new Set<string>();
+        let homedir: boolean | null = null;
+        const sudoModeOrder = { none: 0, commands: 1, all: 2 };
+        let sudoMode: "none" | "commands" | "all" = "none";
+        for (const roleRow of roleRows) {
+            try {
+                const cmds = JSON.parse(roleRow?.sshSudoCommands ?? "[]");
+                if (Array.isArray(cmds)) parsedSudoCommands.push(...cmds);
+            } catch {
+                // skip
+            }
+            try {
+                const grps = JSON.parse(roleRow?.sshUnixGroups ?? "[]");
+                if (Array.isArray(grps)) grps.forEach((g: string) => parsedGroupsSet.add(g));
+            } catch {
+                // skip
+            }
+            if (roleRow?.sshCreateHomeDir === true) homedir = true;
+            const m = roleRow?.sshSudoMode ?? "none";
+            if (sudoModeOrder[m as keyof typeof sudoModeOrder] > sudoModeOrder[sudoMode]) {
+                sudoMode = m as "none" | "commands" | "all";
+            }
         }
-        try {
-            parsedGroups = JSON.parse(roleRow?.sshUnixGroups ?? "[]");
-            if (!Array.isArray(parsedGroups)) parsedGroups = [];
-        } catch {
-            parsedGroups = [];
+        const parsedGroups = Array.from(parsedGroupsSet);
+        if (homedir === null && roleRows.length > 0) {
+            homedir = roleRows[0].sshCreateHomeDir ?? null;
         }
-        const homedir = roleRow?.sshCreateHomeDir ?? null;
-        const sudoMode = roleRow?.sshSudoMode ?? "none";
 
         // get the site
         const [newt] = await db
diff --git a/server/routers/accessToken/listAccessTokens.ts b/server/routers/accessToken/listAccessTokens.ts
index 2f929fc62..495afeb3c 100644
--- a/server/routers/accessToken/listAccessTokens.ts
+++ b/server/routers/accessToken/listAccessTokens.ts
@@ -208,7 +208,7 @@ export async function listAccessTokens(
                 .where(
                     or(
                         eq(userResources.userId, req.user!.userId),
-                        eq(roleResources.roleId, req.userOrgRoleId!)
+                        inArray(roleResources.roleId, req.userOrgRoleIds!)
                     )
                 );
         } else {
diff --git a/server/routers/badger/verifySession.ts b/server/routers/badger/verifySession.ts
index b5c66c0e9..2f6f7ac12 100644
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -3,12 +3,13 @@ import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToke
 import {
     getResourceByDomain,
     getResourceRules,
+    getRoleName,
     getRoleResourceAccess,
-    getUserOrgRole,
     getUserResourceAccess,
     getOrgLoginPage,
     getUserSessionWithUser
 } from "@server/db/queries/verifySessionQueries";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 import {
     LoginPage,
     Org,
@@ -916,9 +917,9 @@ async function isUserAllowedToAccessResource(
         return null;
     }
 
-    const userOrgRole = await getUserOrgRole(user.userId, resource.orgId);
+    const userOrgRoleIds = await getUserOrgRoleIds(user.userId, resource.orgId);
 
-    if (!userOrgRole) {
+    if (!userOrgRoleIds.length) {
         return null;
     }
 
@@ -934,17 +935,23 @@ async function isUserAllowedToAccessResource(
         return null;
     }
 
-    const roleResourceAccess = await getRoleResourceAccess(
-        resource.resourceId,
-        userOrgRole.roleId
-    );
-
-    if (roleResourceAccess) {
+    const roleNames: string[] = [];
+    for (const roleId of userOrgRoleIds) {
+        const roleResourceAccess = await getRoleResourceAccess(
+            resource.resourceId,
+            roleId
+        );
+        if (roleResourceAccess) {
+            const roleName = await getRoleName(roleId);
+            if (roleName) roleNames.push(roleName);
+        }
+    }
+    if (roleNames.length > 0) {
         return {
             username: user.username,
             email: user.email,
             name: user.name,
-            role: userOrgRole.roleName
+            role: roleNames.join(", ")
         };
     }
 
@@ -954,11 +961,15 @@ async function isUserAllowedToAccessResource(
     );
 
     if (userResourceAccess) {
+        const names = await Promise.all(
+            userOrgRoleIds.map((id) => getRoleName(id))
+        );
+        const role = names.filter(Boolean).join(", ") || "";
         return {
             username: user.username,
             email: user.email,
             name: user.name,
-            role: userOrgRole.roleName
+            role
         };
     }
 
diff --git a/server/routers/client/createClient.ts b/server/routers/client/createClient.ts
index 4eafb0616..3e5ba4fa1 100644
--- a/server/routers/client/createClient.ts
+++ b/server/routers/client/createClient.ts
@@ -92,7 +92,7 @@ export async function createClient(
 
         const { orgId } = parsedParams.data;
 
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );
@@ -234,7 +234,7 @@ export async function createClient(
                 clientId: newClient.clientId
             });
 
-            if (req.user && req.userOrgRoleId != adminRole.roleId) {
+            if (req.user && !req.userOrgRoleIds?.includes(adminRole.roleId)) {
                 // make sure the user can access the client
                 trx.insert(userClients).values({
                     userId: req.user.userId,
diff --git a/server/routers/client/listClients.ts b/server/routers/client/listClients.ts
index 53a66150c..95d6281bf 100644
--- a/server/routers/client/listClients.ts
+++ b/server/routers/client/listClients.ts
@@ -297,7 +297,7 @@ export async function listClients(
                 .where(
                     or(
                         eq(userClients.userId, req.user!.userId),
-                        eq(roleClients.roleId, req.userOrgRoleId!)
+                        inArray(roleClients.roleId, req.userOrgRoleIds!)
                     )
                 );
         } else {
diff --git a/server/routers/client/listUserDevices.ts b/server/routers/client/listUserDevices.ts
index 54fffe43b..4d37dc440 100644
--- a/server/routers/client/listUserDevices.ts
+++ b/server/routers/client/listUserDevices.ts
@@ -316,7 +316,7 @@ export async function listUserDevices(
                 .where(
                     or(
                         eq(userClients.userId, req.user!.userId),
-                        eq(roleClients.roleId, req.userOrgRoleId!)
+                        inArray(roleClients.roleId, req.userOrgRoleIds!)
                     )
                 );
         } else {
diff --git a/server/routers/external.ts b/server/routers/external.ts
index 45ab58bba..bae7bb4db 100644
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -654,6 +654,16 @@ authenticated.post(
     user.addUserRole
 );
 
+authenticated.delete(
+    "/role/:roleId/remove/:userId",
+    verifyRoleAccess,
+    verifyUserAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.removeUserRole),
+    logActionAudit(ActionsEnum.removeUserRole),
+    user.removeUserRole
+);
+
 authenticated.post(
     "/resource/:resourceId/roles",
     verifyResourceAccess,
diff --git a/server/routers/idp/validateOidcCallback.ts b/server/routers/idp/validateOidcCallback.ts
index e34621856..8714c4d38 100644
--- a/server/routers/idp/validateOidcCallback.ts
+++ b/server/routers/idp/validateOidcCallback.ts
@@ -13,6 +13,7 @@ import {
     orgs,
     Role,
     roles,
+    userOrgRoles,
     userOrgs,
     users
 } from "@server/db";
@@ -570,32 +571,28 @@ export async function validateOidcCallback(
                     }
                 }
 
-                // Update roles for existing auto-provisioned orgs where the role has changed
-                const orgsToUpdate = autoProvisionedOrgs.filter(
-                    (currentOrg) => {
-                        const newOrg = userOrgInfo.find(
-                            (newOrg) => newOrg.orgId === currentOrg.orgId
-                        );
-                        return newOrg && newOrg.roleId !== currentOrg.roleId;
-                    }
-                );
-
-                if (orgsToUpdate.length > 0) {
-                    for (const org of orgsToUpdate) {
-                        const newRole = userOrgInfo.find(
-                            (newOrg) => newOrg.orgId === org.orgId
-                        );
-                        if (newRole) {
-                            await trx
-                                .update(userOrgs)
-                                .set({ roleId: newRole.roleId })
-                                .where(
-                                    and(
-                                        eq(userOrgs.userId, userId!),
-                                        eq(userOrgs.orgId, org.orgId)
-                                    )
-                                );
-                        }
+                // Ensure IDP-provided role exists for existing auto-provisioned orgs (add only; never delete other roles)
+                const userRolesInOrgs = await trx
+                    .select()
+                    .from(userOrgRoles)
+                    .where(eq(userOrgRoles.userId, userId!));
+                for (const currentOrg of autoProvisionedOrgs) {
+                    const newRole = userOrgInfo.find(
+                        (newOrg) => newOrg.orgId === currentOrg.orgId
+                    );
+                    if (!newRole) continue;
+                    const currentRolesInOrg = userRolesInOrgs.filter(
+                        (r) => r.orgId === currentOrg.orgId
+                    );
+                    const hasIdpRole = currentRolesInOrg.some(
+                        (r) => r.roleId === newRole.roleId
+                    );
+                    if (!hasIdpRole) {
+                        await trx.insert(userOrgRoles).values({
+                            userId: userId!,
+                            orgId: currentOrg.orgId,
+                            roleId: newRole.roleId
+                        });
                     }
                 }
 
@@ -619,9 +616,9 @@ export async function validateOidcCallback(
                                 {
                                     orgId: org.orgId,
                                     userId: userId!,
-                                    roleId: org.roleId,
                                     autoProvisioned: true,
                                 },
+                                org.roleId,
                                 trx
                             );
                         }
diff --git a/server/routers/integration.ts b/server/routers/integration.ts
index 6c39fe983..56e44c661 100644
--- a/server/routers/integration.ts
+++ b/server/routers/integration.ts
@@ -532,6 +532,16 @@ authenticated.post(
     user.addUserRole
 );
 
+authenticated.delete(
+    "/role/:roleId/remove/:userId",
+    verifyApiKeyRoleAccess,
+    verifyApiKeyUserAccess,
+    verifyLimits,
+    verifyApiKeyHasAction(ActionsEnum.removeUserRole),
+    logActionAudit(ActionsEnum.removeUserRole),
+    user.removeUserRole
+);
+
 authenticated.post(
     "/resource/:resourceId/roles",
     verifyApiKeyResourceAccess,
diff --git a/server/routers/newt/createNewt.ts b/server/routers/newt/createNewt.ts
index b5da405e6..68cdcacf8 100644
--- a/server/routers/newt/createNewt.ts
+++ b/server/routers/newt/createNewt.ts
@@ -46,7 +46,7 @@ export async function createNewt(
 
         const { newtId, secret } = parsedBody.data;
 
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );
diff --git a/server/routers/olm/createOlm.ts b/server/routers/olm/createOlm.ts
index b5da405e6..68cdcacf8 100644
--- a/server/routers/olm/createOlm.ts
+++ b/server/routers/olm/createOlm.ts
@@ -46,7 +46,7 @@ export async function createNewt(
 
         const { newtId, secret } = parsedBody.data;
 
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );
diff --git a/server/routers/org/checkOrgUserAccess.ts b/server/routers/org/checkOrgUserAccess.ts
index d9f0364e3..19e39c4fe 100644
--- a/server/routers/org/checkOrgUserAccess.ts
+++ b/server/routers/org/checkOrgUserAccess.ts
@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db, idp, idpOidcConfig } from "@server/db";
-import { roles, userOrgs, users } from "@server/db";
+import { roles, userOrgRoles, userOrgs, users } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -14,7 +14,7 @@ import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { CheckOrgAccessPolicyResult } from "@server/lib/checkOrgAccessPolicy";
 
 async function queryUser(orgId: string, userId: string) {
-    const [user] = await db
+    const [userRow] = await db
         .select({
             orgId: userOrgs.orgId,
             userId: users.userId,
@@ -22,10 +22,7 @@ async function queryUser(orgId: string, userId: string) {
             username: users.username,
             name: users.name,
             type: users.type,
-            roleId: userOrgs.roleId,
-            roleName: roles.name,
             isOwner: userOrgs.isOwner,
-            isAdmin: roles.isAdmin,
             twoFactorEnabled: users.twoFactorEnabled,
             autoProvisioned: userOrgs.autoProvisioned,
             idpId: users.idpId,
@@ -35,13 +32,40 @@ async function queryUser(orgId: string, userId: string) {
             idpAutoProvision: idp.autoProvision
         })
         .from(userOrgs)
-        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
         .leftJoin(users, eq(userOrgs.userId, users.userId))
         .leftJoin(idp, eq(users.idpId, idp.idpId))
         .leftJoin(idpOidcConfig, eq(idp.idpId, idpOidcConfig.idpId))
         .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
         .limit(1);
-    return user;
+
+    if (!userRow) return undefined;
+
+    const roleRows = await db
+        .select({
+            roleId: userOrgRoles.roleId,
+            roleName: roles.name,
+            isAdmin: roles.isAdmin
+        })
+        .from(userOrgRoles)
+        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+        .where(
+            and(
+                eq(userOrgRoles.userId, userId),
+                eq(userOrgRoles.orgId, orgId)
+            )
+        );
+
+    const isAdmin = roleRows.some((r) => r.isAdmin);
+
+    return {
+        ...userRow,
+        isAdmin,
+        roleIds: roleRows.map((r) => r.roleId),
+        roles: roleRows.map((r) => ({
+            roleId: r.roleId,
+            name: r.roleName ?? ""
+        }))
+    };
 }
 
 export type CheckOrgUserAccessResponse = CheckOrgAccessPolicyResult;
diff --git a/server/routers/org/createOrg.ts b/server/routers/org/createOrg.ts
index 1a5d8799f..22dc742fa 100644
--- a/server/routers/org/createOrg.ts
+++ b/server/routers/org/createOrg.ts
@@ -9,6 +9,7 @@ import {
     orgs,
     roleActions,
     roles,
+    userOrgRoles,
     userOrgs,
     users,
     actions
@@ -312,9 +313,13 @@ export async function createOrg(
                 await trx.insert(userOrgs).values({
                     userId: req.user!.userId,
                     orgId: newOrg[0].orgId,
-                    roleId: roleId,
                     isOwner: true
                 });
+                await trx.insert(userOrgRoles).values({
+                    userId: req.user!.userId,
+                    orgId: newOrg[0].orgId,
+                    roleId
+                });
                 ownerUserId = req.user!.userId;
             } else {
                 // if org created by root api key, set the server admin as the owner
@@ -332,9 +337,13 @@ export async function createOrg(
                 await trx.insert(userOrgs).values({
                     userId: serverAdmin.userId,
                     orgId: newOrg[0].orgId,
-                    roleId: roleId,
                     isOwner: true
                 });
+                await trx.insert(userOrgRoles).values({
+                    userId: serverAdmin.userId,
+                    orgId: newOrg[0].orgId,
+                    roleId
+                });
                 ownerUserId = serverAdmin.userId;
             }
 
diff --git a/server/routers/org/getOrgOverview.ts b/server/routers/org/getOrgOverview.ts
index d368d1b3c..fcdd7c0ed 100644
--- a/server/routers/org/getOrgOverview.ts
+++ b/server/routers/org/getOrgOverview.ts
@@ -117,20 +117,26 @@ export async function getOrgOverview(
             .from(userOrgs)
             .where(eq(userOrgs.orgId, orgId));
 
-        const [role] = await db
-            .select()
-            .from(roles)
-            .where(eq(roles.roleId, req.userOrg.roleId));
+        const roleIds = req.userOrgRoleIds ?? [];
+        const roleRows =
+            roleIds.length > 0
+                ? await db
+                      .select({ name: roles.name, isAdmin: roles.isAdmin })
+                      .from(roles)
+                      .where(inArray(roles.roleId, roleIds))
+                : [];
+        const userRoleName = roleRows.map((r) => r.name ?? "").join(", ") ?? "";
+        const isAdmin = roleRows.some((r) => r.isAdmin === true);
 
         return response<GetOrgOverviewResponse>(res, {
             data: {
                 orgName: org[0].name,
                 orgId: org[0].orgId,
-                userRoleName: role.name,
+                userRoleName,
                 numSites,
                 numUsers,
                 numResources,
-                isAdmin: role.isAdmin || false,
+                isAdmin,
                 isOwner: req.userOrg?.isOwner || false
             },
             success: true,
diff --git a/server/routers/org/listUserOrgs.ts b/server/routers/org/listUserOrgs.ts
index 301d0203e..8e6ce649d 100644
--- a/server/routers/org/listUserOrgs.ts
+++ b/server/routers/org/listUserOrgs.ts
@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db, roles } from "@server/db";
-import { Org, orgs, userOrgs } from "@server/db";
+import { Org, orgs, userOrgRoles, userOrgs } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -82,10 +82,7 @@ export async function listUserOrgs(
         const { userId } = parsedParams.data;
 
         const userOrganizations = await db
-            .select({
-                orgId: userOrgs.orgId,
-                roleId: userOrgs.roleId
-            })
+            .select({ orgId: userOrgs.orgId })
             .from(userOrgs)
             .where(eq(userOrgs.userId, userId));
 
@@ -116,10 +113,27 @@ export async function listUserOrgs(
                 userOrgs,
                 and(eq(userOrgs.orgId, orgs.orgId), eq(userOrgs.userId, userId))
             )
-            .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
             .limit(limit)
             .offset(offset);
 
+        const roleRows = await db
+            .select({
+                orgId: userOrgRoles.orgId,
+                isAdmin: roles.isAdmin
+            })
+            .from(userOrgRoles)
+            .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+            .where(
+                and(
+                    eq(userOrgRoles.userId, userId),
+                    inArray(userOrgRoles.orgId, userOrgIds)
+                )
+            );
+
+        const orgHasAdmin = new Set(
+            roleRows.filter((r) => r.isAdmin).map((r) => r.orgId)
+        );
+
         const totalCountResult = await db
             .select({ count: sql<number>`cast(count(*) as integer)` })
             .from(orgs)
@@ -133,8 +147,8 @@ export async function listUserOrgs(
             if (val.userOrgs && val.userOrgs.isOwner) {
                 res.isOwner = val.userOrgs.isOwner;
             }
-            if (val.roles && val.roles.isAdmin) {
-                res.isAdmin = val.roles.isAdmin;
+            if (val.orgs && orgHasAdmin.has(val.orgs.orgId)) {
+                res.isAdmin = true;
             }
             if (val.userOrgs?.isOwner && val.orgs?.isBillingOrg) {
                 res.isPrimaryOrg = val.orgs.isBillingOrg;
diff --git a/server/routers/resource/createResource.ts b/server/routers/resource/createResource.ts
index 232cea266..d2124d22e 100644
--- a/server/routers/resource/createResource.ts
+++ b/server/routers/resource/createResource.ts
@@ -112,7 +112,7 @@ export async function createResource(
 
         const { orgId } = parsedParams.data;
 
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );
@@ -278,7 +278,7 @@ async function createHttpResource(
             resourceId: newResource[0].resourceId
         });
 
-        if (req.user && req.userOrgRoleId != adminRole[0].roleId) {
+        if (req.user && !req.userOrgRoleIds?.includes(adminRole[0].roleId)) {
             // make sure the user can access the resource
             await trx.insert(userResources).values({
                 userId: req.user?.userId!,
@@ -371,7 +371,7 @@ async function createRawResource(
             resourceId: newResource[0].resourceId
         });
 
-        if (req.user && req.userOrgRoleId != adminRole[0].roleId) {
+        if (req.user && !req.userOrgRoleIds?.includes(adminRole[0].roleId)) {
             // make sure the user can access the resource
             await trx.insert(userResources).values({
                 userId: req.user?.userId!,
diff --git a/server/routers/resource/getUserResources.ts b/server/routers/resource/getUserResources.ts
index eb5f8a8d9..9afd6b4f3 100644
--- a/server/routers/resource/getUserResources.ts
+++ b/server/routers/resource/getUserResources.ts
@@ -5,6 +5,7 @@ import {
     resources,
     userResources,
     roleResources,
+    userOrgRoles,
     userOrgs,
     resourcePassword,
     resourcePincode,
@@ -32,22 +33,29 @@ export async function getUserResources(
             );
         }
 
-        // First get the user's role in the organization
-        const userOrgResult = await db
-            .select({
-                roleId: userOrgs.roleId
-            })
+        // Check user is in organization and get their role IDs
+        const [userOrg] = await db
+            .select()
             .from(userOrgs)
             .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
             .limit(1);
 
-        if (userOrgResult.length === 0) {
+        if (!userOrg) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User not in organization")
             );
         }
 
-        const userRoleId = userOrgResult[0].roleId;
+        const userRoleIds = await db
+            .select({ roleId: userOrgRoles.roleId })
+            .from(userOrgRoles)
+            .where(
+                and(
+                    eq(userOrgRoles.userId, userId),
+                    eq(userOrgRoles.orgId, orgId)
+                )
+            )
+            .then((rows) => rows.map((r) => r.roleId));
 
         // Get resources accessible through direct assignment or role assignment
         const directResourcesQuery = db
@@ -55,20 +63,28 @@ export async function getUserResources(
             .from(userResources)
             .where(eq(userResources.userId, userId));
 
-        const roleResourcesQuery = db
-            .select({ resourceId: roleResources.resourceId })
-            .from(roleResources)
-            .where(eq(roleResources.roleId, userRoleId));
+        const roleResourcesQuery =
+            userRoleIds.length > 0
+                ? db
+                      .select({ resourceId: roleResources.resourceId })
+                      .from(roleResources)
+                      .where(inArray(roleResources.roleId, userRoleIds))
+                : Promise.resolve([]);
 
         const directSiteResourcesQuery = db
             .select({ siteResourceId: userSiteResources.siteResourceId })
             .from(userSiteResources)
             .where(eq(userSiteResources.userId, userId));
 
-        const roleSiteResourcesQuery = db
-            .select({ siteResourceId: roleSiteResources.siteResourceId })
-            .from(roleSiteResources)
-            .where(eq(roleSiteResources.roleId, userRoleId));
+        const roleSiteResourcesQuery =
+            userRoleIds.length > 0
+                ? db
+                      .select({
+                          siteResourceId: roleSiteResources.siteResourceId
+                      })
+                      .from(roleSiteResources)
+                      .where(inArray(roleSiteResources.roleId, userRoleIds))
+                : Promise.resolve([]);
 
         const [directResources, roleResourceResults, directSiteResourceResults, roleSiteResourceResults] = await Promise.all([
             directResourcesQuery,
diff --git a/server/routers/resource/listResources.ts b/server/routers/resource/listResources.ts
index a26a5df50..e6524a72e 100644
--- a/server/routers/resource/listResources.ts
+++ b/server/routers/resource/listResources.ts
@@ -276,7 +276,7 @@ export async function listResources(
                 .where(
                     or(
                         eq(userResources.userId, req.user!.userId),
-                        eq(roleResources.roleId, req.userOrgRoleId!)
+                        inArray(roleResources.roleId, req.userOrgRoleIds!)
                     )
                 );
         } else {
diff --git a/server/routers/role/deleteRole.ts b/server/routers/role/deleteRole.ts
index 490fe91cc..24c26e654 100644
--- a/server/routers/role/deleteRole.ts
+++ b/server/routers/role/deleteRole.ts
@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { roles, userOrgs } from "@server/db";
+import { roles, userOrgRoles } from "@server/db";
 import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -114,11 +114,11 @@ export async function deleteRole(
         }
 
         await db.transaction(async (trx) => {
-            // move all users from the userOrgs table with roleId to newRoleId
+            // move all users from userOrgRoles with roleId to newRoleId
             await trx
-                .update(userOrgs)
+                .update(userOrgRoles)
                 .set({ roleId: newRoleId })
-                .where(eq(userOrgs.roleId, roleId));
+                .where(eq(userOrgRoles.roleId, roleId));
 
             // delete the old role
             await trx.delete(roles).where(eq(roles.roleId, roleId));
diff --git a/server/routers/site/createSite.ts b/server/routers/site/createSite.ts
index ea4bc3e85..57e963e56 100644
--- a/server/routers/site/createSite.ts
+++ b/server/routers/site/createSite.ts
@@ -111,7 +111,7 @@ export async function createSite(
 
         const { orgId } = parsedParams.data;
 
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );
@@ -399,7 +399,7 @@ export async function createSite(
                 siteId: newSite.siteId
             });
 
-            if (req.user && req.userOrgRoleId != adminRole[0].roleId) {
+            if (req.user && !req.userOrgRoleIds?.includes(adminRole[0].roleId)) {
                 // make sure the user can access the site
                 trx.insert(userSites).values({
                     userId: req.user?.userId!,
diff --git a/server/routers/site/listSites.ts b/server/routers/site/listSites.ts
index e4881b1ab..f2d460ff7 100644
--- a/server/routers/site/listSites.ts
+++ b/server/routers/site/listSites.ts
@@ -235,7 +235,7 @@ export async function listSites(
                 .where(
                     or(
                         eq(userSites.userId, req.user!.userId),
-                        eq(roleSites.roleId, req.userOrgRoleId!)
+                        inArray(roleSites.roleId, req.userOrgRoleIds!)
                     )
                 );
         } else {
diff --git a/server/routers/user/acceptInvite.ts b/server/routers/user/acceptInvite.ts
index 388db4a31..30d3be7b9 100644
--- a/server/routers/user/acceptInvite.ts
+++ b/server/routers/user/acceptInvite.ts
@@ -165,9 +165,9 @@ export async function acceptInvite(
                 org,
                 {
                     userId: existingUser[0].userId,
-                    orgId: existingInvite.orgId,
-                    roleId: existingInvite.roleId
+                    orgId: existingInvite.orgId
                 },
+                existingInvite.roleId,
                 trx
             );
 
diff --git a/server/routers/user/addUserRole.ts b/server/routers/user/addUserRole.ts
index 32eaa19d7..d41ad2051 100644
--- a/server/routers/user/addUserRole.ts
+++ b/server/routers/user/addUserRole.ts
@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { clients, db, UserOrg } from "@server/db";
-import { userOrgs, roles } from "@server/db";
+import { clients, db } from "@server/db";
+import { userOrgRoles, userOrgs, roles } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -111,20 +111,23 @@ export async function addUserRole(
             );
         }
 
-        let newUserRole: UserOrg | null = null;
+        let newUserRole: { userId: string; orgId: string; roleId: number } | null =
+            null;
         await db.transaction(async (trx) => {
-            [newUserRole] = await trx
-                .update(userOrgs)
-                .set({ roleId })
-                .where(
-                    and(
-                        eq(userOrgs.userId, userId),
-                        eq(userOrgs.orgId, role.orgId)
-                    )
-                )
+            const inserted = await trx
+                .insert(userOrgRoles)
+                .values({
+                    userId,
+                    orgId: role.orgId,
+                    roleId
+                })
+                .onConflictDoNothing()
                 .returning();
 
-            // get the client associated with this user in this org
+            if (inserted.length > 0) {
+                newUserRole = inserted[0];
+            }
+
             const orgClients = await trx
                 .select()
                 .from(clients)
@@ -133,17 +136,15 @@ export async function addUserRole(
                         eq(clients.userId, userId),
                         eq(clients.orgId, role.orgId)
                     )
-                )
-                .limit(1);
+                );
 
             for (const orgClient of orgClients) {
-                // we just changed the user's role, so we need to rebuild client associations and what they have access to
                 await rebuildClientAssociationsFromClient(orgClient, trx);
             }
         });
 
         return response(res, {
-            data: newUserRole,
+            data: newUserRole ?? { userId, orgId: role.orgId, roleId },
             success: true,
             error: false,
             message: "Role added to user successfully",
diff --git a/server/routers/user/createOrgUser.ts b/server/routers/user/createOrgUser.ts
index b39ea22e2..891836651 100644
--- a/server/routers/user/createOrgUser.ts
+++ b/server/routers/user/createOrgUser.ts
@@ -221,12 +221,16 @@ export async function createOrgUser(
                         );
                     }
 
-                    await assignUserToOrg(org, {
-                        orgId,
-                        userId: existingUser.userId,
-                        roleId: role.roleId,
-                        autoProvisioned: false
-                    }, trx);
+                    await assignUserToOrg(
+                        org,
+                        {
+                            orgId,
+                            userId: existingUser.userId,
+                            autoProvisioned: false,
+                        },
+                        role.roleId,
+                        trx
+                    );
                 } else {
                     userId = generateId(15);
 
@@ -244,12 +248,16 @@ export async function createOrgUser(
                         })
                         .returning();
 
-                        await assignUserToOrg(org, {
-                            orgId,
-                            userId: newUser.userId,
-                            roleId: role.roleId,
-                            autoProvisioned: false
-                        }, trx);
+                        await assignUserToOrg(
+                            org,
+                            {
+                                orgId,
+                                userId: newUser.userId,
+                                autoProvisioned: false,
+                            },
+                            role.roleId,
+                            trx
+                        );
                 }
 
                 await calculateUserClientsForOrgs(userId, trx);
diff --git a/server/routers/user/getOrgUser.ts b/server/routers/user/getOrgUser.ts
index f22a29d37..2cced3fc2 100644
--- a/server/routers/user/getOrgUser.ts
+++ b/server/routers/user/getOrgUser.ts
@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db, idp, idpOidcConfig } from "@server/db";
-import { roles, userOrgs, users } from "@server/db";
+import { roles, userOrgRoles, userOrgs, users } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -12,7 +12,7 @@ import { ActionsEnum, checkUserActionPermission } from "@server/auth/actions";
 import { OpenAPITags, registry } from "@server/openApi";
 
 async function queryUser(orgId: string, userId: string) {
-    const [user] = await db
+    const [userRow] = await db
         .select({
             orgId: userOrgs.orgId,
             userId: users.userId,
@@ -20,10 +20,7 @@ async function queryUser(orgId: string, userId: string) {
             username: users.username,
             name: users.name,
             type: users.type,
-            roleId: userOrgs.roleId,
-            roleName: roles.name,
             isOwner: userOrgs.isOwner,
-            isAdmin: roles.isAdmin,
             twoFactorEnabled: users.twoFactorEnabled,
             autoProvisioned: userOrgs.autoProvisioned,
             idpId: users.idpId,
@@ -33,13 +30,40 @@ async function queryUser(orgId: string, userId: string) {
             idpAutoProvision: idp.autoProvision
         })
         .from(userOrgs)
-        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
         .leftJoin(users, eq(userOrgs.userId, users.userId))
         .leftJoin(idp, eq(users.idpId, idp.idpId))
         .leftJoin(idpOidcConfig, eq(idp.idpId, idpOidcConfig.idpId))
         .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
         .limit(1);
-    return user;
+
+    if (!userRow) return undefined;
+
+    const roleRows = await db
+        .select({
+            roleId: userOrgRoles.roleId,
+            roleName: roles.name,
+            isAdmin: roles.isAdmin
+        })
+        .from(userOrgRoles)
+        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+        .where(
+            and(
+                eq(userOrgRoles.userId, userId),
+                eq(userOrgRoles.orgId, orgId)
+            )
+        );
+
+    const isAdmin = roleRows.some((r) => r.isAdmin);
+
+    return {
+        ...userRow,
+        isAdmin,
+        roleIds: roleRows.map((r) => r.roleId),
+        roles: roleRows.map((r) => ({
+            roleId: r.roleId,
+            name: r.roleName ?? ""
+        }))
+    };
 }
 
 export type GetOrgUserResponse = NonNullable<
diff --git a/server/routers/user/index.ts b/server/routers/user/index.ts
index 35c5c4a7c..2de44d8b1 100644
--- a/server/routers/user/index.ts
+++ b/server/routers/user/index.ts
@@ -2,6 +2,7 @@ export * from "./getUser";
 export * from "./removeUserOrg";
 export * from "./listUsers";
 export * from "./addUserRole";
+export * from "./removeUserRole";
 export * from "./inviteUser";
 export * from "./acceptInvite";
 export * from "./getOrgUser";
diff --git a/server/routers/user/listUsers.ts b/server/routers/user/listUsers.ts
index 401dcf58b..aeced75b1 100644
--- a/server/routers/user/listUsers.ts
+++ b/server/routers/user/listUsers.ts
@@ -1,11 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db, idpOidcConfig } from "@server/db";
-import { idp, roles, userOrgs, users } from "@server/db";
+import { idp, roles, userOrgRoles, userOrgs, users } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
-import { and, sql } from "drizzle-orm";
+import { sql } from "drizzle-orm";
 import logger from "@server/logger";
 import { fromZodError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
@@ -31,7 +31,7 @@ const listUsersSchema = z.strictObject({
 });
 
 async function queryUsers(orgId: string, limit: number, offset: number) {
-    return await db
+    const rows = await db
         .select({
             id: users.userId,
             email: users.email,
@@ -41,8 +41,6 @@ async function queryUsers(orgId: string, limit: number, offset: number) {
             username: users.username,
             name: users.name,
             type: users.type,
-            roleId: userOrgs.roleId,
-            roleName: roles.name,
             isOwner: userOrgs.isOwner,
             idpName: idp.name,
             idpId: users.idpId,
@@ -52,12 +50,39 @@ async function queryUsers(orgId: string, limit: number, offset: number) {
         })
         .from(users)
         .leftJoin(userOrgs, eq(users.userId, userOrgs.userId))
-        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
         .leftJoin(idp, eq(users.idpId, idp.idpId))
         .leftJoin(idpOidcConfig, eq(idpOidcConfig.idpId, idp.idpId))
         .where(eq(userOrgs.orgId, orgId))
         .limit(limit)
         .offset(offset);
+
+    const roleRows = await db
+        .select({
+            userId: userOrgRoles.userId,
+            roleId: userOrgRoles.roleId,
+            roleName: roles.name
+        })
+        .from(userOrgRoles)
+        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+        .where(eq(userOrgRoles.orgId, orgId));
+
+    const rolesByUser = new Map<
+        string,
+        { roleId: number; roleName: string }[]
+    >();
+    for (const r of roleRows) {
+        const list = rolesByUser.get(r.userId) ?? [];
+        list.push({ roleId: r.roleId, roleName: r.roleName ?? "" });
+        rolesByUser.set(r.userId, list);
+    }
+
+    return rows.map((row) => {
+        const userRoles = rolesByUser.get(row.id) ?? [];
+        return {
+            ...row,
+            roles: userRoles
+        };
+    });
 }
 
 export type ListUsersResponse = {
diff --git a/server/routers/user/myDevice.ts b/server/routers/user/myDevice.ts
index 144108e11..3b991ca56 100644
--- a/server/routers/user/myDevice.ts
+++ b/server/routers/user/myDevice.ts
@@ -1,5 +1,5 @@
 import { Request, Response, NextFunction } from "express";
-import { db, Olm, olms, orgs, userOrgs } from "@server/db";
+import { db, Olm, olms, orgs, userOrgRoles, userOrgs } from "@server/db";
 import { idp, users } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -84,16 +84,31 @@ export async function myDevice(
             .from(olms)
             .where(and(eq(olms.userId, userId), eq(olms.olmId, olmId)));
 
-        const userOrganizations = await db
+        const userOrgRows = await db
             .select({
                 orgId: userOrgs.orgId,
-                orgName: orgs.name,
-                roleId: userOrgs.roleId
+                orgName: orgs.name
             })
             .from(userOrgs)
             .where(eq(userOrgs.userId, userId))
             .innerJoin(orgs, eq(userOrgs.orgId, orgs.orgId));
 
+        const roleRows = await db
+            .select({
+                orgId: userOrgRoles.orgId,
+                roleId: userOrgRoles.roleId
+            })
+            .from(userOrgRoles)
+            .where(eq(userOrgRoles.userId, userId));
+
+        const roleByOrg = new Map(
+            roleRows.map((r) => [r.orgId, r.roleId])
+        );
+        const userOrganizations = userOrgRows.map((row) => ({
+            ...row,
+            roleId: roleByOrg.get(row.orgId) ?? 0
+        }));
+
         return response<MyDeviceResponse>(res, {
             data: {
                 user,
diff --git a/server/routers/user/removeUserRole.ts b/server/routers/user/removeUserRole.ts
new file mode 100644
index 000000000..8d353fea3
--- /dev/null
+++ b/server/routers/user/removeUserRole.ts
@@ -0,0 +1,157 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { userOrgRoles, userOrgs, roles, clients } from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import stoi from "@server/lib/stoi";
+import { OpenAPITags, registry } from "@server/openApi";
+import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
+
+const removeUserRoleParamsSchema = z.strictObject({
+    userId: z.string(),
+    roleId: z.string().transform(stoi).pipe(z.number())
+});
+
+registry.registerPath({
+    method: "delete",
+    path: "/role/{roleId}/remove/{userId}",
+    description: "Remove a role from a user. User must have at least one role left in the org.",
+    tags: [OpenAPITags.Role, OpenAPITags.User],
+    request: {
+        params: removeUserRoleParamsSchema
+    },
+    responses: {}
+});
+
+export async function removeUserRole(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = removeUserRoleParamsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { userId, roleId } = parsedParams.data;
+
+        if (req.user && !req.userOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "You do not have access to this organization"
+                )
+            );
+        }
+
+        const [role] = await db
+            .select()
+            .from(roles)
+            .where(eq(roles.roleId, roleId))
+            .limit(1);
+
+        if (!role) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid role ID")
+            );
+        }
+
+        const [existingUser] = await db
+            .select()
+            .from(userOrgs)
+            .where(
+                and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, role.orgId))
+            )
+            .limit(1);
+
+        if (!existingUser) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "User not found or does not belong to the specified organization"
+                )
+            );
+        }
+
+        if (existingUser.isOwner) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Cannot change the roles of the owner of the organization"
+                )
+            );
+        }
+
+        const remainingRoles = await db
+            .select({ roleId: userOrgRoles.roleId })
+            .from(userOrgRoles)
+            .where(
+                and(
+                    eq(userOrgRoles.userId, userId),
+                    eq(userOrgRoles.orgId, role.orgId)
+                )
+            );
+
+        if (remainingRoles.length <= 1) {
+            const hasThisRole = remainingRoles.some((r) => r.roleId === roleId);
+            if (hasThisRole) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "User must have at least one role in the organization. Remove the last role is not allowed."
+                    )
+                );
+            }
+        }
+
+        await db.transaction(async (trx) => {
+            await trx
+                .delete(userOrgRoles)
+                .where(
+                    and(
+                        eq(userOrgRoles.userId, userId),
+                        eq(userOrgRoles.orgId, role.orgId),
+                        eq(userOrgRoles.roleId, roleId)
+                    )
+                );
+
+            const orgClients = await trx
+                .select()
+                .from(clients)
+                .where(
+                    and(
+                        eq(clients.userId, userId),
+                        eq(clients.orgId, role.orgId)
+                    )
+                );
+
+            for (const orgClient of orgClients) {
+                await rebuildClientAssociationsFromClient(orgClient, trx);
+            }
+        });
+
+        return response(res, {
+            data: { userId, orgId: role.orgId, roleId },
+            success: true,
+            error: false,
+            message: "Role removed from user successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
diff --git a/server/types/Auth.ts b/server/types/Auth.ts
index 8e222987c..398c02406 100644
--- a/server/types/Auth.ts
+++ b/server/types/Auth.ts
@@ -5,5 +5,5 @@ import { Session } from "@server/db";
 export interface AuthenticatedRequest extends Request {
     user: User;
     session: Session;
-    userOrgRoleId?: number;
+    userOrgRoleIds?: number[];
 }
diff --git a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
index 6313d512a..7a1dab309 100644
--- a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
+++ b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
@@ -8,7 +8,6 @@ import {
     FormLabel,
     FormMessage
 } from "@app/components/ui/form";
-import { Input } from "@app/components/ui/input";
 import {
     Select,
     SelectContent,
@@ -19,7 +18,6 @@ import {
 import { Checkbox } from "@app/components/ui/checkbox";
 import { toast } from "@app/hooks/useToast";
 import { zodResolver } from "@hookform/resolvers/zod";
-import { InviteUserResponse } from "@server/routers/user";
 import { AxiosResponse } from "axios";
 import { useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
@@ -44,6 +42,9 @@ import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useTranslations } from "next-intl";
 import IdpTypeBadge from "@app/components/IdpTypeBadge";
 import { UserType } from "@server/types/UserTypes";
+import { Badge } from "@app/components/ui/badge";
+
+type UserRole = { roleId: number; name: string };
 
 export default function AccessControlsPage() {
     const { orgUser: user } = userOrgUserContext();
@@ -54,12 +55,12 @@ export default function AccessControlsPage() {
 
     const [loading, setLoading] = useState(false);
     const [roles, setRoles] = useState<{ roleId: number; name: string }[]>([]);
+    const [userRoles, setUserRoles] = useState<UserRole[]>([]);
 
     const t = useTranslations();
 
     const formSchema = z.object({
         username: z.string(),
-        roleId: z.string().min(1, { message: t("accessRoleSelectPlease") }),
         autoProvisioned: z.boolean()
     });
 
@@ -67,11 +68,17 @@ export default function AccessControlsPage() {
         resolver: zodResolver(formSchema),
         defaultValues: {
             username: user.username!,
-            roleId: user.roleId?.toString(),
             autoProvisioned: user.autoProvisioned || false
         }
     });
 
+    const currentRoleIds = user.roleIds ?? [];
+    const currentRoles: UserRole[] = user.roles ?? [];
+
+    useEffect(() => {
+        setUserRoles(currentRoles);
+    }, [user.userId, currentRoleIds.join(",")]);
+
     useEffect(() => {
         async function fetchRoles() {
             const res = await api
@@ -94,32 +101,20 @@ export default function AccessControlsPage() {
         }
 
         fetchRoles();
-
-        form.setValue("roleId", user.roleId.toString());
         form.setValue("autoProvisioned", user.autoProvisioned || false);
     }, []);
 
-    async function onSubmit(values: z.infer<typeof formSchema>) {
+    async function handleAddRole(roleId: number) {
         setLoading(true);
-
         try {
-            // Execute both API calls simultaneously
-            const [roleRes, userRes] = await Promise.all([
-                api.post<AxiosResponse<InviteUserResponse>>(
-                    `/role/${values.roleId}/add/${user.userId}`
-                ),
-                api.post(`/org/${orgId}/user/${user.userId}`, {
-                    autoProvisioned: values.autoProvisioned
-                })
-            ]);
-
-            if (roleRes.status === 200 && userRes.status === 200) {
-                toast({
-                    variant: "default",
-                    title: t("userSaved"),
-                    description: t("userSavedDescription")
-                });
-            }
+            await api.post(`/role/${roleId}/add/${user.userId}`);
+            toast({
+                variant: "default",
+                title: t("userSaved"),
+                description: t("userSavedDescription")
+            });
+            const role = roles.find((r) => r.roleId === roleId);
+            if (role) setUserRoles((prev) => [...prev, role]);
         } catch (e) {
             toast({
                 variant: "destructive",
@@ -130,10 +125,61 @@ export default function AccessControlsPage() {
                 )
             });
         }
-
         setLoading(false);
     }
 
+    async function handleRemoveRole(roleId: number) {
+        setLoading(true);
+        try {
+            await api.delete(`/role/${roleId}/remove/${user.userId}`);
+            toast({
+                variant: "default",
+                title: t("userSaved"),
+                description: t("userSavedDescription")
+            });
+            setUserRoles((prev) => prev.filter((r) => r.roleId !== roleId));
+        } catch (e) {
+            toast({
+                variant: "destructive",
+                title: t("accessRoleErrorAdd"),
+                description: formatAxiosError(
+                    e,
+                    t("accessRoleErrorAddDescription")
+                )
+            });
+        }
+        setLoading(false);
+    }
+
+    async function onSubmit(values: z.infer<typeof formSchema>) {
+        setLoading(true);
+        try {
+            await api.post(`/org/${orgId}/user/${user.userId}`, {
+                autoProvisioned: values.autoProvisioned
+            });
+            toast({
+                variant: "default",
+                title: t("userSaved"),
+                description: t("userSavedDescription")
+            });
+        } catch (e) {
+            toast({
+                variant: "destructive",
+                title: t("accessRoleErrorAdd"),
+                description: formatAxiosError(
+                    e,
+                    t("accessRoleErrorAddDescription")
+                )
+            });
+        }
+        setLoading(false);
+    }
+
+    const availableRolesToAdd = roles.filter(
+        (r) => !userRoles.some((ur) => ur.roleId === r.roleId)
+    );
+    const canRemoveRole = userRoles.length > 1;
+
     return (
         <SettingsContainer>
             <SettingsSection>
@@ -154,7 +200,6 @@ export default function AccessControlsPage() {
                                 className="space-y-4"
                                 id="access-controls-form"
                             >
-                                {/* IDP Type Display */}
                                 {user.type !== UserType.Internal &&
                                     user.idpType && (
                                         <div className="flex items-center space-x-2 mb-4">
@@ -171,49 +216,72 @@ export default function AccessControlsPage() {
                                         </div>
                                     )}
 
-                                <FormField
-                                    control={form.control}
-                                    name="roleId"
-                                    render={({ field }) => (
-                                        <FormItem>
-                                            <FormLabel>{t("role")}</FormLabel>
+                                <FormItem>
+                                    <FormLabel>{t("role")}</FormLabel>
+                                    <div className="flex flex-wrap gap-2 items-center">
+                                        {userRoles.map((r) => (
+                                            <Badge
+                                                key={r.roleId}
+                                                variant="secondary"
+                                                className="flex items-center gap-1"
+                                            >
+                                                {r.name}
+                                                {canRemoveRole && (
+                                                    <button
+                                                        type="button"
+                                                        onClick={() =>
+                                                            handleRemoveRole(
+                                                                r.roleId
+                                                            )
+                                                        }
+                                                        disabled={loading}
+                                                        className="ml-1 rounded hover:bg-muted"
+                                                        aria-label={`Remove ${r.name}`}
+                                                    >
+                                                        ×
+                                                    </button>
+                                                )}
+                                            </Badge>
+                                        ))}
+                                        {availableRolesToAdd.length > 0 && (
                                             <Select
                                                 onValueChange={(value) => {
-                                                    field.onChange(value);
-                                                    // If auto provision is enabled, set it to false when role changes
-                                                    if (user.idpAutoProvision) {
-                                                        form.setValue(
-                                                            "autoProvisioned",
-                                                            false
-                                                        );
-                                                    }
+                                                    handleAddRole(
+                                                        parseInt(value, 10)
+                                                    );
                                                 }}
-                                                value={field.value}
+                                                disabled={loading}
                                             >
-                                                <FormControl>
-                                                    <SelectTrigger>
-                                                        <SelectValue
-                                                            placeholder={t(
-                                                                "accessRoleSelect"
-                                                            )}
-                                                        />
-                                                    </SelectTrigger>
-                                                </FormControl>
+                                                <SelectTrigger className="w-[180px]">
+                                                    <SelectValue
+                                                        placeholder={t(
+                                                            "accessRoleSelect"
+                                                        )}
+                                                    />
+                                                </SelectTrigger>
                                                 <SelectContent>
-                                                    {roles.map((role) => (
-                                                        <SelectItem
-                                                            key={role.roleId}
-                                                            value={role.roleId.toString()}
-                                                        >
-                                                            {role.name}
-                                                        </SelectItem>
-                                                    ))}
+                                                    {availableRolesToAdd.map(
+                                                        (role) => (
+                                                            <SelectItem
+                                                                key={
+                                                                    role.roleId
+                                                                }
+                                                                value={role.roleId.toString()}
+                                                            >
+                                                                {role.name}
+                                                            </SelectItem>
+                                                        )
+                                                    )}
                                                 </SelectContent>
                                             </Select>
-                                            <FormMessage />
-                                        </FormItem>
+                                        )}
+                                    </div>
+                                    {userRoles.length === 0 && (
+                                        <p className="text-sm text-muted-foreground">
+                                            {t("accessRoleSelectPlease")}
+                                        </p>
                                     )}
-                                />
+                                </FormItem>
 
                                 {user.idpAutoProvision && (
                                     <FormField
@@ -231,7 +299,9 @@ export default function AccessControlsPage() {
                                                 </FormControl>
                                                 <div className="space-y-1 leading-none">
                                                     <FormLabel>
-                                                        {t("autoProvisioned")}
+                                                        {t(
+                                                            "autoProvisioned"
+                                                        )}
                                                     </FormLabel>
                                                     <p className="text-sm text-muted-foreground">
                                                         {t(
diff --git a/src/app/[orgId]/settings/access/users/page.tsx b/src/app/[orgId]/settings/access/users/page.tsx
index c10363734..c64ee6396 100644
--- a/src/app/[orgId]/settings/access/users/page.tsx
+++ b/src/app/[orgId]/settings/access/users/page.tsx
@@ -88,7 +88,9 @@ export default async function UsersPage(props: UsersPageProps) {
             status: t("userConfirmed"),
             role: user.isOwner
                 ? t("accessRoleOwner")
-                : user.roleName || t("accessRoleMember"),
+                : user.roles?.length
+                  ? user.roles.map((r) => r.roleName).join(", ")
+                  : t("accessRoleMember"),
             isOwner: user.isOwner || false
         };
     });

From 5c4de03588c79c7cb214f16d69896dd8b623de01 Mon Sep 17 00:00:00 2001
From: Jacky Fong <hello@huzky.dev>
Date: Thu, 26 Feb 2026 03:46:35 +0800
Subject: [PATCH 004/314] add reset bandwidth api for site

Change endpoint

update to reset all site in the organization

move the logic to organization

move the permission to organization
---
 messages/en-US.json                     |  1 +
 server/auth/actions.ts                  |  1 +
 server/routers/integration.ts           |  7 +++
 server/routers/org/index.ts             |  1 +
 server/routers/org/resetOrgBandwidth.ts | 83 +++++++++++++++++++++++++
 src/components/PermissionsSelectBox.tsx |  1 +
 6 files changed, 94 insertions(+)
 create mode 100644 server/routers/org/resetOrgBandwidth.ts

diff --git a/messages/en-US.json b/messages/en-US.json
index 68f9640b2..aa66e9ac1 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -1096,6 +1096,7 @@
     "setupTokenDescription": "Enter the setup token from the server console.",
     "setupTokenRequired": "Setup token is required",
     "actionUpdateSite": "Update Site",
+    "actionResetSiteBandwidth": "Reset Organization Bandwidth",
     "actionListSiteRoles": "List Allowed Site Roles",
     "actionCreateResource": "Create Resource",
     "actionDeleteResource": "Delete Resource",
diff --git a/server/auth/actions.ts b/server/auth/actions.ts
index 094437f43..c3c543a43 100644
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -19,6 +19,7 @@ export enum ActionsEnum {
     getSite = "getSite",
     listSites = "listSites",
     updateSite = "updateSite",
+    resetSiteBandwidth = "resetSiteBandwidth",
     reGenerateSecret = "reGenerateSecret",
     createResource = "createResource",
     deleteResource = "deleteResource",
diff --git a/server/routers/integration.ts b/server/routers/integration.ts
index 9ece5ddd0..c035a3506 100644
--- a/server/routers/integration.ts
+++ b/server/routers/integration.ts
@@ -134,6 +134,13 @@ authenticated.post(
     logActionAudit(ActionsEnum.updateSite),
     site.updateSite
 );
+authenticated.post(
+    "/org/:orgId/reset-bandwidth",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.resetSiteBandwidth),
+    logActionAudit(ActionsEnum.resetSiteBandwidth),
+    org.resetOrgBandwidth
+);
 
 authenticated.delete(
     "/site/:siteId",
diff --git a/server/routers/org/index.ts b/server/routers/org/index.ts
index b0db28d14..c1aee7b33 100644
--- a/server/routers/org/index.ts
+++ b/server/routers/org/index.ts
@@ -8,3 +8,4 @@ export * from "./getOrgOverview";
 export * from "./listOrgs";
 export * from "./pickOrgDefaults";
 export * from "./checkOrgUserAccess";
+export * from "./resetOrgBandwidth";
diff --git a/server/routers/org/resetOrgBandwidth.ts b/server/routers/org/resetOrgBandwidth.ts
new file mode 100644
index 000000000..b98e2e406
--- /dev/null
+++ b/server/routers/org/resetOrgBandwidth.ts
@@ -0,0 +1,83 @@
+import { NextFunction, Request, Response } from "express";
+import { z } from "zod";
+import { db, sites } from "@server/db";
+import { eq } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+
+const resetOrgBandwidthParamsSchema = z.strictObject({
+    orgId: z.string()
+});
+
+registry.registerPath({
+    method: "post",
+    path: "/org/{orgId}/reset-bandwidth",
+    description: "Reset all sites in selected organization bandwidth counters.",
+    tags: [OpenAPITags.Org, OpenAPITags.Site],
+    request: {
+        params: resetOrgBandwidthParamsSchema
+    },
+    responses: {}
+});
+
+export async function resetOrgBandwidth(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = resetOrgBandwidthParamsSchema.safeParse(
+            req.params
+        );
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId } = parsedParams.data;
+
+        const [site] = await db
+            .select({ siteId: sites.siteId })
+            .from(sites)
+            .where(eq(sites.orgId, orgId))
+            .limit(1);
+
+        if (!site) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `No sites found in org ${orgId}`
+                )
+            );
+        }
+
+        await db
+            .update(sites)
+            .set({
+                megabytesIn: 0,
+                megabytesOut: 0
+            })
+            .where(eq(sites.orgId, orgId));
+
+        return response(res, {
+            data: {},
+            success: true,
+            error: false,
+            message: "Sites bandwidth reset successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
diff --git a/src/components/PermissionsSelectBox.tsx b/src/components/PermissionsSelectBox.tsx
index b11c635a6..4e3b61ab0 100644
--- a/src/components/PermissionsSelectBox.tsx
+++ b/src/components/PermissionsSelectBox.tsx
@@ -26,6 +26,7 @@ function getActionsCategories(root: boolean) {
             [t("actionGetOrg")]: "getOrg",
             [t("actionUpdateOrg")]: "updateOrg",
             [t("actionGetOrgUser")]: "getOrgUser",
+            [t("actionResetSiteBandwidth")]: "resetSiteBandwidth",
             [t("actionInviteUser")]: "inviteUser",
             [t("actionRemoveInvitation")]: "removeInvitation",
             [t("actionListInvitations")]: "listInvitations",

From aca9d1e07028c8c8c0765c0f863f36763b2c3378 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 2 Mar 2026 01:36:05 +0000
Subject: [PATCH 005/314] Bump actions/setup-go from 6.2.0 to 6.3.0

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 6.2.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5...4b73464bb391d4059bd26b0524d20df3927bd417)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/cicd.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index 25bc7ce8d..f099c78fd 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -264,7 +264,7 @@ jobs:
               shell: bash
 
             - name: Install Go
-              uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+              uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
               with:
                   go-version: 1.24
 

From a060c8029fc7e2ab35cbb62fbdea470f39bbe8f0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 2 Mar 2026 01:36:11 +0000
Subject: [PATCH 006/314] Bump actions/upload-artifact from 6.0.0 to 7.0.0

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6.0.0 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/b7c566a772e6b6bfb58ed0dc250532a479d7789f...bbbca2ddaa5d8feaa63e36b76fdaad77386f024f)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/cicd.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index 25bc7ce8d..f1793720c 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -299,7 +299,7 @@ jobs:
               shell: bash
 
             - name: Upload artifacts from /install/bin
-              uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+              uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
               with:
                   name: install-bin
                   path: install/bin/

From dae169540bd3430f698725f9d8c830f441e5be96 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 2 Mar 2026 16:49:17 -0800
Subject: [PATCH 007/314] Fix defaults for orgs

---
 server/lib/readConfigFile.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/lib/readConfigFile.ts b/server/lib/readConfigFile.ts
index cca0aa6aa..f6c8592e9 100644
--- a/server/lib/readConfigFile.ts
+++ b/server/lib/readConfigFile.ts
@@ -302,8 +302,8 @@ export const configSchema = z
             .optional()
             .default({
                 block_size: 24,
-                subnet_group: "100.90.128.0/24",
-                utility_subnet_group: "100.96.128.0/24"
+                subnet_group: "100.90.128.0/20",
+                utility_subnet_group: "100.96.128.0/20"
             }),
         rate_limits: z
             .object({

From 6cf1b9b0108d5f4eda8e22f716f91e8874a4c558 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 2 Mar 2026 18:51:48 -0800
Subject: [PATCH 008/314] Support improved targets msg v2

---
 server/lib/ip.ts                              | 123 +++++++++++
 server/lib/rebuildClientAssociations.ts       |  32 ++-
 server/routers/client/targets.ts              | 209 ++++++++++++++----
 server/routers/newt/buildConfiguration.ts     |  26 ++-
 server/routers/newt/handleGetConfigMessage.ts |   5 +-
 .../siteResource/updateSiteResource.ts        |  10 +-
 6 files changed, 326 insertions(+), 79 deletions(-)

diff --git a/server/lib/ip.ts b/server/lib/ip.ts
index 21ec78c1b..3a29b8661 100644
--- a/server/lib/ip.ts
+++ b/server/lib/ip.ts
@@ -571,6 +571,129 @@ export function generateSubnetProxyTargets(
     return targets;
 }
 
+export type SubnetProxyTargetV2 = {
+    sourcePrefixes: string[]; // must be cidrs
+    destPrefix: string; // must be a cidr
+    disableIcmp?: boolean;
+    rewriteTo?: string; // must be a cidr
+    portRange?: {
+        min: number;
+        max: number;
+        protocol: "tcp" | "udp";
+    }[];
+};
+
+export function generateSubnetProxyTargetV2(
+    siteResource: SiteResource,
+    clients: {
+        clientId: number;
+        pubKey: string | null;
+        subnet: string | null;
+    }[]
+): SubnetProxyTargetV2 | undefined {
+    if (clients.length === 0) {
+        logger.debug(
+            `No clients have access to site resource ${siteResource.siteResourceId}, skipping target generation.`
+        );
+        return;
+    }
+
+    let target: SubnetProxyTargetV2 | null = null;
+
+    const portRange = [
+        ...parsePortRangeString(siteResource.tcpPortRangeString, "tcp"),
+        ...parsePortRangeString(siteResource.udpPortRangeString, "udp")
+    ];
+    const disableIcmp = siteResource.disableIcmp ?? false;
+
+    if (siteResource.mode == "host") {
+        let destination = siteResource.destination;
+        // check if this is a valid ip
+        const ipSchema = z.union([z.ipv4(), z.ipv6()]);
+        if (ipSchema.safeParse(destination).success) {
+            destination = `${destination}/32`;
+
+            target = {
+                sourcePrefixes: [],
+                destPrefix: destination,
+                portRange,
+                disableIcmp
+            };
+        }
+
+        if (siteResource.alias && siteResource.aliasAddress) {
+            // also push a match for the alias address
+            target = {
+                sourcePrefixes: [],
+                destPrefix: `${siteResource.aliasAddress}/32`,
+                rewriteTo: destination,
+                portRange,
+                disableIcmp
+            };
+        }
+    } else if (siteResource.mode == "cidr") {
+        target = {
+            sourcePrefixes: [],
+            destPrefix: siteResource.destination,
+            portRange,
+            disableIcmp
+        };
+    }
+
+    if (!target) {
+        return;
+    }
+
+    for (const clientSite of clients) {
+        if (!clientSite.subnet) {
+            logger.debug(
+                `Client ${clientSite.clientId} has no subnet, skipping for site resource ${siteResource.siteResourceId}.`
+            );
+            continue;
+        }
+
+        const clientPrefix = `${clientSite.subnet.split("/")[0]}/32`;
+
+        // add client prefix to source prefixes
+        target.sourcePrefixes.push(clientPrefix);
+    }
+
+    // print a nice representation of the targets
+    // logger.debug(
+    //     `Generated subnet proxy targets for: ${JSON.stringify(targets, null, 2)}`
+    // );
+
+    return target;
+}
+
+
+/**
+ * Converts a SubnetProxyTargetV2 to an array of SubnetProxyTarget (v1)
+ * by expanding each source prefix into its own target entry.
+ * @param targetV2 - The v2 target to convert
+ * @returns Array of v1 SubnetProxyTarget objects
+ */
+ export function convertSubnetProxyTargetsV2ToV1(
+     targetsV2: SubnetProxyTargetV2[]
+ ): SubnetProxyTarget[] {
+     return targetsV2.flatMap((targetV2) =>
+         targetV2.sourcePrefixes.map((sourcePrefix) => ({
+             sourcePrefix,
+             destPrefix: targetV2.destPrefix,
+             ...(targetV2.disableIcmp !== undefined && {
+                 disableIcmp: targetV2.disableIcmp
+             }),
+             ...(targetV2.rewriteTo !== undefined && {
+                 rewriteTo: targetV2.rewriteTo
+             }),
+             ...(targetV2.portRange !== undefined && {
+                 portRange: targetV2.portRange
+             })
+         }))
+     );
+ }
+
+
 // Custom schema for validating port range strings
 // Format: "80,443,8000-9000" or "*" for all ports, or empty string
 export const portRangeStringSchema = z
diff --git a/server/lib/rebuildClientAssociations.ts b/server/lib/rebuildClientAssociations.ts
index 625e57935..915c3648d 100644
--- a/server/lib/rebuildClientAssociations.ts
+++ b/server/lib/rebuildClientAssociations.ts
@@ -32,7 +32,7 @@ import logger from "@server/logger";
 import {
     generateAliasConfig,
     generateRemoteSubnets,
-    generateSubnetProxyTargets,
+    generateSubnetProxyTargetV2,
     parseEndpoint,
     formatEndpoint
 } from "@server/lib/ip";
@@ -659,17 +659,14 @@ async function handleSubnetProxyTargetUpdates(
         );
 
         if (addedClients.length > 0) {
-            const targetsToAdd = generateSubnetProxyTargets(
+            const targetToAdd = generateSubnetProxyTargetV2(
                 siteResource,
                 addedClients
             );
 
-            if (targetsToAdd.length > 0) {
-                logger.info(
-                    `Adding ${targetsToAdd.length} subnet proxy targets for siteResource ${siteResource.siteResourceId}`
-                );
+            if (targetToAdd) {
                 proxyJobs.push(
-                    addSubnetProxyTargets(newt.newtId, targetsToAdd)
+                    addSubnetProxyTargets(newt.newtId, [targetToAdd])
                 );
             }
 
@@ -695,17 +692,14 @@ async function handleSubnetProxyTargetUpdates(
         );
 
         if (removedClients.length > 0) {
-            const targetsToRemove = generateSubnetProxyTargets(
+            const targetToRemove = generateSubnetProxyTargetV2(
                 siteResource,
                 removedClients
             );
 
-            if (targetsToRemove.length > 0) {
-                logger.info(
-                    `Removing ${targetsToRemove.length} subnet proxy targets for siteResource ${siteResource.siteResourceId}`
-                );
+            if (targetToRemove) {
                 proxyJobs.push(
-                    removeSubnetProxyTargets(newt.newtId, targetsToRemove)
+                    removeSubnetProxyTargets(newt.newtId, [targetToRemove])
                 );
             }
 
@@ -1159,7 +1153,7 @@ async function handleMessagesForClientResources(
             }
 
             for (const resource of resources) {
-                const targets = generateSubnetProxyTargets(resource, [
+                const target = generateSubnetProxyTargetV2(resource, [
                     {
                         clientId: client.clientId,
                         pubKey: client.pubKey,
@@ -1167,8 +1161,8 @@ async function handleMessagesForClientResources(
                     }
                 ]);
 
-                if (targets.length > 0) {
-                    proxyJobs.push(addSubnetProxyTargets(newt.newtId, targets));
+                if (target) {
+                    proxyJobs.push(addSubnetProxyTargets(newt.newtId, [target]));
                 }
 
                 try {
@@ -1230,7 +1224,7 @@ async function handleMessagesForClientResources(
             }
 
             for (const resource of resources) {
-                const targets = generateSubnetProxyTargets(resource, [
+                const target = generateSubnetProxyTargetV2(resource, [
                     {
                         clientId: client.clientId,
                         pubKey: client.pubKey,
@@ -1238,9 +1232,9 @@ async function handleMessagesForClientResources(
                     }
                 ]);
 
-                if (targets.length > 0) {
+                if (target) {
                     proxyJobs.push(
-                        removeSubnetProxyTargets(newt.newtId, targets)
+                        removeSubnetProxyTargets(newt.newtId, [target])
                     );
                 }
 
diff --git a/server/routers/client/targets.ts b/server/routers/client/targets.ts
index bf612d352..48b7e216d 100644
--- a/server/routers/client/targets.ts
+++ b/server/routers/client/targets.ts
@@ -1,8 +1,15 @@
 import { sendToClient } from "#dynamic/routers/ws";
-import { db, olms, Transaction } from "@server/db";
-import { Alias, SubnetProxyTarget } from "@server/lib/ip";
+import { S } from "@faker-js/faker/dist/airline-Dz1uGqgJ";
+import { db, newts, olms, Transaction } from "@server/db";
+import {
+    Alias,
+    convertSubnetProxyTargetsV2ToV1,
+    SubnetProxyTarget,
+    SubnetProxyTargetV2
+} from "@server/lib/ip";
 import logger from "@server/logger";
 import { eq } from "drizzle-orm";
+import semver from "semver";
 
 const BATCH_SIZE = 50;
 const BATCH_DELAY_MS = 50;
@@ -19,57 +26,149 @@ function chunkArray<T>(array: T[], size: number): T[][] {
     return chunks;
 }
 
-export async function addTargets(newtId: string, targets: SubnetProxyTarget[]) {
-    const batches = chunkArray(targets, BATCH_SIZE);
+const NEWT_V2_TARGETS_VERSION = ">=1.11.0";
+
+export async function convertTargetsIfNessicary(
+    newtId: string,
+    targets: SubnetProxyTarget[] | SubnetProxyTargetV2[]
+) {
+    // get the newt
+    const [newt] = await db
+        .select()
+        .from(newts)
+        .where(eq(newts.newtId, newtId));
+    if (!newt) {
+        throw new Error(`No newt found for id: ${newtId}`);
+    }
+
+    // check the semver
+    if (
+        newt.version &&
+        !semver.satisfies(newt.version, NEWT_V2_TARGETS_VERSION)
+    ) {
+        logger.debug(
+            `addTargets Newt version ${newt.version} does not support targets v2 falling back`
+        );
+        targets = convertSubnetProxyTargetsV2ToV1(
+            targets as SubnetProxyTargetV2[]
+        );
+    }
+
+    return targets;
+}
+
+export async function addTargets(
+    newtId: string,
+    targets: SubnetProxyTarget[] | SubnetProxyTargetV2[]
+) {
+    targets = await convertTargetsIfNessicary(newtId, targets);
+
+    const batches = chunkArray<SubnetProxyTarget | SubnetProxyTargetV2>(
+        targets,
+        BATCH_SIZE
+    );
+
     for (let i = 0; i < batches.length; i++) {
         if (i > 0) {
             await sleep(BATCH_DELAY_MS);
         }
-        await sendToClient(newtId, {
-            type: `newt/wg/targets/add`,
-            data: batches[i]
-        }, { incrementConfigVersion: true });
+        await sendToClient(
+            newtId,
+            {
+                type: `newt/wg/targets/add`,
+                data: batches[i]
+            },
+            { incrementConfigVersion: true }
+        );
     }
 }
 
 export async function removeTargets(
     newtId: string,
-    targets: SubnetProxyTarget[]
+    targets: SubnetProxyTarget[] | SubnetProxyTargetV2[]
 ) {
-    const batches = chunkArray(targets, BATCH_SIZE);
+    targets = await convertTargetsIfNessicary(newtId, targets);
+
+    const batches = chunkArray<SubnetProxyTarget | SubnetProxyTargetV2>(
+        targets,
+        BATCH_SIZE
+    );
     for (let i = 0; i < batches.length; i++) {
         if (i > 0) {
             await sleep(BATCH_DELAY_MS);
         }
-        await sendToClient(newtId, {
-            type: `newt/wg/targets/remove`,
-            data: batches[i]
-        },{ incrementConfigVersion: true });
+        await sendToClient(
+            newtId,
+            {
+                type: `newt/wg/targets/remove`,
+                data: batches[i]
+            },
+            { incrementConfigVersion: true }
+        );
     }
 }
 
 export async function updateTargets(
     newtId: string,
     targets: {
-        oldTargets: SubnetProxyTarget[];
-        newTargets: SubnetProxyTarget[];
+        oldTargets: SubnetProxyTarget[] | SubnetProxyTargetV2[];
+        newTargets: SubnetProxyTarget[] | SubnetProxyTargetV2[];
     }
 ) {
-    const oldBatches = chunkArray(targets.oldTargets, BATCH_SIZE);
-    const newBatches = chunkArray(targets.newTargets, BATCH_SIZE);
+    // get the newt
+    const [newt] = await db
+        .select()
+        .from(newts)
+        .where(eq(newts.newtId, newtId));
+    if (!newt) {
+        logger.error(`addTargetsL No newt found for id: ${newtId}`);
+        return;
+    }
+
+    // check the semver
+    if (
+        newt.version &&
+        !semver.satisfies(newt.version, NEWT_V2_TARGETS_VERSION)
+    ) {
+        logger.debug(
+            `addTargets Newt version ${newt.version} does not support targets v2 falling back`
+        );
+        targets = {
+            oldTargets: convertSubnetProxyTargetsV2ToV1(
+                targets.oldTargets as SubnetProxyTargetV2[]
+            ),
+            newTargets: convertSubnetProxyTargetsV2ToV1(
+                targets.newTargets as SubnetProxyTargetV2[]
+            )
+        };
+    }
+
+    const oldBatches = chunkArray<SubnetProxyTarget | SubnetProxyTargetV2>(
+        targets.oldTargets,
+        BATCH_SIZE
+    );
+    const newBatches = chunkArray<SubnetProxyTarget | SubnetProxyTargetV2>(
+        targets.newTargets,
+        BATCH_SIZE
+    );
+
     const maxBatches = Math.max(oldBatches.length, newBatches.length);
 
     for (let i = 0; i < maxBatches; i++) {
         if (i > 0) {
             await sleep(BATCH_DELAY_MS);
         }
-        await sendToClient(newtId, {
-            type: `newt/wg/targets/update`,
-            data: {
-                oldTargets: oldBatches[i] || [],
-                newTargets: newBatches[i] || []
-            }
-        }, { incrementConfigVersion: true }).catch((error) => {
+        await sendToClient(
+            newtId,
+            {
+                type: `newt/wg/targets/update`,
+                data: {
+                    oldTargets: oldBatches[i] || [],
+                    newTargets: newBatches[i] || []
+                }
+            },
+            { incrementConfigVersion: true }
+        ).catch((error) => {
             logger.warn(`Error sending message:`, error);
         });
     }
@@ -94,14 +193,18 @@ export async function addPeerData(
         olmId = olm.olmId;
     }
 
-    await sendToClient(olmId, {
-        type: `olm/wg/peer/data/add`,
-        data: {
-            siteId: siteId,
-            remoteSubnets: remoteSubnets,
-            aliases: aliases
-        }
-    }, { incrementConfigVersion: true }).catch((error) => {
+    await sendToClient(
+        olmId,
+        {
+            type: `olm/wg/peer/data/add`,
+            data: {
+                siteId: siteId,
+                remoteSubnets: remoteSubnets,
+                aliases: aliases
+            }
+        },
+        { incrementConfigVersion: true }
+    ).catch((error) => {
         logger.warn(`Error sending message:`, error);
     });
 }
@@ -125,14 +228,18 @@ export async function removePeerData(
         olmId = olm.olmId;
     }
 
-    await sendToClient(olmId, {
-        type: `olm/wg/peer/data/remove`,
-        data: {
-            siteId: siteId,
-            remoteSubnets: remoteSubnets,
-            aliases: aliases
-        }
-    }, { incrementConfigVersion: true }).catch((error) => {
+    await sendToClient(
+        olmId,
+        {
+            type: `olm/wg/peer/data/remove`,
+            data: {
+                siteId: siteId,
+                remoteSubnets: remoteSubnets,
+                aliases: aliases
+            }
+        },
+        { incrementConfigVersion: true }
+    ).catch((error) => {
         logger.warn(`Error sending message:`, error);
     });
 }
@@ -166,14 +273,18 @@ export async function updatePeerData(
         olmId = olm.olmId;
     }
 
-    await sendToClient(olmId, {
-        type: `olm/wg/peer/data/update`,
-        data: {
-            siteId: siteId,
-            ...remoteSubnets,
-            ...aliases
-        }
-    }, { incrementConfigVersion: true }).catch((error) => {
+    await sendToClient(
+        olmId,
+        {
+            type: `olm/wg/peer/data/update`,
+            data: {
+                siteId: siteId,
+                ...remoteSubnets,
+                ...aliases
+            }
+        },
+        { incrementConfigVersion: true }
+    ).catch((error) => {
         logger.warn(`Error sending message:`, error);
     });
 }
diff --git a/server/routers/newt/buildConfiguration.ts b/server/routers/newt/buildConfiguration.ts
index e349f24e8..c20e713f6 100644
--- a/server/routers/newt/buildConfiguration.ts
+++ b/server/routers/newt/buildConfiguration.ts
@@ -1,9 +1,23 @@
-import { clients, clientSiteResourcesAssociationsCache, clientSitesAssociationsCache, db, ExitNode, resources, Site, siteResources, targetHealthCheck, targets } from "@server/db";
+import {
+    clients,
+    clientSiteResourcesAssociationsCache,
+    clientSitesAssociationsCache,
+    db,
+    ExitNode,
+    resources,
+    Site,
+    siteResources,
+    targetHealthCheck,
+    targets
+} from "@server/db";
 import logger from "@server/logger";
 import { initPeerAddHandshake, updatePeer } from "../olm/peers";
 import { eq, and } from "drizzle-orm";
 import config from "@server/lib/config";
-import { generateSubnetProxyTargets, SubnetProxyTarget } from "@server/lib/ip";
+import {
+    generateSubnetProxyTargetV2,
+    SubnetProxyTargetV2
+} from "@server/lib/ip";
 
 export async function buildClientConfigurationForNewtClient(
     site: Site,
@@ -126,7 +140,7 @@ export async function buildClientConfigurationForNewtClient(
         .from(siteResources)
         .where(eq(siteResources.siteId, siteId));
 
-    const targetsToSend: SubnetProxyTarget[] = [];
+    const targetsToSend: SubnetProxyTargetV2[] = [];
 
     for (const resource of allSiteResources) {
         // Get clients associated with this specific resource
@@ -151,12 +165,14 @@ export async function buildClientConfigurationForNewtClient(
                 )
             );
 
-        const resourceTargets = generateSubnetProxyTargets(
+        const resourceTarget = generateSubnetProxyTargetV2(
             resource,
             resourceClients
         );
 
-        targetsToSend.push(...resourceTargets);
+        if (resourceTarget) {
+            targetsToSend.push(resourceTarget);
+        }
     }
 
     return {
diff --git a/server/routers/newt/handleGetConfigMessage.ts b/server/routers/newt/handleGetConfigMessage.ts
index 801c8b65a..d17a37e48 100644
--- a/server/routers/newt/handleGetConfigMessage.ts
+++ b/server/routers/newt/handleGetConfigMessage.ts
@@ -6,6 +6,7 @@ import { db, ExitNode, exitNodes, Newt, sites } from "@server/db";
 import { eq } from "drizzle-orm";
 import { sendToExitNode } from "#dynamic/lib/exitNodes";
 import { buildClientConfigurationForNewtClient } from "./buildConfiguration";
+import { convertTargetsIfNessicary } from "../client/targets";
 
 const inputSchema = z.object({
     publicKey: z.string(),
@@ -126,13 +127,15 @@ export const handleGetConfigMessage: MessageHandler = async (context) => {
         exitNode
     );
 
+    const targetsToSend = await convertTargetsIfNessicary(newt.newtId, targets);
+
     return {
         message: {
             type: "newt/wg/receive-config",
             data: {
                 ipAddress: site.address,
                 peers,
-                targets
+                targets: targetsToSend
             }
         },
         broadcast: false,
diff --git a/server/routers/siteResource/updateSiteResource.ts b/server/routers/siteResource/updateSiteResource.ts
index 242b92265..c8119840f 100644
--- a/server/routers/siteResource/updateSiteResource.ts
+++ b/server/routers/siteResource/updateSiteResource.ts
@@ -24,7 +24,7 @@ import { updatePeerData, updateTargets } from "@server/routers/client/targets";
 import {
     generateAliasConfig,
     generateRemoteSubnets,
-    generateSubnetProxyTargets,
+    generateSubnetProxyTargetV2,
     isIpInCidr,
     portRangeStringSchema
 } from "@server/lib/ip";
@@ -608,18 +608,18 @@ export async function handleMessagingForUpdatedSiteResource(
 
         // Only update targets on newt if destination changed
         if (destinationChanged || portRangesChanged) {
-            const oldTargets = generateSubnetProxyTargets(
+            const oldTarget = generateSubnetProxyTargetV2(
                 existingSiteResource,
                 mergedAllClients
             );
-            const newTargets = generateSubnetProxyTargets(
+            const newTarget = generateSubnetProxyTargetV2(
                 updatedSiteResource,
                 mergedAllClients
             );
 
             await updateTargets(newt.newtId, {
-                oldTargets: oldTargets,
-                newTargets: newTargets
+                oldTargets: [oldTarget],
+                newTargets: [newTarget]
             });
         }
 

From b01fcc70feab3d86939c5ae6fd43e8bcb4ee50db Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 3 Mar 2026 14:45:18 -0800
Subject: [PATCH 009/314] Fix ts and add note about ipv4

---
 server/routers/siteResource/createSiteResource.ts | 2 +-
 server/routers/siteResource/updateSiteResource.ts | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/server/routers/siteResource/createSiteResource.ts b/server/routers/siteResource/createSiteResource.ts
index bbdc3638d..b12b8d100 100644
--- a/server/routers/siteResource/createSiteResource.ts
+++ b/server/routers/siteResource/createSiteResource.ts
@@ -88,7 +88,7 @@ const createSiteResourceSchema = z
         },
         {
             message:
-                "Destination must be a valid IP address or valid domain AND alias is required"
+                "Destination must be a valid IPV4 address or valid domain AND alias is required"
         }
     )
     .refine(
diff --git a/server/routers/siteResource/updateSiteResource.ts b/server/routers/siteResource/updateSiteResource.ts
index c8119840f..bc5daa55f 100644
--- a/server/routers/siteResource/updateSiteResource.ts
+++ b/server/routers/siteResource/updateSiteResource.ts
@@ -618,8 +618,8 @@ export async function handleMessagingForUpdatedSiteResource(
             );
 
             await updateTargets(newt.newtId, {
-                oldTargets: [oldTarget],
-                newTargets: [newTarget]
+                oldTargets: oldTarget ? [oldTarget] : [],
+                newTargets: newTarget ? [newTarget] : []
             });
         }
 

From 7e2fd8f49d36897128411320a87b91648123b4f2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 9 Mar 2026 01:36:02 +0000
Subject: [PATCH 010/314] Bump actions/setup-node from 6.2.0 to 6.3.0

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 6.2.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/6044e13b5dc448c55e2357c09f80417699197238...53b83947a5a98c8d113130e565377fae1a50d02f)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/linting.yml | 2 +-
 .github/workflows/test.yml    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index 3b5060a52..cf574dd3c 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -24,7 +24,7 @@ jobs:
               uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
             - name: Set up Node.js
-              uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+              uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
               with:
                 node-version: '24'
 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 582548fe1..30567f0f7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -17,7 +17,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: '24'
 

From 2e2684c695e9bb4da45624b80e1f29e95577091d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 9 Mar 2026 01:36:08 +0000
Subject: [PATCH 011/314] Bump docker/login-action from 3.7.0 to 4.0.0

Bumps [docker/login-action](https://github.com/docker/login-action) from 3.7.0 to 4.0.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/c94ce9fb468520275223c153574b00df6fe4bcc9...b45d80f862d83dbcd57f89517bcf500b2ab88fb2)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/cicd.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index 25bc7ce8d..e54112318 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -77,7 +77,7 @@ jobs:
                   fi
 
             - name: Log in to Docker Hub
-              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
               with:
                   registry: docker.io
                   username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -149,7 +149,7 @@ jobs:
                   fi
 
             - name: Log in to Docker Hub
-              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
               with:
                   registry: docker.io
                   username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -204,7 +204,7 @@ jobs:
               uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
             - name: Log in to Docker Hub
-              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
               with:
                   registry: docker.io
                   username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -407,7 +407,7 @@ jobs:
               shell: bash
 
             - name: Login to GitHub Container Registry (for cosign)
-              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
               with:
                 registry: ghcr.io
                 username: ${{ github.actor }}

From 27d20eb1bcda61ccb6662a67bf74709385b1dcc2 Mon Sep 17 00:00:00 2001
From: Rodney Osodo <socials@rodneyosodo.com>
Date: Mon, 9 Mar 2026 11:17:36 +0300
Subject: [PATCH 012/314] refactor(install): improve resource cleanup and
 remove unused funcs

Signed-off-by: Rodney Osodo <socials@rodneyosodo.com>
---
 install/config.go | 14 ++++++-------
 install/input.go  | 27 ------------------------
 install/main.go   | 53 +++++++++++++++++------------------------------
 3 files changed, 26 insertions(+), 68 deletions(-)

diff --git a/install/config.go b/install/config.go
index 548e2ab33..d03415e30 100644
--- a/install/config.go
+++ b/install/config.go
@@ -99,11 +99,6 @@ func ReadAppConfig(configPath string) (*AppConfigValues, error) {
 	return values, nil
 }
 
-// findPattern finds the start of a pattern in a string
-func findPattern(s, pattern string) int {
-	return bytes.Index([]byte(s), []byte(pattern))
-}
-
 func copyDockerService(sourceFile, destFile, serviceName string) error {
 	// Read source file
 	sourceData, err := os.ReadFile(sourceFile)
@@ -187,7 +182,7 @@ func backupConfig() error {
 	return nil
 }
 
-func MarshalYAMLWithIndent(data any, indent int) ([]byte, error) {
+func MarshalYAMLWithIndent(data any, indent int) (resp []byte, err error) {
 	buffer := new(bytes.Buffer)
 	encoder := yaml.NewEncoder(buffer)
 	encoder.SetIndent(indent)
@@ -196,7 +191,12 @@ func MarshalYAMLWithIndent(data any, indent int) ([]byte, error) {
 		return nil, err
 	}
 
-	defer encoder.Close()
+	defer func() {
+		if cerr := encoder.Close(); cerr != nil && err == nil {
+			err = cerr
+		}
+	}()
+
 	return buffer.Bytes(), nil
 }
 
diff --git a/install/input.go b/install/input.go
index 8b444ecb9..93739e0d0 100644
--- a/install/input.go
+++ b/install/input.go
@@ -85,33 +85,6 @@ func readString(prompt string, defaultValue string) string {
 	return value
 }
 
-func readStringNoDefault(prompt string) string {
-	var value string
-
-	for {
-		input := huh.NewInput().
-			Title(prompt).
-			Value(&value).
-			Validate(func(s string) error {
-				if s == "" {
-					return fmt.Errorf("this field is required")
-				}
-				return nil
-			})
-
-		err := runField(input)
-		handleAbort(err)
-
-		if value != "" {
-			// Print the answer so it remains visible in terminal history
-			if !isAccessibleMode() {
-				fmt.Printf("%s: %s\n", prompt, value)
-			}
-			return value
-		}
-	}
-}
-
 func readPassword(prompt string) string {
 	var value string
 
diff --git a/install/main.go b/install/main.go
index 9de332b60..2bb73b1dd 100644
--- a/install/main.go
+++ b/install/main.go
@@ -8,7 +8,6 @@ import (
 	"io"
 	"io/fs"
 	"net"
-	"net/http"
 	"net/url"
 	"os"
 	"os/exec"
@@ -430,9 +429,9 @@ func createConfigFiles(config Config) error {
 	}
 
 	// Walk through all embedded files
-	err := fs.WalkDir(configFiles, "config", func(path string, d fs.DirEntry, err error) error {
-		if err != nil {
-			return err
+	err := fs.WalkDir(configFiles, "config", func(path string, d fs.DirEntry, walkErr error) (err error) {
+		if walkErr != nil {
+			return walkErr
 		}
 
 		// Skip the root fs directory itself
@@ -483,7 +482,11 @@ func createConfigFiles(config Config) error {
 		if err != nil {
 			return fmt.Errorf("failed to create %s: %v", path, err)
 		}
-		defer outFile.Close()
+		defer func() {
+			if cerr := outFile.Close(); cerr != nil && err == nil {
+				err = cerr
+			}
+		}()
 
 		// Execute template
 		if err := tmpl.Execute(outFile, config); err != nil {
@@ -499,18 +502,26 @@ func createConfigFiles(config Config) error {
 	return nil
 }
 
-func copyFile(src, dst string) error {
+func copyFile(src, dst string) (err error) {
 	source, err := os.Open(src)
 	if err != nil {
 		return err
 	}
-	defer source.Close()
+	defer func() {
+		if cerr := source.Close(); cerr != nil && err == nil {
+			err = cerr
+		}
+	}()
 
 	destination, err := os.Create(dst)
 	if err != nil {
 		return err
 	}
-	defer destination.Close()
+	defer func() {
+		if cerr := destination.Close(); cerr != nil && err == nil {
+			err = cerr
+		}
+	}()
 
 	_, err = io.Copy(destination, source)
 	return err
@@ -622,32 +633,6 @@ func generateRandomSecretKey() string {
 	return base64.StdEncoding.EncodeToString(secret)
 }
 
-func getPublicIP() string {
-	client := &http.Client{
-		Timeout: 10 * time.Second,
-	}
-
-	resp, err := client.Get("https://ifconfig.io/ip")
-	if err != nil {
-		return ""
-	}
-	defer resp.Body.Close()
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return ""
-	}
-
-	ip := strings.TrimSpace(string(body))
-
-	// Validate that it's a valid IP address
-	if net.ParseIP(ip) != nil {
-		return ip
-	}
-
-	return ""
-}
-
 // Run external commands with stdio/stderr attached.
 func run(name string, args ...string) error {
 	cmd := exec.Command(name, args...)

From ae39084a75564738efa059f40152f6725d83fc81 Mon Sep 17 00:00:00 2001
From: Shreyas Papinwar <spapinwar@gmail.com>
Date: Tue, 10 Mar 2026 12:21:06 +0530
Subject: [PATCH 013/314] fix: persist user locale preference to database
 (#1547)

---
 server/db/pg/schema/schema.ts           |  3 +-
 server/db/sqlite/schema/schema.ts       |  3 +-
 server/routers/external.ts              |  5 +++
 server/routers/user/getUser.ts          |  3 +-
 server/routers/user/index.ts            |  1 +
 server/routers/user/updateUserLocale.ts | 57 +++++++++++++++++++++++++
 src/components/LocaleSwitcherSelect.tsx |  7 +++
 src/services/locale.ts                  | 26 ++++++++++-
 8 files changed, 101 insertions(+), 4 deletions(-)
 create mode 100644 server/routers/user/updateUserLocale.ts

diff --git a/server/db/pg/schema/schema.ts b/server/db/pg/schema/schema.ts
index 504ea761f..7171fa36b 100644
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -285,7 +285,8 @@ export const users = pgTable("user", {
     termsVersion: varchar("termsVersion"),
     marketingEmailConsent: boolean("marketingEmailConsent").default(false),
     serverAdmin: boolean("serverAdmin").notNull().default(false),
-    lastPasswordChange: bigint("lastPasswordChange", { mode: "number" })
+    lastPasswordChange: bigint("lastPasswordChange", { mode: "number" }),
+    locale: varchar("locale")
 });
 
 export const newts = pgTable("newt", {
diff --git a/server/db/sqlite/schema/schema.ts b/server/db/sqlite/schema/schema.ts
index 2bd11ee0c..47c7f04ae 100644
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -320,7 +320,8 @@ export const users = sqliteTable("user", {
     serverAdmin: integer("serverAdmin", { mode: "boolean" })
         .notNull()
         .default(false),
-    lastPasswordChange: integer("lastPasswordChange")
+    lastPasswordChange: integer("lastPasswordChange"),
+    locale: text("locale")
 });
 
 export const securityKeys = sqliteTable("webauthnCredentials", {
diff --git a/server/routers/external.ts b/server/routers/external.ts
index 45ab58bba..334678944 100644
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -793,6 +793,11 @@ unauthenticated.get(
 // );
 
 unauthenticated.get("/user", verifySessionMiddleware, user.getUser);
+unauthenticated.post(
+    "/user/locale",
+    verifySessionMiddleware,
+    user.updateUserLocale
+);
 unauthenticated.get("/my-device", verifySessionMiddleware, user.myDevice);
 
 authenticated.get("/users", verifyUserIsServerAdmin, user.adminListUsers);
diff --git a/server/routers/user/getUser.ts b/server/routers/user/getUser.ts
index e33daab60..c2e43e16e 100644
--- a/server/routers/user/getUser.ts
+++ b/server/routers/user/getUser.ts
@@ -20,7 +20,8 @@ async function queryUser(userId: string) {
             emailVerified: users.emailVerified,
             serverAdmin: users.serverAdmin,
             idpName: idp.name,
-            idpId: users.idpId
+            idpId: users.idpId,
+            locale: users.locale
         })
         .from(users)
         .leftJoin(idp, eq(users.idpId, idp.idpId))
diff --git a/server/routers/user/index.ts b/server/routers/user/index.ts
index b6fb05d92..6aa2bf792 100644
--- a/server/routers/user/index.ts
+++ b/server/routers/user/index.ts
@@ -16,4 +16,5 @@ export * from "./createOrgUser";
 export * from "./adminUpdateUser2FA";
 export * from "./adminGetUser";
 export * from "./updateOrgUser";
+export * from "./updateUserLocale";
 export * from "./myDevice";
diff --git a/server/routers/user/updateUserLocale.ts b/server/routers/user/updateUserLocale.ts
new file mode 100644
index 000000000..6c28ce067
--- /dev/null
+++ b/server/routers/user/updateUserLocale.ts
@@ -0,0 +1,57 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { users } from "@server/db";
+import { eq } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+
+const bodySchema = z.strictObject({
+    locale: z.string().min(2).max(10)
+});
+
+export async function updateUserLocale(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const userId = req.user?.userId;
+
+        if (!userId) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "User not found")
+            );
+        }
+
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { locale } = parsedBody.data;
+
+        await db.update(users).set({ locale }).where(eq(users.userId, userId));
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "User locale updated successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
diff --git a/src/components/LocaleSwitcherSelect.tsx b/src/components/LocaleSwitcherSelect.tsx
index 201aeb18a..e647f7dd1 100644
--- a/src/components/LocaleSwitcherSelect.tsx
+++ b/src/components/LocaleSwitcherSelect.tsx
@@ -12,6 +12,8 @@ import clsx from "clsx";
 import { useTransition } from "react";
 import { Locale } from "@/i18n/config";
 import { setUserLocale } from "@/services/locale";
+import { createApiClient } from "@app/lib/api";
+import { useEnvContext } from "@app/hooks/useEnvContext";
 
 type Props = {
     defaultValue: string;
@@ -25,12 +27,17 @@ export default function LocaleSwitcherSelect({
     label
 }: Props) {
     const [isPending, startTransition] = useTransition();
+    const api = createApiClient(useEnvContext());
 
     function onChange(value: string) {
         const locale = value as Locale;
         startTransition(() => {
             setUserLocale(locale);
         });
+        // Persist locale to the database (fire-and-forget)
+        api.post("/user/locale", { locale }).catch(() => {
+            // Silently ignore errors — cookie is already set as fallback
+        });
     }
 
     const selected = items.find((item) => item.value === defaultValue);
diff --git a/src/services/locale.ts b/src/services/locale.ts
index 034f4c988..3bdf688bf 100644
--- a/src/services/locale.ts
+++ b/src/services/locale.ts
@@ -2,10 +2,13 @@
 
 import { cookies, headers } from "next/headers";
 import { Locale, defaultLocale, locales } from "@/i18n/config";
+import { internal } from "@app/lib/api";
+import { authCookieHeader } from "@app/lib/api/cookies";
 
 // In this example the locale is read from a cookie. You could alternatively
 // also read it from a database, backend service, or any other source.
 const COOKIE_NAME = "NEXT_LOCALE";
+const COOKIE_MAX_AGE = 365 * 24 * 60 * 60; // 1 year in seconds
 
 export async function getUserLocale(): Promise<Locale> {
     const cookieLocale = (await cookies()).get(COOKIE_NAME)?.value;
@@ -14,6 +17,23 @@ export async function getUserLocale(): Promise<Locale> {
         return cookieLocale as Locale;
     }
 
+    // No cookie found — try to restore from user's saved locale in DB
+    try {
+        const res = await internal.get("/user", await authCookieHeader());
+        const userLocale = res.data?.data?.locale;
+        if (userLocale && locales.includes(userLocale as Locale)) {
+            // Set the cookie so subsequent requests don't need the API call
+            (await cookies()).set(COOKIE_NAME, userLocale, {
+                maxAge: COOKIE_MAX_AGE,
+                path: "/",
+                sameSite: "lax"
+            });
+            return userLocale as Locale;
+        }
+    } catch {
+        // User not logged in or API unavailable — fall through
+    }
+
     const headerList = await headers();
     const acceptLang = headerList.get("accept-language");
 
@@ -33,5 +53,9 @@ export async function getUserLocale(): Promise<Locale> {
 }
 
 export async function setUserLocale(locale: Locale) {
-    (await cookies()).set(COOKIE_NAME, locale);
+    (await cookies()).set(COOKIE_NAME, locale, {
+        maxAge: COOKIE_MAX_AGE,
+        path: "/",
+        sameSite: "lax"
+    });
 }

From 5455d1c118f65ec9e9bfc869c0e5748166085e20 Mon Sep 17 00:00:00 2001
From: Shreyas Papinwar <spapinwar@gmail.com>
Date: Tue, 10 Mar 2026 12:33:05 +0530
Subject: [PATCH 014/314] fix: add locale to myDevice user query to fix type
 error

---
 server/routers/user/myDevice.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/routers/user/myDevice.ts b/server/routers/user/myDevice.ts
index 144108e11..3d656fc7a 100644
--- a/server/routers/user/myDevice.ts
+++ b/server/routers/user/myDevice.ts
@@ -63,7 +63,8 @@ export async function myDevice(
                 emailVerified: users.emailVerified,
                 serverAdmin: users.serverAdmin,
                 idpName: idp.name,
-                idpId: users.idpId
+                idpId: users.idpId,
+                locale: users.locale
             })
             .from(users)
             .leftJoin(idp, eq(users.idpId, idp.idpId))

From 84b082e1941b243f4aca9e193abc81a083c013a9 Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Thu, 12 Mar 2026 23:36:35 +0100
Subject: [PATCH 015/314] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20show=20actual=20va?=
 =?UTF-8?q?lues=20for=20wireguard=20site=20credentials=20whenever=20possib?=
 =?UTF-8?q?le?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../sites/[niceId]/credentials/page.tsx       | 22 +++++++++----------
 src/lib/wireguard.ts                          |  4 +---
 2 files changed, 11 insertions(+), 15 deletions(-)

diff --git a/src/app/[orgId]/settings/sites/[niceId]/credentials/page.tsx b/src/app/[orgId]/settings/sites/[niceId]/credentials/page.tsx
index ecf3b105a..d4463cb7c 100644
--- a/src/app/[orgId]/settings/sites/[niceId]/credentials/page.tsx
+++ b/src/app/[orgId]/settings/sites/[niceId]/credentials/page.tsx
@@ -39,6 +39,7 @@ import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
 import { NewtSiteInstallCommands } from "@app/components/newt-install-commands";
 import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import type { AxiosResponse } from "axios";
 
 export default function CredentialsPage() {
     const { env } = useEnvContext();
@@ -100,7 +101,9 @@ export default function CredentialsPage() {
                 generatedPublicKey = generatedKeypair.publicKey;
                 setPublicKey(generatedPublicKey);
 
-                const res = await api.get(`/org/${orgId}/pick-site-defaults`);
+                const res = await api.get<
+                    AxiosResponse<PickSiteDefaultsResponse>
+                >(`/org/${orgId}/pick-site-defaults`);
                 if (res && res.status === 200) {
                     const data = res.data.data;
                     setSiteDefaults(data);
@@ -108,7 +111,7 @@ export default function CredentialsPage() {
                     // generate config with the fetched data
                     generatedWgConfig = generateWireGuardConfig(
                         generatedKeypair.privateKey,
-                        data.publicKey,
+                        generatedKeypair.publicKey,
                         data.subnet,
                         data.address,
                         data.endpoint,
@@ -322,7 +325,7 @@ export default function CredentialsPage() {
                             {!loadingDefaults && (
                                 <>
                                     {wgConfig ? (
-                                        <div className="flex flex-col sm:flex-row items-center gap-4">
+                                        <div className="flex flex-col lg:flex-row items-center gap-4">
                                             <CopyTextBox
                                                 text={wgConfig}
                                                 outline={true}
@@ -342,25 +345,20 @@ export default function CredentialsPage() {
                                             text={generateObfuscatedWireGuardConfig(
                                                 {
                                                     subnet:
-                                                        siteDefaults?.subnet ||
                                                         site?.subnet ||
+                                                        siteDefaults?.subnet ||
                                                         null,
                                                     address:
-                                                        siteDefaults?.address ||
                                                         site?.address ||
+                                                        siteDefaults?.address ||
                                                         null,
                                                     endpoint:
-                                                        siteDefaults?.endpoint ||
                                                         site?.endpoint ||
+                                                        siteDefaults?.endpoint ||
                                                         null,
                                                     listenPort:
-                                                        siteDefaults?.listenPort ||
                                                         site?.listenPort ||
-                                                        null,
-                                                    publicKey:
-                                                        siteDefaults?.publicKey ||
-                                                        site?.publicKey ||
-                                                        site?.pubKey ||
+                                                        siteDefaults?.listenPort ||
                                                         null
                                                 }
                                             )}
diff --git a/src/lib/wireguard.ts b/src/lib/wireguard.ts
index bc8100eca..656e4240b 100644
--- a/src/lib/wireguard.ts
+++ b/src/lib/wireguard.ts
@@ -26,7 +26,6 @@ export function generateObfuscatedWireGuardConfig(options?: {
     address?: string | null;
     endpoint?: string | null;
     listenPort?: number | string | null;
-    publicKey?: string | null;
 }): string {
     const obfuscate = (
         value: string | null | undefined,
@@ -54,7 +53,6 @@ export function generateObfuscatedWireGuardConfig(options?: {
             ? options.listenPort
             : options.listenPort
         : 51820;
-    const publicKey = obfuscateKey(options?.publicKey);
 
     return `[Interface]
 Address = ${subnetWithCidr}
@@ -62,7 +60,7 @@ ListenPort = 51820
 PrivateKey = ${obfuscateKey(null)}
 
 [Peer]
-PublicKey = ${publicKey}
+PublicKey = ${obfuscateKey(null)}
 AllowedIPs = ${address}/32
 Endpoint = ${endpoint}:${listenPort}
 PersistentKeepalive = 5`;

From 47a99e35ee2ecd82fb1ab2da655d36fd3301715a Mon Sep 17 00:00:00 2001
From: Laurence <laurence.jones@live.co.uk>
Date: Fri, 13 Mar 2026 11:38:00 +0000
Subject: [PATCH 016/314] feat(installer): add default install directory with
 existing install detection

  - Default to /opt/pangolin for new installations
  - Check current directory and /opt/pangolin for existing installs
  - Prompt to use existing install if found at default location
  - Offer to change directory ownership when running via sudo
  - Create installation directory if it doesn't exist
---
 install/main.go | 119 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 119 insertions(+)

diff --git a/install/main.go b/install/main.go
index 9de332b60..dddcb89b8 100644
--- a/install/main.go
+++ b/install/main.go
@@ -14,6 +14,7 @@ import (
 	"os/exec"
 	"path/filepath"
 	"runtime"
+	"strconv"
 	"strings"
 	"text/template"
 	"time"
@@ -90,6 +91,13 @@ func main() {
 	var config Config
 	var alreadyInstalled = false
 
+	// Determine installation directory
+	installDir := findOrSelectInstallDirectory()
+	if err := os.Chdir(installDir); err != nil {
+		fmt.Printf("Error changing to installation directory: %v\n", err)
+		os.Exit(1)
+	}
+
 	// check if there is already a config file
 	if _, err := os.Stat("config/config.yml"); err != nil {
 		config = collectUserInput()
@@ -287,6 +295,117 @@ func main() {
 	fmt.Printf("\nTo complete the initial setup, please visit:\nhttps://%s/auth/initial-setup\n", config.DashboardDomain)
 }
 
+func hasExistingInstall(dir string) bool {
+	configPath := filepath.Join(dir, "config", "config.yml")
+	_, err := os.Stat(configPath)
+	return err == nil
+}
+
+func findOrSelectInstallDirectory() string {
+	const defaultInstallDir = "/opt/pangolin"
+
+	// Get current working directory
+	cwd, err := os.Getwd()
+	if err != nil {
+		fmt.Printf("Error getting current directory: %v\n", err)
+		os.Exit(1)
+	}
+
+	// 1. Check current directory for existing install
+	if hasExistingInstall(cwd) {
+		fmt.Printf("Found existing Pangolin installation in current directory: %s\n", cwd)
+		return cwd
+	}
+
+	// 2. Check default location (/opt/pangolin) for existing install
+	if cwd != defaultInstallDir && hasExistingInstall(defaultInstallDir) {
+		fmt.Printf("\nFound existing Pangolin installation at: %s\n", defaultInstallDir)
+		if readBool(fmt.Sprintf("Would you like to use the existing installation at %s?", defaultInstallDir), true) {
+			return defaultInstallDir
+		}
+	}
+
+	// 3. No existing install found, prompt for installation directory
+	fmt.Println("\n=== Installation Directory ===")
+	fmt.Println("No existing Pangolin installation detected.")
+
+	installDir := readString("Enter the installation directory", defaultInstallDir)
+
+	// Expand ~ to home directory if present
+	if strings.HasPrefix(installDir, "~") {
+		home, err := os.UserHomeDir()
+		if err != nil {
+			fmt.Printf("Error getting home directory: %v\n", err)
+			os.Exit(1)
+		}
+		installDir = filepath.Join(home, installDir[1:])
+	}
+
+	// Convert to absolute path
+	absPath, err := filepath.Abs(installDir)
+	if err != nil {
+		fmt.Printf("Error resolving path: %v\n", err)
+		os.Exit(1)
+	}
+	installDir = absPath
+
+	// Check if directory exists
+	if _, err := os.Stat(installDir); os.IsNotExist(err) {
+		// Directory doesn't exist, create it
+		if readBool(fmt.Sprintf("Directory %s does not exist. Create it?", installDir), true) {
+			if err := os.MkdirAll(installDir, 0755); err != nil {
+				fmt.Printf("Error creating directory: %v\n", err)
+				os.Exit(1)
+			}
+			fmt.Printf("Created directory: %s\n", installDir)
+
+			// Offer to change ownership if running via sudo
+			changeDirectoryOwnership(installDir)
+		} else {
+			fmt.Println("Installation cancelled.")
+			os.Exit(0)
+		}
+	}
+
+	fmt.Printf("Installation directory: %s\n", installDir)
+	return installDir
+}
+
+func changeDirectoryOwnership(dir string) {
+	// Check if we're running via sudo by looking for SUDO_USER
+	sudoUser := os.Getenv("SUDO_USER")
+	if sudoUser == "" || os.Geteuid() != 0 {
+		return
+	}
+
+	sudoUID := os.Getenv("SUDO_UID")
+	sudoGID := os.Getenv("SUDO_GID")
+
+	if sudoUID == "" || sudoGID == "" {
+		return
+	}
+
+	fmt.Printf("\nRunning as root via sudo (original user: %s)\n", sudoUser)
+	if readBool(fmt.Sprintf("Would you like to change ownership of %s to user '%s'? This makes it easier to manage config files without sudo.", dir, sudoUser), true) {
+		uid, err := strconv.Atoi(sudoUID)
+		if err != nil {
+			fmt.Printf("Warning: Could not parse SUDO_UID: %v\n", err)
+			return
+		}
+		gid, err := strconv.Atoi(sudoGID)
+		if err != nil {
+			fmt.Printf("Warning: Could not parse SUDO_GID: %v\n", err)
+			return
+		}
+
+		if err := os.Chown(dir, uid, gid); err != nil {
+			fmt.Printf("Warning: Could not change ownership: %v\n", err)
+		} else {
+			fmt.Printf("Changed ownership of %s to %s\n", dir, sudoUser)
+		}
+	}
+}
+
 func podmanOrDocker() SupportedContainer {
 	inputContainer := readString("Would you like to run Pangolin as Docker or Podman containers?", "docker")
 

From 863eb8efe999d46dd3c0322b1e6157f141e36cde Mon Sep 17 00:00:00 2001
From: Shlee <github@shl.ee>
Date: Sun, 15 Mar 2026 19:37:15 +1030
Subject: [PATCH 017/314] Update docker-compose.yml

---
 install/config/docker-compose.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/install/config/docker-compose.yml b/install/config/docker-compose.yml
index c0206e5bf..fd8fdd9a3 100644
--- a/install/config/docker-compose.yml
+++ b/install/config/docker-compose.yml
@@ -38,6 +38,7 @@ services:
       - 51820:51820/udp
       - 21820:21820/udp
       - 443:443
+      - 443:443/udp
       - 80:80
 {{end}}
   traefik:

From ad3fe2fa768a3a38a90b89af645f10b08b632394 Mon Sep 17 00:00:00 2001
From: Shlee <github@shl.ee>
Date: Sun, 15 Mar 2026 19:39:36 +1030
Subject: [PATCH 018/314] Update traefik_config.yml

---
 install/config/traefik/traefik_config.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/config/traefik/traefik_config.yml b/install/config/traefik/traefik_config.yml
index 0709b4611..45f5ebb07 100644
--- a/install/config/traefik/traefik_config.yml
+++ b/install/config/traefik/traefik_config.yml
@@ -40,6 +40,8 @@ entryPoints:
     transport:
       respondingTimeouts:
         readTimeout: "30m"
+    http3:
+      advertisedPort: 443
     http:
       tls:
         certResolver: "letsencrypt"

From 10349932f44e0fe5e070cc3a38aa3446ae58436f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 16 Mar 2026 01:35:18 +0000
Subject: [PATCH 019/314] Bump sigstore/cosign-installer from 4.0.0 to 4.1.0

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/faadad0cce49287aee09b3a48701e75088a2c6ad...ba7bc0a3fef59531c69a25acd34668d6d3fe6f22)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/cicd.yml    | 2 +-
 .github/workflows/mirror.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index 25bc7ce8d..d7f53fbfd 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -415,7 +415,7 @@ jobs:
 
             - name: Install cosign
               # cosign is used to sign and verify container images (key and keyless)
-              uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+              uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
 
             - name: Dual-sign and verify (GHCR & Docker Hub)
               # Sign each image by digest using keyless (OIDC) and key-based signing,
diff --git a/.github/workflows/mirror.yaml b/.github/workflows/mirror.yaml
index c9154c447..d6dfdb8fb 100644
--- a/.github/workflows/mirror.yaml
+++ b/.github/workflows/mirror.yaml
@@ -23,7 +23,7 @@ jobs:
           skopeo --version
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
 
       - name: Input check
         run: |

From 18ed38889fa19ad32009043b48652458a959e669 Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Tue, 17 Mar 2026 04:07:02 +0100
Subject: [PATCH 020/314] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20filter=20sites=20s?=
 =?UTF-8?q?erver=20side=20in=20resource=20target?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/routers/resource/getResource.ts        | 17 ++--
 server/routers/target/listTargets.ts          |  1 +
 .../resources/proxy/[niceId]/proxy/page.tsx   | 26 ++---
 .../settings/resources/proxy/create/page.tsx  | 16 ++--
 .../resource-target-address-item.tsx          | 94 ++++++++++++-------
 src/lib/queries.ts                            | 18 +++-
 6 files changed, 107 insertions(+), 65 deletions(-)

diff --git a/server/routers/resource/getResource.ts b/server/routers/resource/getResource.ts
index cd870dcbf..7a52c0a85 100644
--- a/server/routers/resource/getResource.ts
+++ b/server/routers/resource/getResource.ts
@@ -1,15 +1,14 @@
-import { Request, Response, NextFunction } from "express";
-import { z } from "zod";
-import { db } from "@server/db";
-import { Resource, resources, sites } from "@server/db";
-import { eq, and } from "drizzle-orm";
+import { db, resources } from "@server/db";
 import response from "@server/lib/response";
-import HttpCode from "@server/types/HttpCode";
-import createHttpError from "http-errors";
-import { fromError } from "zod-validation-error";
-import logger from "@server/logger";
 import stoi from "@server/lib/stoi";
+import logger from "@server/logger";
 import { OpenAPITags, registry } from "@server/openApi";
+import HttpCode from "@server/types/HttpCode";
+import { and, eq } from "drizzle-orm";
+import { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
 
 const getResourceSchema = z.strictObject({
     resourceId: z
diff --git a/server/routers/target/listTargets.ts b/server/routers/target/listTargets.ts
index e4ef45f3b..18e932afa 100644
--- a/server/routers/target/listTargets.ts
+++ b/server/routers/target/listTargets.ts
@@ -40,6 +40,7 @@ function queryTargets(resourceId: number) {
             resourceId: targets.resourceId,
             siteId: targets.siteId,
             siteType: sites.type,
+            siteName: sites.name,
             hcEnabled: targetHealthCheck.hcEnabled,
             hcPath: targetHealthCheck.hcPath,
             hcScheme: targetHealthCheck.hcScheme,
diff --git a/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx b/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
index 51f11a2c3..aff10dc52 100644
--- a/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
@@ -124,20 +124,15 @@ export default function ReverseProxyTargetsPage(props: {
             resourceId: resource.resourceId
         })
     );
-    const { data: sites = [], isLoading: isLoadingSites } = useQuery(
-        orgQueries.sites({
-            orgId: params.orgId
-        })
-    );
 
-    if (isLoadingSites || isLoadingTargets) {
+    if (isLoadingTargets) {
         return null;
     }
 
     return (
         <SettingsContainer>
             <ProxyResourceTargetsForm
-                sites={sites}
+                orgId={params.orgId}
                 initialTargets={remoteTargets}
                 resource={resource}
             />
@@ -160,12 +155,12 @@ export default function ReverseProxyTargetsPage(props: {
 }
 
 function ProxyResourceTargetsForm({
-    sites,
+    orgId,
     initialTargets,
     resource
 }: {
     initialTargets: LocalTarget[];
-    sites: ListSitesResponse["sites"];
+    orgId: string;
     resource: GetResourceResponse;
 }) {
     const t = useTranslations();
@@ -243,17 +238,21 @@ function ProxyResourceTargetsForm({
         });
     }, []);
 
+    const { data: sites = [] } = useQuery(
+        orgQueries.sites({
+            orgId
+        })
+    );
+
     const updateTarget = useCallback(
         (targetId: number, data: Partial<LocalTarget>) => {
             setTargets((prevTargets) => {
-                const site = sites.find((site) => site.siteId === data.siteId);
                 return prevTargets.map((target) =>
                     target.targetId === targetId
                         ? {
                               ...target,
                               ...data,
-                              updated: true,
-                              siteType: site ? site.type : target.siteType
+                              updated: true
                           }
                         : target
                 );
@@ -453,7 +452,7 @@ function ProxyResourceTargetsForm({
                 return (
                     <ResourceTargetAddressItem
                         isHttp={isHttp}
-                        sites={sites}
+                        orgId={orgId}
                         getDockerStateForSite={getDockerStateForSite}
                         proxyTarget={row.original}
                         refreshContainersForSite={refreshContainersForSite}
@@ -619,6 +618,7 @@ function ProxyResourceTargetsForm({
             method: isHttp ? "http" : null,
             port: 0,
             siteId: sites.length > 0 ? sites[0].siteId : 0,
+            siteName: sites.length > 0 ? sites[0].name : "",
             path: isHttp ? null : null,
             pathMatchType: isHttp ? null : null,
             rewritePath: isHttp ? null : null,
diff --git a/src/app/[orgId]/settings/resources/proxy/create/page.tsx b/src/app/[orgId]/settings/resources/proxy/create/page.tsx
index 4c8cb8443..9a9eb3ba2 100644
--- a/src/app/[orgId]/settings/resources/proxy/create/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/create/page.tsx
@@ -216,9 +216,7 @@ export default function Page() {
     const [remoteExitNodes, setRemoteExitNodes] = useState<
         ListRemoteExitNodesResponse["remoteExitNodes"]
     >([]);
-    const [loadingExitNodes, setLoadingExitNodes] = useState(
-        build === "saas"
-    );
+    const [loadingExitNodes, setLoadingExitNodes] = useState(build === "saas");
 
     const [createLoading, setCreateLoading] = useState(false);
     const [showSnippets, setShowSnippets] = useState(false);
@@ -282,6 +280,7 @@ export default function Page() {
             method: isHttp ? "http" : null,
             port: 0,
             siteId: sites.length > 0 ? sites[0].siteId : 0,
+            siteName: sites.length > 0 ? sites[0].name : "",
             path: isHttp ? null : null,
             pathMatchType: isHttp ? null : null,
             rewritePath: isHttp ? null : null,
@@ -336,8 +335,7 @@ export default function Page() {
 
     // In saas mode with no exit nodes, force HTTP
     const showTypeSelector =
-        build !== "saas" ||
-        (!loadingExitNodes && remoteExitNodes.length > 0);
+        build !== "saas" || (!loadingExitNodes && remoteExitNodes.length > 0);
 
     const baseForm = useForm({
         resolver: zodResolver(baseResourceFormSchema),
@@ -600,7 +598,10 @@ export default function Page() {
             toast({
                 variant: "destructive",
                 title: t("resourceErrorCreate"),
-                description: formatAxiosError(e, t("resourceErrorCreateMessageDescription"))
+                description: formatAxiosError(
+                    e,
+                    t("resourceErrorCreateMessageDescription")
+                )
             });
         }
 
@@ -826,7 +827,8 @@ export default function Page() {
             cell: ({ row }) => (
                 <ResourceTargetAddressItem
                     isHttp={isHttp}
-                    sites={sites}
+                    orgId={orgId!.toString()}
+                    // sites={sites}
                     getDockerStateForSite={getDockerStateForSite}
                     proxyTarget={row.original}
                     refreshContainersForSite={refreshContainersForSite}
diff --git a/src/components/resource-target-address-item.tsx b/src/components/resource-target-address-item.tsx
index 6479ede76..2e06c99a9 100644
--- a/src/components/resource-target-address-item.tsx
+++ b/src/components/resource-target-address-item.tsx
@@ -1,12 +1,15 @@
 import { cn } from "@app/lib/cn";
 import type { DockerState } from "@app/lib/docker";
 import { parseHostTarget } from "@app/lib/parseHostTarget";
+import { orgQueries } from "@app/lib/queries";
 import { CaretSortIcon } from "@radix-ui/react-icons";
 import type { ListSitesResponse } from "@server/routers/site";
 import { type ListTargetsResponse } from "@server/routers/target";
 import type { ArrayElement } from "@server/types/ArrayElement";
+import { useQuery } from "@tanstack/react-query";
 import { CheckIcon } from "lucide-react";
 import { useTranslations } from "next-intl";
+import { useState } from "react";
 import { ContainersSelector } from "./ContainersSelector";
 import { Button } from "./ui/button";
 import {
@@ -20,7 +23,6 @@ import {
 import { Input } from "./ui/input";
 import { Popover, PopoverContent, PopoverTrigger } from "./ui/popover";
 import { Select, SelectContent, SelectItem, SelectTrigger } from "./ui/select";
-import { useEffect } from "react";
 
 type SiteWithUpdateAvailable = ListSitesResponse["sites"][number];
 
@@ -36,14 +38,14 @@ export type LocalTarget = Omit<
 export type ResourceTargetAddressItemProps = {
     getDockerStateForSite: (siteId: number) => DockerState;
     updateTarget: (targetId: number, data: Partial<LocalTarget>) => void;
-    sites: SiteWithUpdateAvailable[];
+    orgId: string;
     proxyTarget: LocalTarget;
     isHttp: boolean;
     refreshContainersForSite: (siteId: number) => void;
 };
 
 export function ResourceTargetAddressItem({
-    sites,
+    orgId,
     getDockerStateForSite,
     updateTarget,
     proxyTarget,
@@ -52,10 +54,34 @@ export function ResourceTargetAddressItem({
 }: ResourceTargetAddressItemProps) {
     const t = useTranslations();
 
-    const selectedSite = sites.find(
-        (site) => site.siteId === proxyTarget.siteId
+    const [siteSearchQuery, setSiteSearchQuery] = useState("");
+
+    const { data: sites = [] } = useQuery(
+        orgQueries.sites({
+            orgId,
+            query: siteSearchQuery,
+            perPage: 10
+        })
     );
 
+    const [selectedSite, setSelectedSite] = useState<Pick<
+        SiteWithUpdateAvailable,
+        "name" | "siteId" | "type"
+    > | null>(() => {
+        if (
+            proxyTarget.siteName &&
+            proxyTarget.siteType &&
+            proxyTarget.siteId
+        ) {
+            return {
+                name: proxyTarget.siteName,
+                siteId: proxyTarget.siteId,
+                type: proxyTarget.siteType
+            };
+        }
+        return null;
+    });
+
     const handleContainerSelectForTarget = (
         hostname: string,
         port?: number
@@ -70,28 +96,23 @@ export function ResourceTargetAddressItem({
     return (
         <div className="flex items-center w-full" key={proxyTarget.targetId}>
             <div className="flex items-center w-full justify-start py-0 space-x-2 px-0 cursor-default border border-input rounded-md">
-                {selectedSite &&
-                    selectedSite.type === "newt" &&
-                    (() => {
-                        const dockerState = getDockerStateForSite(
-                            selectedSite.siteId
-                        );
-                        return (
-                            <ContainersSelector
-                                site={selectedSite}
-                                containers={dockerState.containers}
-                                isAvailable={dockerState.isAvailable}
-                                onContainerSelect={
-                                    handleContainerSelectForTarget
-                                }
-                                onRefresh={() =>
-                                    refreshContainersForSite(
-                                        selectedSite.siteId
-                                    )
-                                }
-                            />
-                        );
-                    })()}
+                {selectedSite && selectedSite.type === "newt" && (
+                    <ContainersSelector
+                        site={selectedSite}
+                        containers={
+                            getDockerStateForSite(selectedSite.siteId)
+                                .containers
+                        }
+                        isAvailable={
+                            getDockerStateForSite(selectedSite.siteId)
+                                .isAvailable
+                        }
+                        onContainerSelect={handleContainerSelectForTarget}
+                        onRefresh={() =>
+                            refreshContainersForSite(selectedSite.siteId)
+                        }
+                    />
+                )}
 
                 <Popover>
                     <PopoverTrigger asChild>
@@ -113,8 +134,11 @@ export function ResourceTargetAddressItem({
                         </Button>
                     </PopoverTrigger>
                     <PopoverContent className="p-0 w-45">
-                        <Command>
-                            <CommandInput placeholder={t("siteSearch")} />
+                        <Command shouldFilter={false}>
+                            <CommandInput
+                                placeholder={t("siteSearch")}
+                                onValueChange={(v) => setSiteSearchQuery(v)}
+                            />
                             <CommandList>
                                 <CommandEmpty>{t("siteNotFound")}</CommandEmpty>
                                 <CommandGroup>
@@ -122,14 +146,18 @@ export function ResourceTargetAddressItem({
                                         <CommandItem
                                             key={site.siteId}
                                             value={`${site.siteId}:${site.name}`}
-                                            onSelect={() =>
+                                            onSelect={() => {
                                                 updateTarget(
                                                     proxyTarget.targetId,
                                                     {
-                                                        siteId: site.siteId
+                                                        siteId: site.siteId,
+                                                        siteType: site.type,
+                                                        siteName: site.name
                                                     }
-                                                )
-                                            }
+                                                );
+
+                                                setSelectedSite(site);
+                                            }}
                                         >
                                             <CheckIcon
                                                 className={cn(
diff --git a/src/lib/queries.ts b/src/lib/queries.ts
index d3e962d74..f6de28fc0 100644
--- a/src/lib/queries.ts
+++ b/src/lib/queries.ts
@@ -130,14 +130,26 @@ export const orgQueries = {
             }
         }),
 
-    sites: ({ orgId }: { orgId: string }) =>
+    sites: ({
+        orgId,
+        query,
+        perPage = 10_000
+    }: {
+        orgId: string;
+        query?: string;
+        perPage?: number;
+    }) =>
         queryOptions({
-            queryKey: ["ORG", orgId, "SITES"] as const,
+            queryKey: ["ORG", orgId, "SITES", { query, perPage }] as const,
             queryFn: async ({ signal, meta }) => {
                 const sp = new URLSearchParams({
-                    pageSize: "10000"
+                    pageSize: perPage.toString()
                 });
 
+                if (query?.trim()) {
+                    sp.set("query", query);
+                }
+
                 const res = await meta!.api.get<
                     AxiosResponse<ListSitesResponse>
                 >(`/org/${orgId}/sites?${sp.toString()}`, { signal });

From 435cae06a2f5472b228496b2cf37c5f9aa2d9579 Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Tue, 17 Mar 2026 04:16:24 +0100
Subject: [PATCH 021/314] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20refactor?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../resource-target-address-item.tsx          | 21 +++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/src/components/resource-target-address-item.tsx b/src/components/resource-target-address-item.tsx
index 2e06c99a9..dfefc3bf2 100644
--- a/src/components/resource-target-address-item.tsx
+++ b/src/components/resource-target-address-item.tsx
@@ -9,7 +9,7 @@ import type { ArrayElement } from "@server/types/ArrayElement";
 import { useQuery } from "@tanstack/react-query";
 import { CheckIcon } from "lucide-react";
 import { useTranslations } from "next-intl";
-import { useState } from "react";
+import { useMemo, useState } from "react";
 import { ContainersSelector } from "./ContainersSelector";
 import { Button } from "./ui/button";
 import {
@@ -82,6 +82,22 @@ export function ResourceTargetAddressItem({
         return null;
     });
 
+    const sitesShown = useMemo(() => {
+        const allSites: Array<
+            Pick<SiteWithUpdateAvailable, "name" | "siteId" | "type">
+        > = [...sites];
+        if (
+            selectedSite !== null &&
+            !(
+                allSites.find((site) => site.siteId)?.siteId ===
+                selectedSite?.siteId
+            )
+        ) {
+            allSites.unshift(selectedSite);
+        }
+        return allSites;
+    }, [sites, selectedSite]);
+
     const handleContainerSelectForTarget = (
         hostname: string,
         port?: number
@@ -137,12 +153,13 @@ export function ResourceTargetAddressItem({
                         <Command shouldFilter={false}>
                             <CommandInput
                                 placeholder={t("siteSearch")}
+                                value={siteSearchQuery}
                                 onValueChange={(v) => setSiteSearchQuery(v)}
                             />
                             <CommandList>
                                 <CommandEmpty>{t("siteNotFound")}</CommandEmpty>
                                 <CommandGroup>
-                                    {sites.map((site) => (
+                                    {sitesShown.map((site) => (
                                         <CommandItem
                                             key={site.siteId}
                                             value={`${site.siteId}:${site.name}`}

From d2419ba572fa825762afa6d2672b05f11e9381d0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 18 Mar 2026 01:34:08 +0000
Subject: [PATCH 022/314] Bump golang.org/x/term in /install in the
 minor-updates group

Bumps the minor-updates group in /install with 1 update: [golang.org/x/term](https://github.com/golang/term).


Updates `golang.org/x/term` from 0.40.0 to 0.41.0
- [Commits](https://github.com/golang/term/compare/v0.40.0...v0.41.0)

---
updated-dependencies:
- dependency-name: golang.org/x/term
  dependency-version: 0.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 install/go.mod | 6 +++---
 install/go.sum | 8 ++++----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/install/go.mod b/install/go.mod
index 5259b94ac..da73eec0f 100644
--- a/install/go.mod
+++ b/install/go.mod
@@ -1,11 +1,11 @@
 module installer
 
-go 1.24.0
+go 1.25.0
 
 require (
 	github.com/charmbracelet/huh v0.8.0
 	github.com/charmbracelet/lipgloss v1.1.0
-	golang.org/x/term v0.40.0
+	golang.org/x/term v0.41.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -33,6 +33,6 @@ require (
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	golang.org/x/sync v0.15.0 // indirect
-	golang.org/x/sys v0.41.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 )
diff --git a/install/go.sum b/install/go.sum
index faf7093bc..e0b2a6c5e 100644
--- a/install/go.sum
+++ b/install/go.sum
@@ -69,10 +69,10 @@ golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
 golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
-golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
+golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
 golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=

From 2785449c7ad131816032b14fd224bea792e37e50 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 18 Mar 2026 01:36:08 +0000
Subject: [PATCH 023/314] Bump the dev-patch-updates group across 1 directory
 with 5 updates

Bumps the dev-patch-updates group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@react-email/preview-server](https://github.com/resend/react-email/tree/HEAD/packages/preview-server) | `5.2.8` | `5.2.10` |
| [drizzle-kit](https://github.com/drizzle-team/drizzle-orm) | `0.31.9` | `0.31.10` |
| [eslint-config-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-config-next) | `16.1.6` | `16.1.7` |
| [postcss](https://github.com/postcss/postcss) | `8.5.6` | `8.5.8` |
| [react-email](https://github.com/resend/react-email/tree/HEAD/packages/react-email) | `5.2.8` | `5.2.10` |



Updates `@react-email/preview-server` from 5.2.8 to 5.2.10
- [Release notes](https://github.com/resend/react-email/releases)
- [Changelog](https://github.com/resend/react-email/blob/canary/packages/preview-server/CHANGELOG.md)
- [Commits](https://github.com/resend/react-email/commits/@react-email/preview-server@5.2.10/packages/preview-server)

Updates `drizzle-kit` from 0.31.9 to 0.31.10
- [Release notes](https://github.com/drizzle-team/drizzle-orm/releases)
- [Commits](https://github.com/drizzle-team/drizzle-orm/compare/drizzle-kit@0.31.9...drizzle-kit@0.31.10)

Updates `eslint-config-next` from 16.1.6 to 16.1.7
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.1.7/packages/eslint-config-next)

Updates `postcss` from 8.5.6 to 8.5.8
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/postcss/postcss/compare/8.5.6...8.5.8)

Updates `react-email` from 5.2.8 to 5.2.10
- [Release notes](https://github.com/resend/react-email/releases)
- [Changelog](https://github.com/resend/react-email/blob/canary/packages/react-email/CHANGELOG.md)
- [Commits](https://github.com/resend/react-email/commits/react-email@5.2.10/packages/react-email)

---
updated-dependencies:
- dependency-name: "@react-email/preview-server"
  dependency-version: 5.2.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-patch-updates
- dependency-name: drizzle-kit
  dependency-version: 0.31.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-patch-updates
- dependency-name: eslint-config-next
  dependency-version: 16.1.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-patch-updates
- dependency-name: postcss
  dependency-version: 8.5.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-patch-updates
- dependency-name: react-email
  dependency-version: 5.2.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-patch-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 package-lock.json | 352 +++++++++++-----------------------------------
 package.json      |  10 +-
 2 files changed, 91 insertions(+), 271 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 36cb0429b..f7780d6ba 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -110,7 +110,7 @@
             "devDependencies": {
                 "@dotenvx/dotenvx": "1.54.1",
                 "@esbuild-plugins/tsconfig-paths": "0.1.2",
-                "@react-email/preview-server": "5.2.8",
+                "@react-email/preview-server": "5.2.10",
                 "@tailwindcss/postcss": "4.2.1",
                 "@tanstack/react-query-devtools": "5.91.3",
                 "@types/better-sqlite3": "7.6.13",
@@ -136,14 +136,14 @@
                 "@types/ws": "8.18.1",
                 "@types/yargs": "17.0.35",
                 "babel-plugin-react-compiler": "1.0.0",
-                "drizzle-kit": "0.31.9",
+                "drizzle-kit": "0.31.10",
                 "esbuild": "0.27.3",
                 "esbuild-node-externals": "1.20.1",
                 "eslint": "9.39.2",
-                "eslint-config-next": "16.1.6",
-                "postcss": "8.5.6",
+                "eslint-config-next": "16.1.7",
+                "postcss": "8.5.8",
                 "prettier": "3.8.1",
-                "react-email": "5.2.8",
+                "react-email": "5.2.10",
                 "tailwindcss": "4.2.1",
                 "tsc-alias": "1.8.16",
                 "tsx": "4.21.0",
@@ -1071,7 +1071,6 @@
             "integrity": "sha512-vMqyb7XCDMPvJFFOaT9kxtiRh42GwlZEg1/uIgtZshS5a/8OaduUfCi7kynKgc3Tw/6Uo2D+db9qBttghhmxwQ==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@ampproject/remapping": "^2.2.0",
                 "@babel/code-frame": "^7.26.2",
@@ -2382,7 +2381,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2405,7 +2403,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2428,7 +2425,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2445,7 +2441,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2462,7 +2457,6 @@
             "cpu": [
                 "arm"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2479,7 +2473,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2496,7 +2489,6 @@
             "cpu": [
                 "ppc64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2513,7 +2505,6 @@
             "cpu": [
                 "s390x"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2530,7 +2521,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2547,7 +2537,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2564,7 +2553,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2581,7 +2569,6 @@
             "cpu": [
                 "arm"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2604,7 +2591,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2627,7 +2613,6 @@
             "cpu": [
                 "ppc64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2650,7 +2635,6 @@
             "cpu": [
                 "s390x"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2673,7 +2657,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2696,7 +2679,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2719,7 +2701,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2742,7 +2723,6 @@
             "cpu": [
                 "wasm32"
             ],
-            "dev": true,
             "license": "Apache-2.0 AND LGPL-3.0-or-later AND MIT",
             "optional": true,
             "dependencies": {
@@ -2762,7 +2742,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "Apache-2.0 AND LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2782,7 +2761,6 @@
             "cpu": [
                 "ia32"
             ],
-            "dev": true,
             "license": "Apache-2.0 AND LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2802,7 +2780,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "Apache-2.0 AND LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2821,15 +2798,6 @@
             "integrity": "sha512-JH8ZL/ywcJyR9MmJ5BNqZllXNZQqQbnVZOqpPQqE1vHiFgAw4NHbvE0FOduNU8IX9babitBT46571OnPTT0Zcw==",
             "license": "MIT"
         },
-        "node_modules/@isaacs/cliui": {
-            "version": "9.0.0",
-            "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-9.0.0.tgz",
-            "integrity": "sha512-AokJm4tuBHillT+FpMtxQ60n8ObyXBatq7jD2/JA9dxbDDokKQm8KMht5ibGzLVU9IJDIKK4TPKgMHEYMn3lMg==",
-            "dev": true,
-            "engines": {
-                "node": ">=18"
-            }
-        },
         "node_modules/@jridgewell/gen-mapping": {
             "version": "0.3.13",
             "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.13.tgz",
@@ -2927,9 +2895,9 @@
             "integrity": "sha512-pUvdJN1on574wQHjaBfNGDt9Mz5utDSZFsIIQkMzPgNS8ZvT4H2mwOrOIClwsQOb6EGx5M76/CZr6G8i6pSpLg=="
         },
         "node_modules/@next/eslint-plugin-next": {
-            "version": "16.1.6",
-            "resolved": "https://registry.npmjs.org/@next/eslint-plugin-next/-/eslint-plugin-next-16.1.6.tgz",
-            "integrity": "sha512-/Qq3PTagA6+nYVfryAtQ7/9FEr/6YVyvOtl6rZnGsbReGLf0jZU6gkpr1FuChAQpvV46a78p4cmHOVP8mbfSMQ==",
+            "version": "16.1.7",
+            "resolved": "https://registry.npmjs.org/@next/eslint-plugin-next/-/eslint-plugin-next-16.1.7.tgz",
+            "integrity": "sha512-v/bRGOJlfRCO+NDKt0bZlIIWjhMKU8xbgEQBo+rV9C8S6czZvs96LZ/v24/GvpEnovZlL4QDpku/RzWHVbmPpA==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
@@ -3062,7 +3030,6 @@
             "integrity": "sha512-2I0gnIVPtfnMw9ee9h1dJG7tp81+8Ob3OJb3Mv37rx5L40/b0i7djjCVvGOVqc9AEIQyvyu1i6ypKdFw8R8gQw==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": "^14.21.3 || >=16"
             },
@@ -6659,27 +6626,27 @@
             }
         },
         "node_modules/@react-email/preview-server": {
-            "version": "5.2.8",
-            "resolved": "https://registry.npmjs.org/@react-email/preview-server/-/preview-server-5.2.8.tgz",
-            "integrity": "sha512-drQ0C7vi7P0uE7Ox1Cyiujsx0oqp2RbIscOdSBR5qvzw3EKjlGbW2pWjQ000cjxTq3Si7lqlRKhOIF8MzOnqHw==",
+            "version": "5.2.10",
+            "resolved": "https://registry.npmjs.org/@react-email/preview-server/-/preview-server-5.2.10.tgz",
+            "integrity": "sha512-cYi21KF+Z/HGXT8RpkQMNFFubBafxyoB9Hn/wrslfDNtdoews2MdsDo6XXKkZvDTRG9SxQN3HGk4v4aoQZc20g==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "esbuild": "0.25.10",
-                "next": "16.1.6"
+                "esbuild": "0.27.3",
+                "next": "16.1.7"
             }
         },
         "node_modules/@react-email/preview-server/node_modules/@next/env": {
-            "version": "16.1.6",
-            "resolved": "https://registry.npmjs.org/@next/env/-/env-16.1.6.tgz",
-            "integrity": "sha512-N1ySLuZjnAtN3kFnwhAwPvZah8RJxKasD7x1f8shFqhncnWZn4JMfg37diLNuoHsLAlrDfM3g4mawVdtAG8XLQ==",
+            "version": "16.1.7",
+            "resolved": "https://registry.npmjs.org/@next/env/-/env-16.1.7.tgz",
+            "integrity": "sha512-rJJbIdJB/RQr2F1nylZr/PJzamvNNhfr3brdKP6s/GW850jbtR70QlSfFselvIBbcPUOlQwBakexjFzqLzF6pg==",
             "dev": true,
             "license": "MIT"
         },
         "node_modules/@react-email/preview-server/node_modules/@next/swc-darwin-arm64": {
-            "version": "16.1.6",
-            "resolved": "https://registry.npmjs.org/@next/swc-darwin-arm64/-/swc-darwin-arm64-16.1.6.tgz",
-            "integrity": "sha512-wTzYulosJr/6nFnqGW7FrG3jfUUlEf8UjGA0/pyypJl42ExdVgC6xJgcXQ+V8QFn6niSG2Pb8+MIG1mZr2vczw==",
+            "version": "16.1.7",
+            "resolved": "https://registry.npmjs.org/@next/swc-darwin-arm64/-/swc-darwin-arm64-16.1.7.tgz",
+            "integrity": "sha512-b2wWIE8sABdyafc4IM8r5Y/dS6kD80JRtOGrUiKTsACFQfWWgUQ2NwoUX1yjFMXVsAwcQeNpnucF2ZrujsBBPg==",
             "cpu": [
                 "arm64"
             ],
@@ -6694,9 +6661,9 @@
             }
         },
         "node_modules/@react-email/preview-server/node_modules/@next/swc-darwin-x64": {
-            "version": "16.1.6",
-            "resolved": "https://registry.npmjs.org/@next/swc-darwin-x64/-/swc-darwin-x64-16.1.6.tgz",
-            "integrity": "sha512-BLFPYPDO+MNJsiDWbeVzqvYd4NyuRrEYVB5k2N3JfWncuHAy2IVwMAOlVQDFjj+krkWzhY2apvmekMkfQR0CUQ==",
+            "version": "16.1.7",
+            "resolved": "https://registry.npmjs.org/@next/swc-darwin-x64/-/swc-darwin-x64-16.1.7.tgz",
+            "integrity": "sha512-zcnVaaZulS1WL0Ss38R5Q6D2gz7MtBu8GZLPfK+73D/hp4GFMrC2sudLky1QibfV7h6RJBJs/gOFvYP0X7UVlQ==",
             "cpu": [
                 "x64"
             ],
@@ -6711,9 +6678,9 @@
             }
         },
         "node_modules/@react-email/preview-server/node_modules/@next/swc-linux-arm64-gnu": {
-            "version": "16.1.6",
-            "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-gnu/-/swc-linux-arm64-gnu-16.1.6.tgz",
-            "integrity": "sha512-OJYkCd5pj/QloBvoEcJ2XiMnlJkRv9idWA/j0ugSuA34gMT6f5b7vOiCQHVRpvStoZUknhl6/UxOXL4OwtdaBw==",
+            "version": "16.1.7",
+            "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-gnu/-/swc-linux-arm64-gnu-16.1.7.tgz",
+            "integrity": "sha512-2ant89Lux/Q3VyC8vNVg7uBaFVP9SwoK2jJOOR0L8TQnX8CAYnh4uctAScy2Hwj2dgjVHqHLORQZJ2wH6VxhSQ==",
             "cpu": [
                 "arm64"
             ],
@@ -6728,9 +6695,9 @@
             }
         },
         "node_modules/@react-email/preview-server/node_modules/@next/swc-linux-arm64-musl": {
-            "version": "16.1.6",
-            "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-musl/-/swc-linux-arm64-musl-16.1.6.tgz",
-            "integrity": "sha512-S4J2v+8tT3NIO9u2q+S0G5KdvNDjXfAv06OhfOzNDaBn5rw84DGXWndOEB7d5/x852A20sW1M56vhC/tRVbccQ==",
+            "version": "16.1.7",
+            "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-musl/-/swc-linux-arm64-musl-16.1.7.tgz",
+            "integrity": "sha512-uufcze7LYv0FQg9GnNeZ3/whYfo+1Q3HnQpm16o6Uyi0OVzLlk2ZWoY7j07KADZFY8qwDbsmFnMQP3p3+Ftprw==",
             "cpu": [
                 "arm64"
             ],
@@ -6745,9 +6712,9 @@
             }
         },
         "node_modules/@react-email/preview-server/node_modules/@next/swc-linux-x64-gnu": {
-            "version": "16.1.6",
-            "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-gnu/-/swc-linux-x64-gnu-16.1.6.tgz",
-            "integrity": "sha512-2eEBDkFlMMNQnkTyPBhQOAyn2qMxyG2eE7GPH2WIDGEpEILcBPI/jdSv4t6xupSP+ot/jkfrCShLAa7+ZUPcJQ==",
+            "version": "16.1.7",
+            "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-gnu/-/swc-linux-x64-gnu-16.1.7.tgz",
+            "integrity": "sha512-KWVf2gxYvHtvuT+c4MBOGxuse5TD7DsMFYSxVxRBnOzok/xryNeQSjXgxSv9QpIVlaGzEn/pIuI6Koosx8CGWA==",
             "cpu": [
                 "x64"
             ],
@@ -6762,9 +6729,9 @@
             }
         },
         "node_modules/@react-email/preview-server/node_modules/@next/swc-linux-x64-musl": {
-            "version": "16.1.6",
-            "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-musl/-/swc-linux-x64-musl-16.1.6.tgz",
-            "integrity": "sha512-oicJwRlyOoZXVlxmIMaTq7f8pN9QNbdes0q2FXfRsPhfCi8n8JmOZJm5oo1pwDaFbnnD421rVU409M3evFbIqg==",
+            "version": "16.1.7",
+            "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-musl/-/swc-linux-x64-musl-16.1.7.tgz",
+            "integrity": "sha512-HguhaGwsGr1YAGs68uRKc4aGWxLET+NevJskOcCAwXbwj0fYX0RgZW2gsOCzr9S11CSQPIkxmoSbuVaBp4Z3dA==",
             "cpu": [
                 "x64"
             ],
@@ -6779,9 +6746,9 @@
             }
         },
         "node_modules/@react-email/preview-server/node_modules/@next/swc-win32-arm64-msvc": {
-            "version": "16.1.6",
-            "resolved": "https://registry.npmjs.org/@next/swc-win32-arm64-msvc/-/swc-win32-arm64-msvc-16.1.6.tgz",
-            "integrity": "sha512-gQmm8izDTPgs+DCWH22kcDmuUp7NyiJgEl18bcr8irXA5N2m2O+JQIr6f3ct42GOs9c0h8QF3L5SzIxcYAAXXw==",
+            "version": "16.1.7",
+            "resolved": "https://registry.npmjs.org/@next/swc-win32-arm64-msvc/-/swc-win32-arm64-msvc-16.1.7.tgz",
+            "integrity": "sha512-S0n3KrDJokKTeFyM/vGGGR8+pCmXYrjNTk2ZozOL1C/JFdfUIL9O1ATaJOl5r2POe56iRChbsszrjMAdWSv7kQ==",
             "cpu": [
                 "arm64"
             ],
@@ -6796,9 +6763,9 @@
             }
         },
         "node_modules/@react-email/preview-server/node_modules/@next/swc-win32-x64-msvc": {
-            "version": "16.1.6",
-            "resolved": "https://registry.npmjs.org/@next/swc-win32-x64-msvc/-/swc-win32-x64-msvc-16.1.6.tgz",
-            "integrity": "sha512-NRfO39AIrzBnixKbjuo2YiYhB6o9d8v/ymU9m/Xk8cyVk+k7XylniXkHwjs4s70wedVffc6bQNbufk5v0xEm0A==",
+            "version": "16.1.7",
+            "resolved": "https://registry.npmjs.org/@next/swc-win32-x64-msvc/-/swc-win32-x64-msvc-16.1.7.tgz",
+            "integrity": "sha512-mwgtg8CNZGYm06LeEd+bNnOUfwOyNem/rOiP14Lsz+AnUY92Zq/LXwtebtUiaeVkhbroRCQ0c8GlR4UT1U+0yg==",
             "cpu": [
                 "x64"
             ],
@@ -6823,15 +6790,15 @@
             }
         },
         "node_modules/@react-email/preview-server/node_modules/next": {
-            "version": "16.1.6",
-            "resolved": "https://registry.npmjs.org/next/-/next-16.1.6.tgz",
-            "integrity": "sha512-hkyRkcu5x/41KoqnROkfTm2pZVbKxvbZRuNvKXLRXxs3VfyO0WhY50TQS40EuKO9SW3rBj/sF3WbVwDACeMZyw==",
+            "version": "16.1.7",
+            "resolved": "https://registry.npmjs.org/next/-/next-16.1.7.tgz",
+            "integrity": "sha512-WM0L7WrSvKwoLegLYr6V+mz+RIofqQgVAfHhMp9a88ms0cFX8iX9ew+snpWlSBwpkURJOUdvCEt3uLl3NNzvWg==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@next/env": "16.1.6",
+                "@next/env": "16.1.7",
                 "@swc/helpers": "0.5.15",
-                "baseline-browser-mapping": "^2.8.3",
+                "baseline-browser-mapping": "^2.9.19",
                 "caniuse-lite": "^1.0.30001579",
                 "postcss": "8.4.31",
                 "styled-jsx": "5.1.6"
@@ -6843,14 +6810,14 @@
                 "node": ">=20.9.0"
             },
             "optionalDependencies": {
-                "@next/swc-darwin-arm64": "16.1.6",
-                "@next/swc-darwin-x64": "16.1.6",
-                "@next/swc-linux-arm64-gnu": "16.1.6",
-                "@next/swc-linux-arm64-musl": "16.1.6",
-                "@next/swc-linux-x64-gnu": "16.1.6",
-                "@next/swc-linux-x64-musl": "16.1.6",
-                "@next/swc-win32-arm64-msvc": "16.1.6",
-                "@next/swc-win32-x64-msvc": "16.1.6",
+                "@next/swc-darwin-arm64": "16.1.7",
+                "@next/swc-darwin-x64": "16.1.7",
+                "@next/swc-linux-arm64-gnu": "16.1.7",
+                "@next/swc-linux-arm64-musl": "16.1.7",
+                "@next/swc-linux-x64-gnu": "16.1.7",
+                "@next/swc-linux-x64-musl": "16.1.7",
+                "@next/swc-win32-arm64-msvc": "16.1.7",
+                "@next/swc-win32-x64-msvc": "16.1.7",
                 "sharp": "^0.34.4"
             },
             "peerDependencies": {
@@ -7009,7 +6976,6 @@
             "resolved": "https://registry.npmjs.org/@react-email/text/-/text-0.1.6.tgz",
             "integrity": "sha512-TYqkioRS45wTR5il3dYk/SbUjjEdhSwh9BtRNB99qNH1pXAwA45H7rAuxehiu8iJQJH0IyIr+6n62gBz9ezmsw==",
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": ">=20.0.0"
             },
@@ -8469,7 +8435,6 @@
             "version": "5.90.21",
             "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.90.21.tgz",
             "integrity": "sha512-0Lu6y5t+tvlTJMTO7oh5NSpJfpg/5D41LlThfepTixPYkJ0sE2Jj0m0f6yYqujBwIXlId87e234+MxG3D3g7kg==",
-            "peer": true,
             "dependencies": {
                 "@tanstack/query-core": "5.90.20"
             },
@@ -8585,7 +8550,6 @@
             "integrity": "sha512-NMv9ASNARoKksWtsq/SHakpYAYnhBrQgGD8zkLYk/jaK8jUGn08CfEdTRgYhMypUQAfzSP8W6gNLe0q19/t4VA==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@types/node": "*"
             }
@@ -8926,7 +8890,6 @@
             "integrity": "sha512-sKYVuV7Sv9fbPIt/442koC7+IIwK5olP1KWeD88e/idgoJqDm3JV/YUiPwkoKK92ylff2MGxSz1CSjsXelx0YA==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@types/body-parser": "*",
                 "@types/express-serve-static-core": "^5.0.0",
@@ -9022,7 +8985,6 @@
             "integrity": "sha512-oX8xrhvpiyRCQkG1MFchB09f+cXftgIXb3a7UUa4Y3wpmZPw5tyZGTLWhlESOLq1Rq6oDlc8npVU2/9xiCuXMA==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "undici-types": "~7.18.0"
             }
@@ -9050,7 +9012,6 @@
             "integrity": "sha512-gT+oueVQkqnj6ajGJXblFR4iavIXWsGAFCk3dP4Kki5+a9R4NMt0JARdk6s8cUKcfUoqP5dAtDSLU8xYUTFV+Q==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@types/node": "*",
                 "pg-protocol": "*",
@@ -9076,7 +9037,6 @@
             "resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.14.tgz",
             "integrity": "sha512-ilcTH/UniCkMdtexkoCN0bI7pMcJDvmQFPvuPvmEaYA/NSfFTAgdUSLAoVjaRJm7+6PvcM+q1zYOwS4wTYMF9w==",
             "devOptional": true,
-            "peer": true,
             "dependencies": {
                 "csstype": "^3.2.2"
             }
@@ -9087,7 +9047,6 @@
             "integrity": "sha512-jp2L/eY6fn+KgVVQAOqYItbF0VY/YApe5Mz2F0aykSO8gx31bYCZyvSeYxCHKvzHG5eZjc+zyaS5BrBWya2+kQ==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "peerDependencies": {
                 "@types/react": "^19.2.0"
             }
@@ -9174,7 +9133,8 @@
             "resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.7.tgz",
             "integrity": "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==",
             "license": "MIT",
-            "optional": true
+            "optional": true,
+            "peer": true
         },
         "node_modules/@types/ws": {
             "version": "8.18.1",
@@ -9248,7 +9208,6 @@
             "integrity": "sha512-klQbnPAAiGYFyI02+znpBRLyjL4/BrBd0nyWkdC0s/6xFLkXYQ8OoRrSkqacS1ddVxf/LDyODIKbQ5TgKAf/Fg==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@typescript-eslint/scope-manager": "8.56.1",
                 "@typescript-eslint/types": "8.56.1",
@@ -9774,7 +9733,6 @@
             "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "bin": {
                 "acorn": "bin/acorn"
             },
@@ -10239,7 +10197,6 @@
             "integrity": "sha512-Ixm8tFfoKKIPYdCCKYTsqv+Fd4IJ0DQqMyEimo+pxUOMUR9cVPlwTrFt9Avu+3cb6Zp3mAzl+t1MrG2fxxKsxw==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@babel/types": "^7.26.0"
             }
@@ -10282,13 +10239,16 @@
             }
         },
         "node_modules/baseline-browser-mapping": {
-            "version": "2.9.4",
-            "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.9.4.tgz",
-            "integrity": "sha512-ZCQ9GEWl73BVm8bu5Fts8nt7MHdbt5vY9bP6WGnUh+r3l8M7CgfyTlwsgCbMC66BNxPr6Xoce3j66Ms5YUQTNA==",
+            "version": "2.10.8",
+            "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.8.tgz",
+            "integrity": "sha512-PCLz/LXGBsNTErbtB6i5u4eLpHeMfi93aUv5duMmj6caNu6IphS4q6UevDnL36sZQv9lrP11dbPKGMaXPwMKfQ==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {
-                "baseline-browser-mapping": "dist/cli.js"
+                "baseline-browser-mapping": "dist/cli.cjs"
+            },
+            "engines": {
+                "node": ">=6.0.0"
             }
         },
         "node_modules/bcrypt-pbkdf": {
@@ -10306,7 +10266,6 @@
             "integrity": "sha512-Ba0KR+Fzxh2jDRhdg6TSH0SJGzb8C0aBY4hR8w8madIdIzzC6Y1+kx5qR6eS1Z+Gy20h6ZU28aeyg0z1VIrShQ==",
             "hasInstallScript": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "bindings": "^1.5.0",
                 "prebuild-install": "^7.1.1"
@@ -10434,7 +10393,6 @@
                 }
             ],
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "baseline-browser-mapping": "^2.9.0",
                 "caniuse-lite": "^1.0.30001759",
@@ -11388,7 +11346,6 @@
             "resolved": "https://registry.npmjs.org/d3-selection/-/d3-selection-3.0.0.tgz",
             "integrity": "sha512-fmTRWbNMmsmWq6xJV8D19U/gw/bwrHfNXxrIN+HfZgnzqTHp9jOmKMhsTUjXOJnZOdZY9Q28y4yebKzqDKlxlQ==",
             "license": "ISC",
-            "peer": true,
             "engines": {
                 "node": ">=12"
             }
@@ -11829,6 +11786,7 @@
             "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.2.tgz",
             "integrity": "sha512-6obghkliLdmKa56xdbLOpUZ43pAR6xFy1uOrxBaIDjT+yaRuuybLjGS9eVBoSR/UPU5fq3OXClEHLJNGvbxKpQ==",
             "license": "(MPL-2.0 OR Apache-2.0)",
+            "peer": true,
             "engines": {
                 "node": ">=20"
             },
@@ -11880,15 +11838,16 @@
             }
         },
         "node_modules/drizzle-kit": {
-            "version": "0.31.9",
-            "resolved": "https://registry.npmjs.org/drizzle-kit/-/drizzle-kit-0.31.9.tgz",
-            "integrity": "sha512-GViD3IgsXn7trFyBUUHyTFBpH/FsHTxYJ66qdbVggxef4UBPHRYxQaRzYLTuekYnk9i5FIEL9pbBIwMqX/Uwrg==",
+            "version": "0.31.10",
+            "resolved": "https://registry.npmjs.org/drizzle-kit/-/drizzle-kit-0.31.10.tgz",
+            "integrity": "sha512-7OZcmQUrdGI+DUNNsKBn1aW8qSoKuTH7d0mYgSP8bAzdFzKoovxEFnoGQp2dVs82EOJeYycqRtciopszwUf8bw==",
             "dev": true,
+            "license": "MIT",
             "dependencies": {
                 "@drizzle-team/brocli": "^0.10.2",
                 "@esbuild-kit/esm-loader": "^2.5.5",
                 "esbuild": "^0.25.4",
-                "esbuild-register": "^3.5.0"
+                "tsx": "^4.21.0"
             },
             "bin": {
                 "drizzle-kit": "bin.cjs"
@@ -12461,7 +12420,6 @@
             "dev": true,
             "hasInstallScript": true,
             "license": "MIT",
-            "peer": true,
             "bin": {
                 "esbuild": "bin/esbuild"
             },
@@ -12513,19 +12471,6 @@
                 "esbuild": "0.12 - 0.27"
             }
         },
-        "node_modules/esbuild-register": {
-            "version": "3.6.0",
-            "resolved": "https://registry.npmjs.org/esbuild-register/-/esbuild-register-3.6.0.tgz",
-            "integrity": "sha512-H2/S7Pm8a9CL1uhp9OvjwrBh5Pvx0H8qVOxNu8Wed9Y7qv56MPtq+GGM8RJpq6glYJn9Wspr8uw7l55uyinNeg==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "debug": "^4.3.4"
-            },
-            "peerDependencies": {
-                "esbuild": ">=0.12 <1"
-            }
-        },
         "node_modules/escalade": {
             "version": "3.2.0",
             "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.2.0.tgz",
@@ -12560,7 +12505,6 @@
             "integrity": "sha512-LEyamqS7W5HB3ujJyvi0HQK/dtVINZvd5mAAp9eT5S/ujByGjiZLCzPcHVzuXbpJDJF/cxwHlfceVUDZ2lnSTw==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@eslint-community/eslint-utils": "^4.8.0",
                 "@eslint-community/regexpp": "^4.12.1",
@@ -12616,13 +12560,13 @@
             }
         },
         "node_modules/eslint-config-next": {
-            "version": "16.1.6",
-            "resolved": "https://registry.npmjs.org/eslint-config-next/-/eslint-config-next-16.1.6.tgz",
-            "integrity": "sha512-vKq40io2B0XtkkNDYyleATwblNt8xuh3FWp8SpSz3pt7P01OkBFlKsJZ2mWt5WsCySlDQLckb1zMY9yE9Qy0LA==",
+            "version": "16.1.7",
+            "resolved": "https://registry.npmjs.org/eslint-config-next/-/eslint-config-next-16.1.7.tgz",
+            "integrity": "sha512-FTq1i/QDltzq+zf9aB/cKWAiZ77baG0V7h8dRQh3thVx7I4dwr6ZXQrWKAaTB7x5VwVXlzoUTyMLIVQPLj2gJg==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@next/eslint-plugin-next": "16.1.6",
+                "@next/eslint-plugin-next": "16.1.7",
                 "eslint-import-resolver-node": "^0.3.6",
                 "eslint-import-resolver-typescript": "^3.5.2",
                 "eslint-plugin-import": "^2.32.0",
@@ -12746,7 +12690,6 @@
             "integrity": "sha512-whOE1HFo/qJDyX4SnXzP4N6zOWn79WhnCUY/iDR0mPfQZO8wcYE4JClzI2oZrhBnnMUCBCHZhO6VQyoBU95mZA==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@rtsao/scc": "^1.1.0",
                 "array-includes": "^3.1.9",
@@ -13066,7 +13009,6 @@
             "resolved": "https://registry.npmjs.org/express/-/express-5.2.1.tgz",
             "integrity": "sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "accepts": "^2.0.0",
                 "body-parser": "^2.2.1",
@@ -13437,36 +13379,6 @@
                 "url": "https://github.com/sponsors/ljharb"
             }
         },
-        "node_modules/foreground-child": {
-            "version": "3.3.1",
-            "resolved": "https://registry.npmjs.org/foreground-child/-/foreground-child-3.3.1.tgz",
-            "integrity": "sha512-gIXjKqtFuWEgzFRJA9WCQeSJLZDjgJUOMCMzxtvFq/37KojM1BFGufqsCy0r4qSQmYLsZYMeyRqzIWOMup03sw==",
-            "dev": true,
-            "license": "ISC",
-            "dependencies": {
-                "cross-spawn": "^7.0.6",
-                "signal-exit": "^4.0.1"
-            },
-            "engines": {
-                "node": ">=14"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/isaacs"
-            }
-        },
-        "node_modules/foreground-child/node_modules/signal-exit": {
-            "version": "4.1.0",
-            "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz",
-            "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==",
-            "dev": true,
-            "license": "ISC",
-            "engines": {
-                "node": ">=14"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/isaacs"
-            }
-        },
         "node_modules/form-data": {
             "version": "4.0.5",
             "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz",
@@ -14700,21 +14612,6 @@
                 "node": ">= 0.4"
             }
         },
-        "node_modules/jackspeak": {
-            "version": "4.2.3",
-            "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-4.2.3.tgz",
-            "integrity": "sha512-ykkVRwrYvFm1nb2AJfKKYPr0emF6IiXDYUaFx4Zn9ZuIH7MrzEZ3sD5RlqGXNRpHtvUHJyOnCEFxOlNDtGo7wg==",
-            "dev": true,
-            "dependencies": {
-                "@isaacs/cliui": "^9.0.0"
-            },
-            "engines": {
-                "node": "20 || >=22"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/isaacs"
-            }
-        },
         "node_modules/jiti": {
             "version": "2.6.1",
             "resolved": "https://registry.npmjs.org/jiti/-/jiti-2.6.1.tgz",
@@ -15593,6 +15490,7 @@
             "resolved": "https://registry.npmjs.org/monaco-editor/-/monaco-editor-0.55.1.tgz",
             "integrity": "sha512-jz4x+TJNFHwHtwuV9vA9rMujcZRb0CEilTEwG2rRSpe/A7Jdkuj8xPKttCgOh+v/lkHy7HsZ64oj+q3xoAFl9A==",
             "license": "MIT",
+            "peer": true,
             "dependencies": {
                 "dompurify": "3.2.7",
                 "marked": "14.0.0"
@@ -15603,6 +15501,7 @@
             "resolved": "https://registry.npmjs.org/marked/-/marked-14.0.0.tgz",
             "integrity": "sha512-uIj4+faQ+MgHgwUW1l2PsPglZLOLOT1uErt06dAPtx2kjteLAkbsd/0FiYg/MGS+i7ZKLb7w2WClxHkzOOuryQ==",
             "license": "MIT",
+            "peer": true,
             "bin": {
                 "marked": "bin/marked.js"
             },
@@ -15690,7 +15589,6 @@
             "version": "15.5.12",
             "resolved": "https://registry.npmjs.org/next/-/next-15.5.12.tgz",
             "integrity": "sha512-Fi/wQ4Etlrn60rz78bebG1i1SR20QxvV8tVp6iJspjLUSHcZoeUXCt+vmWoEcza85ElZzExK/jJ/F6SvtGktjA==",
-            "peer": true,
             "dependencies": {
                 "@next/env": "15.5.12",
                 "@swc/helpers": "0.5.15",
@@ -16491,13 +16389,6 @@
                 "url": "https://github.com/sponsors/sindresorhus"
             }
         },
-        "node_modules/package-json-from-dist": {
-            "version": "1.0.1",
-            "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz",
-            "integrity": "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==",
-            "dev": true,
-            "license": "BlueOak-1.0.0"
-        },
         "node_modules/parent-module": {
             "version": "1.0.1",
             "resolved": "https://registry.npmjs.org/parent-module/-/parent-module-1.0.1.tgz",
@@ -16625,7 +16516,6 @@
             "resolved": "https://registry.npmjs.org/pg/-/pg-8.20.0.tgz",
             "integrity": "sha512-ldhMxz2r8fl/6QkXnBD3CR9/xg694oT6DZQ2s6c/RI28OjtSOpxnPrUCGOBJ46RCUxcWdx3p6kw/xnDHjKvaRA==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "pg-connection-string": "^2.12.0",
                 "pg-pool": "^3.13.0",
@@ -16777,9 +16667,9 @@
             "license": "MIT-0"
         },
         "node_modules/postcss": {
-            "version": "8.5.6",
-            "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz",
-            "integrity": "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==",
+            "version": "8.5.8",
+            "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.8.tgz",
+            "integrity": "sha512-OW/rX8O/jXnm82Ey1k44pObPtdblfiuWnrd8X7GJ7emImCOstunGbXUpp7HdBrFQX6rJzn3sPT397Wp5aCwCHg==",
             "dev": true,
             "funding": [
                 {
@@ -17130,7 +17020,6 @@
             "resolved": "https://registry.npmjs.org/react/-/react-19.2.4.tgz",
             "integrity": "sha512-9nfp2hYpCwOjAN+8TZFGhtWEwgvWHXqESH8qT89AT/lWklpLON22Lc8pEtnpsZz7VmawabSU0gCjnj8aC0euHQ==",
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": ">=0.10.0"
             }
@@ -17162,7 +17051,6 @@
             "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.4.tgz",
             "integrity": "sha512-AXJdLo8kgMbimY95O2aKQqsz2iWi9jMgKJhRBAxECE4IFxfcazB2LmzloIoibJI3C12IlY20+KFaLv+71bUJeQ==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "scheduler": "^0.27.0"
             },
@@ -17187,20 +17075,20 @@
             }
         },
         "node_modules/react-email": {
-            "version": "5.2.8",
-            "resolved": "https://registry.npmjs.org/react-email/-/react-email-5.2.8.tgz",
-            "integrity": "sha512-noPcnpl78vsyBnhiKCzxK9Mdsv7ncAYI80osS5kbMgaKH2IgPtPab5BzLJX6INXuiNk5ju+9YRnCjPoPTOHZjA==",
+            "version": "5.2.10",
+            "resolved": "https://registry.npmjs.org/react-email/-/react-email-5.2.10.tgz",
+            "integrity": "sha512-Ys8yR5/a0nXf5u2GlT2UV93PJHC3ZnuMnNebEn7I5UE9XfMFPtlpgDs02mPJOJn49fhJjDTWIUlZD1vmQPDgJg==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@babel/parser": "^7.27.0",
-                "@babel/traverse": "^7.27.0",
+                "@babel/parser": "7.27.0",
+                "@babel/traverse": "7.27.0",
                 "chokidar": "^4.0.3",
                 "commander": "^13.0.0",
                 "conf": "^15.0.2",
                 "debounce": "^2.0.0",
-                "esbuild": "^0.25.0",
-                "glob": "^11.0.0",
+                "esbuild": "0.27.3",
+                "glob": "^13.0.6",
                 "jiti": "2.4.2",
                 "log-symbols": "^7.0.0",
                 "mime-types": "^3.0.0",
@@ -17212,35 +17100,12 @@
                 "tsconfig-paths": "4.2.0"
             },
             "bin": {
-                "email": "dist/index.js"
+                "email": "dist/index.mjs"
             },
             "engines": {
                 "node": ">=20.0.0"
             }
         },
-        "node_modules/react-email/node_modules/balanced-match": {
-            "version": "4.0.4",
-            "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.4.tgz",
-            "integrity": "sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": "18 || 20 || >=22"
-            }
-        },
-        "node_modules/react-email/node_modules/brace-expansion": {
-            "version": "5.0.3",
-            "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.3.tgz",
-            "integrity": "sha512-fy6KJm2RawA5RcHkLa1z/ScpBeA762UF9KmZQxwIbDtRJrgLzM10depAiEQ+CXYcoiqW1/m96OAAoke2nE9EeA==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "balanced-match": "^4.0.2"
-            },
-            "engines": {
-                "node": "18 || 20 || >=22"
-            }
-        },
         "node_modules/react-email/node_modules/chalk": {
             "version": "5.6.2",
             "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.6.2.tgz",
@@ -17287,30 +17152,6 @@
             "dev": true,
             "license": "MIT"
         },
-        "node_modules/react-email/node_modules/glob": {
-            "version": "11.1.0",
-            "resolved": "https://registry.npmjs.org/glob/-/glob-11.1.0.tgz",
-            "integrity": "sha512-vuNwKSaKiqm7g0THUBu2x7ckSs3XJLXE+2ssL7/MfTGPLLcrJQ/4Uq1CjPTtO5cCIiRxqvN6Twy1qOwhL0Xjcw==",
-            "dev": true,
-            "license": "BlueOak-1.0.0",
-            "dependencies": {
-                "foreground-child": "^3.3.1",
-                "jackspeak": "^4.1.1",
-                "minimatch": "^10.1.1",
-                "minipass": "^7.1.2",
-                "package-json-from-dist": "^1.0.0",
-                "path-scurry": "^2.0.0"
-            },
-            "bin": {
-                "glob": "dist/esm/bin.mjs"
-            },
-            "engines": {
-                "node": "20 || >=22"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/isaacs"
-            }
-        },
         "node_modules/react-email/node_modules/is-interactive": {
             "version": "2.0.0",
             "resolved": "https://registry.npmjs.org/is-interactive/-/is-interactive-2.0.0.tgz",
@@ -17364,22 +17205,6 @@
                 "url": "https://github.com/sponsors/sindresorhus"
             }
         },
-        "node_modules/react-email/node_modules/minimatch": {
-            "version": "10.2.3",
-            "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.3.tgz",
-            "integrity": "sha512-Rwi3pnapEqirPSbWbrZaa6N3nmqq4Xer/2XooiOKyV3q12ML06f7MOuc5DVH8ONZIFhwIYQ3yzPH4nt7iWHaTg==",
-            "dev": true,
-            "license": "BlueOak-1.0.0",
-            "dependencies": {
-                "brace-expansion": "^5.0.2"
-            },
-            "engines": {
-                "node": "18 || 20 || >=22"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/isaacs"
-            }
-        },
         "node_modules/react-email/node_modules/onetime": {
             "version": "7.0.0",
             "resolved": "https://registry.npmjs.org/onetime/-/onetime-7.0.0.tgz",
@@ -17518,7 +17343,6 @@
             "resolved": "https://registry.npmjs.org/react-hook-form/-/react-hook-form-7.71.2.tgz",
             "integrity": "sha512-1CHvcDYzuRUNOflt4MOq3ZM46AronNJtQ1S7tnX6YN4y72qhgiUItpacZUAQ0TyWYci3yz1X+rXaSxiuEm86PA==",
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": ">=18.0.0"
             },
@@ -19003,8 +18827,7 @@
             "version": "4.2.1",
             "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.2.1.tgz",
             "integrity": "sha512-/tBrSQ36vCleJkAOsy9kbNTgaxvGbyOamC30PRePTQe/o1MFwEKHQk4Cn7BNGaPtjp+PuUrByJehM1hgxfq4sw==",
-            "license": "MIT",
-            "peer": true
+            "license": "MIT"
         },
         "node_modules/tapable": {
             "version": "2.3.0",
@@ -19479,7 +19302,6 @@
             "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
             "devOptional": true,
             "license": "Apache-2.0",
-            "peer": true,
             "bin": {
                 "tsc": "bin/tsc",
                 "tsserver": "bin/tsserver"
@@ -19907,7 +19729,6 @@
             "resolved": "https://registry.npmjs.org/winston/-/winston-3.19.0.tgz",
             "integrity": "sha512-LZNJgPzfKR+/J3cHkxcpHKpKKvGfDZVPS4hfJCc4cCG0CgYzvlD6yE/S3CIL/Yt91ak327YCpiF/0MyeZHEHKA==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@colors/colors": "^1.6.0",
                 "@dabh/diagnostics": "^2.0.8",
@@ -20114,7 +19935,6 @@
             "resolved": "https://registry.npmjs.org/zod/-/zod-4.3.6.tgz",
             "integrity": "sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg==",
             "license": "MIT",
-            "peer": true,
             "funding": {
                 "url": "https://github.com/sponsors/colinhacks"
             }
diff --git a/package.json b/package.json
index 3529de66a..754d917d6 100644
--- a/package.json
+++ b/package.json
@@ -133,7 +133,7 @@
     "devDependencies": {
         "@dotenvx/dotenvx": "1.54.1",
         "@esbuild-plugins/tsconfig-paths": "0.1.2",
-        "@react-email/preview-server": "5.2.8",
+        "@react-email/preview-server": "5.2.10",
         "@tailwindcss/postcss": "4.2.1",
         "@tanstack/react-query-devtools": "5.91.3",
         "@types/better-sqlite3": "7.6.13",
@@ -159,14 +159,14 @@
         "@types/ws": "8.18.1",
         "@types/yargs": "17.0.35",
         "babel-plugin-react-compiler": "1.0.0",
-        "drizzle-kit": "0.31.9",
+        "drizzle-kit": "0.31.10",
         "esbuild": "0.27.3",
         "esbuild-node-externals": "1.20.1",
         "eslint": "9.39.2",
-        "eslint-config-next": "16.1.6",
-        "postcss": "8.5.6",
+        "eslint-config-next": "16.1.7",
+        "postcss": "8.5.8",
         "prettier": "3.8.1",
-        "react-email": "5.2.8",
+        "react-email": "5.2.10",
         "tailwindcss": "4.2.1",
         "tsc-alias": "1.8.16",
         "tsx": "4.21.0",

From 0908f0f057760afe922a7d6cc403f4b40c8113d4 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 18 Mar 2026 01:37:21 +0000
Subject: [PATCH 024/314] Bump the prod-minor-updates group across 1 directory
 with 3 updates

Bumps the prod-minor-updates group with 3 updates in the / directory: [@aws-sdk/client-s3](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-s3), [@simplewebauthn/browser](https://github.com/MasterKale/SimpleWebAuthn/tree/HEAD/packages/browser) and [@simplewebauthn/server](https://github.com/MasterKale/SimpleWebAuthn/tree/HEAD/packages/server).


Updates `@aws-sdk/client-s3` from 3.1004.0 to 3.1006.0
- [Release notes](https://github.com/aws/aws-sdk-js-v3/releases)
- [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-s3/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1006.0/clients/client-s3)

Updates `@simplewebauthn/browser` from 13.2.2 to 13.3.0
- [Release notes](https://github.com/MasterKale/SimpleWebAuthn/releases)
- [Changelog](https://github.com/MasterKale/SimpleWebAuthn/blob/master/CHANGELOG.md)
- [Commits](https://github.com/MasterKale/SimpleWebAuthn/commits/v13.3.0/packages/browser)

Updates `@simplewebauthn/server` from 13.2.3 to 13.3.0
- [Release notes](https://github.com/MasterKale/SimpleWebAuthn/releases)
- [Changelog](https://github.com/MasterKale/SimpleWebAuthn/blob/master/CHANGELOG.md)
- [Commits](https://github.com/MasterKale/SimpleWebAuthn/commits/v13.3.0/packages/server)

---
updated-dependencies:
- dependency-name: "@aws-sdk/client-s3"
  dependency-version: 3.1006.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-minor-updates
- dependency-name: "@simplewebauthn/browser"
  dependency-version: 13.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-minor-updates
- dependency-name: "@simplewebauthn/server"
  dependency-version: 13.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-minor-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 package-lock.json | 1153 ++++++++++++++++++++++-----------------------
 package.json      |    6 +-
 2 files changed, 566 insertions(+), 593 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 36cb0429b..d0419f5d2 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -10,7 +10,7 @@
             "license": "SEE LICENSE IN LICENSE AND README.md",
             "dependencies": {
                 "@asteasolutions/zod-to-openapi": "8.4.1",
-                "@aws-sdk/client-s3": "3.1004.0",
+                "@aws-sdk/client-s3": "3.1011.0",
                 "@faker-js/faker": "10.3.0",
                 "@headlessui/react": "2.2.9",
                 "@hookform/resolvers": "5.2.2",
@@ -39,8 +39,8 @@
                 "@react-email/components": "1.0.8",
                 "@react-email/render": "2.0.4",
                 "@react-email/tailwind": "2.0.5",
-                "@simplewebauthn/browser": "13.2.2",
-                "@simplewebauthn/server": "13.2.3",
+                "@simplewebauthn/browser": "13.3.0",
+                "@simplewebauthn/server": "13.3.0",
                 "@tailwindcss/forms": "0.5.11",
                 "@tanstack/react-query": "5.90.21",
                 "@tanstack/react-table": "8.21.3",
@@ -393,65 +393,65 @@
             }
         },
         "node_modules/@aws-sdk/client-s3": {
-            "version": "3.1004.0",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/client-s3/-/client-s3-3.1004.0.tgz",
-            "integrity": "sha512-m0zNfpsona9jQdX1cHtHArOiuvSGZPsgp/KRZS2YjJhKah96G2UN3UNGZQ6aVjXIQjCY6UanCJo0uW9Xf2U41w==",
+            "version": "3.1011.0",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/client-s3/-/client-s3-3.1011.0.tgz",
+            "integrity": "sha512-jY7CGX+vfM/DSi4K8UwaZKoXnhqchmAbKFB1kIuHMfPPqW7l3jC/fUVDb95/njMsB2ymYOTusZEzoCTeUB/4qA==",
             "license": "Apache-2.0",
             "dependencies": {
                 "@aws-crypto/sha1-browser": "5.2.0",
                 "@aws-crypto/sha256-browser": "5.2.0",
                 "@aws-crypto/sha256-js": "5.2.0",
-                "@aws-sdk/core": "^3.973.18",
-                "@aws-sdk/credential-provider-node": "^3.972.18",
-                "@aws-sdk/middleware-bucket-endpoint": "^3.972.7",
-                "@aws-sdk/middleware-expect-continue": "^3.972.7",
-                "@aws-sdk/middleware-flexible-checksums": "^3.973.4",
-                "@aws-sdk/middleware-host-header": "^3.972.7",
-                "@aws-sdk/middleware-location-constraint": "^3.972.7",
-                "@aws-sdk/middleware-logger": "^3.972.7",
-                "@aws-sdk/middleware-recursion-detection": "^3.972.7",
-                "@aws-sdk/middleware-sdk-s3": "^3.972.18",
-                "@aws-sdk/middleware-ssec": "^3.972.7",
-                "@aws-sdk/middleware-user-agent": "^3.972.19",
-                "@aws-sdk/region-config-resolver": "^3.972.7",
-                "@aws-sdk/signature-v4-multi-region": "^3.996.6",
-                "@aws-sdk/types": "^3.973.5",
-                "@aws-sdk/util-endpoints": "^3.996.4",
-                "@aws-sdk/util-user-agent-browser": "^3.972.7",
-                "@aws-sdk/util-user-agent-node": "^3.973.4",
-                "@smithy/config-resolver": "^4.4.10",
-                "@smithy/core": "^3.23.8",
-                "@smithy/eventstream-serde-browser": "^4.2.11",
-                "@smithy/eventstream-serde-config-resolver": "^4.3.11",
-                "@smithy/eventstream-serde-node": "^4.2.11",
-                "@smithy/fetch-http-handler": "^5.3.13",
-                "@smithy/hash-blob-browser": "^4.2.12",
-                "@smithy/hash-node": "^4.2.11",
-                "@smithy/hash-stream-node": "^4.2.11",
-                "@smithy/invalid-dependency": "^4.2.11",
-                "@smithy/md5-js": "^4.2.11",
-                "@smithy/middleware-content-length": "^4.2.11",
-                "@smithy/middleware-endpoint": "^4.4.22",
-                "@smithy/middleware-retry": "^4.4.39",
-                "@smithy/middleware-serde": "^4.2.12",
-                "@smithy/middleware-stack": "^4.2.11",
-                "@smithy/node-config-provider": "^4.3.11",
-                "@smithy/node-http-handler": "^4.4.14",
-                "@smithy/protocol-http": "^5.3.11",
-                "@smithy/smithy-client": "^4.12.2",
-                "@smithy/types": "^4.13.0",
-                "@smithy/url-parser": "^4.2.11",
+                "@aws-sdk/core": "^3.973.20",
+                "@aws-sdk/credential-provider-node": "^3.972.21",
+                "@aws-sdk/middleware-bucket-endpoint": "^3.972.8",
+                "@aws-sdk/middleware-expect-continue": "^3.972.8",
+                "@aws-sdk/middleware-flexible-checksums": "^3.974.0",
+                "@aws-sdk/middleware-host-header": "^3.972.8",
+                "@aws-sdk/middleware-location-constraint": "^3.972.8",
+                "@aws-sdk/middleware-logger": "^3.972.8",
+                "@aws-sdk/middleware-recursion-detection": "^3.972.8",
+                "@aws-sdk/middleware-sdk-s3": "^3.972.20",
+                "@aws-sdk/middleware-ssec": "^3.972.8",
+                "@aws-sdk/middleware-user-agent": "^3.972.21",
+                "@aws-sdk/region-config-resolver": "^3.972.8",
+                "@aws-sdk/signature-v4-multi-region": "^3.996.8",
+                "@aws-sdk/types": "^3.973.6",
+                "@aws-sdk/util-endpoints": "^3.996.5",
+                "@aws-sdk/util-user-agent-browser": "^3.972.8",
+                "@aws-sdk/util-user-agent-node": "^3.973.7",
+                "@smithy/config-resolver": "^4.4.11",
+                "@smithy/core": "^3.23.11",
+                "@smithy/eventstream-serde-browser": "^4.2.12",
+                "@smithy/eventstream-serde-config-resolver": "^4.3.12",
+                "@smithy/eventstream-serde-node": "^4.2.12",
+                "@smithy/fetch-http-handler": "^5.3.15",
+                "@smithy/hash-blob-browser": "^4.2.13",
+                "@smithy/hash-node": "^4.2.12",
+                "@smithy/hash-stream-node": "^4.2.12",
+                "@smithy/invalid-dependency": "^4.2.12",
+                "@smithy/md5-js": "^4.2.12",
+                "@smithy/middleware-content-length": "^4.2.12",
+                "@smithy/middleware-endpoint": "^4.4.25",
+                "@smithy/middleware-retry": "^4.4.42",
+                "@smithy/middleware-serde": "^4.2.14",
+                "@smithy/middleware-stack": "^4.2.12",
+                "@smithy/node-config-provider": "^4.3.12",
+                "@smithy/node-http-handler": "^4.4.16",
+                "@smithy/protocol-http": "^5.3.12",
+                "@smithy/smithy-client": "^4.12.5",
+                "@smithy/types": "^4.13.1",
+                "@smithy/url-parser": "^4.2.12",
                 "@smithy/util-base64": "^4.3.2",
                 "@smithy/util-body-length-browser": "^4.2.2",
                 "@smithy/util-body-length-node": "^4.2.3",
-                "@smithy/util-defaults-mode-browser": "^4.3.38",
-                "@smithy/util-defaults-mode-node": "^4.2.41",
-                "@smithy/util-endpoints": "^3.3.2",
-                "@smithy/util-middleware": "^4.2.11",
-                "@smithy/util-retry": "^4.2.11",
-                "@smithy/util-stream": "^4.5.17",
+                "@smithy/util-defaults-mode-browser": "^4.3.41",
+                "@smithy/util-defaults-mode-node": "^4.2.44",
+                "@smithy/util-endpoints": "^3.3.3",
+                "@smithy/util-middleware": "^4.2.12",
+                "@smithy/util-retry": "^4.2.12",
+                "@smithy/util-stream": "^4.5.19",
                 "@smithy/util-utf8": "^4.2.2",
-                "@smithy/util-waiter": "^4.2.11",
+                "@smithy/util-waiter": "^4.2.13",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -459,22 +459,22 @@
             }
         },
         "node_modules/@aws-sdk/core": {
-            "version": "3.973.18",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/core/-/core-3.973.18.tgz",
-            "integrity": "sha512-GUIlegfcK2LO1J2Y98sCJy63rQSiLiDOgVw7HiHPRqfI2vb3XozTVqemwO0VSGXp54ngCnAQz0Lf0YPCBINNxA==",
+            "version": "3.973.20",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/core/-/core-3.973.20.tgz",
+            "integrity": "sha512-i3GuX+lowD892F3IuJf8o6AbyDupMTdyTxQrCJGcn71ni5hTZ82L4nQhcdumxZ7XPJRJJVHS/CR3uYOIIs0PVA==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/types": "^3.973.5",
-                "@aws-sdk/xml-builder": "^3.972.10",
-                "@smithy/core": "^3.23.8",
-                "@smithy/node-config-provider": "^4.3.11",
-                "@smithy/property-provider": "^4.2.11",
-                "@smithy/protocol-http": "^5.3.11",
-                "@smithy/signature-v4": "^5.3.11",
-                "@smithy/smithy-client": "^4.12.2",
-                "@smithy/types": "^4.13.0",
+                "@aws-sdk/types": "^3.973.6",
+                "@aws-sdk/xml-builder": "^3.972.11",
+                "@smithy/core": "^3.23.11",
+                "@smithy/node-config-provider": "^4.3.12",
+                "@smithy/property-provider": "^4.2.12",
+                "@smithy/protocol-http": "^5.3.12",
+                "@smithy/signature-v4": "^5.3.12",
+                "@smithy/smithy-client": "^4.12.5",
+                "@smithy/types": "^4.13.1",
                 "@smithy/util-base64": "^4.3.2",
-                "@smithy/util-middleware": "^4.2.11",
+                "@smithy/util-middleware": "^4.2.12",
                 "@smithy/util-utf8": "^4.2.2",
                 "tslib": "^2.6.2"
             },
@@ -483,12 +483,12 @@
             }
         },
         "node_modules/@aws-sdk/crc64-nvme": {
-            "version": "3.972.4",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/crc64-nvme/-/crc64-nvme-3.972.4.tgz",
-            "integrity": "sha512-HKZIZLbRyvzo/bXZU7Zmk6XqU+1C9DjI56xd02vwuDIxedxBEqP17t9ExhbP9QFeNq/a3l9GOcyirFXxmbDhmw==",
+            "version": "3.972.5",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/crc64-nvme/-/crc64-nvme-3.972.5.tgz",
+            "integrity": "sha512-2VbTstbjKdT+yKi8m7b3a9CiVac+pL/IY2PHJwsaGkkHmuuqkJZIErPck1h6P3T9ghQMLSdMPyW6Qp7Di5swFg==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/types": "^4.13.0",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -496,15 +496,15 @@
             }
         },
         "node_modules/@aws-sdk/credential-provider-env": {
-            "version": "3.972.16",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-env/-/credential-provider-env-3.972.16.tgz",
-            "integrity": "sha512-HrdtnadvTGAQUr18sPzGlE5El3ICphnH6SU7UQOMOWFgRKbTRNN8msTxM4emzguUso9CzaHU2xy5ctSrmK5YNA==",
+            "version": "3.972.18",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-env/-/credential-provider-env-3.972.18.tgz",
+            "integrity": "sha512-X0B8AlQY507i5DwjLByeU2Af4ARsl9Vr84koDcXCbAkplmU+1xBFWxEPrWRAoh56waBne/yJqEloSwvRf4x6XA==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/core": "^3.973.18",
-                "@aws-sdk/types": "^3.973.5",
-                "@smithy/property-provider": "^4.2.11",
-                "@smithy/types": "^4.13.0",
+                "@aws-sdk/core": "^3.973.20",
+                "@aws-sdk/types": "^3.973.6",
+                "@smithy/property-provider": "^4.2.12",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -512,20 +512,20 @@
             }
         },
         "node_modules/@aws-sdk/credential-provider-http": {
-            "version": "3.972.18",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-http/-/credential-provider-http-3.972.18.tgz",
-            "integrity": "sha512-NyB6smuZAixND5jZumkpkunQ0voc4Mwgkd+SZ6cvAzIB7gK8HV8Zd4rS8Kn5MmoGgusyNfVGG+RLoYc4yFiw+A==",
+            "version": "3.972.20",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-http/-/credential-provider-http-3.972.20.tgz",
+            "integrity": "sha512-ey9Lelj001+oOfrbKmS6R2CJAiXX7QKY4Vj9VJv6L2eE6/VjD8DocHIoYqztTm70xDLR4E1jYPTKfIui+eRNDA==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/core": "^3.973.18",
-                "@aws-sdk/types": "^3.973.5",
-                "@smithy/fetch-http-handler": "^5.3.13",
-                "@smithy/node-http-handler": "^4.4.14",
-                "@smithy/property-provider": "^4.2.11",
-                "@smithy/protocol-http": "^5.3.11",
-                "@smithy/smithy-client": "^4.12.2",
-                "@smithy/types": "^4.13.0",
-                "@smithy/util-stream": "^4.5.17",
+                "@aws-sdk/core": "^3.973.20",
+                "@aws-sdk/types": "^3.973.6",
+                "@smithy/fetch-http-handler": "^5.3.15",
+                "@smithy/node-http-handler": "^4.4.16",
+                "@smithy/property-provider": "^4.2.12",
+                "@smithy/protocol-http": "^5.3.12",
+                "@smithy/smithy-client": "^4.12.5",
+                "@smithy/types": "^4.13.1",
+                "@smithy/util-stream": "^4.5.19",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -533,24 +533,24 @@
             }
         },
         "node_modules/@aws-sdk/credential-provider-ini": {
-            "version": "3.972.17",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-ini/-/credential-provider-ini-3.972.17.tgz",
-            "integrity": "sha512-dFqh7nfX43B8dO1aPQHOcjC0SnCJ83H3F+1LoCh3X1P7E7N09I+0/taID0asU6GCddfDExqnEvQtDdkuMe5tKQ==",
+            "version": "3.972.20",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-ini/-/credential-provider-ini-3.972.20.tgz",
+            "integrity": "sha512-5flXSnKHMloObNF+9N0cupKegnH1Z37cdVlpETVgx8/rAhCe+VNlkcZH3HDg2SDn9bI765S+rhNPXGDJJPfbtA==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/core": "^3.973.18",
-                "@aws-sdk/credential-provider-env": "^3.972.16",
-                "@aws-sdk/credential-provider-http": "^3.972.18",
-                "@aws-sdk/credential-provider-login": "^3.972.17",
-                "@aws-sdk/credential-provider-process": "^3.972.16",
-                "@aws-sdk/credential-provider-sso": "^3.972.17",
-                "@aws-sdk/credential-provider-web-identity": "^3.972.17",
-                "@aws-sdk/nested-clients": "^3.996.7",
-                "@aws-sdk/types": "^3.973.5",
-                "@smithy/credential-provider-imds": "^4.2.11",
-                "@smithy/property-provider": "^4.2.11",
-                "@smithy/shared-ini-file-loader": "^4.4.6",
-                "@smithy/types": "^4.13.0",
+                "@aws-sdk/core": "^3.973.20",
+                "@aws-sdk/credential-provider-env": "^3.972.18",
+                "@aws-sdk/credential-provider-http": "^3.972.20",
+                "@aws-sdk/credential-provider-login": "^3.972.20",
+                "@aws-sdk/credential-provider-process": "^3.972.18",
+                "@aws-sdk/credential-provider-sso": "^3.972.20",
+                "@aws-sdk/credential-provider-web-identity": "^3.972.20",
+                "@aws-sdk/nested-clients": "^3.996.10",
+                "@aws-sdk/types": "^3.973.6",
+                "@smithy/credential-provider-imds": "^4.2.12",
+                "@smithy/property-provider": "^4.2.12",
+                "@smithy/shared-ini-file-loader": "^4.4.7",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -558,18 +558,18 @@
             }
         },
         "node_modules/@aws-sdk/credential-provider-login": {
-            "version": "3.972.17",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-login/-/credential-provider-login-3.972.17.tgz",
-            "integrity": "sha512-gf2E5b7LpKb+JX2oQsRIDxdRZjBFZt2olCGlWCdb3vBERbXIPgm2t1R5mEnwd4j0UEO/Tbg5zN2KJbHXttJqwA==",
+            "version": "3.972.20",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-login/-/credential-provider-login-3.972.20.tgz",
+            "integrity": "sha512-gEWo54nfqp2jABMu6HNsjVC4hDLpg9HC8IKSJnp0kqWtxIJYHTmiLSsIfI4ScQjxEwpB+jOOH8dOLax1+hy/Hw==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/core": "^3.973.18",
-                "@aws-sdk/nested-clients": "^3.996.7",
-                "@aws-sdk/types": "^3.973.5",
-                "@smithy/property-provider": "^4.2.11",
-                "@smithy/protocol-http": "^5.3.11",
-                "@smithy/shared-ini-file-loader": "^4.4.6",
-                "@smithy/types": "^4.13.0",
+                "@aws-sdk/core": "^3.973.20",
+                "@aws-sdk/nested-clients": "^3.996.10",
+                "@aws-sdk/types": "^3.973.6",
+                "@smithy/property-provider": "^4.2.12",
+                "@smithy/protocol-http": "^5.3.12",
+                "@smithy/shared-ini-file-loader": "^4.4.7",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -577,22 +577,22 @@
             }
         },
         "node_modules/@aws-sdk/credential-provider-node": {
-            "version": "3.972.18",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-node/-/credential-provider-node-3.972.18.tgz",
-            "integrity": "sha512-ZDJa2gd1xiPg/nBDGhUlat02O8obaDEnICBAVS8qieZ0+nDfaB0Z3ec6gjZj27OqFTjnB/Q5a0GwQwb7rMVViw==",
+            "version": "3.972.21",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-node/-/credential-provider-node-3.972.21.tgz",
+            "integrity": "sha512-hah8if3/B/Q+LBYN5FukyQ1Mym6PLPDsBOBsIgNEYD6wLyZg0UmUF/OKIVC3nX9XH8TfTPuITK+7N/jenVACWA==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/credential-provider-env": "^3.972.16",
-                "@aws-sdk/credential-provider-http": "^3.972.18",
-                "@aws-sdk/credential-provider-ini": "^3.972.17",
-                "@aws-sdk/credential-provider-process": "^3.972.16",
-                "@aws-sdk/credential-provider-sso": "^3.972.17",
-                "@aws-sdk/credential-provider-web-identity": "^3.972.17",
-                "@aws-sdk/types": "^3.973.5",
-                "@smithy/credential-provider-imds": "^4.2.11",
-                "@smithy/property-provider": "^4.2.11",
-                "@smithy/shared-ini-file-loader": "^4.4.6",
-                "@smithy/types": "^4.13.0",
+                "@aws-sdk/credential-provider-env": "^3.972.18",
+                "@aws-sdk/credential-provider-http": "^3.972.20",
+                "@aws-sdk/credential-provider-ini": "^3.972.20",
+                "@aws-sdk/credential-provider-process": "^3.972.18",
+                "@aws-sdk/credential-provider-sso": "^3.972.20",
+                "@aws-sdk/credential-provider-web-identity": "^3.972.20",
+                "@aws-sdk/types": "^3.973.6",
+                "@smithy/credential-provider-imds": "^4.2.12",
+                "@smithy/property-provider": "^4.2.12",
+                "@smithy/shared-ini-file-loader": "^4.4.7",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -600,16 +600,16 @@
             }
         },
         "node_modules/@aws-sdk/credential-provider-process": {
-            "version": "3.972.16",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-process/-/credential-provider-process-3.972.16.tgz",
-            "integrity": "sha512-n89ibATwnLEg0ZdZmUds5bq8AfBAdoYEDpqP3uzPLaRuGelsKlIvCYSNNvfgGLi8NaHPNNhs1HjJZYbqkW9b+g==",
+            "version": "3.972.18",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-process/-/credential-provider-process-3.972.18.tgz",
+            "integrity": "sha512-Tpl7SRaPoOLT32jbTWchPsn52hYYgJ0kpiFgnwk8pxTANQdUymVSZkzFvv1+oOgZm1CrbQUP9MBeoMZ9IzLZjA==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/core": "^3.973.18",
-                "@aws-sdk/types": "^3.973.5",
-                "@smithy/property-provider": "^4.2.11",
-                "@smithy/shared-ini-file-loader": "^4.4.6",
-                "@smithy/types": "^4.13.0",
+                "@aws-sdk/core": "^3.973.20",
+                "@aws-sdk/types": "^3.973.6",
+                "@smithy/property-provider": "^4.2.12",
+                "@smithy/shared-ini-file-loader": "^4.4.7",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -617,18 +617,18 @@
             }
         },
         "node_modules/@aws-sdk/credential-provider-sso": {
-            "version": "3.972.17",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-sso/-/credential-provider-sso-3.972.17.tgz",
-            "integrity": "sha512-wGtte+48xnhnhHMl/MsxzacBPs5A+7JJedjiP452IkHY7vsbYKcvQBqFye8LwdTJVeHtBHv+JFeTscnwepoWGg==",
+            "version": "3.972.20",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-sso/-/credential-provider-sso-3.972.20.tgz",
+            "integrity": "sha512-p+R+PYR5Z7Gjqf/6pvbCnzEHcqPCpLzR7Yf127HjJ6EAb4hUcD+qsNRnuww1sB/RmSeCLxyay8FMyqREw4p1RA==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/core": "^3.973.18",
-                "@aws-sdk/nested-clients": "^3.996.7",
-                "@aws-sdk/token-providers": "3.1004.0",
-                "@aws-sdk/types": "^3.973.5",
-                "@smithy/property-provider": "^4.2.11",
-                "@smithy/shared-ini-file-loader": "^4.4.6",
-                "@smithy/types": "^4.13.0",
+                "@aws-sdk/core": "^3.973.20",
+                "@aws-sdk/nested-clients": "^3.996.10",
+                "@aws-sdk/token-providers": "3.1009.0",
+                "@aws-sdk/types": "^3.973.6",
+                "@smithy/property-provider": "^4.2.12",
+                "@smithy/shared-ini-file-loader": "^4.4.7",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -636,17 +636,17 @@
             }
         },
         "node_modules/@aws-sdk/credential-provider-web-identity": {
-            "version": "3.972.17",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-web-identity/-/credential-provider-web-identity-3.972.17.tgz",
-            "integrity": "sha512-8aiVJh6fTdl8gcyL+sVNcNwTtWpmoFa1Sh7xlj6Z7L/cZ/tYMEBHq44wTYG8Kt0z/PpGNopD89nbj3FHl9QmTA==",
+            "version": "3.972.20",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-web-identity/-/credential-provider-web-identity-3.972.20.tgz",
+            "integrity": "sha512-rWCmh8o7QY4CsUj63qopzMzkDq/yPpkrpb+CnjBEFSOg/02T/we7sSTVg4QsDiVS9uwZ8VyONhq98qt+pIh3KA==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/core": "^3.973.18",
-                "@aws-sdk/nested-clients": "^3.996.7",
-                "@aws-sdk/types": "^3.973.5",
-                "@smithy/property-provider": "^4.2.11",
-                "@smithy/shared-ini-file-loader": "^4.4.6",
-                "@smithy/types": "^4.13.0",
+                "@aws-sdk/core": "^3.973.20",
+                "@aws-sdk/nested-clients": "^3.996.10",
+                "@aws-sdk/types": "^3.973.6",
+                "@smithy/property-provider": "^4.2.12",
+                "@smithy/shared-ini-file-loader": "^4.4.7",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -654,16 +654,16 @@
             }
         },
         "node_modules/@aws-sdk/middleware-bucket-endpoint": {
-            "version": "3.972.7",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-bucket-endpoint/-/middleware-bucket-endpoint-3.972.7.tgz",
-            "integrity": "sha512-goX+axlJ6PQlRnzE2bQisZ8wVrlm6dXJfBzMJhd8LhAIBan/w1Kl73fJnalM/S+18VnpzIHumyV6DtgmvqG5IA==",
+            "version": "3.972.8",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-bucket-endpoint/-/middleware-bucket-endpoint-3.972.8.tgz",
+            "integrity": "sha512-WR525Rr2QJSETa9a050isktyWi/4yIGcmY3BQ1kpHqb0LqUglQHCS8R27dTJxxWNZvQ0RVGtEZjTCbZJpyF3Aw==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/types": "^3.973.5",
+                "@aws-sdk/types": "^3.973.6",
                 "@aws-sdk/util-arn-parser": "^3.972.3",
-                "@smithy/node-config-provider": "^4.3.11",
-                "@smithy/protocol-http": "^5.3.11",
-                "@smithy/types": "^4.13.0",
+                "@smithy/node-config-provider": "^4.3.12",
+                "@smithy/protocol-http": "^5.3.12",
+                "@smithy/types": "^4.13.1",
                 "@smithy/util-config-provider": "^4.2.2",
                 "tslib": "^2.6.2"
             },
@@ -672,14 +672,14 @@
             }
         },
         "node_modules/@aws-sdk/middleware-expect-continue": {
-            "version": "3.972.7",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-expect-continue/-/middleware-expect-continue-3.972.7.tgz",
-            "integrity": "sha512-mvWqvm61bmZUKmmrtl2uWbokqpenY3Mc3Jf4nXB/Hse6gWxLPaCQThmhPBDzsPSV8/Odn8V6ovWt3pZ7vy4BFQ==",
+            "version": "3.972.8",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-expect-continue/-/middleware-expect-continue-3.972.8.tgz",
+            "integrity": "sha512-5DTBTiotEES1e2jOHAq//zyzCjeMB78lEHd35u15qnrid4Nxm7diqIf9fQQ3Ov0ChH1V3Vvt13thOnrACmfGVQ==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/types": "^3.973.5",
-                "@smithy/protocol-http": "^5.3.11",
-                "@smithy/types": "^4.13.0",
+                "@aws-sdk/types": "^3.973.6",
+                "@smithy/protocol-http": "^5.3.12",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -687,23 +687,23 @@
             }
         },
         "node_modules/@aws-sdk/middleware-flexible-checksums": {
-            "version": "3.973.4",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-flexible-checksums/-/middleware-flexible-checksums-3.973.4.tgz",
-            "integrity": "sha512-7CH2jcGmkvkHc5Buz9IGbdjq1729AAlgYJiAvGq7qhCHqYleCsriWdSnmsqWTwdAfXHMT+pkxX3w6v5tJNcSug==",
+            "version": "3.974.0",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-flexible-checksums/-/middleware-flexible-checksums-3.974.0.tgz",
+            "integrity": "sha512-BmdDjqvnuYaC4SY7ypHLXfCSsGYGUZkjCLSZyUAAYn1YT28vbNMJNDwhlfkvvE+hQHG5RJDlEmYuvBxcB9jX1g==",
             "license": "Apache-2.0",
             "dependencies": {
                 "@aws-crypto/crc32": "5.2.0",
                 "@aws-crypto/crc32c": "5.2.0",
                 "@aws-crypto/util": "5.2.0",
-                "@aws-sdk/core": "^3.973.18",
-                "@aws-sdk/crc64-nvme": "^3.972.4",
-                "@aws-sdk/types": "^3.973.5",
+                "@aws-sdk/core": "^3.973.20",
+                "@aws-sdk/crc64-nvme": "^3.972.5",
+                "@aws-sdk/types": "^3.973.6",
                 "@smithy/is-array-buffer": "^4.2.2",
-                "@smithy/node-config-provider": "^4.3.11",
-                "@smithy/protocol-http": "^5.3.11",
-                "@smithy/types": "^4.13.0",
-                "@smithy/util-middleware": "^4.2.11",
-                "@smithy/util-stream": "^4.5.17",
+                "@smithy/node-config-provider": "^4.3.12",
+                "@smithy/protocol-http": "^5.3.12",
+                "@smithy/types": "^4.13.1",
+                "@smithy/util-middleware": "^4.2.12",
+                "@smithy/util-stream": "^4.5.19",
                 "@smithy/util-utf8": "^4.2.2",
                 "tslib": "^2.6.2"
             },
@@ -712,14 +712,14 @@
             }
         },
         "node_modules/@aws-sdk/middleware-host-header": {
-            "version": "3.972.7",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-host-header/-/middleware-host-header-3.972.7.tgz",
-            "integrity": "sha512-aHQZgztBFEpDU1BB00VWCIIm85JjGjQW1OG9+98BdmaOpguJvzmXBGbnAiYcciCd+IS4e9BEq664lhzGnWJHgQ==",
+            "version": "3.972.8",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-host-header/-/middleware-host-header-3.972.8.tgz",
+            "integrity": "sha512-wAr2REfKsqoKQ+OkNqvOShnBoh+nkPurDKW7uAeVSu6kUECnWlSJiPvnoqxGlfousEY/v9LfS9sNc46hjSYDIQ==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/types": "^3.973.5",
-                "@smithy/protocol-http": "^5.3.11",
-                "@smithy/types": "^4.13.0",
+                "@aws-sdk/types": "^3.973.6",
+                "@smithy/protocol-http": "^5.3.12",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -727,13 +727,13 @@
             }
         },
         "node_modules/@aws-sdk/middleware-location-constraint": {
-            "version": "3.972.7",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-location-constraint/-/middleware-location-constraint-3.972.7.tgz",
-            "integrity": "sha512-vdK1LJfffBp87Lj0Bw3WdK1rJk9OLDYdQpqoKgmpIZPe+4+HawZ6THTbvjhJt4C4MNnRrHTKHQjkwBiIpDBoig==",
+            "version": "3.972.8",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-location-constraint/-/middleware-location-constraint-3.972.8.tgz",
+            "integrity": "sha512-KaUoFuoFPziIa98DSQsTPeke1gvGXlc5ZGMhy+b+nLxZ4A7jmJgLzjEF95l8aOQN2T/qlPP3MrAyELm8ExXucw==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/types": "^3.973.5",
-                "@smithy/types": "^4.13.0",
+                "@aws-sdk/types": "^3.973.6",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -741,13 +741,13 @@
             }
         },
         "node_modules/@aws-sdk/middleware-logger": {
-            "version": "3.972.7",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-logger/-/middleware-logger-3.972.7.tgz",
-            "integrity": "sha512-LXhiWlWb26txCU1vcI9PneESSeRp/RYY/McuM4SpdrimQR5NgwaPb4VJCadVeuGWgh6QmqZ6rAKSoL1ob16W6w==",
+            "version": "3.972.8",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-logger/-/middleware-logger-3.972.8.tgz",
+            "integrity": "sha512-CWl5UCM57WUFaFi5kB7IBY1UmOeLvNZAZ2/OZ5l20ldiJ3TiIz1pC65gYj8X0BCPWkeR1E32mpsCk1L1I4n+lA==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/types": "^3.973.5",
-                "@smithy/types": "^4.13.0",
+                "@aws-sdk/types": "^3.973.6",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -755,15 +755,15 @@
             }
         },
         "node_modules/@aws-sdk/middleware-recursion-detection": {
-            "version": "3.972.7",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-recursion-detection/-/middleware-recursion-detection-3.972.7.tgz",
-            "integrity": "sha512-l2VQdcBcYLzIzykCHtXlbpiVCZ94/xniLIkAj0jpnpjY4xlgZx7f56Ypn+uV1y3gG0tNVytJqo3K9bfMFee7SQ==",
+            "version": "3.972.8",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-recursion-detection/-/middleware-recursion-detection-3.972.8.tgz",
+            "integrity": "sha512-BnnvYs2ZEpdlmZ2PNlV2ZyQ8j8AEkMTjN79y/YA475ER1ByFYrkVR85qmhni8oeTaJcDqbx364wDpitDAA/wCA==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/types": "^3.973.5",
+                "@aws-sdk/types": "^3.973.6",
                 "@aws/lambda-invoke-store": "^0.2.2",
-                "@smithy/protocol-http": "^5.3.11",
-                "@smithy/types": "^4.13.0",
+                "@smithy/protocol-http": "^5.3.12",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -771,23 +771,23 @@
             }
         },
         "node_modules/@aws-sdk/middleware-sdk-s3": {
-            "version": "3.972.18",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-sdk-s3/-/middleware-sdk-s3-3.972.18.tgz",
-            "integrity": "sha512-5E3XxaElrdyk6ZJ0TjH7Qm6ios4b/qQCiLr6oQ8NK7e4Kn6JBTJCaYioQCQ65BpZ1+l1mK5wTAac2+pEz0Smpw==",
+            "version": "3.972.20",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-sdk-s3/-/middleware-sdk-s3-3.972.20.tgz",
+            "integrity": "sha512-yhva/xL5H4tWQgsBjwV+RRD0ByCzg0TcByDCLp3GXdn/wlyRNfy8zsswDtCvr1WSKQkSQYlyEzPuWkJG0f5HvQ==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/core": "^3.973.18",
-                "@aws-sdk/types": "^3.973.5",
+                "@aws-sdk/core": "^3.973.20",
+                "@aws-sdk/types": "^3.973.6",
                 "@aws-sdk/util-arn-parser": "^3.972.3",
-                "@smithy/core": "^3.23.8",
-                "@smithy/node-config-provider": "^4.3.11",
-                "@smithy/protocol-http": "^5.3.11",
-                "@smithy/signature-v4": "^5.3.11",
-                "@smithy/smithy-client": "^4.12.2",
-                "@smithy/types": "^4.13.0",
+                "@smithy/core": "^3.23.11",
+                "@smithy/node-config-provider": "^4.3.12",
+                "@smithy/protocol-http": "^5.3.12",
+                "@smithy/signature-v4": "^5.3.12",
+                "@smithy/smithy-client": "^4.12.5",
+                "@smithy/types": "^4.13.1",
                 "@smithy/util-config-provider": "^4.2.2",
-                "@smithy/util-middleware": "^4.2.11",
-                "@smithy/util-stream": "^4.5.17",
+                "@smithy/util-middleware": "^4.2.12",
+                "@smithy/util-stream": "^4.5.19",
                 "@smithy/util-utf8": "^4.2.2",
                 "tslib": "^2.6.2"
             },
@@ -796,13 +796,13 @@
             }
         },
         "node_modules/@aws-sdk/middleware-ssec": {
-            "version": "3.972.7",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-ssec/-/middleware-ssec-3.972.7.tgz",
-            "integrity": "sha512-G9clGVuAml7d8DYzY6DnRi7TIIDRvZ3YpqJPz/8wnWS5fYx/FNWNmkO6iJVlVkQg9BfeMzd+bVPtPJOvC4B+nQ==",
+            "version": "3.972.8",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-ssec/-/middleware-ssec-3.972.8.tgz",
+            "integrity": "sha512-wqlK0yO/TxEC2UsY9wIlqeeutF6jjLe0f96Pbm40XscTo57nImUk9lBcw0dPgsm0sppFtAkSlDrfpK+pC30Wqw==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/types": "^3.973.5",
-                "@smithy/types": "^4.13.0",
+                "@aws-sdk/types": "^3.973.6",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -810,18 +810,18 @@
             }
         },
         "node_modules/@aws-sdk/middleware-user-agent": {
-            "version": "3.972.19",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-user-agent/-/middleware-user-agent-3.972.19.tgz",
-            "integrity": "sha512-Km90fcXt3W/iqujHzuM6IaDkYCj73gsYufcuWXApWdzoTy6KGk8fnchAjePMARU0xegIR3K4N3yIo1vy7OVe8A==",
+            "version": "3.972.21",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-user-agent/-/middleware-user-agent-3.972.21.tgz",
+            "integrity": "sha512-62XRl1GDYPpkt7cx1AX1SPy9wgNE9Iw/NPuurJu4lmhCWS7sGKO+kS53TQ8eRmIxy3skmvNInnk0ZbWrU5Dpyg==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/core": "^3.973.18",
-                "@aws-sdk/types": "^3.973.5",
-                "@aws-sdk/util-endpoints": "^3.996.4",
-                "@smithy/core": "^3.23.8",
-                "@smithy/protocol-http": "^5.3.11",
-                "@smithy/types": "^4.13.0",
-                "@smithy/util-retry": "^4.2.11",
+                "@aws-sdk/core": "^3.973.20",
+                "@aws-sdk/types": "^3.973.6",
+                "@aws-sdk/util-endpoints": "^3.996.5",
+                "@smithy/core": "^3.23.11",
+                "@smithy/protocol-http": "^5.3.12",
+                "@smithy/types": "^4.13.1",
+                "@smithy/util-retry": "^4.2.12",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -829,47 +829,47 @@
             }
         },
         "node_modules/@aws-sdk/nested-clients": {
-            "version": "3.996.7",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/nested-clients/-/nested-clients-3.996.7.tgz",
-            "integrity": "sha512-MlGWA8uPaOs5AiTZ5JLM4uuWDm9EEAnm9cqwvqQIc6kEgel/8s1BaOWm9QgUcfc9K8qd7KkC3n43yDbeXOA2tg==",
+            "version": "3.996.10",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/nested-clients/-/nested-clients-3.996.10.tgz",
+            "integrity": "sha512-SlDol5Z+C7Ivnc2rKGqiqfSUmUZzY1qHfVs9myt/nxVwswgfpjdKahyTzLTx802Zfq0NFRs7AejwKzzzl5Co2w==",
             "license": "Apache-2.0",
             "dependencies": {
                 "@aws-crypto/sha256-browser": "5.2.0",
                 "@aws-crypto/sha256-js": "5.2.0",
-                "@aws-sdk/core": "^3.973.18",
-                "@aws-sdk/middleware-host-header": "^3.972.7",
-                "@aws-sdk/middleware-logger": "^3.972.7",
-                "@aws-sdk/middleware-recursion-detection": "^3.972.7",
-                "@aws-sdk/middleware-user-agent": "^3.972.19",
-                "@aws-sdk/region-config-resolver": "^3.972.7",
-                "@aws-sdk/types": "^3.973.5",
-                "@aws-sdk/util-endpoints": "^3.996.4",
-                "@aws-sdk/util-user-agent-browser": "^3.972.7",
-                "@aws-sdk/util-user-agent-node": "^3.973.4",
-                "@smithy/config-resolver": "^4.4.10",
-                "@smithy/core": "^3.23.8",
-                "@smithy/fetch-http-handler": "^5.3.13",
-                "@smithy/hash-node": "^4.2.11",
-                "@smithy/invalid-dependency": "^4.2.11",
-                "@smithy/middleware-content-length": "^4.2.11",
-                "@smithy/middleware-endpoint": "^4.4.22",
-                "@smithy/middleware-retry": "^4.4.39",
-                "@smithy/middleware-serde": "^4.2.12",
-                "@smithy/middleware-stack": "^4.2.11",
-                "@smithy/node-config-provider": "^4.3.11",
-                "@smithy/node-http-handler": "^4.4.14",
-                "@smithy/protocol-http": "^5.3.11",
-                "@smithy/smithy-client": "^4.12.2",
-                "@smithy/types": "^4.13.0",
-                "@smithy/url-parser": "^4.2.11",
+                "@aws-sdk/core": "^3.973.20",
+                "@aws-sdk/middleware-host-header": "^3.972.8",
+                "@aws-sdk/middleware-logger": "^3.972.8",
+                "@aws-sdk/middleware-recursion-detection": "^3.972.8",
+                "@aws-sdk/middleware-user-agent": "^3.972.21",
+                "@aws-sdk/region-config-resolver": "^3.972.8",
+                "@aws-sdk/types": "^3.973.6",
+                "@aws-sdk/util-endpoints": "^3.996.5",
+                "@aws-sdk/util-user-agent-browser": "^3.972.8",
+                "@aws-sdk/util-user-agent-node": "^3.973.7",
+                "@smithy/config-resolver": "^4.4.11",
+                "@smithy/core": "^3.23.11",
+                "@smithy/fetch-http-handler": "^5.3.15",
+                "@smithy/hash-node": "^4.2.12",
+                "@smithy/invalid-dependency": "^4.2.12",
+                "@smithy/middleware-content-length": "^4.2.12",
+                "@smithy/middleware-endpoint": "^4.4.25",
+                "@smithy/middleware-retry": "^4.4.42",
+                "@smithy/middleware-serde": "^4.2.14",
+                "@smithy/middleware-stack": "^4.2.12",
+                "@smithy/node-config-provider": "^4.3.12",
+                "@smithy/node-http-handler": "^4.4.16",
+                "@smithy/protocol-http": "^5.3.12",
+                "@smithy/smithy-client": "^4.12.5",
+                "@smithy/types": "^4.13.1",
+                "@smithy/url-parser": "^4.2.12",
                 "@smithy/util-base64": "^4.3.2",
                 "@smithy/util-body-length-browser": "^4.2.2",
                 "@smithy/util-body-length-node": "^4.2.3",
-                "@smithy/util-defaults-mode-browser": "^4.3.38",
-                "@smithy/util-defaults-mode-node": "^4.2.41",
-                "@smithy/util-endpoints": "^3.3.2",
-                "@smithy/util-middleware": "^4.2.11",
-                "@smithy/util-retry": "^4.2.11",
+                "@smithy/util-defaults-mode-browser": "^4.3.41",
+                "@smithy/util-defaults-mode-node": "^4.2.44",
+                "@smithy/util-endpoints": "^3.3.3",
+                "@smithy/util-middleware": "^4.2.12",
+                "@smithy/util-retry": "^4.2.12",
                 "@smithy/util-utf8": "^4.2.2",
                 "tslib": "^2.6.2"
             },
@@ -878,15 +878,15 @@
             }
         },
         "node_modules/@aws-sdk/region-config-resolver": {
-            "version": "3.972.7",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/region-config-resolver/-/region-config-resolver-3.972.7.tgz",
-            "integrity": "sha512-/Ev/6AI8bvt4HAAptzSjThGUMjcWaX3GX8oERkB0F0F9x2dLSBdgFDiyrRz3i0u0ZFZFQ1b28is4QhyqXTUsVA==",
+            "version": "3.972.8",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/region-config-resolver/-/region-config-resolver-3.972.8.tgz",
+            "integrity": "sha512-1eD4uhTDeambO/PNIDVG19A6+v4NdD7xzwLHDutHsUqz0B+i661MwQB2eYO4/crcCvCiQG4SRm1k81k54FEIvw==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/types": "^3.973.5",
-                "@smithy/config-resolver": "^4.4.10",
-                "@smithy/node-config-provider": "^4.3.11",
-                "@smithy/types": "^4.13.0",
+                "@aws-sdk/types": "^3.973.6",
+                "@smithy/config-resolver": "^4.4.11",
+                "@smithy/node-config-provider": "^4.3.12",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -894,16 +894,16 @@
             }
         },
         "node_modules/@aws-sdk/signature-v4-multi-region": {
-            "version": "3.996.6",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/signature-v4-multi-region/-/signature-v4-multi-region-3.996.6.tgz",
-            "integrity": "sha512-NnsOQsVmJXy4+IdPFUjRCWPn9qNH1TzS/f7MiWgXeoHs903tJpAWQWQtoFvLccyPoBgomKP9L89RRr2YsT/L0g==",
+            "version": "3.996.8",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/signature-v4-multi-region/-/signature-v4-multi-region-3.996.8.tgz",
+            "integrity": "sha512-n1qYFD+tbqZuyskVaxUE+t10AUz9g3qzDw3Tp6QZDKmqsjfDmZBd4GIk2EKJJNtcCBtE5YiUjDYA+3djFAFBBg==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/middleware-sdk-s3": "^3.972.18",
-                "@aws-sdk/types": "^3.973.5",
-                "@smithy/protocol-http": "^5.3.11",
-                "@smithy/signature-v4": "^5.3.11",
-                "@smithy/types": "^4.13.0",
+                "@aws-sdk/middleware-sdk-s3": "^3.972.20",
+                "@aws-sdk/types": "^3.973.6",
+                "@smithy/protocol-http": "^5.3.12",
+                "@smithy/signature-v4": "^5.3.12",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -911,17 +911,17 @@
             }
         },
         "node_modules/@aws-sdk/token-providers": {
-            "version": "3.1004.0",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/token-providers/-/token-providers-3.1004.0.tgz",
-            "integrity": "sha512-j9BwZZId9sFp+4GPhf6KrwO8Tben2sXibZA8D1vv2I1zBdvkUHcBA2g4pkqIpTRalMTLC0NPkBPX0gERxfy/iA==",
+            "version": "3.1009.0",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/token-providers/-/token-providers-3.1009.0.tgz",
+            "integrity": "sha512-KCPLuTqN9u0Rr38Arln78fRG9KXpzsPWmof+PZzfAHMMQq2QED6YjQrkrfiH7PDefLWEposY1o4/eGwrmKA4JA==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/core": "^3.973.18",
-                "@aws-sdk/nested-clients": "^3.996.7",
-                "@aws-sdk/types": "^3.973.5",
-                "@smithy/property-provider": "^4.2.11",
-                "@smithy/shared-ini-file-loader": "^4.4.6",
-                "@smithy/types": "^4.13.0",
+                "@aws-sdk/core": "^3.973.20",
+                "@aws-sdk/nested-clients": "^3.996.10",
+                "@aws-sdk/types": "^3.973.6",
+                "@smithy/property-provider": "^4.2.12",
+                "@smithy/shared-ini-file-loader": "^4.4.7",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -929,12 +929,12 @@
             }
         },
         "node_modules/@aws-sdk/types": {
-            "version": "3.973.5",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/types/-/types-3.973.5.tgz",
-            "integrity": "sha512-hl7BGwDCWsjH8NkZfx+HgS7H2LyM2lTMAI7ba9c8O0KqdBLTdNJivsHpqjg9rNlAlPyREb6DeDRXUl0s8uFdmQ==",
+            "version": "3.973.6",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/types/-/types-3.973.6.tgz",
+            "integrity": "sha512-Atfcy4E++beKtwJHiDln2Nby8W/mam64opFPTiHEqgsthqeydFS1pY+OUlN1ouNOmf8ArPU/6cDS65anOP3KQw==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/types": "^4.13.0",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -954,15 +954,15 @@
             }
         },
         "node_modules/@aws-sdk/util-endpoints": {
-            "version": "3.996.4",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/util-endpoints/-/util-endpoints-3.996.4.tgz",
-            "integrity": "sha512-Hek90FBmd4joCFj+Vc98KLJh73Zqj3s2W56gjAcTkrNLMDI5nIFkG9YpfcJiVI1YlE2Ne1uOQNe+IgQ/Vz2XRA==",
+            "version": "3.996.5",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/util-endpoints/-/util-endpoints-3.996.5.tgz",
+            "integrity": "sha512-Uh93L5sXFNbyR5sEPMzUU8tJ++Ku97EY4udmC01nB8Zu+xfBPwpIwJ6F7snqQeq8h2pf+8SGN5/NoytfKgYPIw==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/types": "^3.973.5",
-                "@smithy/types": "^4.13.0",
-                "@smithy/url-parser": "^4.2.11",
-                "@smithy/util-endpoints": "^3.3.2",
+                "@aws-sdk/types": "^3.973.6",
+                "@smithy/types": "^4.13.1",
+                "@smithy/url-parser": "^4.2.12",
+                "@smithy/util-endpoints": "^3.3.3",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -982,27 +982,28 @@
             }
         },
         "node_modules/@aws-sdk/util-user-agent-browser": {
-            "version": "3.972.7",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-browser/-/util-user-agent-browser-3.972.7.tgz",
-            "integrity": "sha512-7SJVuvhKhMF/BkNS1n0QAJYgvEwYbK2QLKBrzDiwQGiTRU6Yf1f3nehTzm/l21xdAOtWSfp2uWSddPnP2ZtsVw==",
+            "version": "3.972.8",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-browser/-/util-user-agent-browser-3.972.8.tgz",
+            "integrity": "sha512-B3KGXJviV2u6Cdw2SDY2aDhoJkVfY/Q/Trwk2CMSkikE1Oi6gRzxhvhIfiRpHfmIsAhV4EA54TVEX8K6CbHbkA==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/types": "^3.973.5",
-                "@smithy/types": "^4.13.0",
+                "@aws-sdk/types": "^3.973.6",
+                "@smithy/types": "^4.13.1",
                 "bowser": "^2.11.0",
                 "tslib": "^2.6.2"
             }
         },
         "node_modules/@aws-sdk/util-user-agent-node": {
-            "version": "3.973.4",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-node/-/util-user-agent-node-3.973.4.tgz",
-            "integrity": "sha512-uqKeLqZ9D3nQjH7HGIERNXK9qnSpUK08l4MlJ5/NZqSSdeJsVANYp437EM9sEzwU28c2xfj2V6qlkqzsgtKs6Q==",
+            "version": "3.973.7",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-node/-/util-user-agent-node-3.973.7.tgz",
+            "integrity": "sha512-Hz6EZMUAEzqUd7e+vZ9LE7mn+5gMbxltXy18v+YSFY+9LBJz15wkNZvw5JqfX3z0FS9n3bgUtz3L5rAsfh4YlA==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@aws-sdk/middleware-user-agent": "^3.972.19",
-                "@aws-sdk/types": "^3.973.5",
-                "@smithy/node-config-provider": "^4.3.11",
-                "@smithy/types": "^4.13.0",
+                "@aws-sdk/middleware-user-agent": "^3.972.21",
+                "@aws-sdk/types": "^3.973.6",
+                "@smithy/node-config-provider": "^4.3.12",
+                "@smithy/types": "^4.13.1",
+                "@smithy/util-config-provider": "^4.2.2",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -1018,12 +1019,12 @@
             }
         },
         "node_modules/@aws-sdk/xml-builder": {
-            "version": "3.972.10",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/xml-builder/-/xml-builder-3.972.10.tgz",
-            "integrity": "sha512-OnejAIVD+CxzyAUrVic7lG+3QRltyja9LoNqCE/1YVs8ichoTbJlVSaZ9iSMcnHLyzrSNtvaOGjSDRP+d/ouFA==",
+            "version": "3.972.11",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/xml-builder/-/xml-builder-3.972.11.tgz",
+            "integrity": "sha512-iitV/gZKQMvY9d7ovmyFnFuTHbBAtrmLnvaSb/3X8vOKyevwtpmEtyc8AdhVWZe0pI/1GsHxlEvQeOePFzy7KQ==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/types": "^4.13.0",
+                "@smithy/types": "^4.13.1",
                 "fast-xml-parser": "5.4.1",
                 "tslib": "^2.6.2"
             },
@@ -1032,9 +1033,9 @@
             }
         },
         "node_modules/@aws/lambda-invoke-store": {
-            "version": "0.2.3",
-            "resolved": "https://registry.npmjs.org/@aws/lambda-invoke-store/-/lambda-invoke-store-0.2.3.tgz",
-            "integrity": "sha512-oLvsaPMTBejkkmHhjf09xTgk71mOqyr/409NKhRIL08If7AhVfUsJhVsx386uJaqNd42v9kWamQ9lFbkoC2dYw==",
+            "version": "0.2.4",
+            "resolved": "https://registry.npmjs.org/@aws/lambda-invoke-store/-/lambda-invoke-store-0.2.4.tgz",
+            "integrity": "sha512-iY8yvjE0y651BixKNPgmv1WrQc+GZ142sb0z4gYnChDDY2YqI4P/jsSopBWrKfAt7LOJAkOXt7rC/hms+WclQQ==",
             "license": "Apache-2.0",
             "engines": {
                 "node": ">=18.0.0"
@@ -1071,7 +1072,6 @@
             "integrity": "sha512-vMqyb7XCDMPvJFFOaT9kxtiRh42GwlZEg1/uIgtZshS5a/8OaduUfCi7kynKgc3Tw/6Uo2D+db9qBttghhmxwQ==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@ampproject/remapping": "^2.2.0",
                 "@babel/code-frame": "^7.26.2",
@@ -2382,7 +2382,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2405,7 +2404,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2428,7 +2426,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2445,7 +2442,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2462,7 +2458,6 @@
             "cpu": [
                 "arm"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2479,7 +2474,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2496,7 +2490,6 @@
             "cpu": [
                 "ppc64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2513,7 +2506,6 @@
             "cpu": [
                 "s390x"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2530,7 +2522,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2547,7 +2538,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2564,7 +2554,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2581,7 +2570,6 @@
             "cpu": [
                 "arm"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2604,7 +2592,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2627,7 +2614,6 @@
             "cpu": [
                 "ppc64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2650,7 +2636,6 @@
             "cpu": [
                 "s390x"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2673,7 +2658,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2696,7 +2680,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2719,7 +2702,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2742,7 +2724,6 @@
             "cpu": [
                 "wasm32"
             ],
-            "dev": true,
             "license": "Apache-2.0 AND LGPL-3.0-or-later AND MIT",
             "optional": true,
             "dependencies": {
@@ -2762,7 +2743,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "Apache-2.0 AND LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2782,7 +2762,6 @@
             "cpu": [
                 "ia32"
             ],
-            "dev": true,
             "license": "Apache-2.0 AND LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2802,7 +2781,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "Apache-2.0 AND LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -3062,7 +3040,6 @@
             "integrity": "sha512-2I0gnIVPtfnMw9ee9h1dJG7tp81+8Ob3OJb3Mv37rx5L40/b0i7djjCVvGOVqc9AEIQyvyu1i6ypKdFw8R8gQw==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": "^14.21.3 || >=16"
             },
@@ -7009,7 +6986,6 @@
             "resolved": "https://registry.npmjs.org/@react-email/text/-/text-0.1.6.tgz",
             "integrity": "sha512-TYqkioRS45wTR5il3dYk/SbUjjEdhSwh9BtRNB99qNH1pXAwA45H7rAuxehiu8iJQJH0IyIr+6n62gBz9ezmsw==",
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": ">=20.0.0"
             },
@@ -7081,15 +7057,15 @@
             }
         },
         "node_modules/@simplewebauthn/browser": {
-            "version": "13.2.2",
-            "resolved": "https://registry.npmjs.org/@simplewebauthn/browser/-/browser-13.2.2.tgz",
-            "integrity": "sha512-FNW1oLQpTJyqG5kkDg5ZsotvWgmBaC6jCHR7Ej0qUNep36Wl9tj2eZu7J5rP+uhXgHaLk+QQ3lqcw2vS5MX1IA==",
+            "version": "13.3.0",
+            "resolved": "https://registry.npmjs.org/@simplewebauthn/browser/-/browser-13.3.0.tgz",
+            "integrity": "sha512-BE/UWv6FOToAdVk0EokzkqQQDOWtNydYlY6+OrmiZ5SCNmb41VehttboTetUM3T/fr6EAFYVXjz4My2wg230rQ==",
             "license": "MIT"
         },
         "node_modules/@simplewebauthn/server": {
-            "version": "13.2.3",
-            "resolved": "https://registry.npmjs.org/@simplewebauthn/server/-/server-13.2.3.tgz",
-            "integrity": "sha512-ZhcVBOw63birYx9jVfbhK6rTehckVes8PeWV324zpmdxr0BUfylospwMzcrxrdMcOi48MHWj2LCA+S528LnGvg==",
+            "version": "13.3.0",
+            "resolved": "https://registry.npmjs.org/@simplewebauthn/server/-/server-13.3.0.tgz",
+            "integrity": "sha512-MLHYFrYG8/wK2i+86XMhiecK72nMaHKKt4bo+7Q1TbuG9iGjlSdfkPWKO5ZFE/BX+ygCJ7pr8H/AJeyAj1EaTQ==",
             "license": "MIT",
             "dependencies": {
                 "@hexagon/base64": "^1.1.27",
@@ -7106,12 +7082,12 @@
             }
         },
         "node_modules/@smithy/abort-controller": {
-            "version": "4.2.11",
-            "resolved": "https://registry.npmjs.org/@smithy/abort-controller/-/abort-controller-4.2.11.tgz",
-            "integrity": "sha512-Hj4WoYWMJnSpM6/kchsm4bUNTL9XiSyhvoMb2KIq4VJzyDt7JpGHUZHkVNPZVC7YE1tf8tPeVauxpFBKGW4/KQ==",
+            "version": "4.2.12",
+            "resolved": "https://registry.npmjs.org/@smithy/abort-controller/-/abort-controller-4.2.12.tgz",
+            "integrity": "sha512-xolrFw6b+2iYGl6EcOL7IJY71vvyZ0DJ3mcKtpykqPe2uscwtzDZJa1uVQXyP7w9Dd+kGwYnPbMsJrGISKiY/Q==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/types": "^4.13.0",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7144,16 +7120,16 @@
             }
         },
         "node_modules/@smithy/config-resolver": {
-            "version": "4.4.10",
-            "resolved": "https://registry.npmjs.org/@smithy/config-resolver/-/config-resolver-4.4.10.tgz",
-            "integrity": "sha512-IRTkd6ps0ru+lTWnfnsbXzW80A8Od8p3pYiZnW98K2Hb20rqfsX7VTlfUwhrcOeSSy68Gn9WBofwPuw3e5CCsg==",
+            "version": "4.4.11",
+            "resolved": "https://registry.npmjs.org/@smithy/config-resolver/-/config-resolver-4.4.11.tgz",
+            "integrity": "sha512-YxFiiG4YDAtX7WMN7RuhHZLeTmRRAOyCbr+zB8e3AQzHPnUhS8zXjB1+cniPVQI3xbWsQPM0X2aaIkO/ME0ymw==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/node-config-provider": "^4.3.11",
-                "@smithy/types": "^4.13.0",
+                "@smithy/node-config-provider": "^4.3.12",
+                "@smithy/types": "^4.13.1",
                 "@smithy/util-config-provider": "^4.2.2",
-                "@smithy/util-endpoints": "^3.3.2",
-                "@smithy/util-middleware": "^4.2.11",
+                "@smithy/util-endpoints": "^3.3.3",
+                "@smithy/util-middleware": "^4.2.12",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7161,18 +7137,18 @@
             }
         },
         "node_modules/@smithy/core": {
-            "version": "3.23.9",
-            "resolved": "https://registry.npmjs.org/@smithy/core/-/core-3.23.9.tgz",
-            "integrity": "sha512-1Vcut4LEL9HZsdpI0vFiRYIsaoPwZLjAxnVQDUMQK8beMS+EYPLDQCXtbzfxmM5GzSgjfe2Q9M7WaXwIMQllyQ==",
+            "version": "3.23.12",
+            "resolved": "https://registry.npmjs.org/@smithy/core/-/core-3.23.12.tgz",
+            "integrity": "sha512-o9VycsYNtgC+Dy3I0yrwCqv9CWicDnke0L7EVOrZtJpjb2t0EjaEofmMrYc0T1Kn3yk32zm6cspxF9u9Bj7e5w==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/middleware-serde": "^4.2.12",
-                "@smithy/protocol-http": "^5.3.11",
-                "@smithy/types": "^4.13.0",
+                "@smithy/protocol-http": "^5.3.12",
+                "@smithy/types": "^4.13.1",
+                "@smithy/url-parser": "^4.2.12",
                 "@smithy/util-base64": "^4.3.2",
                 "@smithy/util-body-length-browser": "^4.2.2",
-                "@smithy/util-middleware": "^4.2.11",
-                "@smithy/util-stream": "^4.5.17",
+                "@smithy/util-middleware": "^4.2.12",
+                "@smithy/util-stream": "^4.5.20",
                 "@smithy/util-utf8": "^4.2.2",
                 "@smithy/uuid": "^1.1.2",
                 "tslib": "^2.6.2"
@@ -7182,15 +7158,15 @@
             }
         },
         "node_modules/@smithy/credential-provider-imds": {
-            "version": "4.2.11",
-            "resolved": "https://registry.npmjs.org/@smithy/credential-provider-imds/-/credential-provider-imds-4.2.11.tgz",
-            "integrity": "sha512-lBXrS6ku0kTj3xLmsJW0WwqWbGQ6ueooYyp/1L9lkyT0M02C+DWwYwc5aTyXFbRaK38ojALxNixg+LxKSHZc0g==",
+            "version": "4.2.12",
+            "resolved": "https://registry.npmjs.org/@smithy/credential-provider-imds/-/credential-provider-imds-4.2.12.tgz",
+            "integrity": "sha512-cr2lR792vNZcYMriSIj+Um3x9KWrjcu98kn234xA6reOAFMmbRpQMOv8KPgEmLLtx3eldU6c5wALKFqNOhugmg==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/node-config-provider": "^4.3.11",
-                "@smithy/property-provider": "^4.2.11",
-                "@smithy/types": "^4.13.0",
-                "@smithy/url-parser": "^4.2.11",
+                "@smithy/node-config-provider": "^4.3.12",
+                "@smithy/property-provider": "^4.2.12",
+                "@smithy/types": "^4.13.1",
+                "@smithy/url-parser": "^4.2.12",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7198,13 +7174,13 @@
             }
         },
         "node_modules/@smithy/eventstream-codec": {
-            "version": "4.2.11",
-            "resolved": "https://registry.npmjs.org/@smithy/eventstream-codec/-/eventstream-codec-4.2.11.tgz",
-            "integrity": "sha512-Sf39Ml0iVX+ba/bgMPxaXWAAFmHqYLTmbjAPfLPLY8CrYkRDEqZdUsKC1OwVMCdJXfAt0v4j49GIJ8DoSYAe6w==",
+            "version": "4.2.12",
+            "resolved": "https://registry.npmjs.org/@smithy/eventstream-codec/-/eventstream-codec-4.2.12.tgz",
+            "integrity": "sha512-FE3bZdEl62ojmy8x4FHqxq2+BuOHlcxiH5vaZ6aqHJr3AIZzwF5jfx8dEiU/X0a8RboyNDjmXjlbr8AdEyLgiA==",
             "license": "Apache-2.0",
             "dependencies": {
                 "@aws-crypto/crc32": "5.2.0",
-                "@smithy/types": "^4.13.0",
+                "@smithy/types": "^4.13.1",
                 "@smithy/util-hex-encoding": "^4.2.2",
                 "tslib": "^2.6.2"
             },
@@ -7213,13 +7189,13 @@
             }
         },
         "node_modules/@smithy/eventstream-serde-browser": {
-            "version": "4.2.11",
-            "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-browser/-/eventstream-serde-browser-4.2.11.tgz",
-            "integrity": "sha512-3rEpo3G6f/nRS7fQDsZmxw/ius6rnlIpz4UX6FlALEzz8JoSxFmdBt0SZnthis+km7sQo6q5/3e+UJcuQivoXA==",
+            "version": "4.2.12",
+            "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-browser/-/eventstream-serde-browser-4.2.12.tgz",
+            "integrity": "sha512-XUSuMxlTxV5pp4VpqZf6Sa3vT/Q75FVkLSpSSE3KkWBvAQWeuWt1msTv8fJfgA4/jcJhrbrbMzN1AC/hvPmm5A==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/eventstream-serde-universal": "^4.2.11",
-                "@smithy/types": "^4.13.0",
+                "@smithy/eventstream-serde-universal": "^4.2.12",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7227,12 +7203,12 @@
             }
         },
         "node_modules/@smithy/eventstream-serde-config-resolver": {
-            "version": "4.3.11",
-            "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-config-resolver/-/eventstream-serde-config-resolver-4.3.11.tgz",
-            "integrity": "sha512-XeNIA8tcP/GDWnnKkO7qEm/bg0B/bP9lvIXZBXcGZwZ+VYM8h8k9wuDvUODtdQ2Wcp2RcBkPTCSMmaniVHrMlA==",
+            "version": "4.3.12",
+            "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-config-resolver/-/eventstream-serde-config-resolver-4.3.12.tgz",
+            "integrity": "sha512-7epsAZ3QvfHkngz6RXQYseyZYHlmWXSTPOfPmXkiS+zA6TBNo1awUaMFL9vxyXlGdoELmCZyZe1nQE+imbmV+Q==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/types": "^4.13.0",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7240,13 +7216,13 @@
             }
         },
         "node_modules/@smithy/eventstream-serde-node": {
-            "version": "4.2.11",
-            "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-node/-/eventstream-serde-node-4.2.11.tgz",
-            "integrity": "sha512-fzbCh18rscBDTQSCrsp1fGcclLNF//nJyhjldsEl/5wCYmgpHblv5JSppQAyQI24lClsFT0wV06N1Porn0IsEw==",
+            "version": "4.2.12",
+            "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-node/-/eventstream-serde-node-4.2.12.tgz",
+            "integrity": "sha512-D1pFuExo31854eAvg89KMn9Oab/wEeJR6Buy32B49A9Ogdtx5fwZPqBHUlDzaCDpycTFk2+fSQgX689Qsk7UGA==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/eventstream-serde-universal": "^4.2.11",
-                "@smithy/types": "^4.13.0",
+                "@smithy/eventstream-serde-universal": "^4.2.12",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7254,13 +7230,13 @@
             }
         },
         "node_modules/@smithy/eventstream-serde-universal": {
-            "version": "4.2.11",
-            "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-universal/-/eventstream-serde-universal-4.2.11.tgz",
-            "integrity": "sha512-MJ7HcI+jEkqoWT5vp+uoVaAjBrmxBtKhZTeynDRG/seEjJfqyg3SiqMMqyPnAMzmIfLaeJ/uiuSDP/l9AnMy/Q==",
+            "version": "4.2.12",
+            "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-universal/-/eventstream-serde-universal-4.2.12.tgz",
+            "integrity": "sha512-+yNuTiyBACxOJUTvbsNsSOfH9G9oKbaJE1lNL3YHpGcuucl6rPZMi3nrpehpVOVR2E07YqFFmtwpImtpzlouHQ==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/eventstream-codec": "^4.2.11",
-                "@smithy/types": "^4.13.0",
+                "@smithy/eventstream-codec": "^4.2.12",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7268,14 +7244,14 @@
             }
         },
         "node_modules/@smithy/fetch-http-handler": {
-            "version": "5.3.13",
-            "resolved": "https://registry.npmjs.org/@smithy/fetch-http-handler/-/fetch-http-handler-5.3.13.tgz",
-            "integrity": "sha512-U2Hcfl2s3XaYjikN9cT4mPu8ybDbImV3baXR0PkVlC0TTx808bRP3FaPGAzPtB8OByI+JqJ1kyS+7GEgae7+qQ==",
+            "version": "5.3.15",
+            "resolved": "https://registry.npmjs.org/@smithy/fetch-http-handler/-/fetch-http-handler-5.3.15.tgz",
+            "integrity": "sha512-T4jFU5N/yiIfrtrsb9uOQn7RdELdM/7HbyLNr6uO/mpkj1ctiVs7CihVr51w4LyQlXWDpXFn4BElf1WmQvZu/A==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/protocol-http": "^5.3.11",
-                "@smithy/querystring-builder": "^4.2.11",
-                "@smithy/types": "^4.13.0",
+                "@smithy/protocol-http": "^5.3.12",
+                "@smithy/querystring-builder": "^4.2.12",
+                "@smithy/types": "^4.13.1",
                 "@smithy/util-base64": "^4.3.2",
                 "tslib": "^2.6.2"
             },
@@ -7284,14 +7260,14 @@
             }
         },
         "node_modules/@smithy/hash-blob-browser": {
-            "version": "4.2.12",
-            "resolved": "https://registry.npmjs.org/@smithy/hash-blob-browser/-/hash-blob-browser-4.2.12.tgz",
-            "integrity": "sha512-1wQE33DsxkM/waftAhCH9VtJbUGyt1PJ9YRDpOu+q9FUi73LLFUZ2fD8A61g2mT1UY9k7b99+V1xZ41Rz4SHRQ==",
+            "version": "4.2.13",
+            "resolved": "https://registry.npmjs.org/@smithy/hash-blob-browser/-/hash-blob-browser-4.2.13.tgz",
+            "integrity": "sha512-YrF4zWKh+ghLuquldj6e/RzE3xZYL8wIPfkt0MqCRphVICjyyjH8OwKD7LLlKpVEbk4FLizFfC1+gwK6XQdR3g==",
             "license": "Apache-2.0",
             "dependencies": {
                 "@smithy/chunked-blob-reader": "^5.2.2",
                 "@smithy/chunked-blob-reader-native": "^4.2.3",
-                "@smithy/types": "^4.13.0",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7299,12 +7275,12 @@
             }
         },
         "node_modules/@smithy/hash-node": {
-            "version": "4.2.11",
-            "resolved": "https://registry.npmjs.org/@smithy/hash-node/-/hash-node-4.2.11.tgz",
-            "integrity": "sha512-T+p1pNynRkydpdL015ruIoyPSRw9e/SQOWmSAMmmprfswMrd5Ow5igOWNVlvyVFZlxXqGmyH3NQwfwy8r5Jx0A==",
+            "version": "4.2.12",
+            "resolved": "https://registry.npmjs.org/@smithy/hash-node/-/hash-node-4.2.12.tgz",
+            "integrity": "sha512-QhBYbGrbxTkZ43QoTPrK72DoYviDeg6YKDrHTMJbbC+A0sml3kSjzFtXP7BtbyJnXojLfTQldGdUR0RGD8dA3w==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/types": "^4.13.0",
+                "@smithy/types": "^4.13.1",
                 "@smithy/util-buffer-from": "^4.2.2",
                 "@smithy/util-utf8": "^4.2.2",
                 "tslib": "^2.6.2"
@@ -7314,12 +7290,12 @@
             }
         },
         "node_modules/@smithy/hash-stream-node": {
-            "version": "4.2.11",
-            "resolved": "https://registry.npmjs.org/@smithy/hash-stream-node/-/hash-stream-node-4.2.11.tgz",
-            "integrity": "sha512-hQsTjwPCRY8w9GK07w1RqJi3e+myh0UaOWBBhZ1UMSDgofH/Q1fEYzU1teaX6HkpX/eWDdm7tAGR0jBPlz9QEQ==",
+            "version": "4.2.12",
+            "resolved": "https://registry.npmjs.org/@smithy/hash-stream-node/-/hash-stream-node-4.2.12.tgz",
+            "integrity": "sha512-O3YbmGExeafuM/kP7Y8r6+1y0hIh3/zn6GROx0uNlB54K9oihAL75Qtc+jFfLNliTi6pxOAYZrRKD9A7iA6UFw==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/types": "^4.13.0",
+                "@smithy/types": "^4.13.1",
                 "@smithy/util-utf8": "^4.2.2",
                 "tslib": "^2.6.2"
             },
@@ -7328,12 +7304,12 @@
             }
         },
         "node_modules/@smithy/invalid-dependency": {
-            "version": "4.2.11",
-            "resolved": "https://registry.npmjs.org/@smithy/invalid-dependency/-/invalid-dependency-4.2.11.tgz",
-            "integrity": "sha512-cGNMrgykRmddrNhYy1yBdrp5GwIgEkniS7k9O1VLB38yxQtlvrxpZtUVvo6T4cKpeZsriukBuuxfJcdZQc/f/g==",
+            "version": "4.2.12",
+            "resolved": "https://registry.npmjs.org/@smithy/invalid-dependency/-/invalid-dependency-4.2.12.tgz",
+            "integrity": "sha512-/4F1zb7Z8LOu1PalTdESFHR0RbPwHd3FcaG1sI3UEIriQTWakysgJr65lc1jj6QY5ye7aFsisajotH6UhWfm/g==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/types": "^4.13.0",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7353,12 +7329,12 @@
             }
         },
         "node_modules/@smithy/md5-js": {
-            "version": "4.2.11",
-            "resolved": "https://registry.npmjs.org/@smithy/md5-js/-/md5-js-4.2.11.tgz",
-            "integrity": "sha512-350X4kGIrty0Snx2OWv7rPM6p6vM7RzryvFs6B/56Cux3w3sChOb3bymo5oidXJlPcP9fIRxGUCk7GqpiSOtng==",
+            "version": "4.2.12",
+            "resolved": "https://registry.npmjs.org/@smithy/md5-js/-/md5-js-4.2.12.tgz",
+            "integrity": "sha512-W/oIpHCpWU2+iAkfZYyGWE+qkpuf3vEXHLxQQDx9FPNZTTdnul0dZ2d/gUFrtQ5je1G2kp4cjG0/24YueG2LbQ==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/types": "^4.13.0",
+                "@smithy/types": "^4.13.1",
                 "@smithy/util-utf8": "^4.2.2",
                 "tslib": "^2.6.2"
             },
@@ -7367,13 +7343,13 @@
             }
         },
         "node_modules/@smithy/middleware-content-length": {
-            "version": "4.2.11",
-            "resolved": "https://registry.npmjs.org/@smithy/middleware-content-length/-/middleware-content-length-4.2.11.tgz",
-            "integrity": "sha512-UvIfKYAKhCzr4p6jFevPlKhQwyQwlJ6IeKLDhmV1PlYfcW3RL4ROjNEDtSik4NYMi9kDkH7eSwyTP3vNJ/u/Dw==",
+            "version": "4.2.12",
+            "resolved": "https://registry.npmjs.org/@smithy/middleware-content-length/-/middleware-content-length-4.2.12.tgz",
+            "integrity": "sha512-YE58Yz+cvFInWI/wOTrB+DbvUVz/pLn5mC5MvOV4fdRUc6qGwygyngcucRQjAhiCEbmfLOXX0gntSIcgMvAjmA==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/protocol-http": "^5.3.11",
-                "@smithy/types": "^4.13.0",
+                "@smithy/protocol-http": "^5.3.12",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7381,18 +7357,18 @@
             }
         },
         "node_modules/@smithy/middleware-endpoint": {
-            "version": "4.4.23",
-            "resolved": "https://registry.npmjs.org/@smithy/middleware-endpoint/-/middleware-endpoint-4.4.23.tgz",
-            "integrity": "sha512-UEFIejZy54T1EJn2aWJ45voB7RP2T+IRzUqocIdM6GFFa5ClZncakYJfcYnoXt3UsQrZZ9ZRauGm77l9UCbBLw==",
+            "version": "4.4.26",
+            "resolved": "https://registry.npmjs.org/@smithy/middleware-endpoint/-/middleware-endpoint-4.4.26.tgz",
+            "integrity": "sha512-8Qfikvd2GVKSm8S6IbjfwFlRY9VlMrj0Dp4vTwAuhqbX7NhJKE5DQc2bnfJIcY0B+2YKMDBWfvexbSZeejDgeg==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/core": "^3.23.9",
-                "@smithy/middleware-serde": "^4.2.12",
-                "@smithy/node-config-provider": "^4.3.11",
-                "@smithy/shared-ini-file-loader": "^4.4.6",
-                "@smithy/types": "^4.13.0",
-                "@smithy/url-parser": "^4.2.11",
-                "@smithy/util-middleware": "^4.2.11",
+                "@smithy/core": "^3.23.12",
+                "@smithy/middleware-serde": "^4.2.15",
+                "@smithy/node-config-provider": "^4.3.12",
+                "@smithy/shared-ini-file-loader": "^4.4.7",
+                "@smithy/types": "^4.13.1",
+                "@smithy/url-parser": "^4.2.12",
+                "@smithy/util-middleware": "^4.2.12",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7400,18 +7376,18 @@
             }
         },
         "node_modules/@smithy/middleware-retry": {
-            "version": "4.4.40",
-            "resolved": "https://registry.npmjs.org/@smithy/middleware-retry/-/middleware-retry-4.4.40.tgz",
-            "integrity": "sha512-YhEMakG1Ae57FajERdHNZ4ShOPIY7DsgV+ZoAxo/5BT0KIe+f6DDU2rtIymNNFIj22NJfeeI6LWIifrwM0f+rA==",
+            "version": "4.4.43",
+            "resolved": "https://registry.npmjs.org/@smithy/middleware-retry/-/middleware-retry-4.4.43.tgz",
+            "integrity": "sha512-ZwsifBdyuNHrFGmbc7bAfP2b54+kt9J2rhFd18ilQGAB+GDiP4SrawqyExbB7v455QVR7Psyhb2kjULvBPIhvA==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/node-config-provider": "^4.3.11",
-                "@smithy/protocol-http": "^5.3.11",
-                "@smithy/service-error-classification": "^4.2.11",
-                "@smithy/smithy-client": "^4.12.3",
-                "@smithy/types": "^4.13.0",
-                "@smithy/util-middleware": "^4.2.11",
-                "@smithy/util-retry": "^4.2.11",
+                "@smithy/node-config-provider": "^4.3.12",
+                "@smithy/protocol-http": "^5.3.12",
+                "@smithy/service-error-classification": "^4.2.12",
+                "@smithy/smithy-client": "^4.12.6",
+                "@smithy/types": "^4.13.1",
+                "@smithy/util-middleware": "^4.2.12",
+                "@smithy/util-retry": "^4.2.12",
                 "@smithy/uuid": "^1.1.2",
                 "tslib": "^2.6.2"
             },
@@ -7420,13 +7396,14 @@
             }
         },
         "node_modules/@smithy/middleware-serde": {
-            "version": "4.2.12",
-            "resolved": "https://registry.npmjs.org/@smithy/middleware-serde/-/middleware-serde-4.2.12.tgz",
-            "integrity": "sha512-W9g1bOLui7Xn5FABRVS0o3rXL0gfN37d/8I/W7i0N7oxjx9QecUmXEMSUMADTODwdtka9cN43t5BI2CodLJpng==",
+            "version": "4.2.15",
+            "resolved": "https://registry.npmjs.org/@smithy/middleware-serde/-/middleware-serde-4.2.15.tgz",
+            "integrity": "sha512-ExYhcltZSli0pgAKOpQQe1DLFBLryeZ22605y/YS+mQpdNWekum9Ujb/jMKfJKgjtz1AZldtwA/wCYuKJgjjlg==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/protocol-http": "^5.3.11",
-                "@smithy/types": "^4.13.0",
+                "@smithy/core": "^3.23.12",
+                "@smithy/protocol-http": "^5.3.12",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7434,12 +7411,12 @@
             }
         },
         "node_modules/@smithy/middleware-stack": {
-            "version": "4.2.11",
-            "resolved": "https://registry.npmjs.org/@smithy/middleware-stack/-/middleware-stack-4.2.11.tgz",
-            "integrity": "sha512-s+eenEPW6RgliDk2IhjD2hWOxIx1NKrOHxEwNUaUXxYBxIyCcDfNULZ2Mu15E3kwcJWBedTET/kEASPV1A1Akg==",
+            "version": "4.2.12",
+            "resolved": "https://registry.npmjs.org/@smithy/middleware-stack/-/middleware-stack-4.2.12.tgz",
+            "integrity": "sha512-kruC5gRHwsCOuyCd4ouQxYjgRAym2uDlCvQ5acuMtRrcdfg7mFBg6blaxcJ09STpt3ziEkis6bhg1uwrWU7txw==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/types": "^4.13.0",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7447,14 +7424,14 @@
             }
         },
         "node_modules/@smithy/node-config-provider": {
-            "version": "4.3.11",
-            "resolved": "https://registry.npmjs.org/@smithy/node-config-provider/-/node-config-provider-4.3.11.tgz",
-            "integrity": "sha512-xD17eE7kaLgBBGf5CZQ58hh2YmwK1Z0O8YhffwB/De2jsL0U3JklmhVYJ9Uf37OtUDLF2gsW40Xwwag9U869Gg==",
+            "version": "4.3.12",
+            "resolved": "https://registry.npmjs.org/@smithy/node-config-provider/-/node-config-provider-4.3.12.tgz",
+            "integrity": "sha512-tr2oKX2xMcO+rBOjobSwVAkV05SIfUKz8iI53rzxEmgW3GOOPOv0UioSDk+J8OpRQnpnhsO3Af6IEBabQBVmiw==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/property-provider": "^4.2.11",
-                "@smithy/shared-ini-file-loader": "^4.4.6",
-                "@smithy/types": "^4.13.0",
+                "@smithy/property-provider": "^4.2.12",
+                "@smithy/shared-ini-file-loader": "^4.4.7",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7462,15 +7439,15 @@
             }
         },
         "node_modules/@smithy/node-http-handler": {
-            "version": "4.4.14",
-            "resolved": "https://registry.npmjs.org/@smithy/node-http-handler/-/node-http-handler-4.4.14.tgz",
-            "integrity": "sha512-DamSqaU8nuk0xTJDrYnRzZndHwwRnyj/n/+RqGGCcBKB4qrQem0mSDiWdupaNWdwxzyMU91qxDmHOCazfhtO3A==",
+            "version": "4.5.0",
+            "resolved": "https://registry.npmjs.org/@smithy/node-http-handler/-/node-http-handler-4.5.0.tgz",
+            "integrity": "sha512-Rnq9vQWiR1+/I6NZZMNzJHV6pZYyEHt2ZnuV3MG8z2NNenC4i/8Kzttz7CjZiHSmsN5frhXhg17z3Zqjjhmz1A==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/abort-controller": "^4.2.11",
-                "@smithy/protocol-http": "^5.3.11",
-                "@smithy/querystring-builder": "^4.2.11",
-                "@smithy/types": "^4.13.0",
+                "@smithy/abort-controller": "^4.2.12",
+                "@smithy/protocol-http": "^5.3.12",
+                "@smithy/querystring-builder": "^4.2.12",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7478,12 +7455,12 @@
             }
         },
         "node_modules/@smithy/property-provider": {
-            "version": "4.2.11",
-            "resolved": "https://registry.npmjs.org/@smithy/property-provider/-/property-provider-4.2.11.tgz",
-            "integrity": "sha512-14T1V64o6/ndyrnl1ze1ZhyLzIeYNN47oF/QU6P5m82AEtyOkMJTb0gO1dPubYjyyKuPD6OSVMPDKe+zioOnCg==",
+            "version": "4.2.12",
+            "resolved": "https://registry.npmjs.org/@smithy/property-provider/-/property-provider-4.2.12.tgz",
+            "integrity": "sha512-jqve46eYU1v7pZ5BM+fmkbq3DerkSluPr5EhvOcHxygxzD05ByDRppRwRPPpFrsFo5yDtCYLKu+kreHKVrvc7A==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/types": "^4.13.0",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7491,12 +7468,12 @@
             }
         },
         "node_modules/@smithy/protocol-http": {
-            "version": "5.3.11",
-            "resolved": "https://registry.npmjs.org/@smithy/protocol-http/-/protocol-http-5.3.11.tgz",
-            "integrity": "sha512-hI+barOVDJBkNt4y0L2mu3Ugc0w7+BpJ2CZuLwXtSltGAAwCb3IvnalGlbDV/UCS6a9ZuT3+exd1WxNdLb5IlQ==",
+            "version": "5.3.12",
+            "resolved": "https://registry.npmjs.org/@smithy/protocol-http/-/protocol-http-5.3.12.tgz",
+            "integrity": "sha512-fit0GZK9I1xoRlR4jXmbLhoN0OdEpa96ul8M65XdmXnxXkuMxM0Y8HDT0Fh0Xb4I85MBvBClOzgSrV1X2s1Hxw==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/types": "^4.13.0",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7504,12 +7481,12 @@
             }
         },
         "node_modules/@smithy/querystring-builder": {
-            "version": "4.2.11",
-            "resolved": "https://registry.npmjs.org/@smithy/querystring-builder/-/querystring-builder-4.2.11.tgz",
-            "integrity": "sha512-7spdikrYiljpket6u0up2Ck2mxhy7dZ0+TDd+S53Dg2DHd6wg+YNJrTCHiLdgZmEXZKI7LJZcwL3721ZRDFiqA==",
+            "version": "4.2.12",
+            "resolved": "https://registry.npmjs.org/@smithy/querystring-builder/-/querystring-builder-4.2.12.tgz",
+            "integrity": "sha512-6wTZjGABQufekycfDGMEB84BgtdOE/rCVTov+EDXQ8NHKTUNIp/j27IliwP7tjIU9LR+sSzyGBOXjeEtVgzCHg==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/types": "^4.13.0",
+                "@smithy/types": "^4.13.1",
                 "@smithy/util-uri-escape": "^4.2.2",
                 "tslib": "^2.6.2"
             },
@@ -7518,12 +7495,12 @@
             }
         },
         "node_modules/@smithy/querystring-parser": {
-            "version": "4.2.11",
-            "resolved": "https://registry.npmjs.org/@smithy/querystring-parser/-/querystring-parser-4.2.11.tgz",
-            "integrity": "sha512-nE3IRNjDltvGcoThD2abTozI1dkSy8aX+a2N1Rs55en5UsdyyIXgGEmevUL3okZFoJC77JgRGe99xYohhsjivQ==",
+            "version": "4.2.12",
+            "resolved": "https://registry.npmjs.org/@smithy/querystring-parser/-/querystring-parser-4.2.12.tgz",
+            "integrity": "sha512-P2OdvrgiAKpkPNKlKUtWbNZKB1XjPxM086NeVhK+W+wI46pIKdWBe5QyXvhUm3MEcyS/rkLvY8rZzyUdmyDZBw==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/types": "^4.13.0",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7531,24 +7508,24 @@
             }
         },
         "node_modules/@smithy/service-error-classification": {
-            "version": "4.2.11",
-            "resolved": "https://registry.npmjs.org/@smithy/service-error-classification/-/service-error-classification-4.2.11.tgz",
-            "integrity": "sha512-HkMFJZJUhzU3HvND1+Yw/kYWXp4RPDLBWLcK1n+Vqw8xn4y2YiBhdww8IxhkQjP/QlZun5bwm3vcHc8AqIU3zw==",
+            "version": "4.2.12",
+            "resolved": "https://registry.npmjs.org/@smithy/service-error-classification/-/service-error-classification-4.2.12.tgz",
+            "integrity": "sha512-LlP29oSQN0Tw0b6D0Xo6BIikBswuIiGYbRACy5ujw/JgWSzTdYj46U83ssf6Ux0GyNJVivs2uReU8pt7Eu9okQ==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/types": "^4.13.0"
+                "@smithy/types": "^4.13.1"
             },
             "engines": {
                 "node": ">=18.0.0"
             }
         },
         "node_modules/@smithy/shared-ini-file-loader": {
-            "version": "4.4.6",
-            "resolved": "https://registry.npmjs.org/@smithy/shared-ini-file-loader/-/shared-ini-file-loader-4.4.6.tgz",
-            "integrity": "sha512-IB/M5I8G0EeXZTHsAxpx51tMQ5R719F3aq+fjEB6VtNcCHDc0ajFDIGDZw+FW9GxtEkgTduiPpjveJdA/CX7sw==",
+            "version": "4.4.7",
+            "resolved": "https://registry.npmjs.org/@smithy/shared-ini-file-loader/-/shared-ini-file-loader-4.4.7.tgz",
+            "integrity": "sha512-HrOKWsUb+otTeo1HxVWeEb99t5ER1XrBi/xka2Wv6NVmTbuCUC1dvlrksdvxFtODLBjsC+PHK+fuy2x/7Ynyiw==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/types": "^4.13.0",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7556,16 +7533,16 @@
             }
         },
         "node_modules/@smithy/signature-v4": {
-            "version": "5.3.11",
-            "resolved": "https://registry.npmjs.org/@smithy/signature-v4/-/signature-v4-5.3.11.tgz",
-            "integrity": "sha512-V1L6N9aKOBAN4wEHLyqjLBnAz13mtILU0SeDrjOaIZEeN6IFa6DxwRt1NNpOdmSpQUfkBj0qeD3m6P77uzMhgQ==",
+            "version": "5.3.12",
+            "resolved": "https://registry.npmjs.org/@smithy/signature-v4/-/signature-v4-5.3.12.tgz",
+            "integrity": "sha512-B/FBwO3MVOL00DaRSXfXfa/TRXRheagt/q5A2NM13u7q+sHS59EOVGQNfG7DkmVtdQm5m3vOosoKAXSqn/OEgw==",
             "license": "Apache-2.0",
             "dependencies": {
                 "@smithy/is-array-buffer": "^4.2.2",
-                "@smithy/protocol-http": "^5.3.11",
-                "@smithy/types": "^4.13.0",
+                "@smithy/protocol-http": "^5.3.12",
+                "@smithy/types": "^4.13.1",
                 "@smithy/util-hex-encoding": "^4.2.2",
-                "@smithy/util-middleware": "^4.2.11",
+                "@smithy/util-middleware": "^4.2.12",
                 "@smithy/util-uri-escape": "^4.2.2",
                 "@smithy/util-utf8": "^4.2.2",
                 "tslib": "^2.6.2"
@@ -7575,17 +7552,17 @@
             }
         },
         "node_modules/@smithy/smithy-client": {
-            "version": "4.12.3",
-            "resolved": "https://registry.npmjs.org/@smithy/smithy-client/-/smithy-client-4.12.3.tgz",
-            "integrity": "sha512-7k4UxjSpHmPN2AxVhvIazRSzFQjWnud3sOsXcFStzagww17j1cFQYqTSiQ8xuYK3vKLR1Ni8FzuT3VlKr3xCNw==",
+            "version": "4.12.6",
+            "resolved": "https://registry.npmjs.org/@smithy/smithy-client/-/smithy-client-4.12.6.tgz",
+            "integrity": "sha512-aib3f0jiMsJ6+cvDnXipBsGDL7ztknYSVqJs1FdN9P+u9tr/VzOR7iygSh6EUOdaBeMCMSh3N0VdyYsG4o91DQ==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/core": "^3.23.9",
-                "@smithy/middleware-endpoint": "^4.4.23",
-                "@smithy/middleware-stack": "^4.2.11",
-                "@smithy/protocol-http": "^5.3.11",
-                "@smithy/types": "^4.13.0",
-                "@smithy/util-stream": "^4.5.17",
+                "@smithy/core": "^3.23.12",
+                "@smithy/middleware-endpoint": "^4.4.26",
+                "@smithy/middleware-stack": "^4.2.12",
+                "@smithy/protocol-http": "^5.3.12",
+                "@smithy/types": "^4.13.1",
+                "@smithy/util-stream": "^4.5.20",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7593,9 +7570,9 @@
             }
         },
         "node_modules/@smithy/types": {
-            "version": "4.13.0",
-            "resolved": "https://registry.npmjs.org/@smithy/types/-/types-4.13.0.tgz",
-            "integrity": "sha512-COuLsZILbbQsdrwKQpkkpyep7lCsByxwj7m0Mg5v66/ZTyenlfBc40/QFQ5chO0YN/PNEH1Bi3fGtfXPnYNeDw==",
+            "version": "4.13.1",
+            "resolved": "https://registry.npmjs.org/@smithy/types/-/types-4.13.1.tgz",
+            "integrity": "sha512-787F3yzE2UiJIQ+wYW1CVg2odHjmaWLGksnKQHUrK/lYZSEcy1msuLVvxaR/sI2/aDe9U+TBuLsXnr3vod1g0g==",
             "license": "Apache-2.0",
             "dependencies": {
                 "tslib": "^2.6.2"
@@ -7605,13 +7582,13 @@
             }
         },
         "node_modules/@smithy/url-parser": {
-            "version": "4.2.11",
-            "resolved": "https://registry.npmjs.org/@smithy/url-parser/-/url-parser-4.2.11.tgz",
-            "integrity": "sha512-oTAGGHo8ZYc5VZsBREzuf5lf2pAurJQsccMusVZ85wDkX66ojEc/XauiGjzCj50A61ObFTPe6d7Pyt6UBYaing==",
+            "version": "4.2.12",
+            "resolved": "https://registry.npmjs.org/@smithy/url-parser/-/url-parser-4.2.12.tgz",
+            "integrity": "sha512-wOPKPEpso+doCZGIlr+e1lVI6+9VAKfL4kZWFgzVgGWY2hZxshNKod4l2LXS3PRC9otH/JRSjtEHqQ/7eLciRA==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/querystring-parser": "^4.2.11",
-                "@smithy/types": "^4.13.0",
+                "@smithy/querystring-parser": "^4.2.12",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7682,14 +7659,14 @@
             }
         },
         "node_modules/@smithy/util-defaults-mode-browser": {
-            "version": "4.3.39",
-            "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-browser/-/util-defaults-mode-browser-4.3.39.tgz",
-            "integrity": "sha512-ui7/Ho/+VHqS7Km2wBw4/Ab4RktoiSshgcgpJzC4keFPs6tLJS4IQwbeahxQS3E/w98uq6E1mirCH/id9xIXeQ==",
+            "version": "4.3.42",
+            "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-browser/-/util-defaults-mode-browser-4.3.42.tgz",
+            "integrity": "sha512-0vjwmcvkWAUtikXnWIUOyV6IFHTEeQUYh3JUZcDgcszF+hD/StAsQ3rCZNZEPHgI9kVNcbnyc8P2CBHnwgmcwg==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/property-provider": "^4.2.11",
-                "@smithy/smithy-client": "^4.12.3",
-                "@smithy/types": "^4.13.0",
+                "@smithy/property-provider": "^4.2.12",
+                "@smithy/smithy-client": "^4.12.6",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7697,17 +7674,17 @@
             }
         },
         "node_modules/@smithy/util-defaults-mode-node": {
-            "version": "4.2.42",
-            "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-node/-/util-defaults-mode-node-4.2.42.tgz",
-            "integrity": "sha512-QDA84CWNe8Akpj15ofLO+1N3Rfg8qa2K5uX0y6HnOp4AnRYRgWrKx/xzbYNbVF9ZsyJUYOfcoaN3y93wA/QJ2A==",
+            "version": "4.2.45",
+            "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-node/-/util-defaults-mode-node-4.2.45.tgz",
+            "integrity": "sha512-q5dOqqfTgUcLe38TAGiFn9srToKj2YCHJ34QGOLzM+xYLLA+qRZv7N+33kl1MERVusue36ZHnlNaNEvY/PzSrw==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/config-resolver": "^4.4.10",
-                "@smithy/credential-provider-imds": "^4.2.11",
-                "@smithy/node-config-provider": "^4.3.11",
-                "@smithy/property-provider": "^4.2.11",
-                "@smithy/smithy-client": "^4.12.3",
-                "@smithy/types": "^4.13.0",
+                "@smithy/config-resolver": "^4.4.11",
+                "@smithy/credential-provider-imds": "^4.2.12",
+                "@smithy/node-config-provider": "^4.3.12",
+                "@smithy/property-provider": "^4.2.12",
+                "@smithy/smithy-client": "^4.12.6",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7715,13 +7692,13 @@
             }
         },
         "node_modules/@smithy/util-endpoints": {
-            "version": "3.3.2",
-            "resolved": "https://registry.npmjs.org/@smithy/util-endpoints/-/util-endpoints-3.3.2.tgz",
-            "integrity": "sha512-+4HFLpE5u29AbFlTdlKIT7jfOzZ8PDYZKTb3e+AgLz986OYwqTourQ5H+jg79/66DB69Un1+qKecLnkZdAsYcA==",
+            "version": "3.3.3",
+            "resolved": "https://registry.npmjs.org/@smithy/util-endpoints/-/util-endpoints-3.3.3.tgz",
+            "integrity": "sha512-VACQVe50j0HZPjpwWcjyT51KUQ4AnsvEaQ2lKHOSL4mNLD0G9BjEniQ+yCt1qqfKfiAHRAts26ud7hBjamrwig==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/node-config-provider": "^4.3.11",
-                "@smithy/types": "^4.13.0",
+                "@smithy/node-config-provider": "^4.3.12",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7741,12 +7718,12 @@
             }
         },
         "node_modules/@smithy/util-middleware": {
-            "version": "4.2.11",
-            "resolved": "https://registry.npmjs.org/@smithy/util-middleware/-/util-middleware-4.2.11.tgz",
-            "integrity": "sha512-r3dtF9F+TpSZUxpOVVtPfk09Rlo4lT6ORBqEvX3IBT6SkQAdDSVKR5GcfmZbtl7WKhKnmb3wbDTQ6ibR2XHClw==",
+            "version": "4.2.12",
+            "resolved": "https://registry.npmjs.org/@smithy/util-middleware/-/util-middleware-4.2.12.tgz",
+            "integrity": "sha512-Er805uFUOvgc0l8nv0e0su0VFISoxhJ/AwOn3gL2NWNY2LUEldP5WtVcRYSQBcjg0y9NfG8JYrCJaYDpupBHJQ==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/types": "^4.13.0",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7754,13 +7731,13 @@
             }
         },
         "node_modules/@smithy/util-retry": {
-            "version": "4.2.11",
-            "resolved": "https://registry.npmjs.org/@smithy/util-retry/-/util-retry-4.2.11.tgz",
-            "integrity": "sha512-XSZULmL5x6aCTTii59wJqKsY1l3eMIAomRAccW7Tzh9r8s7T/7rdo03oektuH5jeYRlJMPcNP92EuRDvk9aXbw==",
+            "version": "4.2.12",
+            "resolved": "https://registry.npmjs.org/@smithy/util-retry/-/util-retry-4.2.12.tgz",
+            "integrity": "sha512-1zopLDUEOwumjcHdJ1mwBHddubYF8GMQvstVCLC54Y46rqoHwlIU+8ZzUeaBcD+WCJHyDGSeZ2ml9YSe9aqcoQ==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/service-error-classification": "^4.2.11",
-                "@smithy/types": "^4.13.0",
+                "@smithy/service-error-classification": "^4.2.12",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -7768,14 +7745,14 @@
             }
         },
         "node_modules/@smithy/util-stream": {
-            "version": "4.5.17",
-            "resolved": "https://registry.npmjs.org/@smithy/util-stream/-/util-stream-4.5.17.tgz",
-            "integrity": "sha512-793BYZ4h2JAQkNHcEnyFxDTcZbm9bVybD0UV/LEWmZ5bkTms7JqjfrLMi2Qy0E5WFcCzLwCAPgcvcvxoeALbAQ==",
+            "version": "4.5.20",
+            "resolved": "https://registry.npmjs.org/@smithy/util-stream/-/util-stream-4.5.20.tgz",
+            "integrity": "sha512-4yXLm5n/B5SRBR2p8cZ90Sbv4zL4NKsgxdzCzp/83cXw2KxLEumt5p+GAVyRNZgQOSrzXn9ARpO0lUe8XSlSDw==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/fetch-http-handler": "^5.3.13",
-                "@smithy/node-http-handler": "^4.4.14",
-                "@smithy/types": "^4.13.0",
+                "@smithy/fetch-http-handler": "^5.3.15",
+                "@smithy/node-http-handler": "^4.5.0",
+                "@smithy/types": "^4.13.1",
                 "@smithy/util-base64": "^4.3.2",
                 "@smithy/util-buffer-from": "^4.2.2",
                 "@smithy/util-hex-encoding": "^4.2.2",
@@ -7812,13 +7789,13 @@
             }
         },
         "node_modules/@smithy/util-waiter": {
-            "version": "4.2.11",
-            "resolved": "https://registry.npmjs.org/@smithy/util-waiter/-/util-waiter-4.2.11.tgz",
-            "integrity": "sha512-x7Rh2azQPs3XxbvCzcttRErKKvLnbZfqRf/gOjw2pb+ZscX88e5UkRPCB67bVnsFHxayvMvmePfKTqsRb+is1A==",
+            "version": "4.2.13",
+            "resolved": "https://registry.npmjs.org/@smithy/util-waiter/-/util-waiter-4.2.13.tgz",
+            "integrity": "sha512-2zdZ9DTHngRtcYxJK1GUDxruNr53kv5W2Lupe0LMU+Imr6ohQg8M2T14MNkj1Y0wS3FFwpgpGQyvuaMF7CiTmQ==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@smithy/abort-controller": "^4.2.11",
-                "@smithy/types": "^4.13.0",
+                "@smithy/abort-controller": "^4.2.12",
+                "@smithy/types": "^4.13.1",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -8469,7 +8446,6 @@
             "version": "5.90.21",
             "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.90.21.tgz",
             "integrity": "sha512-0Lu6y5t+tvlTJMTO7oh5NSpJfpg/5D41LlThfepTixPYkJ0sE2Jj0m0f6yYqujBwIXlId87e234+MxG3D3g7kg==",
-            "peer": true,
             "dependencies": {
                 "@tanstack/query-core": "5.90.20"
             },
@@ -8585,7 +8561,6 @@
             "integrity": "sha512-NMv9ASNARoKksWtsq/SHakpYAYnhBrQgGD8zkLYk/jaK8jUGn08CfEdTRgYhMypUQAfzSP8W6gNLe0q19/t4VA==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@types/node": "*"
             }
@@ -8926,7 +8901,6 @@
             "integrity": "sha512-sKYVuV7Sv9fbPIt/442koC7+IIwK5olP1KWeD88e/idgoJqDm3JV/YUiPwkoKK92ylff2MGxSz1CSjsXelx0YA==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@types/body-parser": "*",
                 "@types/express-serve-static-core": "^5.0.0",
@@ -9022,7 +8996,6 @@
             "integrity": "sha512-oX8xrhvpiyRCQkG1MFchB09f+cXftgIXb3a7UUa4Y3wpmZPw5tyZGTLWhlESOLq1Rq6oDlc8npVU2/9xiCuXMA==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "undici-types": "~7.18.0"
             }
@@ -9050,7 +9023,6 @@
             "integrity": "sha512-gT+oueVQkqnj6ajGJXblFR4iavIXWsGAFCk3dP4Kki5+a9R4NMt0JARdk6s8cUKcfUoqP5dAtDSLU8xYUTFV+Q==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@types/node": "*",
                 "pg-protocol": "*",
@@ -9076,7 +9048,6 @@
             "resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.14.tgz",
             "integrity": "sha512-ilcTH/UniCkMdtexkoCN0bI7pMcJDvmQFPvuPvmEaYA/NSfFTAgdUSLAoVjaRJm7+6PvcM+q1zYOwS4wTYMF9w==",
             "devOptional": true,
-            "peer": true,
             "dependencies": {
                 "csstype": "^3.2.2"
             }
@@ -9087,7 +9058,6 @@
             "integrity": "sha512-jp2L/eY6fn+KgVVQAOqYItbF0VY/YApe5Mz2F0aykSO8gx31bYCZyvSeYxCHKvzHG5eZjc+zyaS5BrBWya2+kQ==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "peerDependencies": {
                 "@types/react": "^19.2.0"
             }
@@ -9174,7 +9144,8 @@
             "resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.7.tgz",
             "integrity": "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==",
             "license": "MIT",
-            "optional": true
+            "optional": true,
+            "peer": true
         },
         "node_modules/@types/ws": {
             "version": "8.18.1",
@@ -9248,7 +9219,6 @@
             "integrity": "sha512-klQbnPAAiGYFyI02+znpBRLyjL4/BrBd0nyWkdC0s/6xFLkXYQ8OoRrSkqacS1ddVxf/LDyODIKbQ5TgKAf/Fg==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@typescript-eslint/scope-manager": "8.56.1",
                 "@typescript-eslint/types": "8.56.1",
@@ -9774,7 +9744,6 @@
             "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "bin": {
                 "acorn": "bin/acorn"
             },
@@ -10239,7 +10208,6 @@
             "integrity": "sha512-Ixm8tFfoKKIPYdCCKYTsqv+Fd4IJ0DQqMyEimo+pxUOMUR9cVPlwTrFt9Avu+3cb6Zp3mAzl+t1MrG2fxxKsxw==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@babel/types": "^7.26.0"
             }
@@ -10306,7 +10274,6 @@
             "integrity": "sha512-Ba0KR+Fzxh2jDRhdg6TSH0SJGzb8C0aBY4hR8w8madIdIzzC6Y1+kx5qR6eS1Z+Gy20h6ZU28aeyg0z1VIrShQ==",
             "hasInstallScript": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "bindings": "^1.5.0",
                 "prebuild-install": "^7.1.1"
@@ -10434,7 +10401,6 @@
                 }
             ],
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "baseline-browser-mapping": "^2.9.0",
                 "caniuse-lite": "^1.0.30001759",
@@ -11388,7 +11354,6 @@
             "resolved": "https://registry.npmjs.org/d3-selection/-/d3-selection-3.0.0.tgz",
             "integrity": "sha512-fmTRWbNMmsmWq6xJV8D19U/gw/bwrHfNXxrIN+HfZgnzqTHp9jOmKMhsTUjXOJnZOdZY9Q28y4yebKzqDKlxlQ==",
             "license": "ISC",
-            "peer": true,
             "engines": {
                 "node": ">=12"
             }
@@ -11829,6 +11794,7 @@
             "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.2.tgz",
             "integrity": "sha512-6obghkliLdmKa56xdbLOpUZ43pAR6xFy1uOrxBaIDjT+yaRuuybLjGS9eVBoSR/UPU5fq3OXClEHLJNGvbxKpQ==",
             "license": "(MPL-2.0 OR Apache-2.0)",
+            "peer": true,
             "engines": {
                 "node": ">=20"
             },
@@ -12461,7 +12427,6 @@
             "dev": true,
             "hasInstallScript": true,
             "license": "MIT",
-            "peer": true,
             "bin": {
                 "esbuild": "bin/esbuild"
             },
@@ -12560,7 +12525,6 @@
             "integrity": "sha512-LEyamqS7W5HB3ujJyvi0HQK/dtVINZvd5mAAp9eT5S/ujByGjiZLCzPcHVzuXbpJDJF/cxwHlfceVUDZ2lnSTw==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@eslint-community/eslint-utils": "^4.8.0",
                 "@eslint-community/regexpp": "^4.12.1",
@@ -12746,7 +12710,6 @@
             "integrity": "sha512-whOE1HFo/qJDyX4SnXzP4N6zOWn79WhnCUY/iDR0mPfQZO8wcYE4JClzI2oZrhBnnMUCBCHZhO6VQyoBU95mZA==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@rtsao/scc": "^1.1.0",
                 "array-includes": "^3.1.9",
@@ -13066,7 +13029,6 @@
             "resolved": "https://registry.npmjs.org/express/-/express-5.2.1.tgz",
             "integrity": "sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "accepts": "^2.0.0",
                 "body-parser": "^2.2.1",
@@ -13232,16 +13194,19 @@
             "license": "BSD-3-Clause"
         },
         "node_modules/fast-xml-builder": {
-            "version": "1.0.0",
-            "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.0.0.tgz",
-            "integrity": "sha512-fpZuDogrAgnyt9oDDz+5DBz0zgPdPZz6D4IR7iESxRXElrlGTRkHJ9eEt+SACRJwT0FNFrt71DFQIUFBJfX/uQ==",
+            "version": "1.1.4",
+            "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.4.tgz",
+            "integrity": "sha512-f2jhpN4Eccy0/Uz9csxh3Nu6q4ErKxf0XIsasomfOihuSUa3/xw6w8dnOtCDgEItQFJG8KyXPzQXzcODDrrbOg==",
             "funding": [
                 {
                     "type": "github",
                     "url": "https://github.com/sponsors/NaturalIntelligence"
                 }
             ],
-            "license": "MIT"
+            "license": "MIT",
+            "dependencies": {
+                "path-expression-matcher": "^1.1.3"
+            }
         },
         "node_modules/fast-xml-parser": {
             "version": "5.4.1",
@@ -15593,6 +15558,7 @@
             "resolved": "https://registry.npmjs.org/monaco-editor/-/monaco-editor-0.55.1.tgz",
             "integrity": "sha512-jz4x+TJNFHwHtwuV9vA9rMujcZRb0CEilTEwG2rRSpe/A7Jdkuj8xPKttCgOh+v/lkHy7HsZ64oj+q3xoAFl9A==",
             "license": "MIT",
+            "peer": true,
             "dependencies": {
                 "dompurify": "3.2.7",
                 "marked": "14.0.0"
@@ -15603,6 +15569,7 @@
             "resolved": "https://registry.npmjs.org/marked/-/marked-14.0.0.tgz",
             "integrity": "sha512-uIj4+faQ+MgHgwUW1l2PsPglZLOLOT1uErt06dAPtx2kjteLAkbsd/0FiYg/MGS+i7ZKLb7w2WClxHkzOOuryQ==",
             "license": "MIT",
+            "peer": true,
             "bin": {
                 "marked": "bin/marked.js"
             },
@@ -15690,7 +15657,6 @@
             "version": "15.5.12",
             "resolved": "https://registry.npmjs.org/next/-/next-15.5.12.tgz",
             "integrity": "sha512-Fi/wQ4Etlrn60rz78bebG1i1SR20QxvV8tVp6iJspjLUSHcZoeUXCt+vmWoEcza85ElZzExK/jJ/F6SvtGktjA==",
-            "peer": true,
             "dependencies": {
                 "@next/env": "15.5.12",
                 "@swc/helpers": "0.5.15",
@@ -16543,6 +16509,21 @@
                 "node": ">=8"
             }
         },
+        "node_modules/path-expression-matcher": {
+            "version": "1.1.3",
+            "resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.1.3.tgz",
+            "integrity": "sha512-qdVgY8KXmVdJZRSS1JdEPOKPdTiEK/pi0RkcT2sw1RhXxohdujUlJFPuS1TSkevZ9vzd3ZlL7ULl1MHGTApKzQ==",
+            "funding": [
+                {
+                    "type": "github",
+                    "url": "https://github.com/sponsors/NaturalIntelligence"
+                }
+            ],
+            "license": "MIT",
+            "engines": {
+                "node": ">=14.0.0"
+            }
+        },
         "node_modules/path-key": {
             "version": "3.1.1",
             "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz",
@@ -16625,7 +16606,6 @@
             "resolved": "https://registry.npmjs.org/pg/-/pg-8.20.0.tgz",
             "integrity": "sha512-ldhMxz2r8fl/6QkXnBD3CR9/xg694oT6DZQ2s6c/RI28OjtSOpxnPrUCGOBJ46RCUxcWdx3p6kw/xnDHjKvaRA==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "pg-connection-string": "^2.12.0",
                 "pg-pool": "^3.13.0",
@@ -17130,7 +17110,6 @@
             "resolved": "https://registry.npmjs.org/react/-/react-19.2.4.tgz",
             "integrity": "sha512-9nfp2hYpCwOjAN+8TZFGhtWEwgvWHXqESH8qT89AT/lWklpLON22Lc8pEtnpsZz7VmawabSU0gCjnj8aC0euHQ==",
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": ">=0.10.0"
             }
@@ -17162,7 +17141,6 @@
             "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.4.tgz",
             "integrity": "sha512-AXJdLo8kgMbimY95O2aKQqsz2iWi9jMgKJhRBAxECE4IFxfcazB2LmzloIoibJI3C12IlY20+KFaLv+71bUJeQ==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "scheduler": "^0.27.0"
             },
@@ -17518,7 +17496,6 @@
             "resolved": "https://registry.npmjs.org/react-hook-form/-/react-hook-form-7.71.2.tgz",
             "integrity": "sha512-1CHvcDYzuRUNOflt4MOq3ZM46AronNJtQ1S7tnX6YN4y72qhgiUItpacZUAQ0TyWYci3yz1X+rXaSxiuEm86PA==",
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": ">=18.0.0"
             },
@@ -19003,8 +18980,7 @@
             "version": "4.2.1",
             "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.2.1.tgz",
             "integrity": "sha512-/tBrSQ36vCleJkAOsy9kbNTgaxvGbyOamC30PRePTQe/o1MFwEKHQk4Cn7BNGaPtjp+PuUrByJehM1hgxfq4sw==",
-            "license": "MIT",
-            "peer": true
+            "license": "MIT"
         },
         "node_modules/tapable": {
             "version": "2.3.0",
@@ -19479,7 +19455,6 @@
             "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
             "devOptional": true,
             "license": "Apache-2.0",
-            "peer": true,
             "bin": {
                 "tsc": "bin/tsc",
                 "tsserver": "bin/tsserver"
@@ -19907,7 +19882,6 @@
             "resolved": "https://registry.npmjs.org/winston/-/winston-3.19.0.tgz",
             "integrity": "sha512-LZNJgPzfKR+/J3cHkxcpHKpKKvGfDZVPS4hfJCc4cCG0CgYzvlD6yE/S3CIL/Yt91ak327YCpiF/0MyeZHEHKA==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@colors/colors": "^1.6.0",
                 "@dabh/diagnostics": "^2.0.8",
@@ -20114,7 +20088,6 @@
             "resolved": "https://registry.npmjs.org/zod/-/zod-4.3.6.tgz",
             "integrity": "sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg==",
             "license": "MIT",
-            "peer": true,
             "funding": {
                 "url": "https://github.com/sponsors/colinhacks"
             }
diff --git a/package.json b/package.json
index 3529de66a..628de4435 100644
--- a/package.json
+++ b/package.json
@@ -33,7 +33,7 @@
     },
     "dependencies": {
         "@asteasolutions/zod-to-openapi": "8.4.1",
-        "@aws-sdk/client-s3": "3.1004.0",
+        "@aws-sdk/client-s3": "3.1011.0",
         "@faker-js/faker": "10.3.0",
         "@headlessui/react": "2.2.9",
         "@hookform/resolvers": "5.2.2",
@@ -62,8 +62,8 @@
         "@react-email/components": "1.0.8",
         "@react-email/render": "2.0.4",
         "@react-email/tailwind": "2.0.5",
-        "@simplewebauthn/browser": "13.2.2",
-        "@simplewebauthn/server": "13.2.3",
+        "@simplewebauthn/browser": "13.3.0",
+        "@simplewebauthn/server": "13.3.0",
         "@tailwindcss/forms": "0.5.11",
         "@tanstack/react-query": "5.90.21",
         "@tanstack/react-table": "8.21.3",

From 6c83e78256eb9437c9986e6e1d2db4dd41fbffbc Mon Sep 17 00:00:00 2001
From: Laurence <laurence.jones@live.co.uk>
Date: Wed, 18 Mar 2026 16:06:50 +0000
Subject: [PATCH 025/314] chore(readme): Reorder and promote cloud

Simply moving the items around and improve the messaging around the cloud
---
 README.md | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index c566c8677..bac7b7e56 100644
--- a/README.md
+++ b/README.md
@@ -43,7 +43,7 @@
 
 <p align="center">
     <strong>
-        Start testing Pangolin at <a href="https://app.pangolin.net/auth/signup">app.pangolin.net</a>
+        Get started with Pangolin at <a href="https://app.pangolin.net/auth/signup">app.pangolin.net</a>
     </strong>
 </p>
 
@@ -60,9 +60,9 @@ Pangolin is an open-source, identity-based remote access platform built on WireG
 
 | <img width=500 /> | Description |
 |-----------------|--------------|
+| **Pangolin Cloud** | Fully managed service with instant setup and pay-as-you-go pricing — no infrastructure required. Or, self-host your own [remote node](https://docs.pangolin.net/manage/remote-node/understanding-nodes) and connect to our control plane. |
 | **Self-Host: Community Edition** | Free, open source, and licensed under AGPL-3. |
 | **Self-Host: Enterprise Edition** | Licensed under Fossorial Commercial License. Free for personal and hobbyist use, and for businesses earning under \$100K USD annually. |
-| **Pangolin Cloud** | Fully managed service with instant setup and pay-as-you-go pricing — no infrastructure required. Or, self-host your own [remote node](https://docs.pangolin.net/manage/remote-node/nodes) and connect to our control plane. |
 
 ## Key Features
 
@@ -85,17 +85,16 @@ Download the Pangolin client for your platform:
 
 ## Get Started
 
+### Sign up now
+
+Create an account at [app.pangolin.net](https://app.pangolin.net) to get started with Pangolin Cloud. A generous free tier is available.
+
 ### Check out the docs
 
 We encourage everyone to read the full documentation first, which is
 available at [docs.pangolin.net](https://docs.pangolin.net). This README provides only a very brief subset of
 the docs to illustrate some basic ideas.
 
-### Sign up and try now
-
-For Pangolin's managed service, you will first need to create an account at
-[app.pangolin.net](https://app.pangolin.net). We have a generous free tier to get started.
-
 ## Licensing
 
 Pangolin is dual licensed under the AGPL-3 and the [Fossorial Commercial License](https://pangolin.net/fcl.html). For inquiries about commercial licensing, please contact us at [contact@pangolin.net](mailto:contact@pangolin.net).

From 1d5dfd6db283a2297eae3ce6ee889891826be32d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 18 Mar 2026 22:27:43 +0000
Subject: [PATCH 026/314] Bump github.com/charmbracelet/huh from 0.8.0 to 1.0.0
 in /install

Bumps [github.com/charmbracelet/huh](https://github.com/charmbracelet/huh) from 0.8.0 to 1.0.0.
- [Release notes](https://github.com/charmbracelet/huh/releases)
- [Commits](https://github.com/charmbracelet/huh/compare/v0.8.0...v1.0.0)

---
updated-dependencies:
- dependency-name: github.com/charmbracelet/huh
  dependency-version: 1.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 install/go.mod | 2 +-
 install/go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/install/go.mod b/install/go.mod
index da73eec0f..005a079df 100644
--- a/install/go.mod
+++ b/install/go.mod
@@ -3,7 +3,7 @@ module installer
 go 1.25.0
 
 require (
-	github.com/charmbracelet/huh v0.8.0
+	github.com/charmbracelet/huh v1.0.0
 	github.com/charmbracelet/lipgloss v1.1.0
 	golang.org/x/term v0.41.0
 	gopkg.in/yaml.v3 v3.0.1
diff --git a/install/go.sum b/install/go.sum
index e0b2a6c5e..b67ae57e5 100644
--- a/install/go.sum
+++ b/install/go.sum
@@ -14,8 +14,8 @@ github.com/charmbracelet/bubbletea v1.3.6 h1:VkHIxPJQeDt0aFJIsVxw8BQdh/F/L2KKZGs
 github.com/charmbracelet/bubbletea v1.3.6/go.mod h1:oQD9VCRQFF8KplacJLo28/jofOI2ToOfGYeFgBBxHOc=
 github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc h1:4pZI35227imm7yK2bGPcfpFEmuY1gc2YSTShr4iJBfs=
 github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc/go.mod h1:X4/0JoqgTIPSFcRA/P6INZzIuyqdFY5rm8tb41s9okk=
-github.com/charmbracelet/huh v0.8.0 h1:Xz/Pm2h64cXQZn/Jvele4J3r7DDiqFCNIVteYukxDvY=
-github.com/charmbracelet/huh v0.8.0/go.mod h1:5YVc+SlZ1IhQALxRPpkGwwEKftN/+OlJlnJYlDRFqN4=
+github.com/charmbracelet/huh v1.0.0 h1:wOnedH8G4qzJbmhftTqrpppyqHakl/zbbNdXIWJyIxw=
+github.com/charmbracelet/huh v1.0.0/go.mod h1:5YVc+SlZ1IhQALxRPpkGwwEKftN/+OlJlnJYlDRFqN4=
 github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
 github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
 github.com/charmbracelet/x/ansi v0.9.3 h1:BXt5DHS/MKF+LjuK4huWrC6NCvHtexww7dMayh6GXd0=

From 63379964fa02d9504db3a144c8b75203afe52ada Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 18 Mar 2026 22:28:22 +0000
Subject: [PATCH 027/314] Bump eslint from 9.39.2 to 10.0.3

Bumps [eslint](https://github.com/eslint/eslint) from 9.39.2 to 10.0.3.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](https://github.com/eslint/eslint/compare/v9.39.2...v10.0.3)

---
updated-dependencies:
- dependency-name: eslint
  dependency-version: 10.0.3
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 package-lock.json | 959 +++++++++++++++++++---------------------------
 package.json      |   2 +-
 2 files changed, 389 insertions(+), 572 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index ff57d27e6..642dc8f27 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -139,7 +139,7 @@
                 "drizzle-kit": "0.31.10",
                 "esbuild": "0.27.3",
                 "esbuild-node-externals": "1.20.1",
-                "eslint": "9.39.2",
+                "eslint": "10.0.3",
                 "eslint-config-next": "16.1.7",
                 "postcss": "8.5.8",
                 "prettier": "3.8.1",
@@ -164,20 +164,6 @@
                 "url": "https://github.com/sponsors/sindresorhus"
             }
         },
-        "node_modules/@ampproject/remapping": {
-            "version": "2.3.0",
-            "resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.3.0.tgz",
-            "integrity": "sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw==",
-            "dev": true,
-            "license": "Apache-2.0",
-            "dependencies": {
-                "@jridgewell/gen-mapping": "^0.3.5",
-                "@jridgewell/trace-mapping": "^0.3.24"
-            },
-            "engines": {
-                "node": ">=6.0.0"
-            }
-        },
         "node_modules/@asteasolutions/zod-to-openapi": {
             "version": "8.4.1",
             "resolved": "https://registry.npmjs.org/@asteasolutions/zod-to-openapi/-/zod-to-openapi-8.4.1.tgz",
@@ -1042,13 +1028,13 @@
             }
         },
         "node_modules/@babel/code-frame": {
-            "version": "7.27.1",
-            "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.27.1.tgz",
-            "integrity": "sha512-cjQ7ZlQ0Mv3b47hABuTevyTuYN4i+loJKGeV9flcCgIK37cCXRh+L1bd3iBHlynerhQ7BhCkn2BPbQUL+rGqFg==",
+            "version": "7.29.0",
+            "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.0.tgz",
+            "integrity": "sha512-9NhCeYjq9+3uxgdtp20LSiJXJvN0FeCtNGpJxuMFZ1Kv3cWUNb6DOhJwUvcVCzKGR66cw4njwM6hrJLqgOwbcw==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@babel/helper-validator-identifier": "^7.27.1",
+                "@babel/helper-validator-identifier": "^7.28.5",
                 "js-tokens": "^4.0.0",
                 "picocolors": "^1.1.1"
             },
@@ -1057,9 +1043,9 @@
             }
         },
         "node_modules/@babel/compat-data": {
-            "version": "7.28.5",
-            "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.28.5.tgz",
-            "integrity": "sha512-6uFXyCayocRbqhZOB+6XcuZbkMNimwfVGFji8CTZnCzOHVGvDqzvitu1re2AU5LROliz7eQPhB8CpAMvnx9EjA==",
+            "version": "7.29.0",
+            "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.29.0.tgz",
+            "integrity": "sha512-T1NCJqT/j9+cn8fvkt7jtwbLBfLC/1y1c7NtCeXFRgzGTsafi68MRv8yzkYSapBnFA6L3U2VSc02ciDzoAJhJg==",
             "dev": true,
             "license": "MIT",
             "engines": {
@@ -1067,22 +1053,22 @@
             }
         },
         "node_modules/@babel/core": {
-            "version": "7.26.10",
-            "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.26.10.tgz",
-            "integrity": "sha512-vMqyb7XCDMPvJFFOaT9kxtiRh42GwlZEg1/uIgtZshS5a/8OaduUfCi7kynKgc3Tw/6Uo2D+db9qBttghhmxwQ==",
+            "version": "7.29.0",
+            "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.29.0.tgz",
+            "integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@ampproject/remapping": "^2.2.0",
-                "@babel/code-frame": "^7.26.2",
-                "@babel/generator": "^7.26.10",
-                "@babel/helper-compilation-targets": "^7.26.5",
-                "@babel/helper-module-transforms": "^7.26.0",
-                "@babel/helpers": "^7.26.10",
-                "@babel/parser": "^7.26.10",
-                "@babel/template": "^7.26.9",
-                "@babel/traverse": "^7.26.10",
-                "@babel/types": "^7.26.10",
+                "@babel/code-frame": "^7.29.0",
+                "@babel/generator": "^7.29.0",
+                "@babel/helper-compilation-targets": "^7.28.6",
+                "@babel/helper-module-transforms": "^7.28.6",
+                "@babel/helpers": "^7.28.6",
+                "@babel/parser": "^7.29.0",
+                "@babel/template": "^7.28.6",
+                "@babel/traverse": "^7.29.0",
+                "@babel/types": "^7.29.0",
+                "@jridgewell/remapping": "^2.3.5",
                 "convert-source-map": "^2.0.0",
                 "debug": "^4.1.0",
                 "gensync": "^1.0.0-beta.2",
@@ -1097,6 +1083,41 @@
                 "url": "https://opencollective.com/babel"
             }
         },
+        "node_modules/@babel/core/node_modules/@babel/parser": {
+            "version": "7.29.2",
+            "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.2.tgz",
+            "integrity": "sha512-4GgRzy/+fsBa72/RZVJmGKPmZu9Byn8o4MoLpmNe1m8ZfYnz5emHLQz3U4gLud6Zwl0RZIcgiLD7Uq7ySFuDLA==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@babel/types": "^7.29.0"
+            },
+            "bin": {
+                "parser": "bin/babel-parser.js"
+            },
+            "engines": {
+                "node": ">=6.0.0"
+            }
+        },
+        "node_modules/@babel/core/node_modules/@babel/traverse": {
+            "version": "7.29.0",
+            "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.29.0.tgz",
+            "integrity": "sha512-4HPiQr0X7+waHfyXPZpWPfWL/J7dcN1mx9gL6WdQVMbPnF3+ZhSMs8tCxN7oHddJE9fhNE7+lxdnlyemKfJRuA==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@babel/code-frame": "^7.29.0",
+                "@babel/generator": "^7.29.0",
+                "@babel/helper-globals": "^7.28.0",
+                "@babel/parser": "^7.29.0",
+                "@babel/template": "^7.28.6",
+                "@babel/types": "^7.29.0",
+                "debug": "^4.3.1"
+            },
+            "engines": {
+                "node": ">=6.9.0"
+            }
+        },
         "node_modules/@babel/core/node_modules/semver": {
             "version": "6.3.1",
             "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
@@ -1108,14 +1129,14 @@
             }
         },
         "node_modules/@babel/generator": {
-            "version": "7.28.5",
-            "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.28.5.tgz",
-            "integrity": "sha512-3EwLFhZ38J4VyIP6WNtt2kUdW9dokXA9Cr4IVIFHuCpZ3H8/YFOl5JjZHisrn1fATPBmKKqXzDFvh9fUwHz6CQ==",
+            "version": "7.29.1",
+            "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.29.1.tgz",
+            "integrity": "sha512-qsaF+9Qcm2Qv8SRIMMscAvG4O3lJ0F1GuMo5HR/Bp02LopNgnZBC/EkbevHFeGs4ls/oPz9v+Bsmzbkbe+0dUw==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@babel/parser": "^7.28.5",
-                "@babel/types": "^7.28.5",
+                "@babel/parser": "^7.29.0",
+                "@babel/types": "^7.29.0",
                 "@jridgewell/gen-mapping": "^0.3.12",
                 "@jridgewell/trace-mapping": "^0.3.28",
                 "jsesc": "^3.0.2"
@@ -1125,13 +1146,13 @@
             }
         },
         "node_modules/@babel/generator/node_modules/@babel/parser": {
-            "version": "7.28.5",
-            "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.28.5.tgz",
-            "integrity": "sha512-KKBU1VGYR7ORr3At5HAtUQ+TV3SzRCXmA/8OdDZiLDBIZxVyzXuztPjfLd3BV1PRAQGCMWWSHYhL0F8d5uHBDQ==",
+            "version": "7.29.2",
+            "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.2.tgz",
+            "integrity": "sha512-4GgRzy/+fsBa72/RZVJmGKPmZu9Byn8o4MoLpmNe1m8ZfYnz5emHLQz3U4gLud6Zwl0RZIcgiLD7Uq7ySFuDLA==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@babel/types": "^7.28.5"
+                "@babel/types": "^7.29.0"
             },
             "bin": {
                 "parser": "bin/babel-parser.js"
@@ -1141,13 +1162,13 @@
             }
         },
         "node_modules/@babel/helper-compilation-targets": {
-            "version": "7.27.2",
-            "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.27.2.tgz",
-            "integrity": "sha512-2+1thGUUWWjLTYTHZWK1n8Yga0ijBz1XAhUXcKy81rd5g6yh7hGqMp45v7cadSbEHc9G3OTv45SyneRN3ps4DQ==",
+            "version": "7.28.6",
+            "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.28.6.tgz",
+            "integrity": "sha512-JYtls3hqi15fcx5GaSNL7SCTJ2MNmjrkHXg4FSpOA/grxK8KwyZ5bubHsCq8FXCkua6xhuaaBit+3b7+VZRfcA==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@babel/compat-data": "^7.27.2",
+                "@babel/compat-data": "^7.28.6",
                 "@babel/helper-validator-option": "^7.27.1",
                 "browserslist": "^4.24.0",
                 "lru-cache": "^5.1.1",
@@ -1178,27 +1199,27 @@
             }
         },
         "node_modules/@babel/helper-module-imports": {
-            "version": "7.27.1",
-            "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.27.1.tgz",
-            "integrity": "sha512-0gSFWUPNXNopqtIPQvlD5WgXYI5GY2kP2cCvoT8kczjbfcfuIljTbcWrulD1CIPIX2gt1wghbDy08yE1p+/r3w==",
+            "version": "7.28.6",
+            "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.28.6.tgz",
+            "integrity": "sha512-l5XkZK7r7wa9LucGw9LwZyyCUscb4x37JWTPz7swwFE/0FMQAGpiWUZn8u9DzkSBWEcK25jmvubfpw2dnAMdbw==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@babel/traverse": "^7.27.1",
-                "@babel/types": "^7.27.1"
+                "@babel/traverse": "^7.28.6",
+                "@babel/types": "^7.28.6"
             },
             "engines": {
                 "node": ">=6.9.0"
             }
         },
         "node_modules/@babel/helper-module-imports/node_modules/@babel/parser": {
-            "version": "7.28.5",
-            "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.28.5.tgz",
-            "integrity": "sha512-KKBU1VGYR7ORr3At5HAtUQ+TV3SzRCXmA/8OdDZiLDBIZxVyzXuztPjfLd3BV1PRAQGCMWWSHYhL0F8d5uHBDQ==",
+            "version": "7.29.2",
+            "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.2.tgz",
+            "integrity": "sha512-4GgRzy/+fsBa72/RZVJmGKPmZu9Byn8o4MoLpmNe1m8ZfYnz5emHLQz3U4gLud6Zwl0RZIcgiLD7Uq7ySFuDLA==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@babel/types": "^7.28.5"
+                "@babel/types": "^7.29.0"
             },
             "bin": {
                 "parser": "bin/babel-parser.js"
@@ -1208,18 +1229,18 @@
             }
         },
         "node_modules/@babel/helper-module-imports/node_modules/@babel/traverse": {
-            "version": "7.28.5",
-            "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.28.5.tgz",
-            "integrity": "sha512-TCCj4t55U90khlYkVV/0TfkJkAkUg3jZFA3Neb7unZT8CPok7iiRfaX0F+WnqWqt7OxhOn0uBKXCw4lbL8W0aQ==",
+            "version": "7.29.0",
+            "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.29.0.tgz",
+            "integrity": "sha512-4HPiQr0X7+waHfyXPZpWPfWL/J7dcN1mx9gL6WdQVMbPnF3+ZhSMs8tCxN7oHddJE9fhNE7+lxdnlyemKfJRuA==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@babel/code-frame": "^7.27.1",
-                "@babel/generator": "^7.28.5",
+                "@babel/code-frame": "^7.29.0",
+                "@babel/generator": "^7.29.0",
                 "@babel/helper-globals": "^7.28.0",
-                "@babel/parser": "^7.28.5",
-                "@babel/template": "^7.27.2",
-                "@babel/types": "^7.28.5",
+                "@babel/parser": "^7.29.0",
+                "@babel/template": "^7.28.6",
+                "@babel/types": "^7.29.0",
                 "debug": "^4.3.1"
             },
             "engines": {
@@ -1227,15 +1248,15 @@
             }
         },
         "node_modules/@babel/helper-module-transforms": {
-            "version": "7.28.3",
-            "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.28.3.tgz",
-            "integrity": "sha512-gytXUbs8k2sXS9PnQptz5o0QnpLL51SwASIORY6XaBKF88nsOT0Zw9szLqlSGQDP/4TljBAD5y98p2U1fqkdsw==",
+            "version": "7.28.6",
+            "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.28.6.tgz",
+            "integrity": "sha512-67oXFAYr2cDLDVGLXTEABjdBJZ6drElUSI7WKp70NrpyISso3plG9SAGEF6y7zbha/wOzUByWWTJvEDVNIUGcA==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@babel/helper-module-imports": "^7.27.1",
-                "@babel/helper-validator-identifier": "^7.27.1",
-                "@babel/traverse": "^7.28.3"
+                "@babel/helper-module-imports": "^7.28.6",
+                "@babel/helper-validator-identifier": "^7.28.5",
+                "@babel/traverse": "^7.28.6"
             },
             "engines": {
                 "node": ">=6.9.0"
@@ -1245,13 +1266,13 @@
             }
         },
         "node_modules/@babel/helper-module-transforms/node_modules/@babel/parser": {
-            "version": "7.28.5",
-            "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.28.5.tgz",
-            "integrity": "sha512-KKBU1VGYR7ORr3At5HAtUQ+TV3SzRCXmA/8OdDZiLDBIZxVyzXuztPjfLd3BV1PRAQGCMWWSHYhL0F8d5uHBDQ==",
+            "version": "7.29.2",
+            "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.2.tgz",
+            "integrity": "sha512-4GgRzy/+fsBa72/RZVJmGKPmZu9Byn8o4MoLpmNe1m8ZfYnz5emHLQz3U4gLud6Zwl0RZIcgiLD7Uq7ySFuDLA==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@babel/types": "^7.28.5"
+                "@babel/types": "^7.29.0"
             },
             "bin": {
                 "parser": "bin/babel-parser.js"
@@ -1261,18 +1282,18 @@
             }
         },
         "node_modules/@babel/helper-module-transforms/node_modules/@babel/traverse": {
-            "version": "7.28.5",
-            "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.28.5.tgz",
-            "integrity": "sha512-TCCj4t55U90khlYkVV/0TfkJkAkUg3jZFA3Neb7unZT8CPok7iiRfaX0F+WnqWqt7OxhOn0uBKXCw4lbL8W0aQ==",
+            "version": "7.29.0",
+            "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.29.0.tgz",
+            "integrity": "sha512-4HPiQr0X7+waHfyXPZpWPfWL/J7dcN1mx9gL6WdQVMbPnF3+ZhSMs8tCxN7oHddJE9fhNE7+lxdnlyemKfJRuA==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@babel/code-frame": "^7.27.1",
-                "@babel/generator": "^7.28.5",
+                "@babel/code-frame": "^7.29.0",
+                "@babel/generator": "^7.29.0",
                 "@babel/helper-globals": "^7.28.0",
-                "@babel/parser": "^7.28.5",
-                "@babel/template": "^7.27.2",
-                "@babel/types": "^7.28.5",
+                "@babel/parser": "^7.29.0",
+                "@babel/template": "^7.28.6",
+                "@babel/types": "^7.29.0",
                 "debug": "^4.3.1"
             },
             "engines": {
@@ -1310,14 +1331,14 @@
             }
         },
         "node_modules/@babel/helpers": {
-            "version": "7.28.4",
-            "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.28.4.tgz",
-            "integrity": "sha512-HFN59MmQXGHVyYadKLVumYsA9dBFun/ldYxipEjzA4196jpLZd8UjEEBLkbEkvfYreDqJhZxYAWFPtrfhNpj4w==",
+            "version": "7.29.2",
+            "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.29.2.tgz",
+            "integrity": "sha512-HoGuUs4sCZNezVEKdVcwqmZN8GoHirLUcLaYVNBK2J0DadGtdcqgr3BCbvH8+XUo4NGjNl3VOtSjEKNzqfFgKw==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@babel/template": "^7.27.2",
-                "@babel/types": "^7.28.4"
+                "@babel/template": "^7.28.6",
+                "@babel/types": "^7.29.0"
             },
             "engines": {
                 "node": ">=6.9.0"
@@ -1349,28 +1370,28 @@
             }
         },
         "node_modules/@babel/template": {
-            "version": "7.27.2",
-            "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.27.2.tgz",
-            "integrity": "sha512-LPDZ85aEJyYSd18/DkjNh4/y1ntkE5KwUHWTiqgRxruuZL2F1yuHligVHLvcHY2vMHXttKFpJn6LwfI7cw7ODw==",
+            "version": "7.28.6",
+            "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.28.6.tgz",
+            "integrity": "sha512-YA6Ma2KsCdGb+WC6UpBVFJGXL58MDA6oyONbjyF/+5sBgxY/dwkhLogbMT2GXXyU84/IhRw/2D1Os1B/giz+BQ==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@babel/code-frame": "^7.27.1",
-                "@babel/parser": "^7.27.2",
-                "@babel/types": "^7.27.1"
+                "@babel/code-frame": "^7.28.6",
+                "@babel/parser": "^7.28.6",
+                "@babel/types": "^7.28.6"
             },
             "engines": {
                 "node": ">=6.9.0"
             }
         },
         "node_modules/@babel/template/node_modules/@babel/parser": {
-            "version": "7.28.5",
-            "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.28.5.tgz",
-            "integrity": "sha512-KKBU1VGYR7ORr3At5HAtUQ+TV3SzRCXmA/8OdDZiLDBIZxVyzXuztPjfLd3BV1PRAQGCMWWSHYhL0F8d5uHBDQ==",
+            "version": "7.29.2",
+            "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.2.tgz",
+            "integrity": "sha512-4GgRzy/+fsBa72/RZVJmGKPmZu9Byn8o4MoLpmNe1m8ZfYnz5emHLQz3U4gLud6Zwl0RZIcgiLD7Uq7ySFuDLA==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@babel/types": "^7.28.5"
+                "@babel/types": "^7.29.0"
             },
             "bin": {
                 "parser": "bin/babel-parser.js"
@@ -1399,9 +1420,9 @@
             }
         },
         "node_modules/@babel/types": {
-            "version": "7.28.5",
-            "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.28.5.tgz",
-            "integrity": "sha512-qQ5m48eI/MFLQ5PxQj4PFaprjyCTLI37ElWMmNs0K8Lk3dVeOdNpB3ks8jc7yM5CDmVC73eMVk/trk3fgmrUpA==",
+            "version": "7.29.0",
+            "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.0.tgz",
+            "integrity": "sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==",
             "devOptional": true,
             "license": "MIT",
             "dependencies": {
@@ -2040,118 +2061,68 @@
             }
         },
         "node_modules/@eslint/config-array": {
-            "version": "0.21.1",
-            "resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.21.1.tgz",
-            "integrity": "sha512-aw1gNayWpdI/jSYVgzN5pL0cfzU02GT3NBpeT/DXbx1/1x7ZKxFPd9bwrzygx/qiwIQiJ1sw/zD8qY/kRvlGHA==",
+            "version": "0.23.3",
+            "resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.23.3.tgz",
+            "integrity": "sha512-j+eEWmB6YYLwcNOdlwQ6L2OsptI/LO6lNBuLIqe5R7RetD658HLoF+Mn7LzYmAWWNNzdC6cqP+L6r8ujeYXWLw==",
             "dev": true,
             "license": "Apache-2.0",
             "dependencies": {
-                "@eslint/object-schema": "^2.1.7",
+                "@eslint/object-schema": "^3.0.3",
                 "debug": "^4.3.1",
-                "minimatch": "^3.1.2"
+                "minimatch": "^10.2.4"
             },
             "engines": {
-                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+                "node": "^20.19.0 || ^22.13.0 || >=24"
             }
         },
         "node_modules/@eslint/config-helpers": {
-            "version": "0.4.2",
-            "resolved": "https://registry.npmjs.org/@eslint/config-helpers/-/config-helpers-0.4.2.tgz",
-            "integrity": "sha512-gBrxN88gOIf3R7ja5K9slwNayVcZgK6SOUORm2uBzTeIEfeVaIhOpCtTox3P6R7o2jLFwLFTLnC7kU/RGcYEgw==",
+            "version": "0.5.3",
+            "resolved": "https://registry.npmjs.org/@eslint/config-helpers/-/config-helpers-0.5.3.tgz",
+            "integrity": "sha512-lzGN0onllOZCGroKJmRwY6QcEHxbjBw1gwB8SgRSqK8YbbtEXMvKynsXc3553ckIEBxsbMBU7oOZXKIPGZNeZw==",
             "dev": true,
             "license": "Apache-2.0",
             "dependencies": {
-                "@eslint/core": "^0.17.0"
+                "@eslint/core": "^1.1.1"
             },
             "engines": {
-                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+                "node": "^20.19.0 || ^22.13.0 || >=24"
             }
         },
         "node_modules/@eslint/core": {
-            "version": "0.17.0",
-            "resolved": "https://registry.npmjs.org/@eslint/core/-/core-0.17.0.tgz",
-            "integrity": "sha512-yL/sLrpmtDaFEiUj1osRP4TI2MDz1AddJL+jZ7KSqvBuliN4xqYY54IfdN8qD8Toa6g1iloph1fxQNkjOxrrpQ==",
+            "version": "1.1.1",
+            "resolved": "https://registry.npmjs.org/@eslint/core/-/core-1.1.1.tgz",
+            "integrity": "sha512-QUPblTtE51/7/Zhfv8BDwO0qkkzQL7P/aWWbqcf4xWLEYn1oKjdO0gglQBB4GAsu7u6wjijbCmzsUTy6mnk6oQ==",
             "dev": true,
             "license": "Apache-2.0",
             "dependencies": {
                 "@types/json-schema": "^7.0.15"
             },
             "engines": {
-                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
-            }
-        },
-        "node_modules/@eslint/eslintrc": {
-            "version": "3.3.3",
-            "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-3.3.3.tgz",
-            "integrity": "sha512-Kr+LPIUVKz2qkx1HAMH8q1q6azbqBAsXJUxBl/ODDuVPX45Z9DfwB8tPjTi6nNZ8BuM3nbJxC5zCAg5elnBUTQ==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "ajv": "^6.12.4",
-                "debug": "^4.3.2",
-                "espree": "^10.0.1",
-                "globals": "^14.0.0",
-                "ignore": "^5.2.0",
-                "import-fresh": "^3.2.1",
-                "js-yaml": "^4.1.1",
-                "minimatch": "^3.1.2",
-                "strip-json-comments": "^3.1.1"
-            },
-            "engines": {
-                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
-            },
-            "funding": {
-                "url": "https://opencollective.com/eslint"
-            }
-        },
-        "node_modules/@eslint/eslintrc/node_modules/globals": {
-            "version": "14.0.0",
-            "resolved": "https://registry.npmjs.org/globals/-/globals-14.0.0.tgz",
-            "integrity": "sha512-oahGvuMGQlPw/ivIYBjVSrWAfWLBeku5tpPE2fOPLi+WHffIWbuh2tCjhyQhTBPMf5E9jDEH4FOmTYgYwbKwtQ==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">=18"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/sindresorhus"
-            }
-        },
-        "node_modules/@eslint/js": {
-            "version": "9.39.2",
-            "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.39.2.tgz",
-            "integrity": "sha512-q1mjIoW1VX4IvSocvM/vbTiveKC4k9eLrajNEuSsmjymSDEbpGddtpfOoN7YGAqBK3NG+uqo8ia4PDTt8buCYA==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
-            },
-            "funding": {
-                "url": "https://eslint.org/donate"
+                "node": "^20.19.0 || ^22.13.0 || >=24"
             }
         },
         "node_modules/@eslint/object-schema": {
-            "version": "2.1.7",
-            "resolved": "https://registry.npmjs.org/@eslint/object-schema/-/object-schema-2.1.7.tgz",
-            "integrity": "sha512-VtAOaymWVfZcmZbp6E2mympDIHvyjXs/12LqWYjVw6qjrfF+VK+fyG33kChz3nnK+SU5/NeHOqrTEHS8sXO3OA==",
+            "version": "3.0.3",
+            "resolved": "https://registry.npmjs.org/@eslint/object-schema/-/object-schema-3.0.3.tgz",
+            "integrity": "sha512-iM869Pugn9Nsxbh/YHRqYiqd23AmIbxJOcpUMOuWCVNdoQJ5ZtwL6h3t0bcZzJUlC3Dq9jCFCESBZnX0GTv7iQ==",
             "dev": true,
             "license": "Apache-2.0",
             "engines": {
-                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+                "node": "^20.19.0 || ^22.13.0 || >=24"
             }
         },
         "node_modules/@eslint/plugin-kit": {
-            "version": "0.4.1",
-            "resolved": "https://registry.npmjs.org/@eslint/plugin-kit/-/plugin-kit-0.4.1.tgz",
-            "integrity": "sha512-43/qtrDUokr7LJqoF2c3+RInu/t4zfrpYdoSDfYyhg52rwLV6TnOvdG4fXm7IkSB3wErkcmJS9iEhjVtOSEjjA==",
+            "version": "0.6.1",
+            "resolved": "https://registry.npmjs.org/@eslint/plugin-kit/-/plugin-kit-0.6.1.tgz",
+            "integrity": "sha512-iH1B076HoAshH1mLpHMgwdGeTs0CYwL0SPMkGuSebZrwBp16v415e9NZXg2jtrqPVQjf6IANe2Vtlr5KswtcZQ==",
             "dev": true,
             "license": "Apache-2.0",
             "dependencies": {
-                "@eslint/core": "^0.17.0",
+                "@eslint/core": "^1.1.1",
                 "levn": "^0.4.1"
             },
             "engines": {
-                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+                "node": "^20.19.0 || ^22.13.0 || >=24"
             }
         },
         "node_modules/@faker-js/faker": {
@@ -8879,6 +8850,13 @@
                 "@types/d3-selection": "*"
             }
         },
+        "node_modules/@types/esrecurse": {
+            "version": "4.3.1",
+            "resolved": "https://registry.npmjs.org/@types/esrecurse/-/esrecurse-4.3.1.tgz",
+            "integrity": "sha512-xJBAbDifo5hpffDBuHl0Y8ywswbiAp/Wi7Y/GtAgSlZyIABppyurxVueOPE8LUQOxdlgi6Zqce7uoEpqNTeiUw==",
+            "dev": true,
+            "license": "MIT"
+        },
         "node_modules/@types/estree": {
             "version": "1.0.8",
             "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.8.tgz",
@@ -9353,45 +9331,6 @@
                 "typescript": ">=4.8.4 <6.0.0"
             }
         },
-        "node_modules/@typescript-eslint/typescript-estree/node_modules/balanced-match": {
-            "version": "4.0.4",
-            "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.4.tgz",
-            "integrity": "sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": "18 || 20 || >=22"
-            }
-        },
-        "node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
-            "version": "5.0.4",
-            "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.4.tgz",
-            "integrity": "sha512-h+DEnpVvxmfVefa4jFbCf5HdH5YMDXRsmKflpf1pILZWRFlTbJpxeU55nJl4Smt5HQaGzg1o6RHFPJaOqnmBDg==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "balanced-match": "^4.0.2"
-            },
-            "engines": {
-                "node": "18 || 20 || >=22"
-            }
-        },
-        "node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch": {
-            "version": "10.2.4",
-            "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.4.tgz",
-            "integrity": "sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==",
-            "dev": true,
-            "license": "BlueOak-1.0.0",
-            "dependencies": {
-                "brace-expansion": "^5.0.2"
-            },
-            "engines": {
-                "node": "18 || 20 || >=22"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/isaacs"
-            }
-        },
         "node_modules/@typescript-eslint/utils": {
             "version": "8.56.1",
             "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.56.1.tgz",
@@ -9434,19 +9373,6 @@
                 "url": "https://opencollective.com/typescript-eslint"
             }
         },
-        "node_modules/@typescript-eslint/visitor-keys/node_modules/eslint-visitor-keys": {
-            "version": "5.0.1",
-            "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-5.0.1.tgz",
-            "integrity": "sha512-tD40eHxA35h0PEIZNeIjkHoDR4YjjJp34biM0mDvplBe//mB+IHCqHDGV7pxF+7MklTvighcCPPZC7ynWyjdTA==",
-            "dev": true,
-            "license": "Apache-2.0",
-            "engines": {
-                "node": "^20.19.0 || ^22.13.0 || >=24"
-            },
-            "funding": {
-                "url": "https://opencollective.com/eslint"
-            }
-        },
         "node_modules/@unrs/resolver-binding-android-arm-eabi": {
             "version": "1.11.1",
             "resolved": "https://registry.npmjs.org/@unrs/resolver-binding-android-arm-eabi/-/resolver-binding-android-arm-eabi-1.11.1.tgz",
@@ -9730,9 +9656,9 @@
             }
         },
         "node_modules/acorn": {
-            "version": "8.15.0",
-            "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz",
-            "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
+            "version": "8.16.0",
+            "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.16.0.tgz",
+            "integrity": "sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==",
             "dev": true,
             "license": "MIT",
             "bin": {
@@ -9753,9 +9679,9 @@
             }
         },
         "node_modules/ajv": {
-            "version": "6.12.6",
-            "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz",
-            "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==",
+            "version": "6.14.0",
+            "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz",
+            "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
@@ -9823,22 +9749,6 @@
                 "url": "https://github.com/chalk/ansi-regex?sponsor=1"
             }
         },
-        "node_modules/ansi-styles": {
-            "version": "4.3.0",
-            "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
-            "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "color-convert": "^2.0.1"
-            },
-            "engines": {
-                "node": ">=8"
-            },
-            "funding": {
-                "url": "https://github.com/chalk/ansi-styles?sponsor=1"
-            }
-        },
         "node_modules/anymatch": {
             "version": "3.1.3",
             "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz",
@@ -10164,9 +10074,9 @@
             }
         },
         "node_modules/axe-core": {
-            "version": "4.11.0",
-            "resolved": "https://registry.npmjs.org/axe-core/-/axe-core-4.11.0.tgz",
-            "integrity": "sha512-ilYanEU8vxxBexpJd8cWM4ElSQq4QctCLKih0TSfjIfCQTeyH/6zVrmIJfLPrKTKJRbiG+cfnZbQIjAlJmF1jQ==",
+            "version": "4.11.1",
+            "resolved": "https://registry.npmjs.org/axe-core/-/axe-core-4.11.1.tgz",
+            "integrity": "sha512-BASOg+YwO2C+346x3LZOeoovTIoTrRqEsqMa6fmfAV0P+U9mFr9NsyOEpiYvFjbc64NMrSswhV50WdXzdb/Z5A==",
             "dev": true,
             "license": "MPL-2.0",
             "engines": {
@@ -10204,11 +10114,13 @@
             }
         },
         "node_modules/balanced-match": {
-            "version": "1.0.2",
-            "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
-            "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
-            "dev": true,
-            "license": "MIT"
+            "version": "4.0.4",
+            "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.4.tgz",
+            "integrity": "sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==",
+            "license": "MIT",
+            "engines": {
+                "node": "18 || 20 || >=22"
+            }
         },
         "node_modules/base64-js": {
             "version": "1.5.1",
@@ -10353,14 +10265,15 @@
             "license": "MIT"
         },
         "node_modules/brace-expansion": {
-            "version": "1.1.12",
-            "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-            "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
-            "dev": true,
+            "version": "5.0.4",
+            "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.4.tgz",
+            "integrity": "sha512-h+DEnpVvxmfVefa4jFbCf5HdH5YMDXRsmKflpf1pILZWRFlTbJpxeU55nJl4Smt5HQaGzg1o6RHFPJaOqnmBDg==",
             "license": "MIT",
             "dependencies": {
-                "balanced-match": "^1.0.0",
-                "concat-map": "0.0.1"
+                "balanced-match": "^4.0.2"
+            },
+            "engines": {
+                "node": "18 || 20 || >=22"
             }
         },
         "node_modules/braces": {
@@ -10503,16 +10416,6 @@
                 "url": "https://github.com/sponsors/ljharb"
             }
         },
-        "node_modules/callsites": {
-            "version": "3.1.0",
-            "resolved": "https://registry.npmjs.org/callsites/-/callsites-3.1.0.tgz",
-            "integrity": "sha512-P8BjAsXvZS+VIDUI11hHCQEv74YT67YUi5JJFNWIqL235sBmjX4+qx9Muvls5ivyNENctx46xQLQ3aTuE7ssaQ==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">=6"
-            }
-        },
         "node_modules/caniuse-lite": {
             "version": "1.0.30001759",
             "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001759.tgz",
@@ -10543,23 +10446,6 @@
                 "url": "https://www.paypal.me/kirilvatev"
             }
         },
-        "node_modules/chalk": {
-            "version": "4.1.2",
-            "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz",
-            "integrity": "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "ansi-styles": "^4.1.0",
-                "supports-color": "^7.1.0"
-            },
-            "engines": {
-                "node": ">=10"
-            },
-            "funding": {
-                "url": "https://github.com/chalk/chalk?sponsor=1"
-            }
-        },
         "node_modules/chokidar": {
             "version": "4.0.3",
             "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-4.0.3.tgz",
@@ -10745,26 +10631,6 @@
                 "node": ">=18"
             }
         },
-        "node_modules/color-convert": {
-            "version": "2.0.1",
-            "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
-            "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "color-name": "~1.1.4"
-            },
-            "engines": {
-                "node": ">=7.0.0"
-            }
-        },
-        "node_modules/color-name": {
-            "version": "1.1.4",
-            "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
-            "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==",
-            "dev": true,
-            "license": "MIT"
-        },
         "node_modules/color-string": {
             "version": "2.1.4",
             "resolved": "https://registry.npmjs.org/color-string/-/color-string-2.1.4.tgz",
@@ -12038,9 +11904,9 @@
             "license": "MIT"
         },
         "node_modules/electron-to-chromium": {
-            "version": "1.5.266",
-            "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.266.tgz",
-            "integrity": "sha512-kgWEglXvkEfMH7rxP5OSZZwnaDWT7J9EoZCujhnpLbfi0bbNtRkgdX2E3gt0Uer11c61qCYktB3hwkAS325sJg==",
+            "version": "1.5.321",
+            "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.321.tgz",
+            "integrity": "sha512-L2C7Q279W2D/J4PLZLk7sebOILDSWos7bMsMNN06rK482umHUrh/3lM8G7IlHFOYip2oAg5nha1rCMxr/rs6ZQ==",
             "dev": true,
             "license": "ISC"
         },
@@ -12243,9 +12109,9 @@
             }
         },
         "node_modules/es-abstract": {
-            "version": "1.24.0",
-            "resolved": "https://registry.npmjs.org/es-abstract/-/es-abstract-1.24.0.tgz",
-            "integrity": "sha512-WSzPgsdLtTcQwm4CROfS5ju2Wa1QQcVeT37jFjYzdFz1r9ahadC8B8/a4qxJxM+09F18iumCdRmlr96ZYkQvEg==",
+            "version": "1.24.1",
+            "resolved": "https://registry.npmjs.org/es-abstract/-/es-abstract-1.24.1.tgz",
+            "integrity": "sha512-zHXBLhP+QehSSbsS9Pt23Gg964240DPd6QCf8WpkqEXxQ7fhdZzYsocOr5u7apWonsS5EjZDmTF+/slGMyasvw==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
@@ -12330,27 +12196,28 @@
             }
         },
         "node_modules/es-iterator-helpers": {
-            "version": "1.2.1",
-            "resolved": "https://registry.npmjs.org/es-iterator-helpers/-/es-iterator-helpers-1.2.1.tgz",
-            "integrity": "sha512-uDn+FE1yrDzyC0pCo961B2IHbdM8y/ACZsKD4dG6WqrjV53BADjwa7D+1aom2rsNVfLyDgU/eigvlJGJ08OQ4w==",
+            "version": "1.3.1",
+            "resolved": "https://registry.npmjs.org/es-iterator-helpers/-/es-iterator-helpers-1.3.1.tgz",
+            "integrity": "sha512-zWwRvqWiuBPr0muUG/78cW3aHROFCNIQ3zpmYDpwdbnt2m+xlNyRWpHBpa2lJjSBit7BQ+RXA1iwbSmu5yJ/EQ==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
                 "call-bind": "^1.0.8",
-                "call-bound": "^1.0.3",
+                "call-bound": "^1.0.4",
                 "define-properties": "^1.2.1",
-                "es-abstract": "^1.23.6",
+                "es-abstract": "^1.24.1",
                 "es-errors": "^1.3.0",
-                "es-set-tostringtag": "^2.0.3",
+                "es-set-tostringtag": "^2.1.0",
                 "function-bind": "^1.1.2",
-                "get-intrinsic": "^1.2.6",
+                "get-intrinsic": "^1.3.0",
                 "globalthis": "^1.0.4",
                 "gopd": "^1.2.0",
                 "has-property-descriptors": "^1.0.2",
                 "has-proto": "^1.2.0",
                 "has-symbols": "^1.1.0",
                 "internal-slot": "^1.1.0",
-                "iterator.prototype": "^1.1.4",
+                "iterator.prototype": "^1.1.5",
+                "math-intrinsics": "^1.1.0",
                 "safe-array-concat": "^1.1.3"
             },
             "engines": {
@@ -12502,33 +12369,30 @@
             }
         },
         "node_modules/eslint": {
-            "version": "9.39.2",
-            "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.39.2.tgz",
-            "integrity": "sha512-LEyamqS7W5HB3ujJyvi0HQK/dtVINZvd5mAAp9eT5S/ujByGjiZLCzPcHVzuXbpJDJF/cxwHlfceVUDZ2lnSTw==",
+            "version": "10.0.3",
+            "resolved": "https://registry.npmjs.org/eslint/-/eslint-10.0.3.tgz",
+            "integrity": "sha512-COV33RzXZkqhG9P2rZCFl9ZmJ7WL+gQSCRzE7RhkbclbQPtLAWReL7ysA0Sh4c8Im2U9ynybdR56PV0XcKvqaQ==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
                 "@eslint-community/eslint-utils": "^4.8.0",
-                "@eslint-community/regexpp": "^4.12.1",
-                "@eslint/config-array": "^0.21.1",
-                "@eslint/config-helpers": "^0.4.2",
-                "@eslint/core": "^0.17.0",
-                "@eslint/eslintrc": "^3.3.1",
-                "@eslint/js": "9.39.2",
-                "@eslint/plugin-kit": "^0.4.1",
+                "@eslint-community/regexpp": "^4.12.2",
+                "@eslint/config-array": "^0.23.3",
+                "@eslint/config-helpers": "^0.5.2",
+                "@eslint/core": "^1.1.1",
+                "@eslint/plugin-kit": "^0.6.1",
                 "@humanfs/node": "^0.16.6",
                 "@humanwhocodes/module-importer": "^1.0.1",
                 "@humanwhocodes/retry": "^0.4.2",
                 "@types/estree": "^1.0.6",
-                "ajv": "^6.12.4",
-                "chalk": "^4.0.0",
+                "ajv": "^6.14.0",
                 "cross-spawn": "^7.0.6",
                 "debug": "^4.3.2",
                 "escape-string-regexp": "^4.0.0",
-                "eslint-scope": "^8.4.0",
-                "eslint-visitor-keys": "^4.2.1",
-                "espree": "^10.4.0",
-                "esquery": "^1.5.0",
+                "eslint-scope": "^9.1.2",
+                "eslint-visitor-keys": "^5.0.1",
+                "espree": "^11.1.1",
+                "esquery": "^1.7.0",
                 "esutils": "^2.0.2",
                 "fast-deep-equal": "^3.1.3",
                 "file-entry-cache": "^8.0.0",
@@ -12538,8 +12402,7 @@
                 "imurmurhash": "^0.1.4",
                 "is-glob": "^4.0.0",
                 "json-stable-stringify-without-jsonify": "^1.0.1",
-                "lodash.merge": "^4.6.2",
-                "minimatch": "^3.1.2",
+                "minimatch": "^10.2.4",
                 "natural-compare": "^1.4.0",
                 "optionator": "^0.9.3"
             },
@@ -12547,7 +12410,7 @@
                 "eslint": "bin/eslint.js"
             },
             "engines": {
-                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+                "node": "^20.19.0 || ^22.13.0 || >=24"
             },
             "funding": {
                 "url": "https://eslint.org/donate"
@@ -12588,42 +12451,25 @@
                 }
             }
         },
-        "node_modules/eslint-config-next/node_modules/globals": {
-            "version": "16.4.0",
-            "resolved": "https://registry.npmjs.org/globals/-/globals-16.4.0.tgz",
-            "integrity": "sha512-ob/2LcVVaVGCYN+r14cnwnoDPUufjiYgSqRhiFD0Q1iI4Odora5RE8Iv1D24hAz5oMophRGkGz+yuvQmmUMnMw==",
+        "node_modules/eslint-config-next/node_modules/balanced-match": {
+            "version": "1.0.2",
+            "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
+            "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
             "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">=18"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/sindresorhus"
-            }
+            "license": "MIT"
         },
-        "node_modules/eslint-import-resolver-node": {
-            "version": "0.3.9",
-            "resolved": "https://registry.npmjs.org/eslint-import-resolver-node/-/eslint-import-resolver-node-0.3.9.tgz",
-            "integrity": "sha512-WFj2isz22JahUv+B788TlO3N6zL3nNJGU8CcZbPZvVEkBPaJdCV4vy5wyghty5ROFbCRnm132v8BScu5/1BQ8g==",
+        "node_modules/eslint-config-next/node_modules/brace-expansion": {
+            "version": "1.1.12",
+            "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
+            "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "debug": "^3.2.7",
-                "is-core-module": "^2.13.0",
-                "resolve": "^1.22.4"
+                "balanced-match": "^1.0.0",
+                "concat-map": "0.0.1"
             }
         },
-        "node_modules/eslint-import-resolver-node/node_modules/debug": {
-            "version": "3.2.7",
-            "resolved": "https://registry.npmjs.org/debug/-/debug-3.2.7.tgz",
-            "integrity": "sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "ms": "^2.1.1"
-            }
-        },
-        "node_modules/eslint-import-resolver-typescript": {
+        "node_modules/eslint-config-next/node_modules/eslint-import-resolver-typescript": {
             "version": "3.10.1",
             "resolved": "https://registry.npmjs.org/eslint-import-resolver-typescript/-/eslint-import-resolver-typescript-3.10.1.tgz",
             "integrity": "sha512-A1rHYb06zjMGAxdLSkN2fXPBwuSaQ0iO5M/hdyS0Ajj1VBaRp0sPD3dn1FhME3c/JluGFbwSxyCfqdSbtQLAHQ==",
@@ -12658,35 +12504,7 @@
                 }
             }
         },
-        "node_modules/eslint-module-utils": {
-            "version": "2.12.1",
-            "resolved": "https://registry.npmjs.org/eslint-module-utils/-/eslint-module-utils-2.12.1.tgz",
-            "integrity": "sha512-L8jSWTze7K2mTg0vos/RuLRS5soomksDPoJLXIslC7c8Wmut3bx7CPpJijDcBZtxQ5lrbUdM+s0OlNbz0DCDNw==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "debug": "^3.2.7"
-            },
-            "engines": {
-                "node": ">=4"
-            },
-            "peerDependenciesMeta": {
-                "eslint": {
-                    "optional": true
-                }
-            }
-        },
-        "node_modules/eslint-module-utils/node_modules/debug": {
-            "version": "3.2.7",
-            "resolved": "https://registry.npmjs.org/debug/-/debug-3.2.7.tgz",
-            "integrity": "sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "ms": "^2.1.1"
-            }
-        },
-        "node_modules/eslint-plugin-import": {
+        "node_modules/eslint-config-next/node_modules/eslint-plugin-import": {
             "version": "2.32.0",
             "resolved": "https://registry.npmjs.org/eslint-plugin-import/-/eslint-plugin-import-2.32.0.tgz",
             "integrity": "sha512-whOE1HFo/qJDyX4SnXzP4N6zOWn79WhnCUY/iDR0mPfQZO8wcYE4JClzI2oZrhBnnMUCBCHZhO6VQyoBU95mZA==",
@@ -12720,7 +12538,7 @@
                 "eslint": "^2 || ^3 || ^4 || ^5 || ^6 || ^7.2.0 || ^8 || ^9"
             }
         },
-        "node_modules/eslint-plugin-import/node_modules/debug": {
+        "node_modules/eslint-config-next/node_modules/eslint-plugin-import/node_modules/debug": {
             "version": "3.2.7",
             "resolved": "https://registry.npmjs.org/debug/-/debug-3.2.7.tgz",
             "integrity": "sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==",
@@ -12730,17 +12548,7 @@
                 "ms": "^2.1.1"
             }
         },
-        "node_modules/eslint-plugin-import/node_modules/semver": {
-            "version": "6.3.1",
-            "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
-            "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
-            "dev": true,
-            "license": "ISC",
-            "bin": {
-                "semver": "bin/semver.js"
-            }
-        },
-        "node_modules/eslint-plugin-jsx-a11y": {
+        "node_modules/eslint-config-next/node_modules/eslint-plugin-jsx-a11y": {
             "version": "6.10.2",
             "resolved": "https://registry.npmjs.org/eslint-plugin-jsx-a11y/-/eslint-plugin-jsx-a11y-6.10.2.tgz",
             "integrity": "sha512-scB3nz4WmG75pV8+3eRUQOHZlNSUhFNq37xnpgRkCCELU3XMvXAxLk1eqWWyE22Ki4Q01Fnsw9BA3cJHDPgn2Q==",
@@ -12770,7 +12578,7 @@
                 "eslint": "^3 || ^4 || ^5 || ^6 || ^7 || ^8 || ^9"
             }
         },
-        "node_modules/eslint-plugin-react": {
+        "node_modules/eslint-config-next/node_modules/eslint-plugin-react": {
             "version": "7.37.5",
             "resolved": "https://registry.npmjs.org/eslint-plugin-react/-/eslint-plugin-react-7.37.5.tgz",
             "integrity": "sha512-Qteup0SqU15kdocexFNAJMvCJEfa2xUKNV4CC1xsVMrIIqEy3SQ/rqyxCWNzfrd3/ldy6HMlD2e0JDVpDg2qIA==",
@@ -12803,7 +12611,7 @@
                 "eslint": "^3 || ^4 || ^5 || ^6 || ^7 || ^8 || ^9.7"
             }
         },
-        "node_modules/eslint-plugin-react-hooks": {
+        "node_modules/eslint-config-next/node_modules/eslint-plugin-react-hooks": {
             "version": "7.0.1",
             "resolved": "https://registry.npmjs.org/eslint-plugin-react-hooks/-/eslint-plugin-react-hooks-7.0.1.tgz",
             "integrity": "sha512-O0d0m04evaNzEPoSW+59Mezf8Qt0InfgGIBJnpC0h3NH/WjUAR7BIKUfysC6todmtiZ/A0oUVS8Gce0WhBrHsA==",
@@ -12823,7 +12631,67 @@
                 "eslint": "^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0-0 || ^9.0.0"
             }
         },
-        "node_modules/eslint-plugin-react-hooks/node_modules/zod-validation-error": {
+        "node_modules/eslint-config-next/node_modules/globals": {
+            "version": "16.4.0",
+            "resolved": "https://registry.npmjs.org/globals/-/globals-16.4.0.tgz",
+            "integrity": "sha512-ob/2LcVVaVGCYN+r14cnwnoDPUufjiYgSqRhiFD0Q1iI4Odora5RE8Iv1D24hAz5oMophRGkGz+yuvQmmUMnMw==",
+            "dev": true,
+            "license": "MIT",
+            "engines": {
+                "node": ">=18"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/sindresorhus"
+            }
+        },
+        "node_modules/eslint-config-next/node_modules/minimatch": {
+            "version": "3.1.5",
+            "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+            "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
+            "dev": true,
+            "license": "ISC",
+            "dependencies": {
+                "brace-expansion": "^1.1.7"
+            },
+            "engines": {
+                "node": "*"
+            }
+        },
+        "node_modules/eslint-config-next/node_modules/resolve": {
+            "version": "2.0.0-next.6",
+            "resolved": "https://registry.npmjs.org/resolve/-/resolve-2.0.0-next.6.tgz",
+            "integrity": "sha512-3JmVl5hMGtJ3kMmB3zi3DL25KfkCEyy3Tw7Gmw7z5w8M9WlwoPFnIvwChzu1+cF3iaK3sp18hhPz8ANeimdJfA==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "es-errors": "^1.3.0",
+                "is-core-module": "^2.16.1",
+                "node-exports-info": "^1.6.0",
+                "object-keys": "^1.1.1",
+                "path-parse": "^1.0.7",
+                "supports-preserve-symlinks-flag": "^1.0.0"
+            },
+            "bin": {
+                "resolve": "bin/resolve"
+            },
+            "engines": {
+                "node": ">= 0.4"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/ljharb"
+            }
+        },
+        "node_modules/eslint-config-next/node_modules/semver": {
+            "version": "6.3.1",
+            "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+            "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
+            "dev": true,
+            "license": "ISC",
+            "bin": {
+                "semver": "bin/semver.js"
+            }
+        },
+        "node_modules/eslint-config-next/node_modules/zod-validation-error": {
             "version": "4.0.2",
             "resolved": "https://registry.npmjs.org/zod-validation-error/-/zod-validation-error-4.0.2.tgz",
             "integrity": "sha512-Q6/nZLe6jxuU80qb/4uJ4t5v2VEZ44lzQjPDhYJNztRQ4wyWc6VF3D3Kb/fAuPetZQnhS3hnajCf9CsWesghLQ==",
@@ -12836,86 +12704,110 @@
                 "zod": "^3.25.0 || ^4.0.0"
             }
         },
-        "node_modules/eslint-plugin-react/node_modules/resolve": {
-            "version": "2.0.0-next.5",
-            "resolved": "https://registry.npmjs.org/resolve/-/resolve-2.0.0-next.5.tgz",
-            "integrity": "sha512-U7WjGVG9sH8tvjW5SmGbQuui75FiyjAX72HX15DwBBwF9dNiQZRQAg9nnPhYy+TUnE0+VcrttuvNI8oSxZcocA==",
+        "node_modules/eslint-import-resolver-node": {
+            "version": "0.3.9",
+            "resolved": "https://registry.npmjs.org/eslint-import-resolver-node/-/eslint-import-resolver-node-0.3.9.tgz",
+            "integrity": "sha512-WFj2isz22JahUv+B788TlO3N6zL3nNJGU8CcZbPZvVEkBPaJdCV4vy5wyghty5ROFbCRnm132v8BScu5/1BQ8g==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
+                "debug": "^3.2.7",
                 "is-core-module": "^2.13.0",
-                "path-parse": "^1.0.7",
-                "supports-preserve-symlinks-flag": "^1.0.0"
-            },
-            "bin": {
-                "resolve": "bin/resolve"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/ljharb"
+                "resolve": "^1.22.4"
             }
         },
-        "node_modules/eslint-plugin-react/node_modules/semver": {
-            "version": "6.3.1",
-            "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
-            "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
+        "node_modules/eslint-import-resolver-node/node_modules/debug": {
+            "version": "3.2.7",
+            "resolved": "https://registry.npmjs.org/debug/-/debug-3.2.7.tgz",
+            "integrity": "sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==",
             "dev": true,
-            "license": "ISC",
-            "bin": {
-                "semver": "bin/semver.js"
+            "license": "MIT",
+            "dependencies": {
+                "ms": "^2.1.1"
+            }
+        },
+        "node_modules/eslint-module-utils": {
+            "version": "2.12.1",
+            "resolved": "https://registry.npmjs.org/eslint-module-utils/-/eslint-module-utils-2.12.1.tgz",
+            "integrity": "sha512-L8jSWTze7K2mTg0vos/RuLRS5soomksDPoJLXIslC7c8Wmut3bx7CPpJijDcBZtxQ5lrbUdM+s0OlNbz0DCDNw==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "debug": "^3.2.7"
+            },
+            "engines": {
+                "node": ">=4"
+            },
+            "peerDependenciesMeta": {
+                "eslint": {
+                    "optional": true
+                }
+            }
+        },
+        "node_modules/eslint-module-utils/node_modules/debug": {
+            "version": "3.2.7",
+            "resolved": "https://registry.npmjs.org/debug/-/debug-3.2.7.tgz",
+            "integrity": "sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "ms": "^2.1.1"
             }
         },
         "node_modules/eslint-scope": {
-            "version": "8.4.0",
-            "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-8.4.0.tgz",
-            "integrity": "sha512-sNXOfKCn74rt8RICKMvJS7XKV/Xk9kA7DyJr8mJik3S7Cwgy3qlkkmyS2uQB3jiJg6VNdZd/pDBJu0nvG2NlTg==",
+            "version": "9.1.2",
+            "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-9.1.2.tgz",
+            "integrity": "sha512-xS90H51cKw0jltxmvmHy2Iai1LIqrfbw57b79w/J7MfvDfkIkFZ+kj6zC3BjtUwh150HsSSdxXZcsuv72miDFQ==",
             "dev": true,
             "license": "BSD-2-Clause",
             "dependencies": {
+                "@types/esrecurse": "^4.3.1",
+                "@types/estree": "^1.0.8",
                 "esrecurse": "^4.3.0",
                 "estraverse": "^5.2.0"
             },
             "engines": {
-                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+                "node": "^20.19.0 || ^22.13.0 || >=24"
             },
             "funding": {
                 "url": "https://opencollective.com/eslint"
             }
         },
         "node_modules/eslint-visitor-keys": {
-            "version": "4.2.1",
-            "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-4.2.1.tgz",
-            "integrity": "sha512-Uhdk5sfqcee/9H/rCOJikYz67o0a2Tw2hGRPOG2Y1R2dg7brRe1uG0yaNQDHu+TO/uQPF/5eCapvYSmHUjt7JQ==",
+            "version": "5.0.1",
+            "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-5.0.1.tgz",
+            "integrity": "sha512-tD40eHxA35h0PEIZNeIjkHoDR4YjjJp34biM0mDvplBe//mB+IHCqHDGV7pxF+7MklTvighcCPPZC7ynWyjdTA==",
             "dev": true,
             "license": "Apache-2.0",
             "engines": {
-                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+                "node": "^20.19.0 || ^22.13.0 || >=24"
             },
             "funding": {
                 "url": "https://opencollective.com/eslint"
             }
         },
         "node_modules/espree": {
-            "version": "10.4.0",
-            "resolved": "https://registry.npmjs.org/espree/-/espree-10.4.0.tgz",
-            "integrity": "sha512-j6PAQ2uUr79PZhBjP5C5fhl8e39FmRnOjsD5lGnWrFU8i2G776tBK7+nP8KuQUTTyAZUwfQqXAgrVH5MbH9CYQ==",
+            "version": "11.2.0",
+            "resolved": "https://registry.npmjs.org/espree/-/espree-11.2.0.tgz",
+            "integrity": "sha512-7p3DrVEIopW1B1avAGLuCSh1jubc01H2JHc8B4qqGblmg5gI9yumBgACjWo4JlIc04ufug4xJ3SQI8HkS/Rgzw==",
             "dev": true,
             "license": "BSD-2-Clause",
             "dependencies": {
-                "acorn": "^8.15.0",
+                "acorn": "^8.16.0",
                 "acorn-jsx": "^5.3.2",
-                "eslint-visitor-keys": "^4.2.1"
+                "eslint-visitor-keys": "^5.0.1"
             },
             "engines": {
-                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+                "node": "^20.19.0 || ^22.13.0 || >=24"
             },
             "funding": {
                 "url": "https://opencollective.com/eslint"
             }
         },
         "node_modules/esquery": {
-            "version": "1.6.0",
-            "resolved": "https://registry.npmjs.org/esquery/-/esquery-1.6.0.tgz",
-            "integrity": "sha512-ca9pw9fomFcKPvFLXhBKUK90ZvGibiGOvRJNbjljY7s7uq/5YO4BOzcYtJqExdx99rF6aAcnRxHmcUHcz6sQsg==",
+            "version": "1.7.0",
+            "resolved": "https://registry.npmjs.org/esquery/-/esquery-1.7.0.tgz",
+            "integrity": "sha512-Ap6G0WQwcU/LHsvLwON1fAQX9Zp0A2Y6Y/cJBl9r/JbW90Zyg4/zbG6zzKa2OTALELarYHmKu0GhpM5EO+7T0g==",
             "dev": true,
             "license": "BSD-3-Clause",
             "dependencies": {
@@ -13683,42 +13575,6 @@
                 "node": ">=10.13.0"
             }
         },
-        "node_modules/glob/node_modules/balanced-match": {
-            "version": "4.0.4",
-            "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.4.tgz",
-            "integrity": "sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==",
-            "license": "MIT",
-            "engines": {
-                "node": "18 || 20 || >=22"
-            }
-        },
-        "node_modules/glob/node_modules/brace-expansion": {
-            "version": "5.0.3",
-            "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.3.tgz",
-            "integrity": "sha512-fy6KJm2RawA5RcHkLa1z/ScpBeA762UF9KmZQxwIbDtRJrgLzM10depAiEQ+CXYcoiqW1/m96OAAoke2nE9EeA==",
-            "license": "MIT",
-            "dependencies": {
-                "balanced-match": "^4.0.2"
-            },
-            "engines": {
-                "node": "18 || 20 || >=22"
-            }
-        },
-        "node_modules/glob/node_modules/minimatch": {
-            "version": "10.2.3",
-            "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.3.tgz",
-            "integrity": "sha512-Rwi3pnapEqirPSbWbrZaa6N3nmqq4Xer/2XooiOKyV3q12ML06f7MOuc5DVH8ONZIFhwIYQ3yzPH4nt7iWHaTg==",
-            "license": "BlueOak-1.0.0",
-            "dependencies": {
-                "brace-expansion": "^5.0.2"
-            },
-            "engines": {
-                "node": "18 || 20 || >=22"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/isaacs"
-            }
-        },
         "node_modules/globals": {
             "version": "11.12.0",
             "resolved": "https://registry.npmjs.org/globals/-/globals-11.12.0.tgz",
@@ -13799,16 +13655,6 @@
                 "url": "https://github.com/sponsors/ljharb"
             }
         },
-        "node_modules/has-flag": {
-            "version": "4.0.0",
-            "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz",
-            "integrity": "sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">=8"
-            }
-        },
         "node_modules/has-property-descriptors": {
             "version": "1.0.2",
             "resolved": "https://registry.npmjs.org/has-property-descriptors/-/has-property-descriptors-1.0.2.tgz",
@@ -14025,23 +13871,6 @@
                 "node": ">= 4"
             }
         },
-        "node_modules/import-fresh": {
-            "version": "3.3.1",
-            "resolved": "https://registry.npmjs.org/import-fresh/-/import-fresh-3.3.1.tgz",
-            "integrity": "sha512-TR3KfrTZTYLPB6jUjfx6MF9WcWrHL9su5TObK4ZkYgBdWKPOFoSoQIdEuTuR82pmtxH2spWG9h6etwfr1pLBqQ==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "parent-module": "^1.0.0",
-                "resolve-from": "^4.0.0"
-            },
-            "engines": {
-                "node": ">=6"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/sindresorhus"
-            }
-        },
         "node_modules/imurmurhash": {
             "version": "0.1.4",
             "resolved": "https://registry.npmjs.org/imurmurhash/-/imurmurhash-0.1.4.tgz",
@@ -15173,13 +15002,6 @@
             "integrity": "sha512-0wJxfxH1wgO3GrbuP+dTTk7op+6L41QCXbGINEmD+ny/G/eCqGzxyCsh7159S+mgDDcoarnBw6PC1PS5+wUGgw==",
             "license": "MIT"
         },
-        "node_modules/lodash.merge": {
-            "version": "4.6.2",
-            "resolved": "https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.2.tgz",
-            "integrity": "sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==",
-            "dev": true,
-            "license": "MIT"
-        },
         "node_modules/lodash.once": {
             "version": "4.1.1",
             "resolved": "https://registry.npmjs.org/lodash.once/-/lodash.once-4.1.1.tgz",
@@ -15435,16 +15257,18 @@
             }
         },
         "node_modules/minimatch": {
-            "version": "3.1.4",
-            "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.4.tgz",
-            "integrity": "sha512-twmL+S8+7yIsE9wsqgzU3E8/LumN3M3QELrBZ20OdmQ9jB2JvW5oZtBEmft84k/Gs5CG9mqtWc6Y9vW+JEzGxw==",
-            "dev": true,
-            "license": "ISC",
+            "version": "10.2.4",
+            "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.4.tgz",
+            "integrity": "sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==",
+            "license": "BlueOak-1.0.0",
             "dependencies": {
-                "brace-expansion": "^1.1.7"
+                "brace-expansion": "^5.0.2"
             },
             "engines": {
-                "node": "*"
+                "node": "18 || 20 || >=22"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/isaacs"
             }
         },
         "node_modules/minimist": {
@@ -15774,10 +15598,39 @@
                 "node": ">= 8.0.0"
             }
         },
+        "node_modules/node-exports-info": {
+            "version": "1.6.0",
+            "resolved": "https://registry.npmjs.org/node-exports-info/-/node-exports-info-1.6.0.tgz",
+            "integrity": "sha512-pyFS63ptit/P5WqUkt+UUfe+4oevH+bFeIiPPdfb0pFeYEu/1ELnJu5l+5EcTKYL5M7zaAa7S8ddywgXypqKCw==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "array.prototype.flatmap": "^1.3.3",
+                "es-errors": "^1.3.0",
+                "object.entries": "^1.1.9",
+                "semver": "^6.3.1"
+            },
+            "engines": {
+                "node": ">= 0.4"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/ljharb"
+            }
+        },
+        "node_modules/node-exports-info/node_modules/semver": {
+            "version": "6.3.1",
+            "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+            "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
+            "dev": true,
+            "license": "ISC",
+            "bin": {
+                "semver": "bin/semver.js"
+            }
+        },
         "node_modules/node-releases": {
-            "version": "2.0.27",
-            "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.27.tgz",
-            "integrity": "sha512-nmh3lCkYZ3grZvqcCH+fjmQ7X+H0OeZgP40OierEaAptX4XofMh5kwNbWh7lBduUzCcV/8kZ+NDLCwm2iorIlA==",
+            "version": "2.0.36",
+            "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.36.tgz",
+            "integrity": "sha512-TdC8FSgHz8Mwtw9g5L4gR/Sh9XhSP/0DEkQxfEFXOpiul5IiHgHan2VhYYb6agDSfp4KuvltmGApc8HMgUrIkA==",
             "dev": true,
             "license": "MIT"
         },
@@ -16394,19 +16247,6 @@
                 "url": "https://github.com/sponsors/sindresorhus"
             }
         },
-        "node_modules/parent-module": {
-            "version": "1.0.1",
-            "resolved": "https://registry.npmjs.org/parent-module/-/parent-module-1.0.1.tgz",
-            "integrity": "sha512-GQ2EWRpQV8/o+Aw8YqtfZZPfNRWZYkbidE9k5rpl/hC3vtHHBfGm2Ifi6qWV+coDGkrUKZAxE3Lot5kcsRlh+g==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "callsites": "^3.0.0"
-            },
-            "engines": {
-                "node": ">=6"
-            }
-        },
         "node_modules/parseley": {
             "version": "0.12.1",
             "resolved": "https://registry.npmjs.org/parseley/-/parseley-0.12.1.tgz",
@@ -17697,16 +17537,6 @@
                 "url": "https://github.com/sponsors/ljharb"
             }
         },
-        "node_modules/resolve-from": {
-            "version": "4.0.0",
-            "resolved": "https://registry.npmjs.org/resolve-from/-/resolve-from-4.0.0.tgz",
-            "integrity": "sha512-pb/MYmXstAkysRFx8piNI1tGFNQIFA3vkE3Gq4EuA1dF6gHp/+vgZqsCGJapvy8N3Q+4o7FwvquPJcnZ7RYy4g==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">=4"
-            }
-        },
         "node_modules/resolve-pkg-maps": {
             "version": "1.0.0",
             "resolved": "https://registry.npmjs.org/resolve-pkg-maps/-/resolve-pkg-maps-1.0.0.tgz",
@@ -18741,19 +18571,6 @@
                 }
             }
         },
-        "node_modules/supports-color": {
-            "version": "7.2.0",
-            "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz",
-            "integrity": "sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "has-flag": "^4.0.0"
-            },
-            "engines": {
-                "node": ">=8"
-            }
-        },
         "node_modules/supports-preserve-symlinks-flag": {
             "version": "1.0.0",
             "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz",
@@ -19438,9 +19255,9 @@
             }
         },
         "node_modules/update-browserslist-db": {
-            "version": "1.2.2",
-            "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.2.2.tgz",
-            "integrity": "sha512-E85pfNzMQ9jpKkA7+TJAi4TJN+tBCuWh5rUcS/sv6cFi+1q9LYDwDI5dpUL0u/73EElyQ8d3TEaeW4sPedBqYA==",
+            "version": "1.2.3",
+            "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.2.3.tgz",
+            "integrity": "sha512-Js0m9cx+qOgDxo0eMiFGEueWztz+d4+M3rGlmKPT+T4IS/jP4ylw3Nwpu6cpTTP8R1MAC1kF4VbdLt3ARf209w==",
             "dev": true,
             "funding": [
                 {
diff --git a/package.json b/package.json
index 62cf11cfa..05ae3b49f 100644
--- a/package.json
+++ b/package.json
@@ -162,7 +162,7 @@
         "drizzle-kit": "0.31.10",
         "esbuild": "0.27.3",
         "esbuild-node-externals": "1.20.1",
-        "eslint": "9.39.2",
+        "eslint": "10.0.3",
         "eslint-config-next": "16.1.7",
         "postcss": "8.5.8",
         "prettier": "3.8.1",

From 0c3dc1ad145bde8c2d51fff53dccf279e8331733 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 18 Mar 2026 22:30:09 +0000
Subject: [PATCH 028/314] Bump fast-xml-parser and @aws-sdk/xml-builder

Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) and [@aws-sdk/xml-builder](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/packages-internal/xml-builder). These dependencies needed to be updated together.

Updates `fast-xml-parser` from 5.4.1 to 5.5.6
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.4.1...v5.5.6)

Updates `@aws-sdk/xml-builder` from 3.972.10 to 3.972.12
- [Release notes](https://github.com/aws/aws-sdk-js-v3/releases)
- [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/packages-internal/xml-builder/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-js-v3/commits/HEAD/packages-internal/xml-builder)

---
updated-dependencies:
- dependency-name: fast-xml-parser
  dependency-version: 5.5.6
  dependency-type: indirect
- dependency-name: "@aws-sdk/xml-builder"
  dependency-version: 3.972.12
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 package-lock.json | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 642dc8f27..7b63f1691 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1005,13 +1005,13 @@
             }
         },
         "node_modules/@aws-sdk/xml-builder": {
-            "version": "3.972.11",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/xml-builder/-/xml-builder-3.972.11.tgz",
-            "integrity": "sha512-iitV/gZKQMvY9d7ovmyFnFuTHbBAtrmLnvaSb/3X8vOKyevwtpmEtyc8AdhVWZe0pI/1GsHxlEvQeOePFzy7KQ==",
+            "version": "3.972.12",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/xml-builder/-/xml-builder-3.972.12.tgz",
+            "integrity": "sha512-xjyucfn+F+kMf25c+LIUnvX3oyLSlj9T0Vncs5WMQI6G36JdnSwC8g0qf8RajfmSClXr660EpTz7FFKluZ4BqQ==",
             "license": "Apache-2.0",
             "dependencies": {
                 "@smithy/types": "^4.13.1",
-                "fast-xml-parser": "5.4.1",
+                "fast-xml-parser": "5.5.6",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -13083,9 +13083,9 @@
             }
         },
         "node_modules/fast-xml-parser": {
-            "version": "5.4.1",
-            "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.4.1.tgz",
-            "integrity": "sha512-BQ30U1mKkvXQXXkAGcuyUA/GA26oEB7NzOtsxCDtyu62sjGw5QraKFhx2Em3WQNjPw9PG6MQ9yuIIgkSDfGu5A==",
+            "version": "5.5.6",
+            "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.5.6.tgz",
+            "integrity": "sha512-3+fdZyBRVg29n4rXP0joHthhcHdPUHaIC16cuyyd1iLsuaO6Vea36MPrxgAzbZna8lhvZeRL8Bc9GP56/J9xEw==",
             "funding": [
                 {
                     "type": "github",
@@ -13094,7 +13094,8 @@
             ],
             "license": "MIT",
             "dependencies": {
-                "fast-xml-builder": "^1.0.0",
+                "fast-xml-builder": "^1.1.4",
+                "path-expression-matcher": "^1.1.3",
                 "strnum": "^2.1.2"
             },
             "bin": {

From 722595c1319535fa02d904794a205f1d8d926ae2 Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Thu, 19 Mar 2026 00:35:26 +0100
Subject: [PATCH 029/314] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20=20make=20site=20s?=
 =?UTF-8?q?elector=20popover=20its=20own=20component?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../resource-target-address-item.tsx          | 80 +++-------------
 src/components/site-selector.tsx              | 91 +++++++++++++++++++
 2 files changed, 104 insertions(+), 67 deletions(-)
 create mode 100644 src/components/site-selector.tsx

diff --git a/src/components/resource-target-address-item.tsx b/src/components/resource-target-address-item.tsx
index dfefc3bf2..851b64b54 100644
--- a/src/components/resource-target-address-item.tsx
+++ b/src/components/resource-target-address-item.tsx
@@ -23,6 +23,7 @@ import {
 import { Input } from "./ui/input";
 import { Popover, PopoverContent, PopoverTrigger } from "./ui/popover";
 import { Select, SelectContent, SelectItem, SelectTrigger } from "./ui/select";
+import { SitesSelector } from "./site-selector";
 
 type SiteWithUpdateAvailable = ListSitesResponse["sites"][number];
 
@@ -54,16 +55,6 @@ export function ResourceTargetAddressItem({
 }: ResourceTargetAddressItemProps) {
     const t = useTranslations();
 
-    const [siteSearchQuery, setSiteSearchQuery] = useState("");
-
-    const { data: sites = [] } = useQuery(
-        orgQueries.sites({
-            orgId,
-            query: siteSearchQuery,
-            perPage: 10
-        })
-    );
-
     const [selectedSite, setSelectedSite] = useState<Pick<
         SiteWithUpdateAvailable,
         "name" | "siteId" | "type"
@@ -82,22 +73,6 @@ export function ResourceTargetAddressItem({
         return null;
     });
 
-    const sitesShown = useMemo(() => {
-        const allSites: Array<
-            Pick<SiteWithUpdateAvailable, "name" | "siteId" | "type">
-        > = [...sites];
-        if (
-            selectedSite !== null &&
-            !(
-                allSites.find((site) => site.siteId)?.siteId ===
-                selectedSite?.siteId
-            )
-        ) {
-            allSites.unshift(selectedSite);
-        }
-        return allSites;
-    }, [sites, selectedSite]);
-
     const handleContainerSelectForTarget = (
         hostname: string,
         port?: number
@@ -150,47 +125,18 @@ export function ResourceTargetAddressItem({
                         </Button>
                     </PopoverTrigger>
                     <PopoverContent className="p-0 w-45">
-                        <Command shouldFilter={false}>
-                            <CommandInput
-                                placeholder={t("siteSearch")}
-                                value={siteSearchQuery}
-                                onValueChange={(v) => setSiteSearchQuery(v)}
-                            />
-                            <CommandList>
-                                <CommandEmpty>{t("siteNotFound")}</CommandEmpty>
-                                <CommandGroup>
-                                    {sitesShown.map((site) => (
-                                        <CommandItem
-                                            key={site.siteId}
-                                            value={`${site.siteId}:${site.name}`}
-                                            onSelect={() => {
-                                                updateTarget(
-                                                    proxyTarget.targetId,
-                                                    {
-                                                        siteId: site.siteId,
-                                                        siteType: site.type,
-                                                        siteName: site.name
-                                                    }
-                                                );
-
-                                                setSelectedSite(site);
-                                            }}
-                                        >
-                                            <CheckIcon
-                                                className={cn(
-                                                    "mr-2 h-4 w-4",
-                                                    site.siteId ===
-                                                        proxyTarget.siteId
-                                                        ? "opacity-100"
-                                                        : "opacity-0"
-                                                )}
-                                            />
-                                            {site.name}
-                                        </CommandItem>
-                                    ))}
-                                </CommandGroup>
-                            </CommandList>
-                        </Command>
+                        <SitesSelector
+                            orgId={orgId}
+                            selectedSite={selectedSite}
+                            onSelectSite={(site) => {
+                                updateTarget(proxyTarget.targetId, {
+                                    siteId: site.siteId,
+                                    siteType: site.type,
+                                    siteName: site.name
+                                });
+                                setSelectedSite(site);
+                            }}
+                        />
                     </PopoverContent>
                 </Popover>
 
diff --git a/src/components/site-selector.tsx b/src/components/site-selector.tsx
new file mode 100644
index 000000000..9b7d44034
--- /dev/null
+++ b/src/components/site-selector.tsx
@@ -0,0 +1,91 @@
+import { orgQueries } from "@app/lib/queries";
+import type { ListSitesResponse } from "@server/routers/site";
+import { useQuery } from "@tanstack/react-query";
+import { useMemo, useState } from "react";
+import {
+    Command,
+    CommandEmpty,
+    CommandGroup,
+    CommandInput,
+    CommandItem,
+    CommandList
+} from "./ui/command";
+import { cn } from "@app/lib/cn";
+import { CheckIcon } from "lucide-react";
+import { useTranslations } from "next-intl";
+import { useDebounce } from "use-debounce";
+
+type Selectedsite = Pick<
+    ListSitesResponse["sites"][number],
+    "name" | "siteId" | "type"
+>;
+
+export type SitesSelectorProps = {
+    orgId: string;
+    selectedSite?: Selectedsite | null;
+    onSelectSite: (selected: Selectedsite) => void;
+};
+
+export function SitesSelector({
+    orgId,
+    selectedSite,
+    onSelectSite
+}: SitesSelectorProps) {
+    const t = useTranslations();
+    const [siteSearchQuery, setSiteSearchQuery] = useState("");
+    const [debouncedQuery] = useDebounce(siteSearchQuery, 150);
+
+    const { data: sites = [] } = useQuery(
+        orgQueries.sites({
+            orgId,
+            query: debouncedQuery,
+            perPage: 10
+        })
+    );
+
+    // always include the selected site in the list of sites shown
+    const sitesShown = useMemo(() => {
+        const allSites: Array<Selectedsite> = [...sites];
+        if (
+            selectedSite &&
+            !allSites.find((site) => site.siteId === selectedSite?.siteId)
+        ) {
+            allSites.unshift(selectedSite);
+        }
+        return allSites;
+    }, [sites, selectedSite]);
+
+    return (
+        <Command shouldFilter={false}>
+            <CommandInput
+                placeholder={t("siteSearch")}
+                value={siteSearchQuery}
+                onValueChange={(v) => setSiteSearchQuery(v)}
+            />
+            <CommandList>
+                <CommandEmpty>{t("siteNotFound")}</CommandEmpty>
+                <CommandGroup>
+                    {sitesShown.map((site) => (
+                        <CommandItem
+                            key={site.siteId}
+                            value={`${site.siteId}:${site.name}`}
+                            onSelect={() => {
+                                onSelectSite(site);
+                            }}
+                        >
+                            <CheckIcon
+                                className={cn(
+                                    "mr-2 h-4 w-4",
+                                    site.siteId === selectedSite?.siteId
+                                        ? "opacity-100"
+                                        : "opacity-0"
+                                )}
+                            />
+                            {site.name}
+                        </CommandItem>
+                    ))}
+                </CommandGroup>
+            </CommandList>
+        </Command>
+    );
+}

From 8f33e25782b1dccb80997014d321bc2258b2a3c9 Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Thu, 19 Mar 2026 01:18:27 +0100
Subject: [PATCH 030/314] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20use=20site=20selec?=
 =?UTF-8?q?tor=20on=20private=20resources?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/components/InternalResourceForm.tsx | 81 +++++++------------------
 src/components/site-selector.tsx        |  2 +-
 2 files changed, 24 insertions(+), 59 deletions(-)

diff --git a/src/components/InternalResourceForm.tsx b/src/components/InternalResourceForm.tsx
index 6df1aceb7..fa1ee22d3 100644
--- a/src/components/InternalResourceForm.tsx
+++ b/src/components/InternalResourceForm.tsx
@@ -1,15 +1,10 @@
 "use client";
 
+import { HorizontalTabs } from "@app/components/HorizontalTabs";
+import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
+import { StrategySelect } from "@app/components/StrategySelect";
 import { Tag, TagInput } from "@app/components/tags/tag-input";
 import { Button } from "@app/components/ui/button";
-import {
-    Command,
-    CommandEmpty,
-    CommandGroup,
-    CommandInput,
-    CommandItem,
-    CommandList
-} from "@app/components/ui/command";
 import {
     Form,
     FormControl,
@@ -32,24 +27,22 @@ import {
     SelectValue
 } from "@app/components/ui/select";
 import { Switch } from "@app/components/ui/switch";
-import { getUserDisplayName } from "@app/lib/getUserDisplayName";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { cn } from "@app/lib/cn";
+import { getUserDisplayName } from "@app/lib/getUserDisplayName";
 import { orgQueries, resourceQueries } from "@app/lib/queries";
-import { useQueries, useQuery } from "@tanstack/react-query";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import { ListSitesResponse } from "@server/routers/site";
 import { UserType } from "@server/types/UserTypes";
-import { Check, ChevronsUpDown, ExternalLink } from "lucide-react";
+import { useQuery } from "@tanstack/react-query";
+import { ChevronsUpDown, ExternalLink } from "lucide-react";
 import { useTranslations } from "next-intl";
 import { useEffect, useRef, useState } from "react";
 import { useForm } from "react-hook-form";
 import { z } from "zod";
-import { zodResolver } from "@hookform/resolvers/zod";
-import { useEnvContext } from "@app/hooks/useEnvContext";
-import { usePaidStatus } from "@app/hooks/usePaidStatus";
-import { tierMatrix } from "@server/lib/billing/tierMatrix";
-import { HorizontalTabs } from "@app/components/HorizontalTabs";
-import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
-import { StrategySelect } from "@app/components/StrategySelect";
+import { SitesSelector, type Selectedsite } from "./site-selector";
 
 // --- Helpers (shared) ---
 
@@ -407,6 +400,10 @@ export function InternalResourceForm({
                   clients: []
               };
 
+    const [selectedSite, setSelectedSite] = useState<Selectedsite>(
+        availableSites[0]
+    );
+
     const form = useForm<FormData>({
         resolver: zodResolver(formSchema),
         defaultValues
@@ -578,46 +575,14 @@ export function InternalResourceForm({
                                         </FormControl>
                                     </PopoverTrigger>
                                     <PopoverContent className="w-full p-0">
-                                        <Command>
-                                            <CommandInput
-                                                placeholder={t("searchSites")}
-                                            />
-                                            <CommandList>
-                                                <CommandEmpty>
-                                                    {t("noSitesFound")}
-                                                </CommandEmpty>
-                                                <CommandGroup>
-                                                    {availableSites.map(
-                                                        (site) => (
-                                                            <CommandItem
-                                                                key={
-                                                                    site.siteId
-                                                                }
-                                                                value={
-                                                                    site.name
-                                                                }
-                                                                onSelect={() =>
-                                                                    field.onChange(
-                                                                        site.siteId
-                                                                    )
-                                                                }
-                                                            >
-                                                                <Check
-                                                                    className={cn(
-                                                                        "mr-2 h-4 w-4",
-                                                                        field.value ===
-                                                                            site.siteId
-                                                                            ? "opacity-100"
-                                                                            : "opacity-0"
-                                                                    )}
-                                                                />
-                                                                {site.name}
-                                                            </CommandItem>
-                                                        )
-                                                    )}
-                                                </CommandGroup>
-                                            </CommandList>
-                                        </Command>
+                                        <SitesSelector
+                                            orgId={orgId}
+                                            selectedSite={selectedSite}
+                                            onSelectSite={(site) => {
+                                                setSelectedSite(site);
+                                                field.onChange(site.siteId);
+                                            }}
+                                        />
                                     </PopoverContent>
                                 </Popover>
                                 <FormMessage />
diff --git a/src/components/site-selector.tsx b/src/components/site-selector.tsx
index 9b7d44034..0afd94c9a 100644
--- a/src/components/site-selector.tsx
+++ b/src/components/site-selector.tsx
@@ -15,7 +15,7 @@ import { CheckIcon } from "lucide-react";
 import { useTranslations } from "next-intl";
 import { useDebounce } from "use-debounce";
 
-type Selectedsite = Pick<
+export type Selectedsite = Pick<
     ListSitesResponse["sites"][number],
     "name" | "siteId" | "type"
 >;

From e15703164d231c284090ee04e86b48a7e357cfe5 Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Thu, 19 Mar 2026 04:44:24 +0100
Subject: [PATCH 031/314] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20resource=20selecto?=
 =?UTF-8?q?r=20in=20create=20share=20link=20form?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/components/CreateShareLinkForm.tsx | 83 +++++++++++++++++---------
 src/components/resource-selector.tsx   | 81 +++++++++++++++++++++++++
 src/lib/queries.ts                     | 18 +++++-
 3 files changed, 151 insertions(+), 31 deletions(-)
 create mode 100644 src/components/resource-selector.tsx

diff --git a/src/components/CreateShareLinkForm.tsx b/src/components/CreateShareLinkForm.tsx
index 2f6f9aff2..fef1fb0e1 100644
--- a/src/components/CreateShareLinkForm.tsx
+++ b/src/components/CreateShareLinkForm.tsx
@@ -69,6 +69,7 @@ import {
 import AccessTokenSection from "@app/components/AccessTokenUsage";
 import { useTranslations } from "next-intl";
 import { toUnicode } from "punycode";
+import { ResourceSelector, type SelectedResource } from "./resource-selector";
 
 type FormProps = {
     open: boolean;
@@ -99,18 +100,21 @@ export default function CreateShareLinkForm({
         orgQueries.resources({ orgId: org?.org.orgId ?? "" })
     );
 
-    const resources = useMemo(
-        () =>
-            allResources
-                .filter((r) => r.http)
-                .map((r) => ({
-                    resourceId: r.resourceId,
-                    name: r.name,
-                    niceId: r.niceId,
-                    resourceUrl: `${r.ssl ? "https://" : "http://"}${toUnicode(r.fullDomain || "")}/`
-                })),
-        [allResources]
-    );
+    const [selectedResource, setSelectedResource] =
+        useState<SelectedResource | null>(null);
+
+    // const resources = useMemo(
+    //     () =>
+    //         allResources
+    //             .filter((r) => r.http)
+    //             .map((r) => ({
+    //                 resourceId: r.resourceId,
+    //                 name: r.name,
+    //                 niceId: r.niceId,
+    //                 resourceUrl: `${r.ssl ? "https://" : "http://"}${toUnicode(r.fullDomain || "")}/`
+    //             })),
+    //     [allResources]
+    // );
 
     const formSchema = z.object({
         resourceId: z.number({ message: t("shareErrorSelectResource") }),
@@ -199,15 +203,11 @@ export default function CreateShareLinkForm({
             setAccessToken(token.accessToken);
             setAccessTokenId(token.accessTokenId);
 
-            const resource = resources.find(
-                (r) => r.resourceId === values.resourceId
-            );
-
             onCreated?.({
                 accessTokenId: token.accessTokenId,
                 resourceId: token.resourceId,
                 resourceName: values.resourceName,
-                resourceNiceId: resource ? resource.niceId : "",
+                resourceNiceId: selectedResource ? selectedResource.niceId : "",
                 title: token.title,
                 createdAt: token.createdAt,
                 expiresAt: token.expiresAt
@@ -217,10 +217,10 @@ export default function CreateShareLinkForm({
         setLoading(false);
     }
 
-    function getSelectedResourceName(id: number) {
-        const resource = resources.find((r) => r.resourceId === id);
-        return `${resource?.name}`;
-    }
+    // function getSelectedResourceName(id: number) {
+    //     const resource = resources.find((r) => r.resourceId === id);
+    //     return `${resource?.name}`;
+    // }
 
     return (
         <>
@@ -241,7 +241,7 @@ export default function CreateShareLinkForm({
                         </CredenzaDescription>
                     </CredenzaHeader>
                     <CredenzaBody>
-                        <div className="space-y-4">
+                        <div className="flex flex-col gap-y-4 px-1">
                             {!link && (
                                 <Form {...form}>
                                     <form
@@ -269,10 +269,8 @@ export default function CreateShareLinkForm({
                                                                             "text-muted-foreground"
                                                                     )}
                                                                 >
-                                                                    {field.value
-                                                                        ? getSelectedResourceName(
-                                                                              field.value
-                                                                          )
+                                                                    {selectedResource?.name
+                                                                        ? selectedResource.name
                                                                         : t(
                                                                               "resourceSelect"
                                                                           )}
@@ -281,7 +279,7 @@ export default function CreateShareLinkForm({
                                                             </FormControl>
                                                         </PopoverTrigger>
                                                         <PopoverContent className="p-0">
-                                                            <Command>
+                                                            {/* <Command>
                                                                 <CommandInput
                                                                     placeholder={t(
                                                                         "resourceSearch"
@@ -333,7 +331,36 @@ export default function CreateShareLinkForm({
                                                                         )}
                                                                     </CommandGroup>
                                                                 </CommandList>
-                                                            </Command>
+                                                            </Command> */}
+
+                                                            <ResourceSelector
+                                                                orgId={
+                                                                    org.org
+                                                                        .orgId
+                                                                }
+                                                                selectedResource={
+                                                                    selectedResource
+                                                                }
+                                                                onSelectResource={(
+                                                                    r
+                                                                ) => {
+                                                                    form.setValue(
+                                                                        "resourceId",
+                                                                        r.resourceId
+                                                                    );
+                                                                    form.setValue(
+                                                                        "resourceName",
+                                                                        r.name
+                                                                    );
+                                                                    form.setValue(
+                                                                        "resourceUrl",
+                                                                        `${r.ssl ? "https://" : "http://"}${toUnicode(r.fullDomain || "")}/`
+                                                                    );
+                                                                    setSelectedResource(
+                                                                        r
+                                                                    );
+                                                                }}
+                                                            />
                                                         </PopoverContent>
                                                     </Popover>
                                                     <FormMessage />
diff --git a/src/components/resource-selector.tsx b/src/components/resource-selector.tsx
new file mode 100644
index 000000000..a940894b0
--- /dev/null
+++ b/src/components/resource-selector.tsx
@@ -0,0 +1,81 @@
+import { orgQueries } from "@app/lib/queries";
+import { useQuery } from "@tanstack/react-query";
+import {
+    Command,
+    CommandEmpty,
+    CommandGroup,
+    CommandInput,
+    CommandItem,
+    CommandList
+} from "./ui/command";
+import { useState } from "react";
+import { useTranslations } from "next-intl";
+import { CheckIcon } from "lucide-react";
+import { cn } from "@app/lib/cn";
+import type { ListResourcesResponse } from "@server/routers/resource";
+import { useDebounce } from "use-debounce";
+
+export type SelectedResource = Pick<
+    ListResourcesResponse["resources"][number],
+    "name" | "resourceId" | "fullDomain" | "niceId" | "ssl"
+>;
+
+export type ResourceSelectorProps = {
+    orgId: string;
+    selectedResource?: SelectedResource | null;
+    onSelectResource: (resource: SelectedResource) => void;
+};
+
+export function ResourceSelector({
+    orgId,
+    selectedResource,
+    onSelectResource
+}: ResourceSelectorProps) {
+    const t = useTranslations();
+    const [resourceSearchQuery, setResourceSearchQuery] = useState("");
+
+    const [debouncedSearchQuery] = useDebounce(resourceSearchQuery, 150);
+
+    const { data: resources = [] } = useQuery(
+        orgQueries.resources({
+            orgId: orgId,
+            query: debouncedSearchQuery,
+            perPage: 10
+        })
+    );
+
+    return (
+        <Command shouldFilter={false}>
+            <CommandInput
+                placeholder={t("resourceSearch")}
+                value={resourceSearchQuery}
+                onValueChange={setResourceSearchQuery}
+            />
+            <CommandList>
+                <CommandEmpty>{t("resourcesNotFound")}</CommandEmpty>
+                <CommandGroup>
+                    {resources.map((r) => (
+                        <CommandItem
+                            value={`${r.name}:${r.resourceId}`}
+                            key={r.resourceId}
+                            onSelect={() => {
+                                onSelectResource(r);
+                            }}
+                        >
+                            <CheckIcon
+                                className={cn(
+                                    "mr-2 h-4 w-4",
+                                    r.resourceId ===
+                                        selectedResource?.resourceId
+                                        ? "opacity-100"
+                                        : "opacity-0"
+                                )}
+                            />
+                            {`${r.name}`}
+                        </CommandItem>
+                    ))}
+                </CommandGroup>
+            </CommandList>
+        </Command>
+    );
+}
diff --git a/src/lib/queries.ts b/src/lib/queries.ts
index f6de28fc0..dfa706a88 100644
--- a/src/lib/queries.ts
+++ b/src/lib/queries.ts
@@ -191,14 +191,26 @@ export const orgQueries = {
             }
         }),
 
-    resources: ({ orgId }: { orgId: string }) =>
+    resources: ({
+        orgId,
+        query,
+        perPage = 10_000
+    }: {
+        orgId: string;
+        query?: string;
+        perPage?: number;
+    }) =>
         queryOptions({
-            queryKey: ["ORG", orgId, "RESOURCES"] as const,
+            queryKey: ["ORG", orgId, "RESOURCES", { query, perPage }] as const,
             queryFn: async ({ signal, meta }) => {
                 const sp = new URLSearchParams({
-                    pageSize: "10000"
+                    pageSize: perPage.toString()
                 });
 
+                if (query?.trim()) {
+                    sp.set("query", query);
+                }
+
                 const res = await meta!.api.get<
                     AxiosResponse<ListResourcesResponse>
                 >(`/org/${orgId}/resources?${sp.toString()}`, { signal });

From 26ab63d0e40fd6a2bd701503cfdc65ba38151886 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Thu, 19 Mar 2026 12:10:58 -0700
Subject: [PATCH 032/314] Adjust remote node language

---
 messages/en-US.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index 3d5352293..c9d47708a 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Proxy requests over HTTPS using a fully qualified domain name.",
     "resourceRaw": "Raw TCP/UDP Resource",
     "resourceRawDescription": "Proxy requests over raw TCP/UDP using a port number.",
-    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. REQUIRES THE USE OF A REMOTE NODE.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
     "resourceCreate": "Create Resource",
     "resourceCreateDescription": "Follow the steps below to create a new resource",
     "resourceSeeAll": "See All Resources",

From 991fed93eedddb0d560e80e54a8aef538f62447d Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Thu, 19 Mar 2026 14:26:14 -0700
Subject: [PATCH 033/314] Add warning when creating resource with provided

---
 messages/en-US.json                                  |  1 +
 .../[orgId]/settings/resources/proxy/create/page.tsx |  3 +++
 src/components/DomainPicker.tsx                      | 12 +++++++++++-
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index c9d47708a..dc84ec405 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -1427,6 +1427,7 @@
     "domainPickerNamespace": "Namespace: {namespace}",
     "domainPickerShowMore": "Show More",
     "regionSelectorTitle": "Select Region",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Selecting a region helps us provide better performance for your location. You do not have to be in the same region as your server.",
     "regionSelectorPlaceholder": "Choose a region",
     "regionSelectorComingSoon": "Coming Soon",
diff --git a/src/app/[orgId]/settings/resources/proxy/create/page.tsx b/src/app/[orgId]/settings/resources/proxy/create/page.tsx
index 4c8cb8443..fbc916479 100644
--- a/src/app/[orgId]/settings/resources/proxy/create/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/create/page.tsx
@@ -1109,6 +1109,9 @@ export default function Page() {
                                     <SettingsSectionBody>
                                         <DomainPicker
                                             orgId={orgId as string}
+                                            warnOnProvidedDomain={
+                                                remoteExitNodes.length >= 1
+                                            }
                                             onDomainChange={(res) => {
                                                 if (!res) return;
 
diff --git a/src/components/DomainPicker.tsx b/src/components/DomainPicker.tsx
index 82861d798..44446763b 100644
--- a/src/components/DomainPicker.tsx
+++ b/src/components/DomainPicker.tsx
@@ -79,6 +79,7 @@ interface DomainPickerProps {
     defaultFullDomain?: string | null;
     defaultSubdomain?: string | null;
     defaultDomainId?: string | null;
+    warnOnProvidedDomain?: boolean;
 }
 
 export default function DomainPicker({
@@ -88,7 +89,8 @@ export default function DomainPicker({
     hideFreeDomain = false,
     defaultSubdomain,
     defaultFullDomain,
-    defaultDomainId
+    defaultDomainId,
+    warnOnProvidedDomain = false
 }: DomainPickerProps) {
     const { env } = useEnvContext();
     const api = createApiClient({ env });
@@ -689,6 +691,14 @@ export default function DomainPicker({
 
             {showProvidedDomainSearch && (
                 <div className="space-y-4">
+                    {warnOnProvidedDomain && (
+                        <Alert variant="warning">
+                            <AlertCircle className="h-4 w-4" />
+                            <AlertDescription>
+                                {t("domainPickerRemoteExitNodeWarning")}
+                            </AlertDescription>
+                        </Alert>
+                    )}
                     {isChecking && (
                         <div className="flex items-center justify-center p-8">
                             <div className="flex items-center space-x-2 text-sm text-muted-foreground">

From f48d01acde78fd19d9e353538f0140f57c3caf18 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 14:38:50 -0700
Subject: [PATCH 034/314] New translations en-us.json (French)

---
 messages/fr-FR.json | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/messages/fr-FR.json b/messages/fr-FR.json
index d78a0a5af..2bc66a988 100644
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Proxy les demandes sur HTTPS en utilisant un nom de domaine entièrement qualifié.",
     "resourceRaw": "Ressource TCP/UDP brute",
     "resourceRawDescription": "Proxy les demandes sur TCP/UDP brut en utilisant un numéro de port.",
-    "resourceRawDescriptionCloud": "Requêtes de proxy sur TCP/UDP brute en utilisant un numéro de port. REQUISE L'UTILISATION D'UN Nœud DE REMOTE.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
     "resourceCreate": "Créer une ressource",
     "resourceCreateDescription": "Suivez les étapes ci-dessous pour créer une nouvelle ressource",
     "resourceSeeAll": "Voir toutes les ressources",
@@ -1426,6 +1426,7 @@
     "domainPickerNamespace": "Espace de noms : {namespace}",
     "domainPickerShowMore": "Afficher plus",
     "regionSelectorTitle": "Sélectionner Région",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Sélectionner une région nous aide à offrir de meilleures performances pour votre localisation. Vous n'avez pas besoin d'être dans la même région que votre serveur.",
     "regionSelectorPlaceholder": "Choisissez une région",
     "regionSelectorComingSoon": "Bientôt disponible",
@@ -2342,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Fin de l'année suivante",
     "actionLogsDescription": "Voir l'historique des actions effectuées dans cette organisation",
     "accessLogsDescription": "Voir les demandes d'authentification d'accès aux ressources de cette organisation",
-    "licenseRequiredToUse": "Une licence <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> est nécessaire pour utiliser cette fonctionnalité. Cette fonctionnalité est également disponible dans <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "La version <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> est requise pour utiliser cette fonctionnalité. Cette fonctionnalité est également disponible dans <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
     "certResolver": "Résolveur de certificat",
     "certResolverDescription": "Sélectionnez le solveur de certificat à utiliser pour cette ressource.",
     "selectCertResolver": "Sélectionnez le résolveur de certificat",
@@ -2680,5 +2681,6 @@
     "approvalsEmptyStateStep2Title": "Activer les autorisations de l'appareil",
     "approvalsEmptyStateStep2Description": "Modifier un rôle et activer l'option 'Exiger les autorisations de l'appareil'. Les utilisateurs avec ce rôle auront besoin de l'approbation de l'administrateur pour les nouveaux appareils.",
     "approvalsEmptyStatePreviewDescription": "Aperçu: Lorsque cette option est activée, les demandes de périphérique en attente apparaîtront ici pour vérification",
-    "approvalsEmptyStateButtonText": "Gérer les rôles"
+    "approvalsEmptyStateButtonText": "Gérer les rôles",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }

From ce2cf50b5a4951005a9b640c9e00310cf49cdd0b Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 14:38:52 -0700
Subject: [PATCH 035/314] New translations en-us.json (Bulgarian)

---
 messages/bg-BG.json | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/messages/bg-BG.json b/messages/bg-BG.json
index f2ad95be2..5bf046208 100644
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Прокси заявки чрез HTTPS, използвайки напълно квалифицирано име на домейн.",
     "resourceRaw": "Суров TCP/UDP ресурс",
     "resourceRawDescription": "Прокси заявки чрез сурови TCP/UDP, използвайки порт номер.",
-    "resourceRawDescriptionCloud": "Прокси заявките през суров TCP/UDP, използвайки номер на порт. ИЗИСКВА ИЗПОЛЗВАНЕ НА ОТДАЛЕЧЕН УЗЕЛ.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
     "resourceCreate": "Създайте ресурс",
     "resourceCreateDescription": "Следвайте стъпките по-долу, за да създадете нов ресурс",
     "resourceSeeAll": "Вижте всички ресурси",
@@ -1426,6 +1426,7 @@
     "domainPickerNamespace": "Име на пространство: {namespace}",
     "domainPickerShowMore": "Покажи повече",
     "regionSelectorTitle": "Избор на регион",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Изборът на регион ни помага да предоставим по-добра производителност за вашето местоположение. Не е необходимо да сте в същия регион като сървъра.",
     "regionSelectorPlaceholder": "Изберете регион",
     "regionSelectorComingSoon": "Очаква се скоро",
@@ -2342,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Край на следващата година",
     "actionLogsDescription": "Прегледайте историята на действията, извършени в тази организация",
     "accessLogsDescription": "Прегледайте заявките за удостоверяване на достъпа до ресурсите в тази организация",
-    "licenseRequiredToUse": "Изисква се лиценз за <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink>, за да използвате тази функция. Тази функция е също достъпна в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "Необходимо е <enterpriseEditionLink>изданието Enterprise</enterpriseEditionLink>, за да използвате тази функция. Тази функция е също достъпна в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
     "certResolver": "Решавач на сертификати",
     "certResolverDescription": "Изберете решавач на сертификати за използване за този ресурс.",
     "selectCertResolver": "Изберете решавач на сертификати",
@@ -2680,5 +2681,6 @@
     "approvalsEmptyStateStep2Title": "Активирайте одобрения на устройства",
     "approvalsEmptyStateStep2Description": "Редактирайте ролята и активирайте опцията 'Изискване на одобрения за устройства'. Потребители с тази роля ще трябва администраторско одобрение за нови устройства.",
     "approvalsEmptyStatePreviewDescription": "Преглед: Когато е активирано, чакащите заявки за устройства ще се появят тук за преглед",
-    "approvalsEmptyStateButtonText": "Управлявайте роли"
+    "approvalsEmptyStateButtonText": "Управлявайте роли",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }

From a479ef28ac4328fdc088edd8f55d2a5f40fd30b9 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 14:38:53 -0700
Subject: [PATCH 036/314] New translations en-us.json (Czech)

---
 messages/cs-CZ.json | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/messages/cs-CZ.json b/messages/cs-CZ.json
index 2112d5e42..67a32eeeb 100644
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Proxy požadavky přes HTTPS pomocí plně kvalifikovaného názvu domény.",
     "resourceRaw": "Surový TCP/UDP zdroj",
     "resourceRawDescription": "Proxy požadavky přes nezpracovaný TCP/UDP pomocí čísla portu.",
-    "resourceRawDescriptionCloud": "Požadavky na proxy přes syrové TCP/UDP pomocí portového čísla. ŽÁDOSTI POUŽÍVAT POUŽITÍ Z REMOTE NODE.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
     "resourceCreate": "Vytvořit zdroj",
     "resourceCreateDescription": "Postupujte podle níže uvedených kroků, abyste vytvořili a připojili nový zdroj",
     "resourceSeeAll": "Zobrazit všechny zdroje",
@@ -1426,6 +1426,7 @@
     "domainPickerNamespace": "Jmenný prostor: {namespace}",
     "domainPickerShowMore": "Zobrazit více",
     "regionSelectorTitle": "Vybrat region",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Výběr regionu nám pomáhá poskytovat lepší výkon pro vaši polohu. Nemusíte být ve stejném regionu jako váš server.",
     "regionSelectorPlaceholder": "Vyberte region",
     "regionSelectorComingSoon": "Již brzy",
@@ -2342,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Konec následujícího roku",
     "actionLogsDescription": "Zobrazit historii akcí provedených v této organizaci",
     "accessLogsDescription": "Zobrazit žádosti o ověření přístupu pro zdroje v této organizaci",
-    "licenseRequiredToUse": "Pro použití této funkce je vyžadována licence <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> . Tato funkce je také dostupná v <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> je vyžadována pro použití této funkce. Tato funkce je také k dispozici v <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
     "certResolver": "Oddělovač certifikátů",
     "certResolverDescription": "Vyberte řešitele certifikátů pro tento dokument.",
     "selectCertResolver": "Vyberte řešič certifikátů",
@@ -2680,5 +2681,6 @@
     "approvalsEmptyStateStep2Title": "Povolit schválení zařízení",
     "approvalsEmptyStateStep2Description": "Upravte roli a povolte možnost 'Vyžadovat schválení zařízení'. Uživatelé s touto rolí budou potřebovat schválení pro nová zařízení správce.",
     "approvalsEmptyStatePreviewDescription": "Náhled: Pokud je povoleno, čekající na zařízení se zde zobrazí žádosti o recenzi",
-    "approvalsEmptyStateButtonText": "Spravovat role"
+    "approvalsEmptyStateButtonText": "Spravovat role",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }

From ae1f36f39a902dba0054cacf33ca1b25aae0b817 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 14:38:54 -0700
Subject: [PATCH 037/314] New translations en-us.json (German)

---
 messages/de-DE.json | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/messages/de-DE.json b/messages/de-DE.json
index e85ab9401..3c0cad907 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Proxy-Anfragen über HTTPS mit einem voll qualifizierten Domain-Namen.",
     "resourceRaw": "Direkte TCP/UDP Ressource (raw)",
     "resourceRawDescription": "Proxy-Anfragen über rohes TCP/UDP mit einer Portnummer.",
-    "resourceRawDescriptionCloud": "Proxy-Anfragen über rohe TCP/UDP mit einer Portnummer. Erfordert die NUTZUNG eines REMOTE Knotens.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
     "resourceCreate": "Ressource erstellen",
     "resourceCreateDescription": "Folgen Sie den Schritten unten, um eine neue Ressource zu erstellen",
     "resourceSeeAll": "Alle Ressourcen anzeigen",
@@ -1426,6 +1426,7 @@
     "domainPickerNamespace": "Namespace: {namespace}",
     "domainPickerShowMore": "Mehr anzeigen",
     "regionSelectorTitle": "Region auswählen",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Das Auswählen einer Region hilft uns, eine bessere Leistung für Ihren Standort bereitzustellen. Sie müssen sich nicht in derselben Region wie Ihr Server befinden.",
     "regionSelectorPlaceholder": "Wähle eine Region",
     "regionSelectorComingSoon": "Kommt bald",
@@ -2342,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Ende des folgenden Jahres",
     "actionLogsDescription": "Verlauf der in dieser Organisation durchgeführten Aktionen anzeigen",
     "accessLogsDescription": "Zugriffsauth-Anfragen für Ressourcen in dieser Organisation anzeigen",
-    "licenseRequiredToUse": "Um diese Funktion nutzen zu können, ist eine <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> Lizenz erforderlich. Diese Funktion ist auch in der <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> verfügbar.",
-    "ossEnterpriseEditionRequired": "Um diese Funktion nutzen zu können, ist die <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> erforderlich. Diese Funktion ist auch in der <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> verfügbar.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
     "certResolver": "Zertifikatsauflöser",
     "certResolverDescription": "Wählen Sie den Zertifikatslöser aus, der für diese Ressource verwendet werden soll.",
     "selectCertResolver": "Zertifikatsauflöser auswählen",
@@ -2680,5 +2681,6 @@
     "approvalsEmptyStateStep2Title": "Gerätegenehmigungen aktivieren",
     "approvalsEmptyStateStep2Description": "Bearbeite eine Rolle und aktiviere die Option 'Gerätegenehmigung erforderlich'. Benutzer mit dieser Rolle benötigen Administrator-Genehmigung für neue Geräte.",
     "approvalsEmptyStatePreviewDescription": "Vorschau: Wenn aktiviert, werden ausstehende Geräteanfragen hier zur Überprüfung angezeigt",
-    "approvalsEmptyStateButtonText": "Rollen verwalten"
+    "approvalsEmptyStateButtonText": "Rollen verwalten",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }

From c7cfe2efcb73acdd79b701260ee3741172847060 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 14:38:56 -0700
Subject: [PATCH 038/314] New translations en-us.json (Italian)

---
 messages/it-IT.json | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/messages/it-IT.json b/messages/it-IT.json
index 4b6c9bf68..d73516f49 100644
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Richieste proxy su HTTPS usando un nome di dominio completo.",
     "resourceRaw": "Risorsa Raw TCP/UDP",
     "resourceRawDescription": "Richieste proxy su TCP/UDP grezzo utilizzando un numero di porta.",
-    "resourceRawDescriptionCloud": "Richieste proxy su TCP/UDP grezzo utilizzando un numero di porta. RICHIEDE L'USO DI UN NODO REMOTO.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
     "resourceCreate": "Crea Risorsa",
     "resourceCreateDescription": "Segui i passaggi seguenti per creare una nuova risorsa",
     "resourceSeeAll": "Vedi Tutte Le Risorse",
@@ -1426,6 +1426,7 @@
     "domainPickerNamespace": "Namespace: {namespace}",
     "domainPickerShowMore": "Mostra Altro",
     "regionSelectorTitle": "Seleziona regione",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Selezionare una regione ci aiuta a fornire migliori performance per la tua posizione. Non devi necessariamente essere nella stessa regione del tuo server.",
     "regionSelectorPlaceholder": "Scegli una regione",
     "regionSelectorComingSoon": "Prossimamente",
@@ -2342,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Fine dell'anno successivo",
     "actionLogsDescription": "Visualizza una cronologia delle azioni eseguite in questa organizzazione",
     "accessLogsDescription": "Visualizza le richieste di autenticazione di accesso per le risorse in questa organizzazione",
-    "licenseRequiredToUse": "Per utilizzare questa funzione è necessaria una licenza <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> . Questa funzionalità è disponibile anche in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "L' <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> è necessaria per utilizzare questa funzione. Questa funzionalità è disponibile anche in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
     "certResolver": "Risolutore Di Certificato",
     "certResolverDescription": "Selezionare il risolutore di certificati da usare per questa risorsa.",
     "selectCertResolver": "Seleziona Risolutore Di Certificato",
@@ -2680,5 +2681,6 @@
     "approvalsEmptyStateStep2Title": "Abilita Approvazioni Dispositivo",
     "approvalsEmptyStateStep2Description": "Modifica un ruolo e abilita l'opzione 'Richiedi l'approvazione del dispositivo'. Gli utenti con questo ruolo avranno bisogno dell'approvazione dell'amministratore per i nuovi dispositivi.",
     "approvalsEmptyStatePreviewDescription": "Anteprima: quando abilitato, le richieste di dispositivo in attesa appariranno qui per la revisione",
-    "approvalsEmptyStateButtonText": "Gestisci Ruoli"
+    "approvalsEmptyStateButtonText": "Gestisci Ruoli",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }

From 802e8f7a224ce92646246c279f6415cce0e3a71f Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 14:38:57 -0700
Subject: [PATCH 039/314] New translations en-us.json (Korean)

---
 messages/ko-KR.json | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/messages/ko-KR.json b/messages/ko-KR.json
index bf59dd870..66f9b48bb 100644
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "완전한 도메인 이름을 사용해 RAW 또는 HTTPS로 프록시 요청을 수행합니다.",
     "resourceRaw": "원시 TCP/UDP 리소스",
     "resourceRawDescription": "포트 번호를 사용하여 RAW TCP/UDP로 요청을 프록시합니다.",
-    "resourceRawDescriptionCloud": "원시 TCP/UDP를 포트 번호를 사용하여 프록시 요청합니다. 원격 노드 사용이 필요합니다.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
     "resourceCreate": "리소스 생성",
     "resourceCreateDescription": "아래 단계를 따라 새 리소스를 생성하세요.",
     "resourceSeeAll": "모든 리소스 보기",
@@ -1426,6 +1426,7 @@
     "domainPickerNamespace": "이름 공간: {namespace}",
     "domainPickerShowMore": "더보기",
     "regionSelectorTitle": "지역 선택",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "지역을 선택하면 위치에 따라 더 나은 성능이 제공됩니다. 서버와 같은 지역에 있을 필요는 없습니다.",
     "regionSelectorPlaceholder": "지역 선택",
     "regionSelectorComingSoon": "곧 출시 예정",
@@ -2342,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "다음 연도 말",
     "actionLogsDescription": "이 조직에서 수행된 작업의 기록을 봅니다",
     "accessLogsDescription": "이 조직의 자원에 대한 접근 인증 요청을 확인합니다",
-    "licenseRequiredToUse": "이 기능을 사용하려면 <enterpriseLicenseLink>엔터프라이즈 에디션</enterpriseLicenseLink> 라이선스가 필요합니다. 이 기능은 <pangolinCloudLink>판골린 클라우드</pangolinCloudLink>에서도 사용할 수 있습니다.",
-    "ossEnterpriseEditionRequired": "이 기능을 사용하려면 <enterpriseEditionLink>엔터프라이즈 에디션</enterpriseEditionLink>이 필요합니다. 이 기능은 <pangolinCloudLink>판골린 클라우드</pangolinCloudLink>에서도 사용할 수 있습니다.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
     "certResolver": "인증서 해결사",
     "certResolverDescription": "이 리소스에 사용할 인증서 해결사를 선택하세요.",
     "selectCertResolver": "인증서 해결사 선택",
@@ -2680,5 +2681,6 @@
     "approvalsEmptyStateStep2Title": "장치 승인 활성화",
     "approvalsEmptyStateStep2Description": "역할을 편집하고 '장치 승인 요구' 옵션을 활성화하세요. 이 역할을 가진 사용자는 새 장치에 대해 관리자의 승인이 필요합니다.",
     "approvalsEmptyStatePreviewDescription": "미리 보기: 활성화된 경우, 승인 대기 중인 장치 요청이 검토용으로 여기에 표시됩니다.",
-    "approvalsEmptyStateButtonText": "역할 관리"
+    "approvalsEmptyStateButtonText": "역할 관리",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }

From 517c607ecf4eb210200a8b4918e1e901480f39f2 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 14:38:59 -0700
Subject: [PATCH 040/314] New translations en-us.json (Dutch)

---
 messages/nl-NL.json | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/messages/nl-NL.json b/messages/nl-NL.json
index 4c2d5d4e7..422146af7 100644
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Proxyverzoeken via HTTPS met een volledig gekwalificeerde domeinnaam.",
     "resourceRaw": "TCP/UDP bron",
     "resourceRawDescription": "Proxyverzoeken via ruwe TCP/UDP met een poortnummer.",
-    "resourceRawDescriptionCloud": "Proxy vraagt om onbewerkte TCP/UDP met behulp van een poortnummer. VEREIST HET GEBRUIK VAN EEN AFSTANDSBEDIENING NODE.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
     "resourceCreate": "Bron maken",
     "resourceCreateDescription": "Volg de onderstaande stappen om een nieuwe bron te maken",
     "resourceSeeAll": "Alle bronnen bekijken",
@@ -1426,6 +1426,7 @@
     "domainPickerNamespace": "Naamruimte: {namespace}",
     "domainPickerShowMore": "Meer weergeven",
     "regionSelectorTitle": "Selecteer Regio",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Het selecteren van een regio helpt ons om betere prestaties te leveren voor uw locatie. U hoeft niet in dezelfde regio als uw server te zijn.",
     "regionSelectorPlaceholder": "Kies een regio",
     "regionSelectorComingSoon": "Komt binnenkort",
@@ -2342,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Einde van volgend jaar",
     "actionLogsDescription": "Bekijk een geschiedenis van acties die worden uitgevoerd in deze organisatie",
     "accessLogsDescription": "Toegangsverificatieverzoeken voor resources in deze organisatie bekijken",
-    "licenseRequiredToUse": "Een <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> licentie is vereist om deze functie te gebruiken. Deze functie is ook beschikbaar in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "De <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is vereist om deze functie te gebruiken. Deze functie is ook beschikbaar in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
     "certResolver": "Certificaat Resolver",
     "certResolverDescription": "Selecteer de certificaat resolver die moet worden gebruikt voor deze resource.",
     "selectCertResolver": "Certificaat Resolver selecteren",
@@ -2680,5 +2681,6 @@
     "approvalsEmptyStateStep2Title": "Toestel goedkeuringen inschakelen",
     "approvalsEmptyStateStep2Description": "Bewerk een rol en schakel de optie 'Vereist Apparaat Goedkeuringen' in. Gebruikers met deze rol hebben admin goedkeuring nodig voor nieuwe apparaten.",
     "approvalsEmptyStatePreviewDescription": "Voorbeeld: Indien ingeschakeld, zullen in afwachting van apparaatverzoeken hier verschijnen om te beoordelen",
-    "approvalsEmptyStateButtonText": "Rollen beheren"
+    "approvalsEmptyStateButtonText": "Rollen beheren",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }

From 2efe6cfdb310c1bb3534800cf9e0764874018eeb Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 14:39:00 -0700
Subject: [PATCH 041/314] New translations en-us.json (Polish)

---
 messages/pl-PL.json | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/messages/pl-PL.json b/messages/pl-PL.json
index 049c99b70..eba01b129 100644
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Proxy zapytań przez HTTPS przy użyciu w pełni kwalifikowanej nazwy domeny.",
     "resourceRaw": "Surowy zasób TCP/UDP",
     "resourceRawDescription": "Proxy zapytań przez surowe TCP/UDP przy użyciu numeru portu.",
-    "resourceRawDescriptionCloud": "Proxy żądania przesyłania danych nad surowym TCP/UDP przy użyciu numeru portu. Wymaga UŻYTKOWANIA PALIWA węzła.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
     "resourceCreate": "Utwórz zasób",
     "resourceCreateDescription": "Wykonaj poniższe kroki, aby utworzyć nowy zasób",
     "resourceSeeAll": "Zobacz wszystkie zasoby",
@@ -1426,6 +1426,7 @@
     "domainPickerNamespace": "Przestrzeń nazw: {namespace}",
     "domainPickerShowMore": "Pokaż więcej",
     "regionSelectorTitle": "Wybierz region",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Wybór regionu pomaga nam zapewnić lepszą wydajność dla Twojej lokalizacji. Nie musisz być w tym samym regionie co Twój serwer.",
     "regionSelectorPlaceholder": "Wybierz region",
     "regionSelectorComingSoon": "Wkrótce dostępne",
@@ -2342,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Koniec następnego roku",
     "actionLogsDescription": "Zobacz historię działań wykonywanych w tej organizacji",
     "accessLogsDescription": "Wyświetl prośby o autoryzację dostępu do zasobów w tej organizacji",
-    "licenseRequiredToUse": "Do korzystania z tej funkcji wymagana jest licencja <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> . Ta funkcja jest również dostępna w <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> jest wymagany do korzystania z tej funkcji. Ta funkcja jest również dostępna w <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
     "certResolver": "Rozwiązywanie certyfikatów",
     "certResolverDescription": "Wybierz resolver certyfikatów do użycia dla tego zasobu.",
     "selectCertResolver": "Wybierz Resolver certyfikatów",
@@ -2680,5 +2681,6 @@
     "approvalsEmptyStateStep2Title": "Włącz zatwierdzanie urządzenia",
     "approvalsEmptyStateStep2Description": "Edytuj rolę i włącz opcję \"Wymagaj zatwierdzenia urządzenia\". Użytkownicy z tą rolą będą potrzebowali zatwierdzenia administratora dla nowych urządzeń.",
     "approvalsEmptyStatePreviewDescription": "Podgląd: Gdy włączone, oczekujące prośby o sprawdzenie pojawią się tutaj",
-    "approvalsEmptyStateButtonText": "Zarządzaj rolami"
+    "approvalsEmptyStateButtonText": "Zarządzaj rolami",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }

From 1b1f9ab4cf60439c5bbe727bed139d0c91885a52 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 14:39:02 -0700
Subject: [PATCH 042/314] New translations en-us.json (Portuguese)

---
 messages/pt-PT.json | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/messages/pt-PT.json b/messages/pt-PT.json
index 732b33aa2..5a3e50163 100644
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Proxies requests sobre HTTPS usando um nome de domínio totalmente qualificado.",
     "resourceRaw": "Recurso TCP/UDP bruto",
     "resourceRawDescription": "Proxies solicitações sobre TCP/UDP bruto usando um número de porta.",
-    "resourceRawDescriptionCloud": "Proxy solicita sobre TCP/UDP bruto usando um número de porta. OBRIGATÓRIO O USO DE UMA NOTA REMOTA.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
     "resourceCreate": "Criar Recurso",
     "resourceCreateDescription": "Siga os passos abaixo para criar um novo recurso",
     "resourceSeeAll": "Ver todos os recursos",
@@ -1426,6 +1426,7 @@
     "domainPickerNamespace": "Namespace: {namespace}",
     "domainPickerShowMore": "Mostrar Mais",
     "regionSelectorTitle": "Selecionar Região",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Selecionar uma região nos ajuda a fornecer melhor desempenho para sua localização. Você não precisa estar na mesma região que seu servidor.",
     "regionSelectorPlaceholder": "Escolher uma região",
     "regionSelectorComingSoon": "Em breve",
@@ -2342,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Fim do ano seguinte",
     "actionLogsDescription": "Visualizar histórico de ações realizadas nesta organização",
     "accessLogsDescription": "Ver solicitações de autenticação de recursos nesta organização",
-    "licenseRequiredToUse": "Uma licença <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> é necessária para usar este recurso. Este recurso também está disponível no <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "O <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> é necessário para usar este recurso. Este recurso também está disponível no <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
     "certResolver": "Resolvedor de Certificado",
     "certResolverDescription": "Selecione o resolvedor de certificados para este recurso.",
     "selectCertResolver": "Selecionar solucionador de certificado",
@@ -2680,5 +2681,6 @@
     "approvalsEmptyStateStep2Title": "Habilitar Aprovações do Dispositivo",
     "approvalsEmptyStateStep2Description": "Editar uma função e habilitar a opção 'Exigir aprovação de dispositivos'. Usuários com essa função precisarão de aprovação de administrador para novos dispositivos.",
     "approvalsEmptyStatePreviewDescription": "Pré-visualização: Quando ativado, solicitações de dispositivo pendentes aparecerão aqui para revisão",
-    "approvalsEmptyStateButtonText": "Gerir Funções"
+    "approvalsEmptyStateButtonText": "Gerir Funções",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }

From cdbc190bfc88b944a4c007354e9d17216c81c03d Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 14:39:03 -0700
Subject: [PATCH 043/314] New translations en-us.json (Russian)

---
 messages/ru-RU.json | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index 15804f523..e7df7fc73 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Проксировать запросы через HTTPS с использованием полного доменного имени.",
     "resourceRaw": "Сырой TCP/UDP-ресурс",
     "resourceRawDescription": "Проксировать запросы по сырому TCP/UDP с использованием номера порта.",
-    "resourceRawDescriptionCloud": "Прокси-запросы через необработанный TCP/UDP с использованием номера порта. ТРЕБУЕТЕСЬ ИСПОЛЬЗОВАТЬ НЕОБХОДИМЫ.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
     "resourceCreate": "Создание ресурса",
     "resourceCreateDescription": "Следуйте инструкциям ниже для создания нового ресурса",
     "resourceSeeAll": "Посмотреть все ресурсы",
@@ -1426,6 +1426,7 @@
     "domainPickerNamespace": "Пространство имен: {namespace}",
     "domainPickerShowMore": "Показать еще",
     "regionSelectorTitle": "Выберите регион",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Выбор региона помогает нам обеспечить лучшее качество обслуживания для вашего расположения. Вам необязательно находиться в том же регионе, что и ваш сервер.",
     "regionSelectorPlaceholder": "Выбор региона",
     "regionSelectorComingSoon": "Скоро будет",
@@ -2342,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Конец следующего года",
     "actionLogsDescription": "Просмотр истории действий, выполненных в этой организации",
     "accessLogsDescription": "Просмотр запросов авторизации доступа к ресурсам этой организации",
-    "licenseRequiredToUse": "Лицензия на <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> требуется для использования этой функции. Эта функция также доступна в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "Для использования этой функции требуется <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink>. Эта функция также доступна в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
     "certResolver": "Резольвер сертификата",
     "certResolverDescription": "Выберите резолвер сертификата, который будет использоваться для этого ресурса.",
     "selectCertResolver": "Выберите резолвер сертификата",
@@ -2680,5 +2681,6 @@
     "approvalsEmptyStateStep2Title": "Включить утверждения устройства",
     "approvalsEmptyStateStep2Description": "Редактировать роль и включить опцию 'Требовать утверждения устройств'. Пользователям с этой ролью потребуется подтверждение администратора для новых устройств.",
     "approvalsEmptyStatePreviewDescription": "Предпросмотр: Если включено, ожидающие запросы на устройство появятся здесь для проверки",
-    "approvalsEmptyStateButtonText": "Управление ролями"
+    "approvalsEmptyStateButtonText": "Управление ролями",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }

From 4f26fb77508f39fe5e5fa505bb3fe8d4ce80038e Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 14:39:04 -0700
Subject: [PATCH 044/314] New translations en-us.json (Turkish)

---
 messages/tr-TR.json | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/messages/tr-TR.json b/messages/tr-TR.json
index f93470e95..542de80fe 100644
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Tam nitelikli bir etki alanı adı kullanarak HTTPS üzerinden proxy isteklerini yönlendirin.",
     "resourceRaw": "Ham TCP/UDP Kaynağı",
     "resourceRawDescription": "Port numarası kullanarak ham TCP/UDP üzerinden proxy isteklerini yönlendirin.",
-    "resourceRawDescriptionCloud": "Bir port numarası kullanarak ham TCP/UDP üzerinden istekleri proxy ile yönlendirin. UZAKTAN BİR DÜĞÜM KULLANIMINI GEREKTİRİR.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
     "resourceCreate": "Kaynak Oluştur",
     "resourceCreateDescription": "Yeni bir kaynak oluşturmak için aşağıdaki adımları izleyin",
     "resourceSeeAll": "Tüm Kaynakları Gör",
@@ -1426,6 +1426,7 @@
     "domainPickerNamespace": "Ad Alanı: {namespace}",
     "domainPickerShowMore": "Daha Fazla Göster",
     "regionSelectorTitle": "Bölge Seç",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Bir bölge seçmek, konumunuz için daha iyi performans sağlamamıza yardımcı olur. Sunucunuzla aynı bölgede olmanıza gerek yoktur.",
     "regionSelectorPlaceholder": "Bölge Seçin",
     "regionSelectorComingSoon": "Yakında Geliyor",
@@ -2342,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Bir sonraki yılın sonu",
     "actionLogsDescription": "Bu organizasyondaki eylemler geçmişini görüntüleyin",
     "accessLogsDescription": "Bu organizasyondaki kaynaklar için erişim kimlik doğrulama isteklerini görüntüleyin",
-    "licenseRequiredToUse": "Bu özelliği kullanmak için bir <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lisansı gereklidir. Bu özellik ayrıca <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>'da da mevcuttur.",
-    "ossEnterpriseEditionRequired": "Bu özelliği kullanmak için <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> gereklidir. Bu özellik ayrıca <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>'da da mevcuttur.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
     "certResolver": "Sertifika Çözücü",
     "certResolverDescription": "Bu kaynak için kullanılacak sertifika çözücüsünü seçin.",
     "selectCertResolver": "Sertifika Çözücü Seçin",
@@ -2680,5 +2681,6 @@
     "approvalsEmptyStateStep2Title": "Cihaz Onaylarını Etkinleştir",
     "approvalsEmptyStateStep2Description": "Bir rolü düzenleyin ve 'Cihaz Onaylarını Gerektir' seçeneğini etkinleştirin. Bu role sahip kullanıcıların yeni cihazlar için yönetici onayına ihtiyacı olacaktır.",
     "approvalsEmptyStatePreviewDescription": "Önizleme: Etkinleştirildiğinde, bekleyen cihaz talepleri incelenmek üzere burada görünecektir.",
-    "approvalsEmptyStateButtonText": "Rolleri Yönet"
+    "approvalsEmptyStateButtonText": "Rolleri Yönet",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }

From e7f5bc585c0349fd1a4d2f77023371249df714c9 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 14:39:06 -0700
Subject: [PATCH 045/314] New translations en-us.json (Chinese Simplified)

---
 messages/zh-CN.json | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/messages/zh-CN.json b/messages/zh-CN.json
index 3f06385f0..3998596f6 100644
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "通过使用完全限定的域名的HTTPS代理请求。",
     "resourceRaw": "TCP/UDP 资源",
     "resourceRawDescription": "通过使用端口号的原始TCP/UDP代理请求。",
-    "resourceRawDescriptionCloud": "正在使用端口号的 TCP/UDP 代理请求。请使用一个REMOTE",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
     "resourceCreate": "创建资源",
     "resourceCreateDescription": "按照下面的步骤创建新资源",
     "resourceSeeAll": "查看所有资源",
@@ -1426,6 +1426,7 @@
     "domainPickerNamespace": "命名空间：{namespace}",
     "domainPickerShowMore": "显示更多",
     "regionSelectorTitle": "选择区域",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "选择区域以帮助提升您所在地的性能。您不必与服务器在相同的区域。",
     "regionSelectorPlaceholder": "选择一个区域",
     "regionSelectorComingSoon": "即将推出",
@@ -2342,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "下一年结束",
     "actionLogsDescription": "查看此机构执行的操作历史",
     "accessLogsDescription": "查看此机构资源的访问认证请求",
-    "licenseRequiredToUse": "需要 <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> 许可才能使用此功能。此功能也可在 <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> 中使用。",
-    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> 需要使用此功能。此功能也可在 <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> 中使用。",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
     "certResolver": "证书解决器",
     "certResolverDescription": "选择用于此资源的证书解析器。",
     "selectCertResolver": "选择证书解析",
@@ -2680,5 +2681,6 @@
     "approvalsEmptyStateStep2Title": "启用设备批准",
     "approvalsEmptyStateStep2Description": "编辑角色并启用“需要设备审批”选项。具有此角色的用户需要管理员批准新设备。",
     "approvalsEmptyStatePreviewDescription": "预览：如果启用，待处理设备请求将出现在这里供审核",
-    "approvalsEmptyStateButtonText": "管理角色"
+    "approvalsEmptyStateButtonText": "管理角色",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }

From eeaa1d56ad7ac41c7c2db0cb3633c57f35655e14 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 14:39:07 -0700
Subject: [PATCH 046/314] New translations en-us.json (Norwegian Bokmal)

---
 messages/nb-NO.json | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/messages/nb-NO.json b/messages/nb-NO.json
index 2feca1027..2d323e4ba 100644
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Proxy forespørsler over HTTPS ved å bruke et fullstendig kvalifisert domenenavn.",
     "resourceRaw": "Rå TCP/UDP-ressurs",
     "resourceRawDescription": "Proxy forespørsler over rå TCP/UDP ved å bruke et portnummer.",
-    "resourceRawDescriptionCloud": "Proxy ber om et portnummer. Om du vil bruke et sportsnummer.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
     "resourceCreate": "Opprett ressurs",
     "resourceCreateDescription": "Følg trinnene nedenfor for å opprette en ny ressurs",
     "resourceSeeAll": "Se alle ressurser",
@@ -1426,6 +1426,7 @@
     "domainPickerNamespace": "Navnerom: {namespace}",
     "domainPickerShowMore": "Vis mer",
     "regionSelectorTitle": "Velg Region",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Å velge en region hjelper oss med å gi bedre ytelse for din lokasjon. Du trenger ikke være i samme region som serveren.",
     "regionSelectorPlaceholder": "Velg en region",
     "regionSelectorComingSoon": "Kommer snart",
@@ -2342,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Slutt på neste år",
     "actionLogsDescription": "Vis historikk for handlinger som er utført i denne organisasjonen",
     "accessLogsDescription": "Vis autoriseringsforespørsler for ressurser i denne organisasjonen",
-    "licenseRequiredToUse": "En <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lisens er påkrevd for å bruke denne funksjonen. Denne funksjonen er også tilgjengelig i <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> er nødvendig for å bruke denne funksjonen. Denne funksjonen er også tilgjengelig i <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
     "certResolver": "Sertifikat løser",
     "certResolverDescription": "Velg sertifikatløser som skal brukes for denne ressursen.",
     "selectCertResolver": "Velg sertifikatløser",
@@ -2680,5 +2681,6 @@
     "approvalsEmptyStateStep2Title": "Aktiver enhetsgodkjenninger",
     "approvalsEmptyStateStep2Description": "Rediger en rolle og aktiver alternativet 'Kreve enhetsgodkjenninger'. Brukere med denne rollen vil trenge administratorgodkjenning for nye enheter.",
     "approvalsEmptyStatePreviewDescription": "Forhåndsvisning: Når aktivert, ventende enhets forespørsler vil vises her for vurdering",
-    "approvalsEmptyStateButtonText": "Administrer Roller"
+    "approvalsEmptyStateButtonText": "Administrer Roller",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }

From d9766b0f991576795243106bf1a86899396831e5 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 14:39:09 -0700
Subject: [PATCH 047/314] New translations en-us.json (Spanish)

---
 messages/es-ES.json | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/messages/es-ES.json b/messages/es-ES.json
index 70e22e524..6a6d495e1 100644
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Proxy proporciona solicitudes sobre HTTPS usando un nombre de dominio completamente calificado.",
     "resourceRaw": "Recurso TCP/UDP sin procesar",
     "resourceRawDescription": "Proxy proporciona solicitudes sobre TCP/UDP usando un número de puerto.",
-    "resourceRawDescriptionCloud": "Las peticiones de proxy sobre TCP/UDP crudas usando un número de puerto. REQUIERE EL USO DE UN NODO REMOTE.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
     "resourceCreate": "Crear Recurso",
     "resourceCreateDescription": "Siga los siguientes pasos para crear un nuevo recurso",
     "resourceSeeAll": "Ver todos los recursos",
@@ -1426,6 +1426,7 @@
     "domainPickerNamespace": "Espacio de nombres: {namespace}",
     "domainPickerShowMore": "Mostrar más",
     "regionSelectorTitle": "Seleccionar Región",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Seleccionar una región nos ayuda a brindar un mejor rendimiento para tu ubicación. No tienes que estar en la misma región que tu servidor.",
     "regionSelectorPlaceholder": "Elige una región",
     "regionSelectorComingSoon": "Próximamente",
@@ -2342,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Fin del año siguiente",
     "actionLogsDescription": "Ver un historial de acciones realizadas en esta organización",
     "accessLogsDescription": "Ver solicitudes de acceso a los recursos de esta organización",
-    "licenseRequiredToUse": "Se requiere una licencia <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> para utilizar esta función. Esta característica también está disponible en <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "La <enterpriseEditionLink>versión Enterprise</enterpriseEditionLink> es necesaria para utilizar esta función. Esta función también está disponible en <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
     "certResolver": "Resolver certificado",
     "certResolverDescription": "Seleccione la resolución de certificados a utilizar para este recurso.",
     "selectCertResolver": "Seleccionar Resolver Certificado",
@@ -2680,5 +2681,6 @@
     "approvalsEmptyStateStep2Title": "Habilitar aprobaciones de dispositivo",
     "approvalsEmptyStateStep2Description": "Editar un rol y habilitar la opción 'Requerir aprobaciones de dispositivos'. Los usuarios con este rol necesitarán la aprobación del administrador para nuevos dispositivos.",
     "approvalsEmptyStatePreviewDescription": "Vista previa: Cuando está habilitado, las solicitudes de dispositivo pendientes aparecerán aquí para su revisión",
-    "approvalsEmptyStateButtonText": "Administrar roles"
+    "approvalsEmptyStateButtonText": "Administrar roles",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }

From ce58e71c440f40a8ea26d6d4d7546c19f16b658a Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Fri, 20 Mar 2026 03:59:10 +0100
Subject: [PATCH 048/314] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20make=20machine=20s?=
 =?UTF-8?q?elector=20a=20multi-combobox?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 messages/en-US.json                     |   5 +
 src/components/CreateShareLinkForm.tsx  |  59 ----------
 src/components/InternalResourceForm.tsx | 140 ++++++++++++++----------
 src/components/MachineClientsTable.tsx  |   2 +-
 src/components/UserDevicesTable.tsx     |   2 +-
 src/components/machine-selector.tsx     | 108 ++++++++++++++++++
 src/components/resource-selector.tsx    |  19 +++-
 src/lib/queries.ts                      |  16 ++-
 8 files changed, 231 insertions(+), 120 deletions(-)
 create mode 100644 src/components/machine-selector.tsx

diff --git a/messages/en-US.json b/messages/en-US.json
index 3d5352293..06be10e65 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -148,6 +148,11 @@
     "createLink": "Create Link",
     "resourcesNotFound": "No resources found",
     "resourceSearch": "Search resources",
+    "machineSearch": "Search machines",
+    "machinesSearch": "Search machine clients...",
+    "machineNotFound": "No machines found",
+    "userDeviceSearch": "Search user devices",
+    "userDevicesSearch": "Search user devices...",
     "openMenu": "Open menu",
     "resource": "Resource",
     "title": "Title",
diff --git a/src/components/CreateShareLinkForm.tsx b/src/components/CreateShareLinkForm.tsx
index fef1fb0e1..d0e26a1c2 100644
--- a/src/components/CreateShareLinkForm.tsx
+++ b/src/components/CreateShareLinkForm.tsx
@@ -217,11 +217,6 @@ export default function CreateShareLinkForm({
         setLoading(false);
     }
 
-    // function getSelectedResourceName(id: number) {
-    //     const resource = resources.find((r) => r.resourceId === id);
-    //     return `${resource?.name}`;
-    // }
-
     return (
         <>
             <Credenza
@@ -279,60 +274,6 @@ export default function CreateShareLinkForm({
                                                             </FormControl>
                                                         </PopoverTrigger>
                                                         <PopoverContent className="p-0">
-                                                            {/* <Command>
-                                                                <CommandInput
-                                                                    placeholder={t(
-                                                                        "resourceSearch"
-                                                                    )}
-                                                                />
-                                                                <CommandList>
-                                                                    <CommandEmpty>
-                                                                        {t(
-                                                                            "resourcesNotFound"
-                                                                        )}
-                                                                    </CommandEmpty>
-                                                                    <CommandGroup>
-                                                                        {resources.map(
-                                                                            (
-                                                                                r
-                                                                            ) => (
-                                                                                <CommandItem
-                                                                                    value={`${r.name}:${r.resourceId}`}
-                                                                                    key={
-                                                                                        r.resourceId
-                                                                                    }
-                                                                                    onSelect={() => {
-                                                                                        form.setValue(
-                                                                                            "resourceId",
-                                                                                            r.resourceId
-                                                                                        );
-                                                                                        form.setValue(
-                                                                                            "resourceName",
-                                                                                            r.name
-                                                                                        );
-                                                                                        form.setValue(
-                                                                                            "resourceUrl",
-                                                                                            r.resourceUrl
-                                                                                        );
-                                                                                    }}
-                                                                                >
-                                                                                    <CheckIcon
-                                                                                        className={cn(
-                                                                                            "mr-2 h-4 w-4",
-                                                                                            r.resourceId ===
-                                                                                                field.value
-                                                                                                ? "opacity-100"
-                                                                                                : "opacity-0"
-                                                                                        )}
-                                                                                    />
-                                                                                    {`${r.name}`}
-                                                                                </CommandItem>
-                                                                            )
-                                                                        )}
-                                                                    </CommandGroup>
-                                                                </CommandList>
-                                                            </Command> */}
-
                                                             <ResourceSelector
                                                                 orgId={
                                                                     org.org
diff --git a/src/components/InternalResourceForm.tsx b/src/components/InternalResourceForm.tsx
index fa1ee22d3..dc3223500 100644
--- a/src/components/InternalResourceForm.tsx
+++ b/src/components/InternalResourceForm.tsx
@@ -43,6 +43,8 @@ import { useEffect, useRef, useState } from "react";
 import { useForm } from "react-hook-form";
 import { z } from "zod";
 import { SitesSelector, type Selectedsite } from "./site-selector";
+import { CaretSortIcon } from "@radix-ui/react-icons";
+import { MachineSelector } from "./machine-selector";
 
 // --- Helpers (shared) ---
 
@@ -243,7 +245,14 @@ export function InternalResourceForm({
         authDaemonPort: z.number().int().positive().optional().nullable(),
         roles: z.array(tagSchema).optional(),
         users: z.array(tagSchema).optional(),
-        clients: z.array(tagSchema).optional()
+        clients: z
+            .array(
+                z.object({
+                    clientId: z.number(),
+                    name: z.string()
+                })
+            )
+            .optional()
     });
 
     type FormData = z.infer<typeof formSchema>;
@@ -252,7 +261,7 @@ export function InternalResourceForm({
 
     const rolesQuery = useQuery(orgQueries.roles({ orgId }));
     const usersQuery = useQuery(orgQueries.users({ orgId }));
-    const clientsQuery = useQuery(orgQueries.clients({ orgId }));
+    const clientsQuery = useQuery(orgQueries.machineClients({ orgId }));
     const resourceRolesQuery = useQuery({
         ...resourceQueries.siteResourceRoles({
             siteResourceId: siteResourceId ?? 0
@@ -310,12 +319,9 @@ export function InternalResourceForm({
             }));
         }
         if (clientsData) {
-            existingClients = (
-                clientsData as { clientId: number; name: string }[]
-            ).map((c) => ({
-                id: c.clientId.toString(),
-                text: c.name
-            }));
+            existingClients = [
+                ...(clientsData as { clientId: number; name: string }[])
+            ];
         }
     }
 
@@ -592,8 +598,7 @@ export function InternalResourceForm({
                 </div>
 
                 <HorizontalTabs
-                    clientSide={true}
-                    defaultTab={0}
+                    clientSide
                     items={[
                         {
                             title: t(
@@ -610,7 +615,7 @@ export function InternalResourceForm({
                             : [{ title: t("sshAccess"), href: "#" }])
                     ]}
                 >
-                    <div className="space-y-4 mt-4">
+                    <div className="space-y-4 mt-4 p-1">
                         <div>
                             <div className="mb-8">
                                 <label className="font-medium block">
@@ -981,7 +986,7 @@ export function InternalResourceForm({
                         </div>
                     </div>
 
-                    <div className="space-y-4 mt-4">
+                    <div className="space-y-4 mt-4 p-1">
                         <div className="mb-8">
                             <label className="font-medium block">
                                 {t("editInternalResourceDialogAccessControl")}
@@ -1101,48 +1106,73 @@ export function InternalResourceForm({
                                                 <FormLabel>
                                                     {t("machineClients")}
                                                 </FormLabel>
-                                                <FormControl>
-                                                    <TagInput
-                                                        {...field}
-                                                        activeTagIndex={
-                                                            activeClientsTagIndex
-                                                        }
-                                                        setActiveTagIndex={
-                                                            setActiveClientsTagIndex
-                                                        }
-                                                        placeholder={
-                                                            t(
-                                                                "accessClientSelect"
-                                                            ) ||
-                                                            "Select machine clients"
-                                                        }
-                                                        size="sm"
-                                                        tags={
-                                                            form.getValues()
-                                                                .clients ?? []
-                                                        }
-                                                        setTags={(newClients) =>
-                                                            form.setValue(
-                                                                "clients",
-                                                                newClients as [
-                                                                    Tag,
-                                                                    ...Tag[]
-                                                                ]
-                                                            )
-                                                        }
-                                                        enableAutocomplete={
-                                                            true
-                                                        }
-                                                        autocompleteOptions={
-                                                            allClients
-                                                        }
-                                                        allowDuplicates={false}
-                                                        restrictTagsToAutocompleteOptions={
-                                                            true
-                                                        }
-                                                        sortTags={true}
-                                                    />
-                                                </FormControl>
+                                                <Popover>
+                                                    <PopoverTrigger asChild>
+                                                        <FormControl>
+                                                            <Button
+                                                                variant="outline"
+                                                                role="combobox"
+                                                                className={cn(
+                                                                    "justify-between w-full",
+                                                                    "text-muted-foreground pl-1.5"
+                                                                )}
+                                                            >
+                                                                <span
+                                                                    className={cn(
+                                                                        "inline-flex items-center gap-1",
+                                                                        "overflow-x-auto"
+                                                                    )}
+                                                                >
+                                                                    {(
+                                                                        field.value ??
+                                                                        []
+                                                                    ).map(
+                                                                        (
+                                                                            client
+                                                                        ) => (
+                                                                            <span
+                                                                                key={
+                                                                                    client.clientId
+                                                                                }
+                                                                                className={cn(
+                                                                                    "bg-muted-foreground/20 font-normal text-foreground rounded-sm",
+                                                                                    "py-1 px-1.5 text-xs"
+                                                                                )}
+                                                                            >
+                                                                                {
+                                                                                    client.name
+                                                                                }
+                                                                            </span>
+                                                                        )
+                                                                    )}
+                                                                    <span className="pl-1">
+                                                                        {t(
+                                                                            "accessClientSelect"
+                                                                        )}
+                                                                    </span>
+                                                                </span>
+                                                                <CaretSortIcon className="ml-2 h-4 w-4 shrink-0 opacity-50" />
+                                                            </Button>
+                                                        </FormControl>
+                                                    </PopoverTrigger>
+                                                    <PopoverContent className="p-0">
+                                                        <MachineSelector
+                                                            selectedMachines={
+                                                                field.value ??
+                                                                []
+                                                            }
+                                                            orgId={orgId}
+                                                            onSelectMachines={(
+                                                                machines
+                                                            ) => {
+                                                                form.setValue(
+                                                                    "clients",
+                                                                    machines
+                                                                );
+                                                            }}
+                                                        />
+                                                    </PopoverContent>
+                                                </Popover>
                                                 <FormMessage />
                                             </FormItem>
                                         )}
@@ -1154,7 +1184,7 @@ export function InternalResourceForm({
 
                     {/* SSH Access tab */}
                     {!disableEnterpriseFeatures && mode !== "cidr" && (
-                        <div className="space-y-4 mt-4">
+                        <div className="space-y-4 mt-4 p-1">
                             <PaidFeaturesAlert tiers={tierMatrix.sshPam} />
                             <div className="mb-8">
                                 <label className="font-medium block">
diff --git a/src/components/MachineClientsTable.tsx b/src/components/MachineClientsTable.tsx
index bd5a8e00d..9c1da5b4d 100644
--- a/src/components/MachineClientsTable.tsx
+++ b/src/components/MachineClientsTable.tsx
@@ -540,7 +540,7 @@ export default function MachineClientsTable({
                 columns={columns}
                 rows={machineClients}
                 tableId="machine-clients"
-                searchPlaceholder={t("resourcesSearch")}
+                searchPlaceholder={t("machinesSearch")}
                 onAdd={() =>
                     startNavigation(() =>
                         router.push(`/${orgId}/settings/clients/machine/create`)
diff --git a/src/components/UserDevicesTable.tsx b/src/components/UserDevicesTable.tsx
index 1b7b0c694..52f2d1384 100644
--- a/src/components/UserDevicesTable.tsx
+++ b/src/components/UserDevicesTable.tsx
@@ -770,7 +770,7 @@ export default function UserDevicesTable({
                 columns={columns}
                 rows={userClients || []}
                 tableId="user-clients"
-                searchPlaceholder={t("resourcesSearch")}
+                searchPlaceholder={t("userDevicesSearch")}
                 onRefresh={refreshData}
                 isRefreshing={isRefreshing || isFiltering}
                 enableColumnVisibility
diff --git a/src/components/machine-selector.tsx b/src/components/machine-selector.tsx
new file mode 100644
index 000000000..c184079ca
--- /dev/null
+++ b/src/components/machine-selector.tsx
@@ -0,0 +1,108 @@
+import { orgQueries } from "@app/lib/queries";
+import type { ListClientsResponse } from "@server/routers/client";
+import { useQuery } from "@tanstack/react-query";
+import { useMemo, useState } from "react";
+import { useDebounce } from "use-debounce";
+import {
+    Command,
+    CommandEmpty,
+    CommandGroup,
+    CommandInput,
+    CommandItem,
+    CommandList
+} from "./ui/command";
+import { cn } from "@app/lib/cn";
+
+import { CheckIcon } from "lucide-react";
+import { useTranslations } from "next-intl";
+
+export type SelectedMachine = Pick<
+    ListClientsResponse["clients"][number],
+    "name" | "clientId"
+>;
+
+export type MachineSelectorProps = {
+    orgId: string;
+    selectedMachines?: SelectedMachine[];
+    onSelectMachines: (machine: SelectedMachine[]) => void;
+};
+
+export function MachineSelector({
+    orgId,
+    selectedMachines = [],
+    onSelectMachines
+}: MachineSelectorProps) {
+    const t = useTranslations();
+    const [machineSearchQuery, setMachineSearchQuery] = useState("");
+
+    const [debouncedValue] = useDebounce(machineSearchQuery, 150);
+
+    const { data: machines = [] } = useQuery(
+        orgQueries.machineClients({ orgId, perPage: 10, query: debouncedValue })
+    );
+
+    // always include the selected site in the list of sites shown
+    const machinesShown = useMemo(() => {
+        const allMachines: Array<SelectedMachine> = [...machines];
+        for (const machine of selectedMachines) {
+            if (
+                !allMachines.find(
+                    (machine) => machine.clientId === machine.clientId
+                )
+            ) {
+                allMachines.unshift(machine);
+            }
+        }
+
+        return allMachines;
+    }, [machines, selectedMachines]);
+
+    const selectedMachinesIds = new Set(
+        selectedMachines.map((m) => m.clientId)
+    );
+
+    return (
+        <Command shouldFilter={false}>
+            <CommandInput
+                placeholder={t("machineSearch")}
+                value={machineSearchQuery}
+                onValueChange={setMachineSearchQuery}
+            />
+            <CommandList>
+                <CommandEmpty>{t("machineNotFound")}</CommandEmpty>
+                <CommandGroup>
+                    {machinesShown.map((m) => (
+                        <CommandItem
+                            value={`${m.name}:${m.clientId}`}
+                            key={m.clientId}
+                            onSelect={() => {
+                                let newMachineClients = [];
+                                if (selectedMachinesIds.has(m.clientId)) {
+                                    newMachineClients = selectedMachines.filter(
+                                        (mc) => mc.clientId !== m.clientId
+                                    );
+                                } else {
+                                    newMachineClients = [
+                                        ...selectedMachines,
+                                        m
+                                    ];
+                                }
+                                onSelectMachines(newMachineClients);
+                            }}
+                        >
+                            <CheckIcon
+                                className={cn(
+                                    "mr-2 h-4 w-4",
+                                    selectedMachinesIds.has(m.clientId)
+                                        ? "opacity-100"
+                                        : "opacity-0"
+                                )}
+                            />
+                            {`${m.name}`}
+                        </CommandItem>
+                    ))}
+                </CommandGroup>
+            </CommandList>
+        </Command>
+    );
+}
diff --git a/src/components/resource-selector.tsx b/src/components/resource-selector.tsx
index a940894b0..134c2c71a 100644
--- a/src/components/resource-selector.tsx
+++ b/src/components/resource-selector.tsx
@@ -8,7 +8,7 @@ import {
     CommandItem,
     CommandList
 } from "./ui/command";
-import { useState } from "react";
+import { useMemo, useState } from "react";
 import { useTranslations } from "next-intl";
 import { CheckIcon } from "lucide-react";
 import { cn } from "@app/lib/cn";
@@ -44,6 +44,21 @@ export function ResourceSelector({
         })
     );
 
+    // always include the selected site in the list of sites shown
+    const resourcesShown = useMemo(() => {
+        const allResources: Array<SelectedResource> = [...resources];
+        if (
+            selectedResource &&
+            !allResources.find(
+                (resource) =>
+                    resource.resourceId === selectedResource?.resourceId
+            )
+        ) {
+            allResources.unshift(selectedResource);
+        }
+        return allResources;
+    }, [resources, selectedResource]);
+
     return (
         <Command shouldFilter={false}>
             <CommandInput
@@ -54,7 +69,7 @@ export function ResourceSelector({
             <CommandList>
                 <CommandEmpty>{t("resourcesNotFound")}</CommandEmpty>
                 <CommandGroup>
-                    {resources.map((r) => (
+                    {resourcesShown.map((r) => (
                         <CommandItem
                             value={`${r.name}:${r.resourceId}`}
                             key={r.resourceId}
diff --git a/src/lib/queries.ts b/src/lib/queries.ts
index dfa706a88..69c496e24 100644
--- a/src/lib/queries.ts
+++ b/src/lib/queries.ts
@@ -92,14 +92,26 @@ export const productUpdatesQueries = {
 };
 
 export const orgQueries = {
-    clients: ({ orgId }: { orgId: string }) =>
+    machineClients: ({
+        orgId,
+        query,
+        perPage = 10_000
+    }: {
+        orgId: string;
+        query?: string;
+        perPage?: number;
+    }) =>
         queryOptions({
             queryKey: ["ORG", orgId, "CLIENTS"] as const,
             queryFn: async ({ signal, meta }) => {
                 const sp = new URLSearchParams({
-                    pageSize: "10000"
+                    pageSize: perPage.toString()
                 });
 
+                if (query?.trim()) {
+                    sp.set("query", query);
+                }
+
                 const res = await meta!.api.get<
                     AxiosResponse<ListClientsResponse>
                 >(`/org/${orgId}/clients?${sp.toString()}`, { signal });

From 02697e27a4fa7be24affe70328b0e54a67bcb1d4 Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Fri, 20 Mar 2026 04:02:51 +0100
Subject: [PATCH 049/314] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20=20refactor?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/components/machine-selector.tsx  | 18 +++++++++---------
 src/components/resource-selector.tsx |  5 +++--
 src/components/site-selector.tsx     |  3 ++-
 src/lib/queries.ts                   |  2 +-
 4 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/src/components/machine-selector.tsx b/src/components/machine-selector.tsx
index c184079ca..6aaf1afdd 100644
--- a/src/components/machine-selector.tsx
+++ b/src/components/machine-selector.tsx
@@ -41,21 +41,21 @@ export function MachineSelector({
         orgQueries.machineClients({ orgId, perPage: 10, query: debouncedValue })
     );
 
-    // always include the selected site in the list of sites shown
+    // always include the selected machines in the list of machines shown (if the user isn't searching)
     const machinesShown = useMemo(() => {
         const allMachines: Array<SelectedMachine> = [...machines];
-        for (const machine of selectedMachines) {
-            if (
-                !allMachines.find(
-                    (machine) => machine.clientId === machine.clientId
-                )
-            ) {
-                allMachines.unshift(machine);
+        if (debouncedValue.trim().length === 0) {
+            for (const machine of selectedMachines) {
+                if (
+                    !allMachines.find((mc) => mc.clientId === machine.clientId)
+                ) {
+                    allMachines.unshift(machine);
+                }
             }
         }
 
         return allMachines;
-    }, [machines, selectedMachines]);
+    }, [machines, selectedMachines, debouncedValue]);
 
     const selectedMachinesIds = new Set(
         selectedMachines.map((m) => m.clientId)
diff --git a/src/components/resource-selector.tsx b/src/components/resource-selector.tsx
index 134c2c71a..96044a8d2 100644
--- a/src/components/resource-selector.tsx
+++ b/src/components/resource-selector.tsx
@@ -44,10 +44,11 @@ export function ResourceSelector({
         })
     );
 
-    // always include the selected site in the list of sites shown
+    // always include the selected resource in the list of resources shown
     const resourcesShown = useMemo(() => {
         const allResources: Array<SelectedResource> = [...resources];
         if (
+            debouncedSearchQuery.trim().length === 0 &&
             selectedResource &&
             !allResources.find(
                 (resource) =>
@@ -57,7 +58,7 @@ export function ResourceSelector({
             allResources.unshift(selectedResource);
         }
         return allResources;
-    }, [resources, selectedResource]);
+    }, [debouncedSearchQuery, resources, selectedResource]);
 
     return (
         <Command shouldFilter={false}>
diff --git a/src/components/site-selector.tsx b/src/components/site-selector.tsx
index 0afd94c9a..4c3c97651 100644
--- a/src/components/site-selector.tsx
+++ b/src/components/site-selector.tsx
@@ -47,13 +47,14 @@ export function SitesSelector({
     const sitesShown = useMemo(() => {
         const allSites: Array<Selectedsite> = [...sites];
         if (
+            debouncedQuery.trim().length === 0 &&
             selectedSite &&
             !allSites.find((site) => site.siteId === selectedSite?.siteId)
         ) {
             allSites.unshift(selectedSite);
         }
         return allSites;
-    }, [sites, selectedSite]);
+    }, [debouncedQuery, sites, selectedSite]);
 
     return (
         <Command shouldFilter={false}>
diff --git a/src/lib/queries.ts b/src/lib/queries.ts
index 69c496e24..2fd34e8ac 100644
--- a/src/lib/queries.ts
+++ b/src/lib/queries.ts
@@ -102,7 +102,7 @@ export const orgQueries = {
         perPage?: number;
     }) =>
         queryOptions({
-            queryKey: ["ORG", orgId, "CLIENTS"] as const,
+            queryKey: ["ORG", orgId, "CLIENTS", { query, perPage }] as const,
             queryFn: async ({ signal, meta }) => {
                 const sp = new URLSearchParams({
                     pageSize: perPage.toString()

From e358d1276568bd5e318b5711d4fd93377f67bea1 Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Fri, 20 Mar 2026 04:15:18 +0100
Subject: [PATCH 050/314] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20submit?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/components/InternalResourceForm.tsx | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/components/InternalResourceForm.tsx b/src/components/InternalResourceForm.tsx
index dc3223500..e79575ab3 100644
--- a/src/components/InternalResourceForm.tsx
+++ b/src/components/InternalResourceForm.tsx
@@ -531,9 +531,15 @@ export function InternalResourceForm({
     return (
         <Form {...form}>
             <form
-                onSubmit={form.handleSubmit((values) =>
-                    onSubmit(values as InternalResourceFormValues)
-                )}
+                onSubmit={form.handleSubmit((values) => {
+                    onSubmit({
+                        ...values,
+                        clients: (values.clients ?? []).map((c) => ({
+                            id: c.clientId.toString(),
+                            text: c.name
+                        }))
+                    });
+                })}
                 className="space-y-6"
                 id={formId}
             >

From 52cac4aa21ea44c01633f9aaf9d80deca6a74f3d Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Fri, 20 Mar 2026 04:17:35 +0100
Subject: [PATCH 051/314] =?UTF-8?q?=F0=9F=9A=9A=20rename=20component?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/components/InternalResourceForm.tsx                       | 4 ++--
 .../{machine-selector.tsx => machines-selector.tsx}           | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
 rename src/components/{machine-selector.tsx => machines-selector.tsx} (99%)

diff --git a/src/components/InternalResourceForm.tsx b/src/components/InternalResourceForm.tsx
index e79575ab3..ef2e02d57 100644
--- a/src/components/InternalResourceForm.tsx
+++ b/src/components/InternalResourceForm.tsx
@@ -44,7 +44,7 @@ import { useForm } from "react-hook-form";
 import { z } from "zod";
 import { SitesSelector, type Selectedsite } from "./site-selector";
 import { CaretSortIcon } from "@radix-ui/react-icons";
-import { MachineSelector } from "./machine-selector";
+import { MachinesSelector } from "./machines-selector";
 
 // --- Helpers (shared) ---
 
@@ -1162,7 +1162,7 @@ export function InternalResourceForm({
                                                         </FormControl>
                                                     </PopoverTrigger>
                                                     <PopoverContent className="p-0">
-                                                        <MachineSelector
+                                                        <MachinesSelector
                                                             selectedMachines={
                                                                 field.value ??
                                                                 []
diff --git a/src/components/machine-selector.tsx b/src/components/machines-selector.tsx
similarity index 99%
rename from src/components/machine-selector.tsx
rename to src/components/machines-selector.tsx
index 6aaf1afdd..9c31a0bd3 100644
--- a/src/components/machine-selector.tsx
+++ b/src/components/machines-selector.tsx
@@ -27,7 +27,7 @@ export type MachineSelectorProps = {
     onSelectMachines: (machine: SelectedMachine[]) => void;
 };
 
-export function MachineSelector({
+export function MachinesSelector({
     orgId,
     selectedMachines = [],
     onSelectMachines

From e0fa5607e580c74010fe0992da9e3e547096d1a0 Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Fri, 20 Mar 2026 04:37:57 +0100
Subject: [PATCH 052/314] push


From 56e25d01ae17be559d6c0f49d3218c44359a6f49 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Thu, 19 Mar 2026 20:54:05 -0700
Subject: [PATCH 053/314] Fix spelling mistake

---
 messages/en-US.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index dc84ec405..0c29a31eb 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -1427,7 +1427,7 @@
     "domainPickerNamespace": "Namespace: {namespace}",
     "domainPickerShowMore": "Show More",
     "regionSelectorTitle": "Select Region",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Selecting a region helps us provide better performance for your location. You do not have to be in the same region as your server.",
     "regionSelectorPlaceholder": "Choose a region",
     "regionSelectorComingSoon": "Coming Soon",

From 594ee31f43cd24431e0e7ced36f8edc4711a41f9 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 21:37:51 -0700
Subject: [PATCH 054/314] New translations en-us.json (French)

---
 messages/fr-FR.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/fr-FR.json b/messages/fr-FR.json
index 2bc66a988..1192ac89a 100644
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Espace de noms : {namespace}",
     "domainPickerShowMore": "Afficher plus",
     "regionSelectorTitle": "Sélectionner Région",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Sélectionner une région nous aide à offrir de meilleures performances pour votre localisation. Vous n'avez pas besoin d'être dans la même région que votre serveur.",
     "regionSelectorPlaceholder": "Choisissez une région",
     "regionSelectorComingSoon": "Bientôt disponible",

From d363ee02edd8ef46a30179cb2bc073d75af61770 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 21:37:53 -0700
Subject: [PATCH 055/314] New translations en-us.json (Bulgarian)

---
 messages/bg-BG.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/bg-BG.json b/messages/bg-BG.json
index 5bf046208..c030bae4e 100644
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Име на пространство: {namespace}",
     "domainPickerShowMore": "Покажи повече",
     "regionSelectorTitle": "Избор на регион",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Изборът на регион ни помага да предоставим по-добра производителност за вашето местоположение. Не е необходимо да сте в същия регион като сървъра.",
     "regionSelectorPlaceholder": "Изберете регион",
     "regionSelectorComingSoon": "Очаква се скоро",

From 5eed547f91e57bc8d5ce4f01fdb2693c06b3959d Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 21:37:54 -0700
Subject: [PATCH 056/314] New translations en-us.json (Czech)

---
 messages/cs-CZ.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/cs-CZ.json b/messages/cs-CZ.json
index 67a32eeeb..0da3c3e56 100644
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Jmenný prostor: {namespace}",
     "domainPickerShowMore": "Zobrazit více",
     "regionSelectorTitle": "Vybrat region",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Výběr regionu nám pomáhá poskytovat lepší výkon pro vaši polohu. Nemusíte být ve stejném regionu jako váš server.",
     "regionSelectorPlaceholder": "Vyberte region",
     "regionSelectorComingSoon": "Již brzy",

From 38af02ad3ceb213eeeb19fe45311361667b0d0b0 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 21:37:55 -0700
Subject: [PATCH 057/314] New translations en-us.json (German)

---
 messages/de-DE.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/de-DE.json b/messages/de-DE.json
index 3c0cad907..bb646a2f3 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Namespace: {namespace}",
     "domainPickerShowMore": "Mehr anzeigen",
     "regionSelectorTitle": "Region auswählen",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Das Auswählen einer Region hilft uns, eine bessere Leistung für Ihren Standort bereitzustellen. Sie müssen sich nicht in derselben Region wie Ihr Server befinden.",
     "regionSelectorPlaceholder": "Wähle eine Region",
     "regionSelectorComingSoon": "Kommt bald",

From cd28720e469f334c678557931214c5eeb1770d6e Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 21:37:56 -0700
Subject: [PATCH 058/314] New translations en-us.json (Italian)

---
 messages/it-IT.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/it-IT.json b/messages/it-IT.json
index d73516f49..c7e07781b 100644
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Namespace: {namespace}",
     "domainPickerShowMore": "Mostra Altro",
     "regionSelectorTitle": "Seleziona regione",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Selezionare una regione ci aiuta a fornire migliori performance per la tua posizione. Non devi necessariamente essere nella stessa regione del tuo server.",
     "regionSelectorPlaceholder": "Scegli una regione",
     "regionSelectorComingSoon": "Prossimamente",

From 46ad1317e49a5f8fef727da3e0175bcd92a65c8a Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 21:37:58 -0700
Subject: [PATCH 059/314] New translations en-us.json (Korean)

---
 messages/ko-KR.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/ko-KR.json b/messages/ko-KR.json
index 66f9b48bb..9b7eb7379 100644
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "이름 공간: {namespace}",
     "domainPickerShowMore": "더보기",
     "regionSelectorTitle": "지역 선택",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "지역을 선택하면 위치에 따라 더 나은 성능이 제공됩니다. 서버와 같은 지역에 있을 필요는 없습니다.",
     "regionSelectorPlaceholder": "지역 선택",
     "regionSelectorComingSoon": "곧 출시 예정",

From 720080e4875db5a8c6714aeb709743924d99fa03 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 21:37:59 -0700
Subject: [PATCH 060/314] New translations en-us.json (Dutch)

---
 messages/nl-NL.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/nl-NL.json b/messages/nl-NL.json
index 422146af7..7dfe3a95d 100644
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Naamruimte: {namespace}",
     "domainPickerShowMore": "Meer weergeven",
     "regionSelectorTitle": "Selecteer Regio",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Het selecteren van een regio helpt ons om betere prestaties te leveren voor uw locatie. U hoeft niet in dezelfde regio als uw server te zijn.",
     "regionSelectorPlaceholder": "Kies een regio",
     "regionSelectorComingSoon": "Komt binnenkort",

From 6258787c73cd6ca6535cd645b63e9b6f186d5778 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 21:38:00 -0700
Subject: [PATCH 061/314] New translations en-us.json (Polish)

---
 messages/pl-PL.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/pl-PL.json b/messages/pl-PL.json
index eba01b129..231a4e806 100644
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Przestrzeń nazw: {namespace}",
     "domainPickerShowMore": "Pokaż więcej",
     "regionSelectorTitle": "Wybierz region",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Wybór regionu pomaga nam zapewnić lepszą wydajność dla Twojej lokalizacji. Nie musisz być w tym samym regionie co Twój serwer.",
     "regionSelectorPlaceholder": "Wybierz region",
     "regionSelectorComingSoon": "Wkrótce dostępne",

From 76746fb6e1dc218dcb193f25a06e392999fd8c87 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 21:38:02 -0700
Subject: [PATCH 062/314] New translations en-us.json (Portuguese)

---
 messages/pt-PT.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/pt-PT.json b/messages/pt-PT.json
index 5a3e50163..df748a002 100644
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Namespace: {namespace}",
     "domainPickerShowMore": "Mostrar Mais",
     "regionSelectorTitle": "Selecionar Região",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Selecionar uma região nos ajuda a fornecer melhor desempenho para sua localização. Você não precisa estar na mesma região que seu servidor.",
     "regionSelectorPlaceholder": "Escolher uma região",
     "regionSelectorComingSoon": "Em breve",

From b2b72169fd4cb2de15ab9e9c43c9d4404e1ff858 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 21:38:03 -0700
Subject: [PATCH 063/314] New translations en-us.json (Russian)

---
 messages/ru-RU.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index e7df7fc73..9e26f5b63 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Пространство имен: {namespace}",
     "domainPickerShowMore": "Показать еще",
     "regionSelectorTitle": "Выберите регион",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Выбор региона помогает нам обеспечить лучшее качество обслуживания для вашего расположения. Вам необязательно находиться в том же регионе, что и ваш сервер.",
     "regionSelectorPlaceholder": "Выбор региона",
     "regionSelectorComingSoon": "Скоро будет",

From ffd648ed749fff7692369a21a0ed357c67b24073 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 21:38:05 -0700
Subject: [PATCH 064/314] New translations en-us.json (Turkish)

---
 messages/tr-TR.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/tr-TR.json b/messages/tr-TR.json
index 542de80fe..aa5e75cd6 100644
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Ad Alanı: {namespace}",
     "domainPickerShowMore": "Daha Fazla Göster",
     "regionSelectorTitle": "Bölge Seç",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Bir bölge seçmek, konumunuz için daha iyi performans sağlamamıza yardımcı olur. Sunucunuzla aynı bölgede olmanıza gerek yoktur.",
     "regionSelectorPlaceholder": "Bölge Seçin",
     "regionSelectorComingSoon": "Yakında Geliyor",

From f86a1eb32b342c788347abb0be6712fbd573f7fe Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 21:38:06 -0700
Subject: [PATCH 065/314] New translations en-us.json (Chinese Simplified)

---
 messages/zh-CN.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/zh-CN.json b/messages/zh-CN.json
index 3998596f6..7f34b334e 100644
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "命名空间：{namespace}",
     "domainPickerShowMore": "显示更多",
     "regionSelectorTitle": "选择区域",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "选择区域以帮助提升您所在地的性能。您不必与服务器在相同的区域。",
     "regionSelectorPlaceholder": "选择一个区域",
     "regionSelectorComingSoon": "即将推出",

From ee4e8f702944ed59bdfe386d9ba7f343100536cd Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 21:38:07 -0700
Subject: [PATCH 066/314] New translations en-us.json (Norwegian Bokmal)

---
 messages/nb-NO.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/nb-NO.json b/messages/nb-NO.json
index 2d323e4ba..568e8749c 100644
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Navnerom: {namespace}",
     "domainPickerShowMore": "Vis mer",
     "regionSelectorTitle": "Velg Region",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Å velge en region hjelper oss med å gi bedre ytelse for din lokasjon. Du trenger ikke være i samme region som serveren.",
     "regionSelectorPlaceholder": "Velg en region",
     "regionSelectorComingSoon": "Kommer snart",

From ca9ab6522863bd1d7270d62a3a9fd244c25f6b64 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 19 Mar 2026 21:38:08 -0700
Subject: [PATCH 067/314] New translations en-us.json (Spanish)

---
 messages/es-ES.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/es-ES.json b/messages/es-ES.json
index 6a6d495e1..e7cb5b3ea 100644
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Espacio de nombres: {namespace}",
     "domainPickerShowMore": "Mostrar más",
     "regionSelectorTitle": "Seleccionar Región",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
     "regionSelectorInfo": "Seleccionar una región nos ayuda a brindar un mejor rendimiento para tu ubicación. No tienes que estar en la misma región que tu servidor.",
     "regionSelectorPlaceholder": "Elige una región",
     "regionSelectorComingSoon": "Próximamente",

From 222dd6bba3e689a4b3ded7a8bb715b89f4517121 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Fri, 20 Mar 2026 10:27:18 -0700
Subject: [PATCH 068/314] Santize inserts

---
 server/routers/badger/logRequestAudit.ts | 45 +++++++++++++++++-------
 1 file changed, 32 insertions(+), 13 deletions(-)

diff --git a/server/routers/badger/logRequestAudit.ts b/server/routers/badger/logRequestAudit.ts
index 1e36bd4d5..4dd5bff99 100644
--- a/server/routers/badger/logRequestAudit.ts
+++ b/server/routers/badger/logRequestAudit.ts
@@ -5,6 +5,26 @@ import cache from "#dynamic/lib/cache";
 import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
 import { stripPortFromHost } from "@server/lib/ip";
 
+/**
+ * Sanitize a string field by replacing lone UTF-16 surrogates (which cannot
+ * be encoded as valid UTF-8) with the Unicode replacement character, and
+ * stripping ASCII control characters that are invalid in most text columns.
+ */
+function sanitizeString(value: string | undefined | null): string | undefined {
+    if (value == null) return undefined;
+    return (
+        value
+            // Replace lone high surrogates (not followed by a low surrogate)
+            // and lone low surrogates (not preceded by a high surrogate)
+            .replace(
+                /[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?<![\uD800-\uDBFF])[\uDC00-\uDFFF]/g,
+                "\uFFFD"
+            )
+            // Strip C0 control characters except HT (\x09), LF (\x0A), CR (\x0D)
+            .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, "")
+    );
+}
+
 /**
 
 Reasons:
@@ -253,24 +273,23 @@ export async function logRequestAudit(
         // Add to buffer instead of writing directly to DB
         auditLogBuffer.push({
             timestamp,
-            orgId: data.orgId,
-            actorType,
-            actor,
-            actorId,
-            metadata,
+            orgId: sanitizeString(data.orgId),
+            actorType: sanitizeString(actorType),
+            actor: sanitizeString(actor),
+            actorId: sanitizeString(actorId),
+            metadata: sanitizeString(metadata),
             action: data.action,
             resourceId: data.resourceId,
             reason: data.reason,
-            location: data.location,
-            originalRequestURL: body.originalRequestURL,
-            scheme: body.scheme,
-            host: body.host,
-            path: body.path,
-            method: body.method,
-            ip: clientIp,
+            location: sanitizeString(data.location),
+            originalRequestURL: sanitizeString(body.originalRequestURL) ?? "",
+            scheme: sanitizeString(body.scheme) ?? "",
+            host: sanitizeString(body.host) ?? "",
+            path: sanitizeString(body.path) ?? "",
+            method: sanitizeString(body.method) ?? "",
+            ip: sanitizeString(clientIp),
             tls: body.tls
         });
-
         // Flush immediately if buffer is full, otherwise schedule a flush
         if (auditLogBuffer.length >= BATCH_SIZE) {
             // Fire and forget - don't block the caller

From 046b431bb8ae09add81015cd50facb43719a9527 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 20 Mar 2026 11:15:58 -0700
Subject: [PATCH 069/314] New translations en-us.json (French)

---
 messages/fr-FR.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/messages/fr-FR.json b/messages/fr-FR.json
index 1192ac89a..ec3dbffb8 100644
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Proxy les demandes sur HTTPS en utilisant un nom de domaine entièrement qualifié.",
     "resourceRaw": "Ressource TCP/UDP brute",
     "resourceRawDescription": "Proxy les demandes sur TCP/UDP brut en utilisant un numéro de port.",
-    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
+    "resourceRawDescriptionCloud": "Requêtes de proxy sur TCP/UDP brute en utilisant un numéro de port. Nécessite des sites pour se connecter à un noeud distant.",
     "resourceCreate": "Créer une ressource",
     "resourceCreateDescription": "Suivez les étapes ci-dessous pour créer une nouvelle ressource",
     "resourceSeeAll": "Voir toutes les ressources",
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Espace de noms : {namespace}",
     "domainPickerShowMore": "Afficher plus",
     "regionSelectorTitle": "Sélectionner Région",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Les domaines fournis ne sont pas pris en charge lorsque les sites se connectent à des nœuds de sortie distants. Pour que les ressources soient disponibles sur des nœuds distants, utilisez un domaine personnalisé à la place.",
     "regionSelectorInfo": "Sélectionner une région nous aide à offrir de meilleures performances pour votre localisation. Vous n'avez pas besoin d'être dans la même région que votre serveur.",
     "regionSelectorPlaceholder": "Choisissez une région",
     "regionSelectorComingSoon": "Bientôt disponible",
@@ -2343,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Fin de l'année suivante",
     "actionLogsDescription": "Voir l'historique des actions effectuées dans cette organisation",
     "accessLogsDescription": "Voir les demandes d'authentification d'accès aux ressources de cette organisation",
-    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "licenseRequiredToUse": "Une <enterpriseLicenseLink>licence Enterprise Edition</enterpriseLicenseLink> ou <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> est requise pour utiliser cette fonctionnalité. <bookADemoLink>Réservez une démonstration ou une évaluation de POC</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "La version <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> est requise pour utiliser cette fonctionnalité. Cette fonctionnalité est également disponible dans <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Réservez une démo ou un essai POC</bookADemoLink>.",
     "certResolver": "Résolveur de certificat",
     "certResolverDescription": "Sélectionnez le solveur de certificat à utiliser pour cette ressource.",
     "selectCertResolver": "Sélectionnez le résolveur de certificat",
@@ -2682,5 +2682,5 @@
     "approvalsEmptyStateStep2Description": "Modifier un rôle et activer l'option 'Exiger les autorisations de l'appareil'. Les utilisateurs avec ce rôle auront besoin de l'approbation de l'administrateur pour les nouveaux appareils.",
     "approvalsEmptyStatePreviewDescription": "Aperçu: Lorsque cette option est activée, les demandes de périphérique en attente apparaîtront ici pour vérification",
     "approvalsEmptyStateButtonText": "Gérer les rôles",
-    "domainErrorTitle": "We are having trouble verifying your domain"
+    "domainErrorTitle": "Nous avons des difficultés à vérifier votre domaine"
 }

From 695e8310908113271b6f2c58a67c13336fafc8c5 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 20 Mar 2026 11:15:59 -0700
Subject: [PATCH 070/314] New translations en-us.json (Bulgarian)

---
 messages/bg-BG.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/messages/bg-BG.json b/messages/bg-BG.json
index c030bae4e..0b96141e9 100644
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Прокси заявки чрез HTTPS, използвайки напълно квалифицирано име на домейн.",
     "resourceRaw": "Суров TCP/UDP ресурс",
     "resourceRawDescription": "Прокси заявки чрез сурови TCP/UDP, използвайки порт номер.",
-    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
+    "resourceRawDescriptionCloud": "Получавайте заявки чрез суров TCP/UDP с използване на портен номер. Изисква се сайтовете да се свързват към отдалечен възел.",
     "resourceCreate": "Създайте ресурс",
     "resourceCreateDescription": "Следвайте стъпките по-долу, за да създадете нов ресурс",
     "resourceSeeAll": "Вижте всички ресурси",
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Име на пространство: {namespace}",
     "domainPickerShowMore": "Покажи повече",
     "regionSelectorTitle": "Избор на регион",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Предоставените домейни не се поддържат, когато сайтовете се свързват към отдалечени крайни възли. За да бъдат ресурсите налични на отдалечени възли, използвайте персонализиран домейн вместо това.",
     "regionSelectorInfo": "Изборът на регион ни помага да предоставим по-добра производителност за вашето местоположение. Не е необходимо да сте в същия регион като сървъра.",
     "regionSelectorPlaceholder": "Изберете регион",
     "regionSelectorComingSoon": "Очаква се скоро",
@@ -2343,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Край на следващата година",
     "actionLogsDescription": "Прегледайте историята на действията, извършени в тази организация",
     "accessLogsDescription": "Прегледайте заявките за удостоверяване на достъпа до ресурсите в тази организация",
-    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "licenseRequiredToUse": "Изисква се лиценз за <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> или <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> за използване на тази функция. <bookADemoLink>Резервирайте демонстрация или пробен POC</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> е необходим за използване на тази функция. Тази функция също е налична в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Резервирайте демонстрация или пробен POC</bookADemoLink>.",
     "certResolver": "Решавач на сертификати",
     "certResolverDescription": "Изберете решавач на сертификати за използване за този ресурс.",
     "selectCertResolver": "Изберете решавач на сертификати",
@@ -2682,5 +2682,5 @@
     "approvalsEmptyStateStep2Description": "Редактирайте ролята и активирайте опцията 'Изискване на одобрения за устройства'. Потребители с тази роля ще трябва администраторско одобрение за нови устройства.",
     "approvalsEmptyStatePreviewDescription": "Преглед: Когато е активирано, чакащите заявки за устройства ще се появят тук за преглед",
     "approvalsEmptyStateButtonText": "Управлявайте роли",
-    "domainErrorTitle": "We are having trouble verifying your domain"
+    "domainErrorTitle": "Имаме проблем с проверката на вашия домейн"
 }

From 48ff6dd7051e7e17341451e3e6401f56b82de886 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 20 Mar 2026 11:16:01 -0700
Subject: [PATCH 071/314] New translations en-us.json (Czech)

---
 messages/cs-CZ.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/messages/cs-CZ.json b/messages/cs-CZ.json
index 0da3c3e56..cb5372b36 100644
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Proxy požadavky přes HTTPS pomocí plně kvalifikovaného názvu domény.",
     "resourceRaw": "Surový TCP/UDP zdroj",
     "resourceRawDescription": "Proxy požadavky přes nezpracovaný TCP/UDP pomocí čísla portu.",
-    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
+    "resourceRawDescriptionCloud": "Proxy požadavky na syrové TCP/UDP pomocí čísla portu. Vyžaduje připojení stránek ke vzdálenému uzlu.",
     "resourceCreate": "Vytvořit zdroj",
     "resourceCreateDescription": "Postupujte podle níže uvedených kroků, abyste vytvořili a připojili nový zdroj",
     "resourceSeeAll": "Zobrazit všechny zdroje",
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Jmenný prostor: {namespace}",
     "domainPickerShowMore": "Zobrazit více",
     "regionSelectorTitle": "Vybrat region",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Poskytnuté domény nejsou podporovány, když se stránky připojují k vzdáleným výstupním uzlům. Pro dostupné zdroje na vzdálených uzlech použijte vlastní doménu.",
     "regionSelectorInfo": "Výběr regionu nám pomáhá poskytovat lepší výkon pro vaši polohu. Nemusíte být ve stejném regionu jako váš server.",
     "regionSelectorPlaceholder": "Vyberte region",
     "regionSelectorComingSoon": "Již brzy",
@@ -2343,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Konec následujícího roku",
     "actionLogsDescription": "Zobrazit historii akcí provedených v této organizaci",
     "accessLogsDescription": "Zobrazit žádosti o ověření přístupu pro zdroje v této organizaci",
-    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "licenseRequiredToUse": "Pro použití této funkce je vyžadována licence <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> nebo <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> . <bookADemoLink>Zarezervujte si demo nebo POC zkušební verzi</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> je vyžadována pro použití této funkce. Tato funkce je také k dispozici v <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Rezervujte si demo nebo POC zkušební verzi</bookADemoLink>.",
     "certResolver": "Oddělovač certifikátů",
     "certResolverDescription": "Vyberte řešitele certifikátů pro tento dokument.",
     "selectCertResolver": "Vyberte řešič certifikátů",
@@ -2682,5 +2682,5 @@
     "approvalsEmptyStateStep2Description": "Upravte roli a povolte možnost 'Vyžadovat schválení zařízení'. Uživatelé s touto rolí budou potřebovat schválení pro nová zařízení správce.",
     "approvalsEmptyStatePreviewDescription": "Náhled: Pokud je povoleno, čekající na zařízení se zde zobrazí žádosti o recenzi",
     "approvalsEmptyStateButtonText": "Spravovat role",
-    "domainErrorTitle": "We are having trouble verifying your domain"
+    "domainErrorTitle": "Máme problém s ověřením tvé domény"
 }

From 312cdc563b3c0afbd4f339aa2d019e1dce573e96 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 20 Mar 2026 11:16:02 -0700
Subject: [PATCH 072/314] New translations en-us.json (German)

---
 messages/de-DE.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/messages/de-DE.json b/messages/de-DE.json
index bb646a2f3..150a8597e 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Proxy-Anfragen über HTTPS mit einem voll qualifizierten Domain-Namen.",
     "resourceRaw": "Direkte TCP/UDP Ressource (raw)",
     "resourceRawDescription": "Proxy-Anfragen über rohes TCP/UDP mit einer Portnummer.",
-    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
+    "resourceRawDescriptionCloud": "Proxy-Anfragen über rohe TCP/UDP mit Portnummer. Benötigt Sites, um sich mit einem entfernten Knoten zu verbinden.",
     "resourceCreate": "Ressource erstellen",
     "resourceCreateDescription": "Folgen Sie den Schritten unten, um eine neue Ressource zu erstellen",
     "resourceSeeAll": "Alle Ressourcen anzeigen",
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Namespace: {namespace}",
     "domainPickerShowMore": "Mehr anzeigen",
     "regionSelectorTitle": "Region auswählen",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Angegebene Domains werden nicht unterstützt, wenn sich Websites mit externen Exit-Knoten verbinden. Damit Ressourcen auf entfernten Knoten verfügbar sind, verwenden Sie stattdessen eine eigene Domain.",
     "regionSelectorInfo": "Das Auswählen einer Region hilft uns, eine bessere Leistung für Ihren Standort bereitzustellen. Sie müssen sich nicht in derselben Region wie Ihr Server befinden.",
     "regionSelectorPlaceholder": "Wähle eine Region",
     "regionSelectorComingSoon": "Kommt bald",
@@ -2343,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Ende des folgenden Jahres",
     "actionLogsDescription": "Verlauf der in dieser Organisation durchgeführten Aktionen anzeigen",
     "accessLogsDescription": "Zugriffsauth-Anfragen für Ressourcen in dieser Organisation anzeigen",
-    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "licenseRequiredToUse": "Eine <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> Lizenz oder <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> wird benötigt, um diese Funktion nutzen zu können. <bookADemoLink>Buchen Sie eine Demo oder POC Testversion</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "Die <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> wird benötigt, um diese Funktion nutzen zu können. Diese Funktion ist auch in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>verfügbar. <bookADemoLink>Buchen Sie eine Demo oder POC Testversion</bookADemoLink>.",
     "certResolver": "Zertifikatsauflöser",
     "certResolverDescription": "Wählen Sie den Zertifikatslöser aus, der für diese Ressource verwendet werden soll.",
     "selectCertResolver": "Zertifikatsauflöser auswählen",
@@ -2682,5 +2682,5 @@
     "approvalsEmptyStateStep2Description": "Bearbeite eine Rolle und aktiviere die Option 'Gerätegenehmigung erforderlich'. Benutzer mit dieser Rolle benötigen Administrator-Genehmigung für neue Geräte.",
     "approvalsEmptyStatePreviewDescription": "Vorschau: Wenn aktiviert, werden ausstehende Geräteanfragen hier zur Überprüfung angezeigt",
     "approvalsEmptyStateButtonText": "Rollen verwalten",
-    "domainErrorTitle": "We are having trouble verifying your domain"
+    "domainErrorTitle": "Wir haben Probleme mit der Überprüfung deiner Domain"
 }

From 38e4b3077f60ed39dd474f329a761c8c803704ad Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 20 Mar 2026 11:16:03 -0700
Subject: [PATCH 073/314] New translations en-us.json (Italian)

---
 messages/it-IT.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/messages/it-IT.json b/messages/it-IT.json
index c7e07781b..adab7879a 100644
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Richieste proxy su HTTPS usando un nome di dominio completo.",
     "resourceRaw": "Risorsa Raw TCP/UDP",
     "resourceRawDescription": "Richieste proxy su TCP/UDP grezzo utilizzando un numero di porta.",
-    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
+    "resourceRawDescriptionCloud": "Richiesta proxy su TCP/UDP grezzo utilizzando un numero di porta. Richiede siti per connettersi a un nodo remoto.",
     "resourceCreate": "Crea Risorsa",
     "resourceCreateDescription": "Segui i passaggi seguenti per creare una nuova risorsa",
     "resourceSeeAll": "Vedi Tutte Le Risorse",
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Namespace: {namespace}",
     "domainPickerShowMore": "Mostra Altro",
     "regionSelectorTitle": "Seleziona regione",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "I domini forniti non sono supportati quando i siti si connettono a nodi di uscita remoti. Affinché le risorse siano disponibili su nodi remoti, utilizza invece un dominio personalizzato.",
     "regionSelectorInfo": "Selezionare una regione ci aiuta a fornire migliori performance per la tua posizione. Non devi necessariamente essere nella stessa regione del tuo server.",
     "regionSelectorPlaceholder": "Scegli una regione",
     "regionSelectorComingSoon": "Prossimamente",
@@ -2343,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Fine dell'anno successivo",
     "actionLogsDescription": "Visualizza una cronologia delle azioni eseguite in questa organizzazione",
     "accessLogsDescription": "Visualizza le richieste di autenticazione di accesso per le risorse in questa organizzazione",
-    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "licenseRequiredToUse": "Per utilizzare questa funzione è necessaria una licenza <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> o <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> . <bookADemoLink>Prenota una demo o una prova POC</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "L' <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> è necessaria per utilizzare questa funzione. Questa funzione è disponibile anche in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Prenota una demo o una prova POC</bookADemoLink>.",
     "certResolver": "Risolutore Di Certificato",
     "certResolverDescription": "Selezionare il risolutore di certificati da usare per questa risorsa.",
     "selectCertResolver": "Seleziona Risolutore Di Certificato",
@@ -2682,5 +2682,5 @@
     "approvalsEmptyStateStep2Description": "Modifica un ruolo e abilita l'opzione 'Richiedi l'approvazione del dispositivo'. Gli utenti con questo ruolo avranno bisogno dell'approvazione dell'amministratore per i nuovi dispositivi.",
     "approvalsEmptyStatePreviewDescription": "Anteprima: quando abilitato, le richieste di dispositivo in attesa appariranno qui per la revisione",
     "approvalsEmptyStateButtonText": "Gestisci Ruoli",
-    "domainErrorTitle": "We are having trouble verifying your domain"
+    "domainErrorTitle": "Stiamo avendo problemi a verificare il tuo dominio"
 }

From fb7e9f68987f0c2f3c7e276a6938eac3787403e9 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 20 Mar 2026 11:16:05 -0700
Subject: [PATCH 074/314] New translations en-us.json (Korean)

---
 messages/ko-KR.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/messages/ko-KR.json b/messages/ko-KR.json
index 9b7eb7379..59f464305 100644
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "완전한 도메인 이름을 사용해 RAW 또는 HTTPS로 프록시 요청을 수행합니다.",
     "resourceRaw": "원시 TCP/UDP 리소스",
     "resourceRawDescription": "포트 번호를 사용하여 RAW TCP/UDP로 요청을 프록시합니다.",
-    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
+    "resourceRawDescriptionCloud": "포트 번호를 사용하여 원격 노드에 연결해야 합니다. 원격 노드에서 리소스를 사용하려면 사용자 지정 도메인을 사용하십시오.",
     "resourceCreate": "리소스 생성",
     "resourceCreateDescription": "아래 단계를 따라 새 리소스를 생성하세요.",
     "resourceSeeAll": "모든 리소스 보기",
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "이름 공간: {namespace}",
     "domainPickerShowMore": "더보기",
     "regionSelectorTitle": "지역 선택",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "제공된 도메인은 원격 종료 노드에 연결된 사이트에서 지원되지 않습니다. 원격 노드에서 리소스를 사용하려면 사용자 지정 도메인을 사용하십시오.",
     "regionSelectorInfo": "지역을 선택하면 위치에 따라 더 나은 성능이 제공됩니다. 서버와 같은 지역에 있을 필요는 없습니다.",
     "regionSelectorPlaceholder": "지역 선택",
     "regionSelectorComingSoon": "곧 출시 예정",
@@ -2343,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "다음 연도 말",
     "actionLogsDescription": "이 조직에서 수행된 작업의 기록을 봅니다",
     "accessLogsDescription": "이 조직의 자원에 대한 접근 인증 요청을 확인합니다",
-    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "licenseRequiredToUse": "이 기능을 사용하려면 <enterpriseLicenseLink>엔터프라이즈 에디션</enterpriseLicenseLink> 라이선스가 필요합니다. 이 기능은 <pangolinCloudLink>판골린 클라우드</pangolinCloudLink>에서도 사용할 수 있습니다. <bookADemoLink>데모 또는 POC 체험을 예약하세요</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "이 기능을 사용하려면 <enterpriseEditionLink>엔터프라이즈 에디션</enterpriseEditionLink>이(가) 필요합니다. 이 기능은 <pangolinCloudLink>판골린 클라우드</pangolinCloudLink>에서도 사용할 수 있습니다. <bookADemoLink>데모 또는 POC 체험을 예약하세요</bookADemoLink>.",
     "certResolver": "인증서 해결사",
     "certResolverDescription": "이 리소스에 사용할 인증서 해결사를 선택하세요.",
     "selectCertResolver": "인증서 해결사 선택",
@@ -2682,5 +2682,5 @@
     "approvalsEmptyStateStep2Description": "역할을 편집하고 '장치 승인 요구' 옵션을 활성화하세요. 이 역할을 가진 사용자는 새 장치에 대해 관리자의 승인이 필요합니다.",
     "approvalsEmptyStatePreviewDescription": "미리 보기: 활성화된 경우, 승인 대기 중인 장치 요청이 검토용으로 여기에 표시됩니다.",
     "approvalsEmptyStateButtonText": "역할 관리",
-    "domainErrorTitle": "We are having trouble verifying your domain"
+    "domainErrorTitle": "도메인 확인에 문제가 발생했습니다."
 }

From 73d1f9288d226421b2c99d5cb8b82a747cec8da2 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 20 Mar 2026 11:16:06 -0700
Subject: [PATCH 075/314] New translations en-us.json (Dutch)

---
 messages/nl-NL.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/messages/nl-NL.json b/messages/nl-NL.json
index 7dfe3a95d..32580cc45 100644
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Proxyverzoeken via HTTPS met een volledig gekwalificeerde domeinnaam.",
     "resourceRaw": "TCP/UDP bron",
     "resourceRawDescription": "Proxyverzoeken via ruwe TCP/UDP met een poortnummer.",
-    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
+    "resourceRawDescriptionCloud": "Proxy verzoeken over rauwe TCP/UDP met behulp van een poortnummer. Vereist sites om verbinding te maken met een remote node.",
     "resourceCreate": "Bron maken",
     "resourceCreateDescription": "Volg de onderstaande stappen om een nieuwe bron te maken",
     "resourceSeeAll": "Alle bronnen bekijken",
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Naamruimte: {namespace}",
     "domainPickerShowMore": "Meer weergeven",
     "regionSelectorTitle": "Selecteer Regio",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Opgegeven domeinen worden niet ondersteund wanneer websites verbinding maken met externe sluitnodes. Gebruik in plaats daarvan een aangepast domein. Om bronnen beschikbaar te maken op externe nodes.",
     "regionSelectorInfo": "Het selecteren van een regio helpt ons om betere prestaties te leveren voor uw locatie. U hoeft niet in dezelfde regio als uw server te zijn.",
     "regionSelectorPlaceholder": "Kies een regio",
     "regionSelectorComingSoon": "Komt binnenkort",
@@ -2343,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Einde van volgend jaar",
     "actionLogsDescription": "Bekijk een geschiedenis van acties die worden uitgevoerd in deze organisatie",
     "accessLogsDescription": "Toegangsverificatieverzoeken voor resources in deze organisatie bekijken",
-    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "licenseRequiredToUse": "Een <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> licentie of <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is vereist om deze functie te gebruiken. <bookADemoLink>Boek een demo of POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "De <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is vereist om deze functie te gebruiken. Deze functie is ook beschikbaar in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Boek een demo of POC trial</bookADemoLink>.",
     "certResolver": "Certificaat Resolver",
     "certResolverDescription": "Selecteer de certificaat resolver die moet worden gebruikt voor deze resource.",
     "selectCertResolver": "Certificaat Resolver selecteren",
@@ -2682,5 +2682,5 @@
     "approvalsEmptyStateStep2Description": "Bewerk een rol en schakel de optie 'Vereist Apparaat Goedkeuringen' in. Gebruikers met deze rol hebben admin goedkeuring nodig voor nieuwe apparaten.",
     "approvalsEmptyStatePreviewDescription": "Voorbeeld: Indien ingeschakeld, zullen in afwachting van apparaatverzoeken hier verschijnen om te beoordelen",
     "approvalsEmptyStateButtonText": "Rollen beheren",
-    "domainErrorTitle": "We are having trouble verifying your domain"
+    "domainErrorTitle": "We ondervinden problemen bij het controleren van uw domein"
 }

From be3bd72c1be68fe43460dd35fa44210cb850797d Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 20 Mar 2026 11:16:08 -0700
Subject: [PATCH 076/314] New translations en-us.json (Polish)

---
 messages/pl-PL.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/messages/pl-PL.json b/messages/pl-PL.json
index 231a4e806..ba0587b94 100644
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Proxy zapytań przez HTTPS przy użyciu w pełni kwalifikowanej nazwy domeny.",
     "resourceRaw": "Surowy zasób TCP/UDP",
     "resourceRawDescription": "Proxy zapytań przez surowe TCP/UDP przy użyciu numeru portu.",
-    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
+    "resourceRawDescriptionCloud": "Żądania proxy nad surowym TCP/UDP przy użyciu numeru portu. Wymaga stron aby połączyć się ze zdalnym węzłem.",
     "resourceCreate": "Utwórz zasób",
     "resourceCreateDescription": "Wykonaj poniższe kroki, aby utworzyć nowy zasób",
     "resourceSeeAll": "Zobacz wszystkie zasoby",
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Przestrzeń nazw: {namespace}",
     "domainPickerShowMore": "Pokaż więcej",
     "regionSelectorTitle": "Wybierz region",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Podane domeny nie są obsługiwane, gdy witryny łączą się ze zdalnymi węzłami wyjścia. Aby zasoby były dostępne w węzłach zdalnych, użyj domeny niestandardowej.",
     "regionSelectorInfo": "Wybór regionu pomaga nam zapewnić lepszą wydajność dla Twojej lokalizacji. Nie musisz być w tym samym regionie co Twój serwer.",
     "regionSelectorPlaceholder": "Wybierz region",
     "regionSelectorComingSoon": "Wkrótce dostępne",
@@ -2343,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Koniec następnego roku",
     "actionLogsDescription": "Zobacz historię działań wykonywanych w tej organizacji",
     "accessLogsDescription": "Wyświetl prośby o autoryzację dostępu do zasobów w tej organizacji",
-    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "licenseRequiredToUse": "Do korzystania z tej funkcji wymagana jest licencja <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lub <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> . <bookADemoLink>Zarezerwuj wersję demonstracyjną lub wersję próbną POC</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> jest wymagany do korzystania z tej funkcji. Ta funkcja jest również dostępna w <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Zarezerwuj demo lub okres próbny POC</bookADemoLink>.",
     "certResolver": "Rozwiązywanie certyfikatów",
     "certResolverDescription": "Wybierz resolver certyfikatów do użycia dla tego zasobu.",
     "selectCertResolver": "Wybierz Resolver certyfikatów",
@@ -2682,5 +2682,5 @@
     "approvalsEmptyStateStep2Description": "Edytuj rolę i włącz opcję \"Wymagaj zatwierdzenia urządzenia\". Użytkownicy z tą rolą będą potrzebowali zatwierdzenia administratora dla nowych urządzeń.",
     "approvalsEmptyStatePreviewDescription": "Podgląd: Gdy włączone, oczekujące prośby o sprawdzenie pojawią się tutaj",
     "approvalsEmptyStateButtonText": "Zarządzaj rolami",
-    "domainErrorTitle": "We are having trouble verifying your domain"
+    "domainErrorTitle": "Mamy problem z weryfikacją Twojej domeny"
 }

From c7901ef74b71883f9303fc878d58f8b52bce0090 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 20 Mar 2026 11:16:09 -0700
Subject: [PATCH 077/314] New translations en-us.json (Portuguese)

---
 messages/pt-PT.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/messages/pt-PT.json b/messages/pt-PT.json
index df748a002..3ce98fff6 100644
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Proxies requests sobre HTTPS usando um nome de domínio totalmente qualificado.",
     "resourceRaw": "Recurso TCP/UDP bruto",
     "resourceRawDescription": "Proxies solicitações sobre TCP/UDP bruto usando um número de porta.",
-    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
+    "resourceRawDescriptionCloud": "Proxy solicita por TCP/UDP bruto usando um número de porta. Requer que sites se conectem a um nó remoto.",
     "resourceCreate": "Criar Recurso",
     "resourceCreateDescription": "Siga os passos abaixo para criar um novo recurso",
     "resourceSeeAll": "Ver todos os recursos",
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Namespace: {namespace}",
     "domainPickerShowMore": "Mostrar Mais",
     "regionSelectorTitle": "Selecionar Região",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Domínios fornecidos não são suportados quando os sites se conectam a nós de saída remota. Para recursos disponíveis em nós remotos, use um domínio personalizado.",
     "regionSelectorInfo": "Selecionar uma região nos ajuda a fornecer melhor desempenho para sua localização. Você não precisa estar na mesma região que seu servidor.",
     "regionSelectorPlaceholder": "Escolher uma região",
     "regionSelectorComingSoon": "Em breve",
@@ -2343,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Fim do ano seguinte",
     "actionLogsDescription": "Visualizar histórico de ações realizadas nesta organização",
     "accessLogsDescription": "Ver solicitações de autenticação de recursos nesta organização",
-    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "licenseRequiredToUse": "Uma licença <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> ou <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> é necessária para usar este recurso. <bookADemoLink>Reserve um teste de demonstração ou POC</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "O <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> é necessário para usar este recurso. Este recurso também está disponível no <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Reserve uma demonstração ou avaliação POC</bookADemoLink>.",
     "certResolver": "Resolvedor de Certificado",
     "certResolverDescription": "Selecione o resolvedor de certificados para este recurso.",
     "selectCertResolver": "Selecionar solucionador de certificado",
@@ -2682,5 +2682,5 @@
     "approvalsEmptyStateStep2Description": "Editar uma função e habilitar a opção 'Exigir aprovação de dispositivos'. Usuários com essa função precisarão de aprovação de administrador para novos dispositivos.",
     "approvalsEmptyStatePreviewDescription": "Pré-visualização: Quando ativado, solicitações de dispositivo pendentes aparecerão aqui para revisão",
     "approvalsEmptyStateButtonText": "Gerir Funções",
-    "domainErrorTitle": "We are having trouble verifying your domain"
+    "domainErrorTitle": "Estamos tendo problemas ao verificar seu domínio"
 }

From 8c8e4e62332592675f6ddeea392a34636c6eba75 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 20 Mar 2026 11:16:11 -0700
Subject: [PATCH 078/314] New translations en-us.json (Russian)

---
 messages/ru-RU.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index 9e26f5b63..12043d8a2 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Проксировать запросы через HTTPS с использованием полного доменного имени.",
     "resourceRaw": "Сырой TCP/UDP-ресурс",
     "resourceRawDescription": "Проксировать запросы по сырому TCP/UDP с использованием номера порта.",
-    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
+    "resourceRawDescriptionCloud": "Прокси запросы через необработанный TCP/UDP с использованием номера порта. Требуется подключение сайтов к удаленному узлу.",
     "resourceCreate": "Создание ресурса",
     "resourceCreateDescription": "Следуйте инструкциям ниже для создания нового ресурса",
     "resourceSeeAll": "Посмотреть все ресурсы",
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Пространство имен: {namespace}",
     "domainPickerShowMore": "Показать еще",
     "regionSelectorTitle": "Выберите регион",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Предоставленные домены не поддерживаются при подключении сайтов к удаленным узлам. Для доступа к ресурсам на удаленных узлах используйте пользовательский домен.",
     "regionSelectorInfo": "Выбор региона помогает нам обеспечить лучшее качество обслуживания для вашего расположения. Вам необязательно находиться в том же регионе, что и ваш сервер.",
     "regionSelectorPlaceholder": "Выбор региона",
     "regionSelectorComingSoon": "Скоро будет",
@@ -2343,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Конец следующего года",
     "actionLogsDescription": "Просмотр истории действий, выполненных в этой организации",
     "accessLogsDescription": "Просмотр запросов авторизации доступа к ресурсам этой организации",
-    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "licenseRequiredToUse": "Требуется лицензия на <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> или <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> для использования этой функции. <bookADemoLink>Забронируйте демонстрацию или пробный POC</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> требуется для использования этой функции. Эта функция также доступна в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Забронируйте демонстрацию или пробный POC</bookADemoLink>.",
     "certResolver": "Резольвер сертификата",
     "certResolverDescription": "Выберите резолвер сертификата, который будет использоваться для этого ресурса.",
     "selectCertResolver": "Выберите резолвер сертификата",
@@ -2682,5 +2682,5 @@
     "approvalsEmptyStateStep2Description": "Редактировать роль и включить опцию 'Требовать утверждения устройств'. Пользователям с этой ролью потребуется подтверждение администратора для новых устройств.",
     "approvalsEmptyStatePreviewDescription": "Предпросмотр: Если включено, ожидающие запросы на устройство появятся здесь для проверки",
     "approvalsEmptyStateButtonText": "Управление ролями",
-    "domainErrorTitle": "We are having trouble verifying your domain"
+    "domainErrorTitle": "У нас возникли проблемы с проверкой вашего домена"
 }

From 569ebc671d8695ca35288957b73f64d0d500d449 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 20 Mar 2026 11:16:12 -0700
Subject: [PATCH 079/314] New translations en-us.json (Turkish)

---
 messages/tr-TR.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/messages/tr-TR.json b/messages/tr-TR.json
index aa5e75cd6..362f891fb 100644
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Tam nitelikli bir etki alanı adı kullanarak HTTPS üzerinden proxy isteklerini yönlendirin.",
     "resourceRaw": "Ham TCP/UDP Kaynağı",
     "resourceRawDescription": "Port numarası kullanarak ham TCP/UDP üzerinden proxy isteklerini yönlendirin.",
-    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
+    "resourceRawDescriptionCloud": "Proxy isteklerini bir port numarası kullanarak ham TCP/UDP üzerinden yapın. Sitelerin uzak bir düğüme bağlanması gereklidir.",
     "resourceCreate": "Kaynak Oluştur",
     "resourceCreateDescription": "Yeni bir kaynak oluşturmak için aşağıdaki adımları izleyin",
     "resourceSeeAll": "Tüm Kaynakları Gör",
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Ad Alanı: {namespace}",
     "domainPickerShowMore": "Daha Fazla Göster",
     "regionSelectorTitle": "Bölge Seç",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Belirtilen alan adları, siteler uzak çıkış düğümlerine bağlandığında desteklenmez. Kaynakların uzak düğümlerde kullanılabilir olması için özel bir alan adı kullanın.",
     "regionSelectorInfo": "Bir bölge seçmek, konumunuz için daha iyi performans sağlamamıza yardımcı olur. Sunucunuzla aynı bölgede olmanıza gerek yoktur.",
     "regionSelectorPlaceholder": "Bölge Seçin",
     "regionSelectorComingSoon": "Yakında Geliyor",
@@ -2343,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Bir sonraki yılın sonu",
     "actionLogsDescription": "Bu organizasyondaki eylemler geçmişini görüntüleyin",
     "accessLogsDescription": "Bu organizasyondaki kaynaklar için erişim kimlik doğrulama isteklerini görüntüleyin",
-    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "licenseRequiredToUse": "Bu özelliği kullanmak için bir <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lisansı veya <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> gereklidir. <bookADemoLink>Tanıtım veya POC denemesi ayarlayın</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "Bu özelliği kullanmak için <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> gereklidir. Bu özellik ayrıca <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>’da da mevcuttur. <bookADemoLink>Tanıtım veya POC denemesi ayarlayın</bookADemoLink>.",
     "certResolver": "Sertifika Çözücü",
     "certResolverDescription": "Bu kaynak için kullanılacak sertifika çözücüsünü seçin.",
     "selectCertResolver": "Sertifika Çözücü Seçin",
@@ -2682,5 +2682,5 @@
     "approvalsEmptyStateStep2Description": "Bir rolü düzenleyin ve 'Cihaz Onaylarını Gerektir' seçeneğini etkinleştirin. Bu role sahip kullanıcıların yeni cihazlar için yönetici onayına ihtiyacı olacaktır.",
     "approvalsEmptyStatePreviewDescription": "Önizleme: Etkinleştirildiğinde, bekleyen cihaz talepleri incelenmek üzere burada görünecektir.",
     "approvalsEmptyStateButtonText": "Rolleri Yönet",
-    "domainErrorTitle": "We are having trouble verifying your domain"
+    "domainErrorTitle": "Alan adınızı doğrulamada sorun yaşıyoruz"
 }

From 2d4d0df5cac7e43be6e9b7f0b964d9327e26ded2 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 20 Mar 2026 11:16:14 -0700
Subject: [PATCH 080/314] New translations en-us.json (Chinese Simplified)

---
 messages/zh-CN.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/messages/zh-CN.json b/messages/zh-CN.json
index 7f34b334e..a7f2682fa 100644
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "通过使用完全限定的域名的HTTPS代理请求。",
     "resourceRaw": "TCP/UDP 资源",
     "resourceRawDescription": "通过使用端口号的原始TCP/UDP代理请求。",
-    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
+    "resourceRawDescriptionCloud": "正在使用端口号使用 TCP/UDP 代理请求。需要站点连接到远程节点。",
     "resourceCreate": "创建资源",
     "resourceCreateDescription": "按照下面的步骤创建新资源",
     "resourceSeeAll": "查看所有资源",
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "命名空间：{namespace}",
     "domainPickerShowMore": "显示更多",
     "regionSelectorTitle": "选择区域",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "当站点连接到远程退出节点时不支持所提供的域。为了资源可在远程节点上使用，请使用自定义域名。",
     "regionSelectorInfo": "选择区域以帮助提升您所在地的性能。您不必与服务器在相同的区域。",
     "regionSelectorPlaceholder": "选择一个区域",
     "regionSelectorComingSoon": "即将推出",
@@ -2343,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "下一年结束",
     "actionLogsDescription": "查看此机构执行的操作历史",
     "accessLogsDescription": "查看此机构资源的访问认证请求",
-    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "licenseRequiredToUse": "使用此功能需要<enterpriseLicenseLink>企业版</enterpriseLicenseLink>许可证或<pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>。<bookADemoLink>预约演示或POC试用</bookADemoLink>。",
+    "ossEnterpriseEditionRequired": "需要 <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> 才能使用此功能。 此功能也可在 <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>上获取。 <bookADemoLink>预订演示或POC 试用</bookADemoLink>。",
     "certResolver": "证书解决器",
     "certResolverDescription": "选择用于此资源的证书解析器。",
     "selectCertResolver": "选择证书解析",
@@ -2682,5 +2682,5 @@
     "approvalsEmptyStateStep2Description": "编辑角色并启用“需要设备审批”选项。具有此角色的用户需要管理员批准新设备。",
     "approvalsEmptyStatePreviewDescription": "预览：如果启用，待处理设备请求将出现在这里供审核",
     "approvalsEmptyStateButtonText": "管理角色",
-    "domainErrorTitle": "We are having trouble verifying your domain"
+    "domainErrorTitle": "我们在验证您的域名时遇到了问题"
 }

From db3f90318b281e8e37a745a16170a86fccc2f332 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 20 Mar 2026 11:16:15 -0700
Subject: [PATCH 081/314] New translations en-us.json (Norwegian Bokmal)

---
 messages/nb-NO.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/messages/nb-NO.json b/messages/nb-NO.json
index 568e8749c..e8a9fa9a3 100644
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Proxy forespørsler over HTTPS ved å bruke et fullstendig kvalifisert domenenavn.",
     "resourceRaw": "Rå TCP/UDP-ressurs",
     "resourceRawDescription": "Proxy forespørsler over rå TCP/UDP ved å bruke et portnummer.",
-    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
+    "resourceRawDescriptionCloud": "Proxy forespørsler om rå TCP/UDP ved hjelp av et portnummer. Krever sider for å koble til en ekstern node.",
     "resourceCreate": "Opprett ressurs",
     "resourceCreateDescription": "Følg trinnene nedenfor for å opprette en ny ressurs",
     "resourceSeeAll": "Se alle ressurser",
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Navnerom: {namespace}",
     "domainPickerShowMore": "Vis mer",
     "regionSelectorTitle": "Velg Region",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Tilbudte domener støttes ikke når sider kobles til eksterne avkjøringsnoder. For ressurser som skal være tilgjengelige på eksterne noder, brukes et egendefinert domene i stedet.",
     "regionSelectorInfo": "Å velge en region hjelper oss med å gi bedre ytelse for din lokasjon. Du trenger ikke være i samme region som serveren.",
     "regionSelectorPlaceholder": "Velg en region",
     "regionSelectorComingSoon": "Kommer snart",
@@ -2343,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Slutt på neste år",
     "actionLogsDescription": "Vis historikk for handlinger som er utført i denne organisasjonen",
     "accessLogsDescription": "Vis autoriseringsforespørsler for ressurser i denne organisasjonen",
-    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "licenseRequiredToUse": "En <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lisens eller <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> er påkrevd for å bruke denne funksjonen. <bookADemoLink>Bestill en demo eller POC prøveversjon</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> er nødvendig for å bruke denne funksjonen. Denne funksjonen er også tilgjengelig i <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Bestill en demo eller POC studie</bookADemoLink>.",
     "certResolver": "Sertifikat løser",
     "certResolverDescription": "Velg sertifikatløser som skal brukes for denne ressursen.",
     "selectCertResolver": "Velg sertifikatløser",
@@ -2682,5 +2682,5 @@
     "approvalsEmptyStateStep2Description": "Rediger en rolle og aktiver alternativet 'Kreve enhetsgodkjenninger'. Brukere med denne rollen vil trenge administratorgodkjenning for nye enheter.",
     "approvalsEmptyStatePreviewDescription": "Forhåndsvisning: Når aktivert, ventende enhets forespørsler vil vises her for vurdering",
     "approvalsEmptyStateButtonText": "Administrer Roller",
-    "domainErrorTitle": "We are having trouble verifying your domain"
+    "domainErrorTitle": "Vi har problemer med å verifisere domenet ditt"
 }

From a8c9d2e7e6afc32312eed5aba16d3f2aad929505 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 20 Mar 2026 11:16:17 -0700
Subject: [PATCH 082/314] New translations en-us.json (Spanish)

---
 messages/es-ES.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/messages/es-ES.json b/messages/es-ES.json
index e7cb5b3ea..e33a85ace 100644
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -175,7 +175,7 @@
     "resourceHTTPDescription": "Proxy proporciona solicitudes sobre HTTPS usando un nombre de dominio completamente calificado.",
     "resourceRaw": "Recurso TCP/UDP sin procesar",
     "resourceRawDescription": "Proxy proporciona solicitudes sobre TCP/UDP usando un número de puerto.",
-    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
+    "resourceRawDescriptionCloud": "Las peticiones de proxy sobre TCP/UDP crudas usando un número de puerto. Requiere que los sitios se conecten a un nodo remoto.",
     "resourceCreate": "Crear Recurso",
     "resourceCreateDescription": "Siga los siguientes pasos para crear un nuevo recurso",
     "resourceSeeAll": "Ver todos los recursos",
@@ -1426,7 +1426,7 @@
     "domainPickerNamespace": "Espacio de nombres: {namespace}",
     "domainPickerShowMore": "Mostrar más",
     "regionSelectorTitle": "Seleccionar Región",
-    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
+    "domainPickerRemoteExitNodeWarning": "Los dominios suministrados no son compatibles cuando los sitios se conectan a nodos de salida remotos. Para que los recursos estén disponibles en nodos remotos, utilice un dominio personalizado en su lugar.",
     "regionSelectorInfo": "Seleccionar una región nos ayuda a brindar un mejor rendimiento para tu ubicación. No tienes que estar en la misma región que tu servidor.",
     "regionSelectorPlaceholder": "Elige una región",
     "regionSelectorComingSoon": "Próximamente",
@@ -2343,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "Fin del año siguiente",
     "actionLogsDescription": "Ver un historial de acciones realizadas en esta organización",
     "accessLogsDescription": "Ver solicitudes de acceso a los recursos de esta organización",
-    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "licenseRequiredToUse": "Se requiere una licencia <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> o <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> para usar esta función. <bookADemoLink>Reserve una demostración o prueba POC</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "La <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> es necesaria para utilizar esta función. Esta función también está disponible en <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Reserva una demostración o prueba POC</bookADemoLink>.",
     "certResolver": "Resolver certificado",
     "certResolverDescription": "Seleccione la resolución de certificados a utilizar para este recurso.",
     "selectCertResolver": "Seleccionar Resolver Certificado",
@@ -2682,5 +2682,5 @@
     "approvalsEmptyStateStep2Description": "Editar un rol y habilitar la opción 'Requerir aprobaciones de dispositivos'. Los usuarios con este rol necesitarán la aprobación del administrador para nuevos dispositivos.",
     "approvalsEmptyStatePreviewDescription": "Vista previa: Cuando está habilitado, las solicitudes de dispositivo pendientes aparecerán aquí para su revisión",
     "approvalsEmptyStateButtonText": "Administrar roles",
-    "domainErrorTitle": "We are having trouble verifying your domain"
+    "domainErrorTitle": "Estamos teniendo problemas para verificar su dominio"
 }

From 0c4d9ea164631bbd56e147f2794438b53d2371c5 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Fri, 20 Mar 2026 14:31:12 -0700
Subject: [PATCH 083/314] Extend santize into hybrid

---
 server/lib/sanitize.ts                   | 40 ++++++++++++++++++++++++
 server/private/routers/hybrid.ts         | 25 ++++++++-------
 server/routers/badger/logRequestAudit.ts | 20 +-----------
 3 files changed, 54 insertions(+), 31 deletions(-)
 create mode 100644 server/lib/sanitize.ts

diff --git a/server/lib/sanitize.ts b/server/lib/sanitize.ts
new file mode 100644
index 000000000..9eba8a583
--- /dev/null
+++ b/server/lib/sanitize.ts
@@ -0,0 +1,40 @@
+/**
+ * Sanitize a string field before inserting into a database TEXT column.
+ *
+ * Two passes are applied:
+ *
+ * 1. Lone UTF-16 surrogates – JavaScript strings can hold unpaired surrogates
+ *    (e.g. \uD800 without a following \uDC00-\uDFFF codepoint). These are
+ *    valid in JS but cannot be encoded as UTF-8, triggering
+ *    `report_invalid_encoding` in SQLite / Postgres. They are replaced with
+ *    the Unicode replacement character U+FFFD so the data is preserved as a
+ *    visible signal that something was malformed.
+ *
+ * 2. Null bytes and C0 control characters – SQLite stores TEXT as
+ *    null-terminated C strings, so \x00 in a value causes
+ *    `report_invalid_encoding`. Bots and scanners routinely inject null bytes
+ *    into URLs (e.g. `/path\u0000.jpg`). All C0 control characters in the
+ *    range \x00-\x1F are stripped except for the three that are legitimate in
+ *    text payloads: HT (\x09), LF (\x0A), and CR (\x0D). DEL (\x7F) is also
+ *    stripped.
+ */
+export function sanitizeString(value: string): string;
+export function sanitizeString(
+    value: string | null | undefined
+): string | undefined;
+export function sanitizeString(
+    value: string | null | undefined
+): string | undefined {
+    if (value == null) return undefined;
+    return (
+        value
+            // Replace lone high surrogates (not followed by a low surrogate)
+            // and lone low surrogates (not preceded by a high surrogate).
+            .replace(
+                /[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?<![\uD800-\uDBFF])[\uDC00-\uDFFF]/g,
+                "\uFFFD"
+            )
+            // Strip null bytes, C0 control chars (except HT/LF/CR), and DEL.
+            .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, "")
+    );
+}
\ No newline at end of file
diff --git a/server/private/routers/hybrid.ts b/server/private/routers/hybrid.ts
index 0e5d1ec2e..c626e07ba 100644
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -81,6 +81,7 @@ import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToke
 import semver from "semver";
 import { maxmindAsnLookup } from "@server/db/maxmindAsn";
 import { checkOrgAccessPolicy } from "@server/lib/checkOrgAccessPolicy";
+import { sanitizeString } from "@server/lib/sanitize";
 
 // Zod schemas for request validation
 const getResourceByDomainParamsSchema = z.strictObject({
@@ -1859,24 +1860,24 @@ hybridRouter.post(
                 })
                 .map((logEntry) => ({
                     timestamp: logEntry.timestamp,
-                    orgId: logEntry.orgId,
-                    actorType: logEntry.actorType,
-                    actor: logEntry.actor,
-                    actorId: logEntry.actorId,
-                    metadata: logEntry.metadata,
+                    orgId: sanitizeString(logEntry.orgId),
+                    actorType: sanitizeString(logEntry.actorType),
+                    actor: sanitizeString(logEntry.actor),
+                    actorId: sanitizeString(logEntry.actorId),
+                    metadata: sanitizeString(logEntry.metadata),
                     action: logEntry.action,
                     resourceId: logEntry.resourceId,
                     reason: logEntry.reason,
-                    location: logEntry.location,
+                    location: sanitizeString(logEntry.location),
                     // userAgent: data.userAgent, // TODO: add this
                     // headers: data.body.headers,
                     // query: data.body.query,
-                    originalRequestURL: logEntry.originalRequestURL,
-                    scheme: logEntry.scheme,
-                    host: logEntry.host,
-                    path: logEntry.path,
-                    method: logEntry.method,
-                    ip: logEntry.ip,
+                    originalRequestURL: sanitizeString(logEntry.originalRequestURL) ?? "",
+                    scheme: sanitizeString(logEntry.scheme) ?? "",
+                    host: sanitizeString(logEntry.host) ?? "",
+                    path: sanitizeString(logEntry.path) ?? "",
+                    method: sanitizeString(logEntry.method) ?? "",
+                    ip: sanitizeString(logEntry.ip),
                     tls: logEntry.tls
                 }));
 
diff --git a/server/routers/badger/logRequestAudit.ts b/server/routers/badger/logRequestAudit.ts
index 4dd5bff99..92d01332e 100644
--- a/server/routers/badger/logRequestAudit.ts
+++ b/server/routers/badger/logRequestAudit.ts
@@ -5,25 +5,7 @@ import cache from "#dynamic/lib/cache";
 import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
 import { stripPortFromHost } from "@server/lib/ip";
 
-/**
- * Sanitize a string field by replacing lone UTF-16 surrogates (which cannot
- * be encoded as valid UTF-8) with the Unicode replacement character, and
- * stripping ASCII control characters that are invalid in most text columns.
- */
-function sanitizeString(value: string | undefined | null): string | undefined {
-    if (value == null) return undefined;
-    return (
-        value
-            // Replace lone high surrogates (not followed by a low surrogate)
-            // and lone low surrogates (not preceded by a high surrogate)
-            .replace(
-                /[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?<![\uD800-\uDBFF])[\uDC00-\uDFFF]/g,
-                "\uFFFD"
-            )
-            // Strip C0 control characters except HT (\x09), LF (\x0A), CR (\x0D)
-            .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, "")
-    );
-}
+import { sanitizeString } from "@server/lib/sanitize";
 
 /**
 

From 73117665128a7df61a1ab4c1a0cc8cf6cf819b25 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Fri, 20 Mar 2026 15:30:41 -0700
Subject: [PATCH 084/314] Fix offline issue

---
 .../handleRemoteExitNodePingMessage.ts        | 33 +++++--------------
 .../newt/handleNewtDisconnectingMessage.ts    |  6 ++--
 2 files changed, 12 insertions(+), 27 deletions(-)

diff --git a/server/private/routers/remoteExitNode/handleRemoteExitNodePingMessage.ts b/server/private/routers/remoteExitNode/handleRemoteExitNodePingMessage.ts
index dafc14121..9c2889a99 100644
--- a/server/private/routers/remoteExitNode/handleRemoteExitNodePingMessage.ts
+++ b/server/private/routers/remoteExitNode/handleRemoteExitNodePingMessage.ts
@@ -38,7 +38,7 @@ export const startRemoteExitNodeOfflineChecker = (): void => {
             );
 
             // Find clients that haven't pinged in the last 2 minutes and mark them as offline
-            const newlyOfflineNodes = await db
+            const offlineNodes = await db
                 .update(exitNodes)
                 .set({ online: false })
                 .where(
@@ -53,32 +53,15 @@ export const startRemoteExitNodeOfflineChecker = (): void => {
                 )
                 .returning();
 
-            // Update the sites to offline if they have not pinged either
-            const exitNodeIds = newlyOfflineNodes.map(
-                (node) => node.exitNodeId
-            );
-
-            const sitesOnNode = await db
-                .select()
-                .from(sites)
-                .where(
-                    and(
-                        eq(sites.online, true),
-                        inArray(sites.exitNodeId, exitNodeIds)
-                    )
+            if (offlineNodes.length > 0) {
+                logger.info(
+                    `checkRemoteExitNodeOffline: Marked ${offlineNodes.length} remoteExitNode client(s) offline due to inactivity`
                 );
 
-            // loop through the sites and process their lastBandwidthUpdate as an iso string and if its more than 1 minute old then mark the site offline
-            for (const site of sitesOnNode) {
-                if (!site.lastBandwidthUpdate) {
-                    continue;
-                }
-                const lastBandwidthUpdate = new Date(site.lastBandwidthUpdate);
-                if (Date.now() - lastBandwidthUpdate.getTime() > 60 * 1000) {
-                    await db
-                        .update(sites)
-                        .set({ online: false })
-                        .where(eq(sites.siteId, site.siteId));
+                for (const offlineClient of offlineNodes) {
+                    logger.debug(
+                        `checkRemoteExitNodeOffline: Client ${offlineClient.exitNodeId} marked offline (lastPing: ${offlineClient.lastPing})`
+                    );
                 }
             }
         } catch (error) {
diff --git a/server/routers/newt/handleNewtDisconnectingMessage.ts b/server/routers/newt/handleNewtDisconnectingMessage.ts
index e23710616..02c5a95ac 100644
--- a/server/routers/newt/handleNewtDisconnectingMessage.ts
+++ b/server/routers/newt/handleNewtDisconnectingMessage.ts
@@ -6,7 +6,9 @@ import logger from "@server/logger";
 /**
  * Handles disconnecting messages from sites to show disconnected in the ui
  */
-export const handleNewtDisconnectingMessage: MessageHandler = async (context) => {
+export const handleNewtDisconnectingMessage: MessageHandler = async (
+    context
+) => {
     const { message, client: c, sendToClient } = context;
     const newt = c as Newt;
 
@@ -27,7 +29,7 @@ export const handleNewtDisconnectingMessage: MessageHandler = async (context) =>
             .set({
                 online: false
             })
-            .where(eq(sites.siteId, sites.siteId));
+            .where(eq(sites.siteId, newt.siteId));
     } catch (error) {
         logger.error("Error handling disconnecting message", { error });
     }

From f643abf19a9858026d2a04459a1b78370e961c7d Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Fri, 20 Mar 2026 16:03:50 -0700
Subject: [PATCH 085/314] dont show create org for oidc users

---
 src/components/OrgSelector.tsx | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/components/OrgSelector.tsx b/src/components/OrgSelector.tsx
index db43b1e65..fcbc700a2 100644
--- a/src/components/OrgSelector.tsx
+++ b/src/components/OrgSelector.tsx
@@ -29,6 +29,7 @@ import { usePathname, useRouter } from "next/navigation";
 import { useMemo, useState } from "react";
 import { useUserContext } from "@app/hooks/useUserContext";
 import { useTranslations } from "next-intl";
+import { build } from "@server/build";
 
 interface OrgSelectorProps {
     orgId?: string;
@@ -50,6 +51,11 @@ export function OrgSelector({
 
     const selectedOrg = orgs?.find((org) => org.orgId === orgId);
 
+    let canCreateOrg = !env.flags.disableUserCreateOrg || user.serverAdmin;
+    if (build === "saas" && user.type !== "internal") {
+        canCreateOrg = false;
+    }
+
     const sortedOrgs = useMemo(() => {
         if (!orgs?.length) return orgs ?? [];
         return [...orgs].sort((a, b) => {
@@ -161,7 +167,7 @@ export function OrgSelector({
                         </CommandGroup>
                     </CommandList>
                 </Command>
-                {(!env.flags.disableUserCreateOrg || user.serverAdmin) && (
+                {canCreateOrg && (
                     <div className="p-2 border-t border-border">
                         <Button
                             variant="ghost"

From 6c2c620c99f55092b28ae43af8619fb7d4578111 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Fri, 20 Mar 2026 17:52:07 -0700
Subject: [PATCH 086/314] set cache ttl and default ttl

---
 server/private/lib/cache.ts              | 39 ++++++++++++++++++------
 server/routers/client/listClients.ts     |  2 +-
 server/routers/client/listUserDevices.ts |  2 +-
 server/routers/site/listSites.ts         |  4 +--
 server/routers/user/inviteUser.ts        |  2 +-
 5 files changed, 35 insertions(+), 14 deletions(-)

diff --git a/server/private/lib/cache.ts b/server/private/lib/cache.ts
index 1d8c24537..e8c03ba3d 100644
--- a/server/private/lib/cache.ts
+++ b/server/private/lib/cache.ts
@@ -24,23 +24,31 @@ setInterval(() => {
  */
 class AdaptiveCache {
     private useRedis(): boolean {
-        return redisManager.isRedisEnabled() && redisManager.getHealthStatus().isHealthy;
+        return (
+            redisManager.isRedisEnabled() &&
+            redisManager.getHealthStatus().isHealthy
+        );
     }
 
     /**
      * Set a value in the cache
      * @param key - Cache key
      * @param value - Value to cache (will be JSON stringified for Redis)
-     * @param ttl - Time to live in seconds (0 = no expiration)
+     * @param ttl - Time to live in seconds (0 = no expiration; omit = 3600s for Redis)
      * @returns boolean indicating success
      */
     async set(key: string, value: any, ttl?: number): Promise<boolean> {
         const effectiveTtl = ttl === 0 ? undefined : ttl;
+        const redisTtl = ttl === 0 ? undefined : (ttl ?? 3600);
 
         if (this.useRedis()) {
             try {
                 const serialized = JSON.stringify(value);
-                const success = await redisManager.set(key, serialized, effectiveTtl);
+                const success = await redisManager.set(
+                    key,
+                    serialized,
+                    redisTtl
+                );
 
                 if (success) {
                     logger.debug(`Set key in Redis: ${key}`);
@@ -48,7 +56,9 @@ class AdaptiveCache {
                 }
 
                 // Redis failed, fall through to local cache
-                logger.debug(`Redis set failed for key ${key}, falling back to local cache`);
+                logger.debug(
+                    `Redis set failed for key ${key}, falling back to local cache`
+                );
             } catch (error) {
                 logger.error(`Redis set error for key ${key}:`, error);
                 // Fall through to local cache
@@ -120,9 +130,14 @@ class AdaptiveCache {
                 }
 
                 // Some Redis deletes failed, fall through to local cache
-                logger.debug(`Some Redis deletes failed, falling back to local cache`);
+                logger.debug(
+                    `Some Redis deletes failed, falling back to local cache`
+                );
             } catch (error) {
-                logger.error(`Redis del error for keys ${keys.join(", ")}:`, error);
+                logger.error(
+                    `Redis del error for keys ${keys.join(", ")}:`,
+                    error
+                );
                 // Fall through to local cache
                 deletedCount = 0;
             }
@@ -195,7 +210,9 @@ class AdaptiveCache {
      */
     async flushAll(): Promise<void> {
         if (this.useRedis()) {
-            logger.warn("Adaptive cache flushAll called - Redis flush not implemented, only local cache will be flushed");
+            logger.warn(
+                "Adaptive cache flushAll called - Redis flush not implemented, only local cache will be flushed"
+            );
         }
 
         localCache.flushAll();
@@ -239,7 +256,9 @@ class AdaptiveCache {
     getTtl(key: string): number {
         // Note: This only works for local cache, Redis TTL is not supported
         if (this.useRedis()) {
-            logger.warn(`getTtl called for key ${key} but Redis TTL lookup is not implemented`);
+            logger.warn(
+                `getTtl called for key ${key} but Redis TTL lookup is not implemented`
+            );
         }
 
         const ttl = localCache.getTtl(key);
@@ -255,7 +274,9 @@ class AdaptiveCache {
      */
     keys(): string[] {
         if (this.useRedis()) {
-            logger.warn("keys() called but Redis keys are not included, only local cache keys returned");
+            logger.warn(
+                "keys() called but Redis keys are not included, only local cache keys returned"
+            );
         }
         return localCache.keys();
     }
diff --git a/server/routers/client/listClients.ts b/server/routers/client/listClients.ts
index 84226a6dc..3b7adf2d5 100644
--- a/server/routers/client/listClients.ts
+++ b/server/routers/client/listClients.ts
@@ -70,7 +70,7 @@ async function getLatestOlmVersion(): Promise<string | null> {
         tags = tags.filter((version) => !version.name.includes("rc"));
         const latestVersion = tags[0].name;
 
-        olmVersionCache.set("latestOlmVersion", latestVersion);
+        olmVersionCache.set("latestOlmVersion", latestVersion, 3600);
 
         return latestVersion;
     } catch (error: any) {
diff --git a/server/routers/client/listUserDevices.ts b/server/routers/client/listUserDevices.ts
index eb63812c6..e99760b91 100644
--- a/server/routers/client/listUserDevices.ts
+++ b/server/routers/client/listUserDevices.ts
@@ -71,7 +71,7 @@ async function getLatestOlmVersion(): Promise<string | null> {
         tags = tags.filter((version) => !version.name.includes("rc"));
         const latestVersion = tags[0].name;
 
-        olmVersionCache.set("latestOlmVersion", latestVersion);
+        olmVersionCache.set("latestOlmVersion", latestVersion, 3600);
 
         return latestVersion;
     } catch (error: any) {
diff --git a/server/routers/site/listSites.ts b/server/routers/site/listSites.ts
index 9ff7a6933..a87ad3daf 100644
--- a/server/routers/site/listSites.ts
+++ b/server/routers/site/listSites.ts
@@ -55,7 +55,7 @@ async function getLatestNewtVersion(): Promise<string | null> {
         tags = tags.filter((version) => !version.name.includes("rc"));
         const latestVersion = tags[0].name;
 
-        await cache.set("latestNewtVersion", latestVersion);
+        await cache.set("latestNewtVersion", latestVersion, 3600);
 
         return latestVersion;
     } catch (error: any) {
@@ -180,7 +180,7 @@ registry.registerPath({
     method: "get",
     path: "/org/{orgId}/sites",
     description: "List all sites in an organization",
-    tags: [OpenAPITags.Site],
+    tags: [OpenAPITags.Org, OpenAPITags.Site],
     request: {
         params: listSitesParamsSchema,
         query: listSitesSchema
diff --git a/server/routers/user/inviteUser.ts b/server/routers/user/inviteUser.ts
index 06d9512fb..b0632da9e 100644
--- a/server/routers/user/inviteUser.ts
+++ b/server/routers/user/inviteUser.ts
@@ -201,7 +201,7 @@ export async function inviteUser(
                 );
             }
 
-            await cache.set(email, attempts + 1);
+            await cache.set("regenerateInvite:" + email, attempts + 1, 3600);
 
             const inviteId = existingInvite[0].inviteId; // Retrieve the original inviteId
             const token = generateRandomString(

From 871f14ef3a9273b5b078f4d35f70c719bea2923c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 21 Mar 2026 11:17:41 +0000
Subject: [PATCH 087/314] Bump flatted from 3.3.3 to 3.4.2

Bumps [flatted](https://github.com/WebReflection/flatted) from 3.3.3 to 3.4.2.
- [Commits](https://github.com/WebReflection/flatted/compare/v3.3.3...v3.4.2)

---
updated-dependencies:
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 package-lock.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 7b63f1691..0056b0c5e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -13229,9 +13229,9 @@
             }
         },
         "node_modules/flatted": {
-            "version": "3.3.3",
-            "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.3.tgz",
-            "integrity": "sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==",
+            "version": "3.4.2",
+            "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+            "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
             "dev": true,
             "license": "ISC"
         },

From ad2a0ae1272b2de201e7c8da5b1e1bcd391a3612 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sat, 21 Mar 2026 10:42:31 -0700
Subject: [PATCH 088/314] Use the log database in hybrid as well

---
 server/private/routers/hybrid.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/private/routers/hybrid.ts b/server/private/routers/hybrid.ts
index c626e07ba..a38385b0c 100644
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -15,6 +15,7 @@ import { verifySessionRemoteExitNodeMiddleware } from "#private/middlewares/veri
 import { Router } from "express";
 import {
     db,
+    logsDb,
     exitNodes,
     Resource,
     ResourcePassword,
@@ -1885,7 +1886,7 @@ hybridRouter.post(
             const batchSize = 100;
             for (let i = 0; i < logEntries.length; i += batchSize) {
                 const batch = logEntries.slice(i, i + batchSize);
-                await db.insert(requestAuditLog).values(batch);
+                await logsDb.insert(requestAuditLog).values(batch);
             }
 
             return response(res, {

From 3cca0c09c06e1a928c5cae9b8b5ad10ab231ee88 Mon Sep 17 00:00:00 2001
From: Noe Charmet <noe.charmet@shipfox.io>
Date: Mon, 23 Mar 2026 11:09:19 +0100
Subject: [PATCH 089/314] Allow setting Redis password from env

---
 server/private/lib/readConfigFile.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/server/private/lib/readConfigFile.ts b/server/private/lib/readConfigFile.ts
index 0ce6d0272..54260009b 100644
--- a/server/private/lib/readConfigFile.ts
+++ b/server/private/lib/readConfigFile.ts
@@ -57,7 +57,10 @@ export const privateConfigSchema = z.object({
         .object({
             host: z.string(),
             port: portSchema,
-            password: z.string().optional(),
+            password: z
+                .string()
+                .optional()
+                .transform(getEnvOrYaml("REDIS_PASSWORD")),
             db: z.int().nonnegative().optional().default(0),
             replicas: z
                 .array(

From 60982bf19fb74905062e441d369d5c4849df9367 Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Mon, 23 Mar 2026 22:55:59 +0100
Subject: [PATCH 090/314] =?UTF-8?q?=F0=9F=9A=A7=20edit=20niceid=20in=20pri?=
 =?UTF-8?q?vate=20resources?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../siteResource/updateSiteResource.ts        | 78 +++++++++++--------
 src/components/EditInternalResourceDialog.tsx | 12 +--
 src/components/InternalResourceForm.tsx       | 24 +++++-
 3 files changed, 75 insertions(+), 39 deletions(-)

diff --git a/server/routers/siteResource/updateSiteResource.ts b/server/routers/siteResource/updateSiteResource.ts
index 596ed9a3f..fcb42a08e 100644
--- a/server/routers/siteResource/updateSiteResource.ts
+++ b/server/routers/siteResource/updateSiteResource.ts
@@ -1,5 +1,4 @@
-import { Request, Response, NextFunction } from "express";
-import { z } from "zod";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import {
     clientSiteResources,
     clientSiteResourcesAssociationsCache,
@@ -8,19 +7,13 @@ import {
     orgs,
     roles,
     roleSiteResources,
+    SiteResource,
+    siteResources,
     sites,
     Transaction,
     userSiteResources
 } from "@server/db";
-import { siteResources, SiteResource } from "@server/db";
-import response from "@server/lib/response";
-import HttpCode from "@server/types/HttpCode";
-import createHttpError from "http-errors";
-import { eq, and, ne } from "drizzle-orm";
-import { fromError } from "zod-validation-error";
-import logger from "@server/logger";
-import { OpenAPITags, registry } from "@server/openApi";
-import { updatePeerData, updateTargets } from "@server/routers/client/targets";
+import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import {
     generateAliasConfig,
     generateRemoteSubnets,
@@ -28,12 +21,17 @@ import {
     isIpInCidr,
     portRangeStringSchema
 } from "@server/lib/ip";
-import {
-    getClientSiteResourceAccess,
-    rebuildClientAssociationsFromSiteResource
-} from "@server/lib/rebuildClientAssociations";
-import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
-import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import { rebuildClientAssociationsFromSiteResource } from "@server/lib/rebuildClientAssociations";
+import response from "@server/lib/response";
+import logger from "@server/logger";
+import { OpenAPITags, registry } from "@server/openApi";
+import { updatePeerData, updateTargets } from "@server/routers/client/targets";
+import HttpCode from "@server/types/HttpCode";
+import { and, eq, ne } from "drizzle-orm";
+import { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
 
 const updateSiteResourceParamsSchema = z.strictObject({
     siteResourceId: z.string().transform(Number).pipe(z.int().positive())
@@ -43,7 +41,15 @@ const updateSiteResourceSchema = z
     .strictObject({
         name: z.string().min(1).max(255).optional(),
         siteId: z.int(),
-        // niceId: z.string().min(1).max(255).regex(/^[a-zA-Z0-9-]+$/, "niceId can only contain letters, numbers, and dashes").optional(),
+        niceId: z
+            .string()
+            .min(1)
+            .max(255)
+            .regex(
+                /^[a-zA-Z0-9-]+$/,
+                "niceId can only contain letters, numbers, and dashes"
+            )
+            .optional(),
         // mode: z.enum(["host", "cidr", "port"]).optional(),
         mode: z.enum(["host", "cidr"]).optional(),
         // protocol: z.enum(["tcp", "udp"]).nullish(),
@@ -167,6 +173,7 @@ export async function updateSiteResource(
         const {
             name,
             siteId, // because it can change
+            niceId,
             mode,
             destination,
             alias,
@@ -321,7 +328,8 @@ export async function updateSiteResource(
 
                 const sshPamSet =
                     isLicensedSshPam &&
-                    (authDaemonPort !== undefined || authDaemonMode !== undefined)
+                    (authDaemonPort !== undefined ||
+                        authDaemonMode !== undefined)
                         ? {
                               ...(authDaemonPort !== undefined && {
                                   authDaemonPort
@@ -334,15 +342,16 @@ export async function updateSiteResource(
                 [updatedSiteResource] = await trx
                     .update(siteResources)
                     .set({
-                        name: name,
-                        siteId: siteId,
-                        mode: mode,
-                        destination: destination,
-                        enabled: enabled,
+                        name,
+                        siteId,
+                        niceId,
+                        mode,
+                        destination,
+                        enabled,
                         alias: alias && alias.trim() ? alias : null,
-                        tcpPortRangeString: tcpPortRangeString,
-                        udpPortRangeString: udpPortRangeString,
-                        disableIcmp: disableIcmp,
+                        tcpPortRangeString,
+                        udpPortRangeString,
+                        disableIcmp,
                         ...sshPamSet
                     })
                     .where(
@@ -423,7 +432,8 @@ export async function updateSiteResource(
                 // Update the site resource
                 const sshPamSet =
                     isLicensedSshPam &&
-                    (authDaemonPort !== undefined || authDaemonMode !== undefined)
+                    (authDaemonPort !== undefined ||
+                        authDaemonMode !== undefined)
                         ? {
                               ...(authDaemonPort !== undefined && {
                                   authDaemonPort
@@ -617,10 +627,14 @@ export async function handleMessagingForUpdatedSiteResource(
                 mergedAllClients
             );
 
-            await updateTargets(newt.newtId, {
-                oldTargets: oldTargets,
-                newTargets: newTargets
-            }, newt.version);
+            await updateTargets(
+                newt.newtId,
+                {
+                    oldTargets: oldTargets,
+                    newTargets: newTargets
+                },
+                newt.version
+            );
         }
 
         const olmJobs: Promise<void>[] = [];
diff --git a/src/components/EditInternalResourceDialog.tsx b/src/components/EditInternalResourceDialog.tsx
index 866aebe3a..690ad405d 100644
--- a/src/components/EditInternalResourceDialog.tsx
+++ b/src/components/EditInternalResourceDialog.tsx
@@ -18,7 +18,7 @@ import { resourceQueries } from "@app/lib/queries";
 import { ListSitesResponse } from "@server/routers/site";
 import { useQueryClient } from "@tanstack/react-query";
 import { useTranslations } from "next-intl";
-import { useState } from "react";
+import { useState, useTransition } from "react";
 import {
     cleanForFQDN,
     InternalResourceForm,
@@ -49,10 +49,9 @@ export default function EditInternalResourceDialog({
     const t = useTranslations();
     const api = createApiClient(useEnvContext());
     const queryClient = useQueryClient();
-    const [isSubmitting, setIsSubmitting] = useState(false);
+    const [isSubmitting, startTransition] = useTransition();
 
     async function handleSubmit(values: InternalResourceFormValues) {
-        setIsSubmitting(true);
         try {
             let data = { ...values };
             if (data.mode === "host" && isHostname(data.destination)) {
@@ -70,6 +69,7 @@ export default function EditInternalResourceDialog({
                 name: data.name,
                 siteId: data.siteId,
                 mode: data.mode,
+                niceId: data.niceId,
                 destination: data.destination,
                 alias:
                     data.alias &&
@@ -127,8 +127,6 @@ export default function EditInternalResourceDialog({
                 ),
                 variant: "destructive"
             });
-        } finally {
-            setIsSubmitting(false);
         }
     }
 
@@ -162,7 +160,9 @@ export default function EditInternalResourceDialog({
                         orgId={orgId}
                         siteResourceId={resource.id}
                         formId="edit-internal-resource-form"
-                        onSubmit={handleSubmit}
+                        onSubmit={(values) =>
+                            startTransition(() => handleSubmit(values))
+                        }
                     />
                 </CredenzaBody>
                 <CredenzaFooter>
diff --git a/src/components/InternalResourceForm.tsx b/src/components/InternalResourceForm.tsx
index 6df1aceb7..0cf86a8eb 100644
--- a/src/components/InternalResourceForm.tsx
+++ b/src/components/InternalResourceForm.tsx
@@ -132,6 +132,7 @@ export type InternalResourceData = {
     siteName: string;
     mode: "host" | "cidr";
     siteId: number;
+    niceId: string;
     destination: string;
     alias?: string | null;
     tcpPortRangeString?: string | null;
@@ -149,6 +150,7 @@ export type InternalResourceFormValues = {
     mode: "host" | "cidr";
     destination: string;
     alias?: string | null;
+    niceId?: string;
     tcpPortRangeString?: string | null;
     udpPortRangeString?: string | null;
     disableIcmp?: boolean;
@@ -243,6 +245,12 @@ export function InternalResourceForm({
                     : undefined
             ),
         alias: z.string().nullish(),
+        niceId: z
+            .string()
+            .min(1)
+            .max(255)
+            .regex(/^[a-zA-Z0-9-]+$/)
+            .optional(),
         tcpPortRangeString: createPortRangeStringSchema(t),
         udpPortRangeString: createPortRangeStringSchema(t),
         disableIcmp: z.boolean().optional(),
@@ -387,6 +395,7 @@ export function InternalResourceForm({
                   disableIcmp: resource.disableIcmp ?? false,
                   authDaemonMode: resource.authDaemonMode ?? "site",
                   authDaemonPort: resource.authDaemonPort ?? null,
+                  niceId: resource.niceId,
                   roles: [],
                   users: [],
                   clients: []
@@ -534,7 +543,7 @@ export function InternalResourceForm({
                 className="space-y-6"
                 id={formId}
             >
-                <div className="grid grid-cols-2 gap-4">
+                <div className="grid gap-4">
                     <FormField
                         control={form.control}
                         name="name"
@@ -548,6 +557,19 @@ export function InternalResourceForm({
                             </FormItem>
                         )}
                     />
+                    <FormField
+                        control={form.control}
+                        name="niceId"
+                        render={({ field }) => (
+                            <FormItem>
+                                <FormLabel>{t("identifier")}</FormLabel>
+                                <FormControl>
+                                    <Input {...field} />
+                                </FormControl>
+                                <FormMessage />
+                            </FormItem>
+                        )}
+                    />
                     <FormField
                         control={form.control}
                         name="siteId"

From 37d331e813a67274c22bfcd7839bbdd8bc692541 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 23 Mar 2026 16:05:05 -0700
Subject: [PATCH 091/314] Update version

---
 server/routers/client/targets.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/routers/client/targets.ts b/server/routers/client/targets.ts
index 7cd59133c..b2d49db4c 100644
--- a/server/routers/client/targets.ts
+++ b/server/routers/client/targets.ts
@@ -11,7 +11,7 @@ import logger from "@server/logger";
 import { eq } from "drizzle-orm";
 import semver from "semver";
 
-const NEWT_V2_TARGETS_VERSION = ">=1.11.0";
+const NEWT_V2_TARGETS_VERSION = ">=1.10.3";
 
 export async function convertTargetsIfNessicary(
     newtId: string,

From 7d8797840a1d9cc8d455fe858ff97d4f3b206e15 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 23 Mar 2026 17:01:34 -0700
Subject: [PATCH 092/314] Add connection log

---
 server/cleanup.ts                             |   4 +-
 server/db/pg/schema/privateSchema.ts          |  38 ++-
 server/db/sqlite/schema/privateSchema.ts      |  36 ++-
 server/private/cleanup.ts                     |   4 +-
 server/private/routers/ws/messageHandlers.ts  |   4 +-
 .../newt/handleConnectionLogMessage.ts        | 302 ++++++++++++++++++
 server/routers/newt/index.ts                  |   1 +
 7 files changed, 384 insertions(+), 5 deletions(-)
 create mode 100644 server/routers/newt/handleConnectionLogMessage.ts

diff --git a/server/cleanup.ts b/server/cleanup.ts
index 137654827..7366bb876 100644
--- a/server/cleanup.ts
+++ b/server/cleanup.ts
@@ -1,9 +1,11 @@
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
+import { flushConnectionLogToDb } from "@server/routers/newt/handleConnectionLogMessage";
 import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
 import { cleanup as wsCleanup } from "#dynamic/routers/ws";
 
 async function cleanup() {
     await flushBandwidthToDb();
+    await flushConnectionLogToDb();
     await flushSiteBandwidthToDb();
     await wsCleanup();
 
@@ -14,4 +16,4 @@ export async function initCleanup() {
     // Handle process termination
     process.on("SIGTERM", () => cleanup());
     process.on("SIGINT", () => cleanup());
-}
\ No newline at end of file
+}
diff --git a/server/db/pg/schema/privateSchema.ts b/server/db/pg/schema/privateSchema.ts
index c9d7cc907..8fed6462a 100644
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -17,7 +17,9 @@ import {
     users,
     exitNodes,
     sessions,
-    clients
+    clients,
+    siteResources,
+    sites
 } from "./schema";
 
 export const certificates = pgTable("certificates", {
@@ -302,6 +304,39 @@ export const accessAuditLog = pgTable(
     ]
 );
 
+export const connectionAuditLog = pgTable(
+    "connectionAuditLog",
+    {
+        id: serial("id").primaryKey(),
+        sessionId: text("sessionId").notNull(),
+        siteResourceId: integer("siteResourceId").references(
+            () => siteResources.siteResourceId,
+            { onDelete: "cascade" }
+        ),
+        orgId: text("orgId").references(() => orgs.orgId, {
+            onDelete: "cascade"
+        }),
+        siteId: integer("siteId").references(() => sites.siteId, {
+            onDelete: "cascade"
+        }),
+        sourceAddr: text("sourceAddr").notNull(),
+        destAddr: text("destAddr").notNull(),
+        protocol: text("protocol").notNull(),
+        startedAt: integer("startedAt").notNull(),
+        endedAt: integer("endedAt"),
+        bytesTx: integer("bytesTx"),
+        bytesRx: integer("bytesRx")
+    },
+    (table) => [
+        index("idx_accessAuditLog_startedAt").on(table.startedAt),
+        index("idx_accessAuditLog_org_startedAt").on(
+            table.orgId,
+            table.startedAt
+        ),
+        index("idx_accessAuditLog_siteResourceId").on(table.siteResourceId)
+    ]
+);
+
 export const approvals = pgTable("approvals", {
     approvalId: serial("approvalId").primaryKey(),
     timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
@@ -357,3 +392,4 @@ export type LoginPage = InferSelectModel<typeof loginPage>;
 export type LoginPageBranding = InferSelectModel<typeof loginPageBranding>;
 export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
 export type AccessAuditLog = InferSelectModel<typeof accessAuditLog>;
+export type ConnectionAuditLog = InferSelectModel<typeof connectionAuditLog>;
diff --git a/server/db/sqlite/schema/privateSchema.ts b/server/db/sqlite/schema/privateSchema.ts
index 8baeb5220..ecc386ea6 100644
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -6,7 +6,7 @@ import {
     sqliteTable,
     text
 } from "drizzle-orm/sqlite-core";
-import { clients, domains, exitNodes, orgs, sessions, users } from "./schema";
+import { clients, domains, exitNodes, orgs, sessions, siteResources, sites, users } from "./schema";
 
 export const certificates = sqliteTable("certificates", {
     certId: integer("certId").primaryKey({ autoIncrement: true }),
@@ -294,6 +294,39 @@ export const accessAuditLog = sqliteTable(
     ]
 );
 
+export const connectionAuditLog = sqliteTable(
+    "connectionAuditLog",
+    {
+        id: integer("id").primaryKey({ autoIncrement: true }),
+        sessionId: text("sessionId").notNull(),
+        siteResourceId: integer("siteResourceId").references(
+            () => siteResources.siteResourceId,
+            { onDelete: "cascade" }
+        ),
+        orgId: text("orgId").references(() => orgs.orgId, {
+            onDelete: "cascade"
+        }),
+        siteId: integer("siteId").references(() => sites.siteId, {
+            onDelete: "cascade"
+        }),
+        sourceAddr: text("sourceAddr").notNull(),
+        destAddr: text("destAddr").notNull(),
+        protocol: text("protocol").notNull(),
+        startedAt: integer("startedAt").notNull(),
+        endedAt: integer("endedAt"),
+        bytesTx: integer("bytesTx"),
+        bytesRx: integer("bytesRx")
+    },
+    (table) => [
+        index("idx_accessAuditLog_startedAt").on(table.startedAt),
+        index("idx_accessAuditLog_org_startedAt").on(
+            table.orgId,
+            table.startedAt
+        ),
+        index("idx_accessAuditLog_siteResourceId").on(table.siteResourceId)
+    ]
+);
+
 export const approvals = sqliteTable("approvals", {
     approvalId: integer("approvalId").primaryKey({ autoIncrement: true }),
     timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
@@ -348,3 +381,4 @@ export type LoginPage = InferSelectModel<typeof loginPage>;
 export type LoginPageBranding = InferSelectModel<typeof loginPageBranding>;
 export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
 export type AccessAuditLog = InferSelectModel<typeof accessAuditLog>;
+export type ConnectionAuditLog = InferSelectModel<typeof connectionAuditLog>;
diff --git a/server/private/cleanup.ts b/server/private/cleanup.ts
index 0bd9822dd..933c943ed 100644
--- a/server/private/cleanup.ts
+++ b/server/private/cleanup.ts
@@ -14,10 +14,12 @@
 import { rateLimitService } from "#private/lib/rateLimit";
 import { cleanup as wsCleanup } from "#private/routers/ws";
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
+import { flushConnectionLogToDb } from "@server/routers/newt/handleConnectionLogMessage";
 import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
 
 async function cleanup() {
     await flushBandwidthToDb();
+    await flushConnectionLogToDb();
     await flushSiteBandwidthToDb();
     await rateLimitService.cleanup();
     await wsCleanup();
@@ -29,4 +31,4 @@ export async function initCleanup() {
     // Handle process termination
     process.on("SIGTERM", () => cleanup());
     process.on("SIGINT", () => cleanup());
-}
\ No newline at end of file
+}
diff --git a/server/private/routers/ws/messageHandlers.ts b/server/private/routers/ws/messageHandlers.ts
index d388ce40a..9e4622e2d 100644
--- a/server/private/routers/ws/messageHandlers.ts
+++ b/server/private/routers/ws/messageHandlers.ts
@@ -18,10 +18,12 @@ import {
 } from "#private/routers/remoteExitNode";
 import { MessageHandler } from "@server/routers/ws";
 import { build } from "@server/build";
+import { handleConnectionLogMessage } from "@server/routers/newt";
 
 export const messageHandlers: Record<string, MessageHandler> = {
     "remoteExitNode/register": handleRemoteExitNodeRegisterMessage,
-    "remoteExitNode/ping": handleRemoteExitNodePingMessage
+    "remoteExitNode/ping": handleRemoteExitNodePingMessage,
+    "newt/access-log": handleConnectionLogMessage,
 };
 
 if (build != "saas") {
diff --git a/server/routers/newt/handleConnectionLogMessage.ts b/server/routers/newt/handleConnectionLogMessage.ts
new file mode 100644
index 000000000..458470af7
--- /dev/null
+++ b/server/routers/newt/handleConnectionLogMessage.ts
@@ -0,0 +1,302 @@
+import { db } from "@server/db";
+import { MessageHandler } from "@server/routers/ws";
+import { connectionAuditLog, sites, Newt } from "@server/db";
+import { eq } from "drizzle-orm";
+import logger from "@server/logger";
+import { inflate } from "zlib";
+import { promisify } from "util";
+
+const zlibInflate = promisify(inflate);
+
+// Retry configuration for deadlock handling
+const MAX_RETRIES = 3;
+const BASE_DELAY_MS = 50;
+
+// How often to flush accumulated connection log data to the database
+const FLUSH_INTERVAL_MS = 30_000; // 30 seconds
+
+// Maximum number of records to buffer before forcing a flush
+const MAX_BUFFERED_RECORDS = 500;
+
+// Maximum number of records to insert in a single batch
+const INSERT_BATCH_SIZE = 100;
+
+interface ConnectionSessionData {
+    sessionId: string;
+    resourceId: number;
+    sourceAddr: string;
+    destAddr: string;
+    protocol: string;
+    startedAt: string; // ISO 8601 timestamp
+    endedAt?: string; // ISO 8601 timestamp
+    bytesTx?: number;
+    bytesRx?: number;
+}
+
+interface ConnectionLogRecord {
+    sessionId: string;
+    siteResourceId: number;
+    orgId: string;
+    siteId: number;
+    sourceAddr: string;
+    destAddr: string;
+    protocol: string;
+    startedAt: number; // epoch seconds
+    endedAt: number | null;
+    bytesTx: number | null;
+    bytesRx: number | null;
+}
+
+// In-memory buffer of records waiting to be flushed
+let buffer: ConnectionLogRecord[] = [];
+
+/**
+ * Check if an error is a deadlock error
+ */
+function isDeadlockError(error: any): boolean {
+    return (
+        error?.code === "40P01" ||
+        error?.cause?.code === "40P01" ||
+        (error?.message && error.message.includes("deadlock"))
+    );
+}
+
+/**
+ * Execute a function with retry logic for deadlock handling
+ */
+async function withDeadlockRetry<T>(
+    operation: () => Promise<T>,
+    context: string
+): Promise<T> {
+    let attempt = 0;
+    while (true) {
+        try {
+            return await operation();
+        } catch (error: any) {
+            if (isDeadlockError(error) && attempt < MAX_RETRIES) {
+                attempt++;
+                const baseDelay = Math.pow(2, attempt - 1) * BASE_DELAY_MS;
+                const jitter = Math.random() * baseDelay;
+                const delay = baseDelay + jitter;
+                logger.warn(
+                    `Deadlock detected in ${context}, retrying attempt ${attempt}/${MAX_RETRIES} after ${delay.toFixed(0)}ms`
+                );
+                await new Promise((resolve) => setTimeout(resolve, delay));
+                continue;
+            }
+            throw error;
+        }
+    }
+}
+
+/**
+ * Decompress a base64-encoded zlib-compressed string into parsed JSON.
+ */
+async function decompressConnectionLog(
+    compressed: string
+): Promise<ConnectionSessionData[]> {
+    const compressedBuffer = Buffer.from(compressed, "base64");
+    const decompressed = await zlibInflate(compressedBuffer);
+    const jsonString = decompressed.toString("utf-8");
+    const parsed = JSON.parse(jsonString);
+
+    if (!Array.isArray(parsed)) {
+        throw new Error("Decompressed connection log data is not an array");
+    }
+
+    return parsed;
+}
+
+/**
+ * Convert an ISO 8601 timestamp string to epoch seconds.
+ * Returns null if the input is falsy.
+ */
+function toEpochSeconds(isoString: string | undefined | null): number | null {
+    if (!isoString) {
+        return null;
+    }
+    const ms = new Date(isoString).getTime();
+    if (isNaN(ms)) {
+        return null;
+    }
+    return Math.floor(ms / 1000);
+}
+
+/**
+ * Flush all buffered connection log records to the database.
+ *
+ * Swaps out the buffer before writing so that any records added during the
+ * flush are captured in the new buffer rather than being lost. Entries that
+ * fail to write are re-queued back into the buffer so they will be retried
+ * on the next flush.
+ *
+ * This function is exported so that the application's graceful-shutdown
+ * cleanup handler can call it before the process exits.
+ */
+export async function flushConnectionLogToDb(): Promise<void> {
+    if (buffer.length === 0) {
+        return;
+    }
+
+    // Atomically swap out the buffer so new data keeps flowing in
+    const snapshot = buffer;
+    buffer = [];
+
+    logger.debug(
+        `Flushing ${snapshot.length} connection log record(s) to the database`
+    );
+
+    // Insert in batches to avoid overly large SQL statements
+    for (let i = 0; i < snapshot.length; i += INSERT_BATCH_SIZE) {
+        const batch = snapshot.slice(i, i + INSERT_BATCH_SIZE);
+
+        try {
+            await withDeadlockRetry(async () => {
+                await db.insert(connectionAuditLog).values(batch);
+            }, `flush connection log batch (${batch.length} records)`);
+        } catch (error) {
+            logger.error(
+                `Failed to flush connection log batch of ${batch.length} records:`,
+                error
+            );
+
+            // Re-queue the failed batch so it is retried on the next flush
+            buffer = [...batch, ...buffer];
+
+            // Cap buffer to prevent unbounded growth if DB is unreachable
+            if (buffer.length > MAX_BUFFERED_RECORDS * 5) {
+                const dropped = buffer.length - MAX_BUFFERED_RECORDS * 5;
+                buffer = buffer.slice(0, MAX_BUFFERED_RECORDS * 5);
+                logger.warn(
+                    `Connection log buffer overflow, dropped ${dropped} oldest records`
+                );
+            }
+
+            // Stop trying further batches from this snapshot — they'll be
+            // picked up by the next flush via the re-queued records above
+            const remaining = snapshot.slice(i + INSERT_BATCH_SIZE);
+            if (remaining.length > 0) {
+                buffer = [...remaining, ...buffer];
+            }
+            break;
+        }
+    }
+}
+
+const flushTimer = setInterval(async () => {
+    try {
+        await flushConnectionLogToDb();
+    } catch (error) {
+        logger.error(
+            "Unexpected error during periodic connection log flush:",
+            error
+        );
+    }
+}, FLUSH_INTERVAL_MS);
+
+// Calling unref() means this timer will not keep the Node.js event loop alive
+// on its own — the process can still exit normally when there is no other work
+// left.  The graceful-shutdown path will call flushConnectionLogToDb() explicitly
+// before process.exit(), so no data is lost.
+flushTimer.unref();
+
+export const handleConnectionLogMessage: MessageHandler = async (context) => {
+    const { message, client } = context;
+    const newt = client as Newt;
+
+    if (!newt) {
+        logger.warn("Connection log received but no newt client in context");
+        return;
+    }
+
+    if (!newt.siteId) {
+        logger.warn("Connection log received but newt has no siteId");
+        return;
+    }
+
+    if (!message.data?.compressed) {
+        logger.warn("Connection log message missing compressed data");
+        return;
+    }
+
+    // Look up the org for this site
+    const [site] = await db
+        .select({ orgId: sites.orgId })
+        .from(sites)
+        .where(eq(sites.siteId, newt.siteId));
+
+    if (!site) {
+        logger.warn(
+            `Connection log received but site ${newt.siteId} not found in database`
+        );
+        return;
+    }
+
+    const orgId = site.orgId;
+
+    let sessions: ConnectionSessionData[];
+    try {
+        sessions = await decompressConnectionLog(message.data.compressed);
+    } catch (error) {
+        logger.error("Failed to decompress connection log data:", error);
+        return;
+    }
+
+    if (sessions.length === 0) {
+        return;
+    }
+
+    // Convert to DB records and add to the buffer
+    for (const session of sessions) {
+        // Validate required fields
+        if (
+            !session.sessionId ||
+            !session.resourceId ||
+            !session.sourceAddr ||
+            !session.destAddr ||
+            !session.protocol
+        ) {
+            logger.debug(
+                `Skipping connection log session with missing required fields: ${JSON.stringify(session)}`
+            );
+            continue;
+        }
+
+        const startedAt = toEpochSeconds(session.startedAt);
+        if (startedAt === null) {
+            logger.debug(
+                `Skipping connection log session with invalid startedAt: ${session.startedAt}`
+            );
+            continue;
+        }
+
+        buffer.push({
+            sessionId: session.sessionId,
+            siteResourceId: session.resourceId,
+            orgId,
+            siteId: newt.siteId,
+            sourceAddr: session.sourceAddr,
+            destAddr: session.destAddr,
+            protocol: session.protocol,
+            startedAt,
+            endedAt: toEpochSeconds(session.endedAt),
+            bytesTx: session.bytesTx ?? null,
+            bytesRx: session.bytesRx ?? null
+        });
+    }
+
+    logger.debug(
+        `Buffered ${sessions.length} connection log session(s) from newt ${newt.newtId} (site ${newt.siteId})`
+    );
+
+    // If the buffer has grown large enough, trigger an immediate flush
+    if (buffer.length >= MAX_BUFFERED_RECORDS) {
+        // Fire and forget — errors are handled inside flushConnectionLogToDb
+        flushConnectionLogToDb().catch((error) => {
+            logger.error(
+                "Unexpected error during size-triggered connection log flush:",
+                error
+            );
+        });
+    }
+};
diff --git a/server/routers/newt/index.ts b/server/routers/newt/index.ts
index f31cd753b..63d1e1068 100644
--- a/server/routers/newt/index.ts
+++ b/server/routers/newt/index.ts
@@ -8,3 +8,4 @@ export * from "./handleNewtPingRequestMessage";
 export * from "./handleApplyBlueprintMessage";
 export * from "./handleNewtPingMessage";
 export * from "./handleNewtDisconnectingMessage";
+export * from "./handleConnectionLogMessage";

From 0d4edcd1c79219f65f223cbdce179c3cf0cfcf1b Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 23 Mar 2026 17:23:51 -0700
Subject: [PATCH 093/314] make private

---
 server/cleanup.ts                             |   2 +-
 server/db/pg/schema/schema.ts                 |   3 +
 server/db/sqlite/schema/schema.ts             |   3 +
 server/lib/cleanupLogs.ts                     |  18 +-
 server/private/cleanup.ts                     |   2 +-
 .../newt/handleConnectionLogMessage.ts        | 324 ++++++++++++++++++
 server/private/routers/newt/index.ts          |   1 +
 server/private/routers/ws/messageHandlers.ts  |   2 +-
 .../newt/handleConnectionLogMessage.ts        | 299 +---------------
 9 files changed, 354 insertions(+), 300 deletions(-)
 create mode 100644 server/private/routers/newt/handleConnectionLogMessage.ts
 create mode 100644 server/private/routers/newt/index.ts

diff --git a/server/cleanup.ts b/server/cleanup.ts
index 7366bb876..81cc31692 100644
--- a/server/cleanup.ts
+++ b/server/cleanup.ts
@@ -1,5 +1,5 @@
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
-import { flushConnectionLogToDb } from "@server/routers/newt/handleConnectionLogMessage";
+import { flushConnectionLogToDb } from "#dynamic/routers/newt";
 import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
 import { cleanup as wsCleanup } from "#dynamic/routers/ws";
 
diff --git a/server/db/pg/schema/schema.ts b/server/db/pg/schema/schema.ts
index b93c21fd6..de423945d 100644
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -55,6 +55,9 @@ export const orgs = pgTable("orgs", {
     settingsLogRetentionDaysAction: integer("settingsLogRetentionDaysAction") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
         .notNull()
         .default(0),
+    settingsLogRetentionDaysConnection: integer("settingsLogRetentionDaysConnection") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
+        .notNull()
+        .default(0),
     sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
     sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
     isBillingOrg: boolean("isBillingOrg"),
diff --git a/server/db/sqlite/schema/schema.ts b/server/db/sqlite/schema/schema.ts
index 188caac2b..ba02cfb76 100644
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -47,6 +47,9 @@ export const orgs = sqliteTable("orgs", {
     settingsLogRetentionDaysAction: integer("settingsLogRetentionDaysAction") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
         .notNull()
         .default(0),
+    settingsLogRetentionDaysConnection: integer("settingsLogRetentionDaysConnection") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
+        .notNull()
+        .default(0),
     sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
     sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
     isBillingOrg: integer("isBillingOrg", { mode: "boolean" }),
diff --git a/server/lib/cleanupLogs.ts b/server/lib/cleanupLogs.ts
index 8eb4ca77f..f5b6d8b2f 100644
--- a/server/lib/cleanupLogs.ts
+++ b/server/lib/cleanupLogs.ts
@@ -2,6 +2,7 @@ import { db, orgs } from "@server/db";
 import { cleanUpOldLogs as cleanUpOldAccessLogs } from "#dynamic/lib/logAccessAudit";
 import { cleanUpOldLogs as cleanUpOldActionLogs } from "#dynamic/middlewares/logActionAudit";
 import { cleanUpOldLogs as cleanUpOldRequestLogs } from "@server/routers/badger/logRequestAudit";
+import { cleanUpOldLogs as cleanUpOldConnectionLogs } from "#dynamic/routers/newt";
 import { gt, or } from "drizzle-orm";
 import { cleanUpOldFingerprintSnapshots } from "@server/routers/olm/fingerprintingUtils";
 import { build } from "@server/build";
@@ -20,14 +21,17 @@ export function initLogCleanupInterval() {
                     settingsLogRetentionDaysAccess:
                         orgs.settingsLogRetentionDaysAccess,
                     settingsLogRetentionDaysRequest:
-                        orgs.settingsLogRetentionDaysRequest
+                        orgs.settingsLogRetentionDaysRequest,
+                    settingsLogRetentionDaysConnection:
+                        orgs.settingsLogRetentionDaysConnection
                 })
                 .from(orgs)
                 .where(
                     or(
                         gt(orgs.settingsLogRetentionDaysAction, 0),
                         gt(orgs.settingsLogRetentionDaysAccess, 0),
-                        gt(orgs.settingsLogRetentionDaysRequest, 0)
+                        gt(orgs.settingsLogRetentionDaysRequest, 0),
+                        gt(orgs.settingsLogRetentionDaysConnection, 0)
                     )
                 );
 
@@ -37,7 +41,8 @@ export function initLogCleanupInterval() {
                     orgId,
                     settingsLogRetentionDaysAction,
                     settingsLogRetentionDaysAccess,
-                    settingsLogRetentionDaysRequest
+                    settingsLogRetentionDaysRequest,
+                    settingsLogRetentionDaysConnection
                 } = org;
 
                 if (settingsLogRetentionDaysAction > 0) {
@@ -60,6 +65,13 @@ export function initLogCleanupInterval() {
                         settingsLogRetentionDaysRequest
                     );
                 }
+
+                if (settingsLogRetentionDaysConnection > 0) {
+                    await cleanUpOldConnectionLogs(
+                        orgId,
+                        settingsLogRetentionDaysConnection
+                    );
+                }
             }
 
             await cleanUpOldFingerprintSnapshots(365);
diff --git a/server/private/cleanup.ts b/server/private/cleanup.ts
index 933c943ed..4b12f1b3c 100644
--- a/server/private/cleanup.ts
+++ b/server/private/cleanup.ts
@@ -14,7 +14,7 @@
 import { rateLimitService } from "#private/lib/rateLimit";
 import { cleanup as wsCleanup } from "#private/routers/ws";
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
-import { flushConnectionLogToDb } from "@server/routers/newt/handleConnectionLogMessage";
+import { flushConnectionLogToDb } from "#dynamic/routers/newt";
 import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
 
 async function cleanup() {
diff --git a/server/private/routers/newt/handleConnectionLogMessage.ts b/server/private/routers/newt/handleConnectionLogMessage.ts
new file mode 100644
index 000000000..7549ab37f
--- /dev/null
+++ b/server/private/routers/newt/handleConnectionLogMessage.ts
@@ -0,0 +1,324 @@
+import { db, logsDb } from "@server/db";
+import { MessageHandler } from "@server/routers/ws";
+import { connectionAuditLog, sites, Newt } from "@server/db";
+import { and, eq, lt } from "drizzle-orm";
+import logger from "@server/logger";
+import { inflate } from "zlib";
+import { promisify } from "util";
+import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
+
+const zlibInflate = promisify(inflate);
+
+// Retry configuration for deadlock handling
+const MAX_RETRIES = 3;
+const BASE_DELAY_MS = 50;
+
+// How often to flush accumulated connection log data to the database
+const FLUSH_INTERVAL_MS = 30_000; // 30 seconds
+
+// Maximum number of records to buffer before forcing a flush
+const MAX_BUFFERED_RECORDS = 500;
+
+// Maximum number of records to insert in a single batch
+const INSERT_BATCH_SIZE = 100;
+
+interface ConnectionSessionData {
+    sessionId: string;
+    resourceId: number;
+    sourceAddr: string;
+    destAddr: string;
+    protocol: string;
+    startedAt: string; // ISO 8601 timestamp
+    endedAt?: string; // ISO 8601 timestamp
+    bytesTx?: number;
+    bytesRx?: number;
+}
+
+interface ConnectionLogRecord {
+    sessionId: string;
+    siteResourceId: number;
+    orgId: string;
+    siteId: number;
+    sourceAddr: string;
+    destAddr: string;
+    protocol: string;
+    startedAt: number; // epoch seconds
+    endedAt: number | null;
+    bytesTx: number | null;
+    bytesRx: number | null;
+}
+
+// In-memory buffer of records waiting to be flushed
+let buffer: ConnectionLogRecord[] = [];
+
+/**
+ * Check if an error is a deadlock error
+ */
+function isDeadlockError(error: any): boolean {
+    return (
+        error?.code === "40P01" ||
+        error?.cause?.code === "40P01" ||
+        (error?.message && error.message.includes("deadlock"))
+    );
+}
+
+/**
+ * Execute a function with retry logic for deadlock handling
+ */
+async function withDeadlockRetry<T>(
+    operation: () => Promise<T>,
+    context: string
+): Promise<T> {
+    let attempt = 0;
+    while (true) {
+        try {
+            return await operation();
+        } catch (error: any) {
+            if (isDeadlockError(error) && attempt < MAX_RETRIES) {
+                attempt++;
+                const baseDelay = Math.pow(2, attempt - 1) * BASE_DELAY_MS;
+                const jitter = Math.random() * baseDelay;
+                const delay = baseDelay + jitter;
+                logger.warn(
+                    `Deadlock detected in ${context}, retrying attempt ${attempt}/${MAX_RETRIES} after ${delay.toFixed(0)}ms`
+                );
+                await new Promise((resolve) => setTimeout(resolve, delay));
+                continue;
+            }
+            throw error;
+        }
+    }
+}
+
+/**
+ * Decompress a base64-encoded zlib-compressed string into parsed JSON.
+ */
+async function decompressConnectionLog(
+    compressed: string
+): Promise<ConnectionSessionData[]> {
+    const compressedBuffer = Buffer.from(compressed, "base64");
+    const decompressed = await zlibInflate(compressedBuffer);
+    const jsonString = decompressed.toString("utf-8");
+    const parsed = JSON.parse(jsonString);
+
+    if (!Array.isArray(parsed)) {
+        throw new Error("Decompressed connection log data is not an array");
+    }
+
+    return parsed;
+}
+
+/**
+ * Convert an ISO 8601 timestamp string to epoch seconds.
+ * Returns null if the input is falsy.
+ */
+function toEpochSeconds(isoString: string | undefined | null): number | null {
+    if (!isoString) {
+        return null;
+    }
+    const ms = new Date(isoString).getTime();
+    if (isNaN(ms)) {
+        return null;
+    }
+    return Math.floor(ms / 1000);
+}
+
+/**
+ * Flush all buffered connection log records to the database.
+ *
+ * Swaps out the buffer before writing so that any records added during the
+ * flush are captured in the new buffer rather than being lost. Entries that
+ * fail to write are re-queued back into the buffer so they will be retried
+ * on the next flush.
+ *
+ * This function is exported so that the application's graceful-shutdown
+ * cleanup handler can call it before the process exits.
+ */
+export async function flushConnectionLogToDb(): Promise<void> {
+    if (buffer.length === 0) {
+        return;
+    }
+
+    // Atomically swap out the buffer so new data keeps flowing in
+    const snapshot = buffer;
+    buffer = [];
+
+    logger.debug(
+        `Flushing ${snapshot.length} connection log record(s) to the database`
+    );
+
+    // Insert in batches to avoid overly large SQL statements
+    for (let i = 0; i < snapshot.length; i += INSERT_BATCH_SIZE) {
+        const batch = snapshot.slice(i, i + INSERT_BATCH_SIZE);
+
+        try {
+            await withDeadlockRetry(async () => {
+                await logsDb.insert(connectionAuditLog).values(batch);
+            }, `flush connection log batch (${batch.length} records)`);
+        } catch (error) {
+            logger.error(
+                `Failed to flush connection log batch of ${batch.length} records:`,
+                error
+            );
+
+            // Re-queue the failed batch so it is retried on the next flush
+            buffer = [...batch, ...buffer];
+
+            // Cap buffer to prevent unbounded growth if DB is unreachable
+            if (buffer.length > MAX_BUFFERED_RECORDS * 5) {
+                const dropped = buffer.length - MAX_BUFFERED_RECORDS * 5;
+                buffer = buffer.slice(0, MAX_BUFFERED_RECORDS * 5);
+                logger.warn(
+                    `Connection log buffer overflow, dropped ${dropped} oldest records`
+                );
+            }
+
+            // Stop trying further batches from this snapshot — they'll be
+            // picked up by the next flush via the re-queued records above
+            const remaining = snapshot.slice(i + INSERT_BATCH_SIZE);
+            if (remaining.length > 0) {
+                buffer = [...remaining, ...buffer];
+            }
+            break;
+        }
+    }
+}
+
+const flushTimer = setInterval(async () => {
+    try {
+        await flushConnectionLogToDb();
+    } catch (error) {
+        logger.error(
+            "Unexpected error during periodic connection log flush:",
+            error
+        );
+    }
+}, FLUSH_INTERVAL_MS);
+
+// Calling unref() means this timer will not keep the Node.js event loop alive
+// on its own — the process can still exit normally when there is no other work
+// left.  The graceful-shutdown path will call flushConnectionLogToDb() explicitly
+// before process.exit(), so no data is lost.
+flushTimer.unref();
+
+export async function cleanUpOldLogs(orgId: string, retentionDays: number) {
+    const cutoffTimestamp = calculateCutoffTimestamp(retentionDays);
+
+    try {
+        await logsDb
+            .delete(connectionAuditLog)
+            .where(
+                and(
+                    lt(connectionAuditLog.startedAt, cutoffTimestamp),
+                    eq(connectionAuditLog.orgId, orgId)
+                )
+            );
+
+        // logger.debug(
+        //     `Cleaned up connection audit logs older than ${retentionDays} days`
+        // );
+    } catch (error) {
+        logger.error("Error cleaning up old connection audit logs:", error);
+    }
+}
+
+export const handleConnectionLogMessage: MessageHandler = async (context) => {
+    const { message, client } = context;
+    const newt = client as Newt;
+
+    if (!newt) {
+        logger.warn("Connection log received but no newt client in context");
+        return;
+    }
+
+    if (!newt.siteId) {
+        logger.warn("Connection log received but newt has no siteId");
+        return;
+    }
+
+    if (!message.data?.compressed) {
+        logger.warn("Connection log message missing compressed data");
+        return;
+    }
+
+    // Look up the org for this site
+    const [site] = await db
+        .select({ orgId: sites.orgId })
+        .from(sites)
+        .where(eq(sites.siteId, newt.siteId));
+
+    if (!site) {
+        logger.warn(
+            `Connection log received but site ${newt.siteId} not found in database`
+        );
+        return;
+    }
+
+    const orgId = site.orgId;
+
+    let sessions: ConnectionSessionData[];
+    try {
+        sessions = await decompressConnectionLog(message.data.compressed);
+    } catch (error) {
+        logger.error("Failed to decompress connection log data:", error);
+        return;
+    }
+
+    if (sessions.length === 0) {
+        return;
+    }
+
+    // Convert to DB records and add to the buffer
+    for (const session of sessions) {
+        // Validate required fields
+        if (
+            !session.sessionId ||
+            !session.resourceId ||
+            !session.sourceAddr ||
+            !session.destAddr ||
+            !session.protocol
+        ) {
+            logger.debug(
+                `Skipping connection log session with missing required fields: ${JSON.stringify(session)}`
+            );
+            continue;
+        }
+
+        const startedAt = toEpochSeconds(session.startedAt);
+        if (startedAt === null) {
+            logger.debug(
+                `Skipping connection log session with invalid startedAt: ${session.startedAt}`
+            );
+            continue;
+        }
+
+        buffer.push({
+            sessionId: session.sessionId,
+            siteResourceId: session.resourceId,
+            orgId,
+            siteId: newt.siteId,
+            sourceAddr: session.sourceAddr,
+            destAddr: session.destAddr,
+            protocol: session.protocol,
+            startedAt,
+            endedAt: toEpochSeconds(session.endedAt),
+            bytesTx: session.bytesTx ?? null,
+            bytesRx: session.bytesRx ?? null
+        });
+    }
+
+    logger.debug(
+        `Buffered ${sessions.length} connection log session(s) from newt ${newt.newtId} (site ${newt.siteId})`
+    );
+
+    // If the buffer has grown large enough, trigger an immediate flush
+    if (buffer.length >= MAX_BUFFERED_RECORDS) {
+        // Fire and forget — errors are handled inside flushConnectionLogToDb
+        flushConnectionLogToDb().catch((error) => {
+            logger.error(
+                "Unexpected error during size-triggered connection log flush:",
+                error
+            );
+        });
+    }
+};
diff --git a/server/private/routers/newt/index.ts b/server/private/routers/newt/index.ts
new file mode 100644
index 000000000..cc182cf7d
--- /dev/null
+++ b/server/private/routers/newt/index.ts
@@ -0,0 +1 @@
+export * from "./handleConnectionLogMessage";
diff --git a/server/private/routers/ws/messageHandlers.ts b/server/private/routers/ws/messageHandlers.ts
index 9e4622e2d..a3c9c5bdb 100644
--- a/server/private/routers/ws/messageHandlers.ts
+++ b/server/private/routers/ws/messageHandlers.ts
@@ -18,7 +18,7 @@ import {
 } from "#private/routers/remoteExitNode";
 import { MessageHandler } from "@server/routers/ws";
 import { build } from "@server/build";
-import { handleConnectionLogMessage } from "@server/routers/newt";
+import { handleConnectionLogMessage } from "#dynamic/routers/newt";
 
 export const messageHandlers: Record<string, MessageHandler> = {
     "remoteExitNode/register": handleRemoteExitNodeRegisterMessage,
diff --git a/server/routers/newt/handleConnectionLogMessage.ts b/server/routers/newt/handleConnectionLogMessage.ts
index 458470af7..ca1b129d2 100644
--- a/server/routers/newt/handleConnectionLogMessage.ts
+++ b/server/routers/newt/handleConnectionLogMessage.ts
@@ -1,302 +1,13 @@
-import { db } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
-import { connectionAuditLog, sites, Newt } from "@server/db";
-import { eq } from "drizzle-orm";
-import logger from "@server/logger";
-import { inflate } from "zlib";
-import { promisify } from "util";
 
-const zlibInflate = promisify(inflate);
-
-// Retry configuration for deadlock handling
-const MAX_RETRIES = 3;
-const BASE_DELAY_MS = 50;
-
-// How often to flush accumulated connection log data to the database
-const FLUSH_INTERVAL_MS = 30_000; // 30 seconds
-
-// Maximum number of records to buffer before forcing a flush
-const MAX_BUFFERED_RECORDS = 500;
-
-// Maximum number of records to insert in a single batch
-const INSERT_BATCH_SIZE = 100;
-
-interface ConnectionSessionData {
-    sessionId: string;
-    resourceId: number;
-    sourceAddr: string;
-    destAddr: string;
-    protocol: string;
-    startedAt: string; // ISO 8601 timestamp
-    endedAt?: string; // ISO 8601 timestamp
-    bytesTx?: number;
-    bytesRx?: number;
-}
-
-interface ConnectionLogRecord {
-    sessionId: string;
-    siteResourceId: number;
-    orgId: string;
-    siteId: number;
-    sourceAddr: string;
-    destAddr: string;
-    protocol: string;
-    startedAt: number; // epoch seconds
-    endedAt: number | null;
-    bytesTx: number | null;
-    bytesRx: number | null;
-}
-
-// In-memory buffer of records waiting to be flushed
-let buffer: ConnectionLogRecord[] = [];
-
-/**
- * Check if an error is a deadlock error
- */
-function isDeadlockError(error: any): boolean {
-    return (
-        error?.code === "40P01" ||
-        error?.cause?.code === "40P01" ||
-        (error?.message && error.message.includes("deadlock"))
-    );
-}
-
-/**
- * Execute a function with retry logic for deadlock handling
- */
-async function withDeadlockRetry<T>(
-    operation: () => Promise<T>,
-    context: string
-): Promise<T> {
-    let attempt = 0;
-    while (true) {
-        try {
-            return await operation();
-        } catch (error: any) {
-            if (isDeadlockError(error) && attempt < MAX_RETRIES) {
-                attempt++;
-                const baseDelay = Math.pow(2, attempt - 1) * BASE_DELAY_MS;
-                const jitter = Math.random() * baseDelay;
-                const delay = baseDelay + jitter;
-                logger.warn(
-                    `Deadlock detected in ${context}, retrying attempt ${attempt}/${MAX_RETRIES} after ${delay.toFixed(0)}ms`
-                );
-                await new Promise((resolve) => setTimeout(resolve, delay));
-                continue;
-            }
-            throw error;
-        }
-    }
-}
-
-/**
- * Decompress a base64-encoded zlib-compressed string into parsed JSON.
- */
-async function decompressConnectionLog(
-    compressed: string
-): Promise<ConnectionSessionData[]> {
-    const compressedBuffer = Buffer.from(compressed, "base64");
-    const decompressed = await zlibInflate(compressedBuffer);
-    const jsonString = decompressed.toString("utf-8");
-    const parsed = JSON.parse(jsonString);
-
-    if (!Array.isArray(parsed)) {
-        throw new Error("Decompressed connection log data is not an array");
-    }
-
-    return parsed;
-}
-
-/**
- * Convert an ISO 8601 timestamp string to epoch seconds.
- * Returns null if the input is falsy.
- */
-function toEpochSeconds(isoString: string | undefined | null): number | null {
-    if (!isoString) {
-        return null;
-    }
-    const ms = new Date(isoString).getTime();
-    if (isNaN(ms)) {
-        return null;
-    }
-    return Math.floor(ms / 1000);
-}
-
-/**
- * Flush all buffered connection log records to the database.
- *
- * Swaps out the buffer before writing so that any records added during the
- * flush are captured in the new buffer rather than being lost. Entries that
- * fail to write are re-queued back into the buffer so they will be retried
- * on the next flush.
- *
- * This function is exported so that the application's graceful-shutdown
- * cleanup handler can call it before the process exits.
- */
 export async function flushConnectionLogToDb(): Promise<void> {
-    if (buffer.length === 0) {
-        return;
-    }
-
-    // Atomically swap out the buffer so new data keeps flowing in
-    const snapshot = buffer;
-    buffer = [];
-
-    logger.debug(
-        `Flushing ${snapshot.length} connection log record(s) to the database`
-    );
-
-    // Insert in batches to avoid overly large SQL statements
-    for (let i = 0; i < snapshot.length; i += INSERT_BATCH_SIZE) {
-        const batch = snapshot.slice(i, i + INSERT_BATCH_SIZE);
-
-        try {
-            await withDeadlockRetry(async () => {
-                await db.insert(connectionAuditLog).values(batch);
-            }, `flush connection log batch (${batch.length} records)`);
-        } catch (error) {
-            logger.error(
-                `Failed to flush connection log batch of ${batch.length} records:`,
-                error
-            );
-
-            // Re-queue the failed batch so it is retried on the next flush
-            buffer = [...batch, ...buffer];
-
-            // Cap buffer to prevent unbounded growth if DB is unreachable
-            if (buffer.length > MAX_BUFFERED_RECORDS * 5) {
-                const dropped = buffer.length - MAX_BUFFERED_RECORDS * 5;
-                buffer = buffer.slice(0, MAX_BUFFERED_RECORDS * 5);
-                logger.warn(
-                    `Connection log buffer overflow, dropped ${dropped} oldest records`
-                );
-            }
-
-            // Stop trying further batches from this snapshot — they'll be
-            // picked up by the next flush via the re-queued records above
-            const remaining = snapshot.slice(i + INSERT_BATCH_SIZE);
-            if (remaining.length > 0) {
-                buffer = [...remaining, ...buffer];
-            }
-            break;
-        }
-    }
+   return;
 }
 
-const flushTimer = setInterval(async () => {
-    try {
-        await flushConnectionLogToDb();
-    } catch (error) {
-        logger.error(
-            "Unexpected error during periodic connection log flush:",
-            error
-        );
-    }
-}, FLUSH_INTERVAL_MS);
-
-// Calling unref() means this timer will not keep the Node.js event loop alive
-// on its own — the process can still exit normally when there is no other work
-// left.  The graceful-shutdown path will call flushConnectionLogToDb() explicitly
-// before process.exit(), so no data is lost.
-flushTimer.unref();
+export async function cleanUpOldLogs(orgId: string, retentionDays: number) {
+    return;
+}
 
 export const handleConnectionLogMessage: MessageHandler = async (context) => {
-    const { message, client } = context;
-    const newt = client as Newt;
-
-    if (!newt) {
-        logger.warn("Connection log received but no newt client in context");
-        return;
-    }
-
-    if (!newt.siteId) {
-        logger.warn("Connection log received but newt has no siteId");
-        return;
-    }
-
-    if (!message.data?.compressed) {
-        logger.warn("Connection log message missing compressed data");
-        return;
-    }
-
-    // Look up the org for this site
-    const [site] = await db
-        .select({ orgId: sites.orgId })
-        .from(sites)
-        .where(eq(sites.siteId, newt.siteId));
-
-    if (!site) {
-        logger.warn(
-            `Connection log received but site ${newt.siteId} not found in database`
-        );
-        return;
-    }
-
-    const orgId = site.orgId;
-
-    let sessions: ConnectionSessionData[];
-    try {
-        sessions = await decompressConnectionLog(message.data.compressed);
-    } catch (error) {
-        logger.error("Failed to decompress connection log data:", error);
-        return;
-    }
-
-    if (sessions.length === 0) {
-        return;
-    }
-
-    // Convert to DB records and add to the buffer
-    for (const session of sessions) {
-        // Validate required fields
-        if (
-            !session.sessionId ||
-            !session.resourceId ||
-            !session.sourceAddr ||
-            !session.destAddr ||
-            !session.protocol
-        ) {
-            logger.debug(
-                `Skipping connection log session with missing required fields: ${JSON.stringify(session)}`
-            );
-            continue;
-        }
-
-        const startedAt = toEpochSeconds(session.startedAt);
-        if (startedAt === null) {
-            logger.debug(
-                `Skipping connection log session with invalid startedAt: ${session.startedAt}`
-            );
-            continue;
-        }
-
-        buffer.push({
-            sessionId: session.sessionId,
-            siteResourceId: session.resourceId,
-            orgId,
-            siteId: newt.siteId,
-            sourceAddr: session.sourceAddr,
-            destAddr: session.destAddr,
-            protocol: session.protocol,
-            startedAt,
-            endedAt: toEpochSeconds(session.endedAt),
-            bytesTx: session.bytesTx ?? null,
-            bytesRx: session.bytesRx ?? null
-        });
-    }
-
-    logger.debug(
-        `Buffered ${sessions.length} connection log session(s) from newt ${newt.newtId} (site ${newt.siteId})`
-    );
-
-    // If the buffer has grown large enough, trigger an immediate flush
-    if (buffer.length >= MAX_BUFFERED_RECORDS) {
-        // Fire and forget — errors are handled inside flushConnectionLogToDb
-        flushConnectionLogToDb().catch((error) => {
-            logger.error(
-                "Unexpected error during size-triggered connection log flush:",
-                error
-            );
-        });
-    }
+    return;
 };

From fe40ea58c14a5eae05efdbdd64f6460d12566b4d Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 23 Mar 2026 20:05:54 -0700
Subject: [PATCH 094/314] Source client info into schema

---
 server/db/pg/schema/privateSchema.ts          |  6 ++
 server/db/sqlite/schema/privateSchema.ts      |  6 ++
 .../newt/handleConnectionLogMessage.ts        | 64 ++++++++++++++++++-
 3 files changed, 73 insertions(+), 3 deletions(-)

diff --git a/server/db/pg/schema/privateSchema.ts b/server/db/pg/schema/privateSchema.ts
index 8fed6462a..8d4e663df 100644
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -319,6 +319,12 @@ export const connectionAuditLog = pgTable(
         siteId: integer("siteId").references(() => sites.siteId, {
             onDelete: "cascade"
         }),
+        clientId: integer("clientId").references(() => clients.clientId, {
+            onDelete: "cascade"
+        }),
+        userId: text("userId").references(() => users.userId, {
+            onDelete: "cascade"
+        }),
         sourceAddr: text("sourceAddr").notNull(),
         destAddr: text("destAddr").notNull(),
         protocol: text("protocol").notNull(),
diff --git a/server/db/sqlite/schema/privateSchema.ts b/server/db/sqlite/schema/privateSchema.ts
index ecc386ea6..f58b5cd18 100644
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -309,6 +309,12 @@ export const connectionAuditLog = sqliteTable(
         siteId: integer("siteId").references(() => sites.siteId, {
             onDelete: "cascade"
         }),
+        clientId: integer("clientId").references(() => clients.clientId, {
+            onDelete: "cascade"
+        }),
+        userId: text("userId").references(() => users.userId, {
+            onDelete: "cascade"
+        }),
         sourceAddr: text("sourceAddr").notNull(),
         destAddr: text("destAddr").notNull(),
         protocol: text("protocol").notNull(),
diff --git a/server/private/routers/newt/handleConnectionLogMessage.ts b/server/private/routers/newt/handleConnectionLogMessage.ts
index 7549ab37f..164c14488 100644
--- a/server/private/routers/newt/handleConnectionLogMessage.ts
+++ b/server/private/routers/newt/handleConnectionLogMessage.ts
@@ -1,7 +1,7 @@
 import { db, logsDb } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
-import { connectionAuditLog, sites, Newt } from "@server/db";
-import { and, eq, lt } from "drizzle-orm";
+import { connectionAuditLog, sites, Newt, clients, orgs } from "@server/db";
+import { and, eq, lt, inArray } from "drizzle-orm";
 import logger from "@server/logger";
 import { inflate } from "zlib";
 import { promisify } from "util";
@@ -39,6 +39,8 @@ interface ConnectionLogRecord {
     siteResourceId: number;
     orgId: string;
     siteId: number;
+    clientId: number | null;
+    userId: string | null;
     sourceAddr: string;
     destAddr: string;
     protocol: string;
@@ -243,8 +245,9 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
 
     // Look up the org for this site
     const [site] = await db
-        .select({ orgId: sites.orgId })
+        .select({ orgId: sites.orgId, orgSubnet: orgs.subnet })
         .from(sites)
+        .innerJoin(orgs, eq(sites.orgId, orgs.orgId))
         .where(eq(sites.siteId, newt.siteId));
 
     if (!site) {
@@ -256,6 +259,12 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
 
     const orgId = site.orgId;
 
+    // Extract the CIDR suffix (e.g. "/16") from the org subnet so we can
+    // reconstruct the exact subnet string stored on each client record.
+    const cidrSuffix = site.orgSubnet?.includes("/")
+        ? site.orgSubnet.substring(site.orgSubnet.indexOf("/"))
+        : null;
+
     let sessions: ConnectionSessionData[];
     try {
         sessions = await decompressConnectionLog(message.data.compressed);
@@ -268,6 +277,48 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
         return;
     }
 
+    // Build a map from sourceAddr → { clientId, userId } by querying clients
+    // whose subnet field matches exactly. Client subnets are stored with the
+    // org's CIDR suffix (e.g. "100.90.128.5/16"), so we reconstruct that from
+    // each unique sourceAddr + the org's CIDR suffix and do a targeted IN query.
+    const ipToClient = new Map<string, { clientId: number; userId: string | null }>();
+
+    if (cidrSuffix) {
+        // Collect unique source addresses so we only query for what we need
+        const uniqueSourceAddrs = new Set<string>();
+        for (const session of sessions) {
+            if (session.sourceAddr) {
+                uniqueSourceAddrs.add(session.sourceAddr);
+            }
+        }
+
+        if (uniqueSourceAddrs.size > 0) {
+            // Construct the exact subnet strings as stored in the DB
+            const subnetQueries = Array.from(uniqueSourceAddrs).map(
+                (addr) => `${addr}${cidrSuffix}`
+            );
+
+            const matchedClients = await db
+                .select({
+                    clientId: clients.clientId,
+                    userId: clients.userId,
+                    subnet: clients.subnet
+                })
+                .from(clients)
+                .where(
+                    and(
+                        eq(clients.orgId, orgId),
+                        inArray(clients.subnet, subnetQueries)
+                    )
+                );
+
+            for (const c of matchedClients) {
+                const ip = c.subnet.split("/")[0];
+                ipToClient.set(ip, { clientId: c.clientId, userId: c.userId });
+            }
+        }
+    }
+
     // Convert to DB records and add to the buffer
     for (const session of sessions) {
         // Validate required fields
@@ -292,11 +343,18 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
             continue;
         }
 
+        // Match the source address to a client. The sourceAddr is the
+        // client's IP on the WireGuard network, which corresponds to the IP
+        // portion of the client's subnet CIDR (e.g. "100.90.128.5/24").
+        const clientInfo = ipToClient.get(session.sourceAddr) ?? null;
+
         buffer.push({
             sessionId: session.sessionId,
             siteResourceId: session.resourceId,
             orgId,
             siteId: newt.siteId,
+            clientId: clientInfo?.clientId ?? null,
+            userId: clientInfo?.userId ?? null,
             sourceAddr: session.sourceAddr,
             destAddr: session.destAddr,
             protocol: session.protocol,

From 6471571bc66798a97cfd3a87fe54e509f8a81822 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 23 Mar 2026 20:18:03 -0700
Subject: [PATCH 095/314] Add ui for connection logs

---
 messages/en-US.json                           |   6 +
 server/lib/billing/tierMatrix.ts              |   2 +
 .../auditLogs/exportConnectionAuditLog.ts     |  99 +++
 server/private/routers/auditLogs/index.ts     |   2 +
 .../auditLogs/queryConnectionAuditLog.ts      | 378 +++++++++++
 server/private/routers/external.ts            |  19 +
 server/private/routers/integration.ts         |  19 +
 server/routers/auditLogs/types.ts             |  31 +
 .../[orgId]/settings/logs/connection/page.tsx | 630 ++++++++++++++++++
 src/app/navigation.tsx                        |   6 +
 10 files changed, 1192 insertions(+)
 create mode 100644 server/private/routers/auditLogs/exportConnectionAuditLog.ts
 create mode 100644 server/private/routers/auditLogs/queryConnectionAuditLog.ts
 create mode 100644 src/app/[orgId]/settings/logs/connection/page.tsx

diff --git a/messages/en-US.json b/messages/en-US.json
index 895ee1332..3be427ee0 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -2345,6 +2345,12 @@
     "logRetentionEndOfFollowingYear": "End of following year",
     "actionLogsDescription": "View a history of actions performed in this organization",
     "accessLogsDescription": "View access auth requests for resources in this organization",
+    "connectionLogs": "Connection Logs",
+    "connectionLogsDescription": "View connection logs for tunnels in this organization",
+    "sidebarLogsConnection": "Connection Logs",
+    "sourceAddress": "Source Address",
+    "destinationAddress": "Destination Address",
+    "duration": "Duration",
     "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
     "certResolver": "Certificate Resolver",
diff --git a/server/lib/billing/tierMatrix.ts b/server/lib/billing/tierMatrix.ts
index c08bcea71..f8a0cd2f5 100644
--- a/server/lib/billing/tierMatrix.ts
+++ b/server/lib/billing/tierMatrix.ts
@@ -8,6 +8,7 @@ export enum TierFeature {
     LogExport = "logExport",
     AccessLogs = "accessLogs", // set the retention period to none on downgrade
     ActionLogs = "actionLogs", // set the retention period to none on downgrade
+    ConnectionLogs = "connectionLogs",
     RotateCredentials = "rotateCredentials",
     MaintencePage = "maintencePage", // handle downgrade
     DevicePosture = "devicePosture",
@@ -26,6 +27,7 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
     [TierFeature.LogExport]: ["tier3", "enterprise"],
     [TierFeature.AccessLogs]: ["tier2", "tier3", "enterprise"],
     [TierFeature.ActionLogs]: ["tier2", "tier3", "enterprise"],
+    [TierFeature.ConnectionLogs]: ["tier2", "tier3", "enterprise"],
     [TierFeature.RotateCredentials]: ["tier1", "tier2", "tier3", "enterprise"],
     [TierFeature.MaintencePage]: ["tier1", "tier2", "tier3", "enterprise"],
     [TierFeature.DevicePosture]: ["tier2", "tier3", "enterprise"],
diff --git a/server/private/routers/auditLogs/exportConnectionAuditLog.ts b/server/private/routers/auditLogs/exportConnectionAuditLog.ts
new file mode 100644
index 000000000..9349528ad
--- /dev/null
+++ b/server/private/routers/auditLogs/exportConnectionAuditLog.ts
@@ -0,0 +1,99 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { registry } from "@server/openApi";
+import { NextFunction } from "express";
+import { Request, Response } from "express";
+import { OpenAPITags } from "@server/openApi";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+import { fromError } from "zod-validation-error";
+import logger from "@server/logger";
+import {
+    queryConnectionAuditLogsParams,
+    queryConnectionAuditLogsQuery,
+    queryConnection,
+    countConnectionQuery
+} from "./queryConnectionAuditLog";
+import { generateCSV } from "@server/routers/auditLogs/generateCSV";
+import { MAX_EXPORT_LIMIT } from "@server/routers/auditLogs";
+
+registry.registerPath({
+    method: "get",
+    path: "/org/{orgId}/logs/connection/export",
+    description: "Export the connection audit log for an organization as CSV",
+    tags: [OpenAPITags.Logs],
+    request: {
+        query: queryConnectionAuditLogsQuery,
+        params: queryConnectionAuditLogsParams
+    },
+    responses: {}
+});
+
+export async function exportConnectionAuditLogs(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedQuery = queryConnectionAuditLogsQuery.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedQuery.error)
+                )
+            );
+        }
+
+        const parsedParams = queryConnectionAuditLogsParams.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error)
+                )
+            );
+        }
+
+        const data = { ...parsedQuery.data, ...parsedParams.data };
+        const [{ count }] = await countConnectionQuery(data);
+        if (count > MAX_EXPORT_LIMIT) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    `Export limit exceeded. Your selection contains ${count} rows, but the maximum is ${MAX_EXPORT_LIMIT} rows. Please select a shorter time range to reduce the data.`
+                )
+            );
+        }
+
+        const baseQuery = queryConnection(data);
+
+        const log = await baseQuery.limit(data.limit).offset(data.offset);
+
+        const csvData = generateCSV(log);
+
+        res.setHeader("Content-Type", "text/csv");
+        res.setHeader(
+            "Content-Disposition",
+            `attachment; filename="connection-audit-logs-${data.orgId}-${Date.now()}.csv"`
+        );
+
+        return res.send(csvData);
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
\ No newline at end of file
diff --git a/server/private/routers/auditLogs/index.ts b/server/private/routers/auditLogs/index.ts
index e1849a617..122455fea 100644
--- a/server/private/routers/auditLogs/index.ts
+++ b/server/private/routers/auditLogs/index.ts
@@ -15,3 +15,5 @@ export * from "./queryActionAuditLog";
 export * from "./exportActionAuditLog";
 export * from "./queryAccessAuditLog";
 export * from "./exportAccessAuditLog";
+export * from "./queryConnectionAuditLog";
+export * from "./exportConnectionAuditLog";
diff --git a/server/private/routers/auditLogs/queryConnectionAuditLog.ts b/server/private/routers/auditLogs/queryConnectionAuditLog.ts
new file mode 100644
index 000000000..f321444cd
--- /dev/null
+++ b/server/private/routers/auditLogs/queryConnectionAuditLog.ts
@@ -0,0 +1,378 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import {
+    connectionAuditLog,
+    logsDb,
+    siteResources,
+    sites,
+    clients,
+    primaryDb
+} from "@server/db";
+import { registry } from "@server/openApi";
+import { NextFunction } from "express";
+import { Request, Response } from "express";
+import { eq, gt, lt, and, count, desc, inArray } from "drizzle-orm";
+import { OpenAPITags } from "@server/openApi";
+import { z } from "zod";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+import { fromError } from "zod-validation-error";
+import { QueryConnectionAuditLogResponse } from "@server/routers/auditLogs/types";
+import response from "@server/lib/response";
+import logger from "@server/logger";
+import { getSevenDaysAgo } from "@app/lib/getSevenDaysAgo";
+
+export const queryConnectionAuditLogsQuery = z.object({
+    // iso string just validate its a parseable date
+    timeStart: z
+        .string()
+        .refine((val) => !isNaN(Date.parse(val)), {
+            error: "timeStart must be a valid ISO date string"
+        })
+        .transform((val) => Math.floor(new Date(val).getTime() / 1000))
+        .prefault(() => getSevenDaysAgo().toISOString())
+        .openapi({
+            type: "string",
+            format: "date-time",
+            description:
+                "Start time as ISO date string (defaults to 7 days ago)"
+        }),
+    timeEnd: z
+        .string()
+        .refine((val) => !isNaN(Date.parse(val)), {
+            error: "timeEnd must be a valid ISO date string"
+        })
+        .transform((val) => Math.floor(new Date(val).getTime() / 1000))
+        .optional()
+        .prefault(() => new Date().toISOString())
+        .openapi({
+            type: "string",
+            format: "date-time",
+            description:
+                "End time as ISO date string (defaults to current time)"
+        }),
+    protocol: z.string().optional(),
+    sourceAddr: z.string().optional(),
+    destAddr: z.string().optional(),
+    clientId: z
+        .string()
+        .optional()
+        .transform(Number)
+        .pipe(z.int().positive())
+        .optional(),
+    siteId: z
+        .string()
+        .optional()
+        .transform(Number)
+        .pipe(z.int().positive())
+        .optional(),
+    siteResourceId: z
+        .string()
+        .optional()
+        .transform(Number)
+        .pipe(z.int().positive())
+        .optional(),
+    userId: z.string().optional(),
+    limit: z
+        .string()
+        .optional()
+        .default("1000")
+        .transform(Number)
+        .pipe(z.int().positive()),
+    offset: z
+        .string()
+        .optional()
+        .default("0")
+        .transform(Number)
+        .pipe(z.int().nonnegative())
+});
+
+export const queryConnectionAuditLogsParams = z.object({
+    orgId: z.string()
+});
+
+export const queryConnectionAuditLogsCombined =
+    queryConnectionAuditLogsQuery.merge(queryConnectionAuditLogsParams);
+type Q = z.infer<typeof queryConnectionAuditLogsCombined>;
+
+function getWhere(data: Q) {
+    return and(
+        gt(connectionAuditLog.startedAt, data.timeStart),
+        lt(connectionAuditLog.startedAt, data.timeEnd),
+        eq(connectionAuditLog.orgId, data.orgId),
+        data.protocol
+            ? eq(connectionAuditLog.protocol, data.protocol)
+            : undefined,
+        data.sourceAddr
+            ? eq(connectionAuditLog.sourceAddr, data.sourceAddr)
+            : undefined,
+        data.destAddr
+            ? eq(connectionAuditLog.destAddr, data.destAddr)
+            : undefined,
+        data.clientId
+            ? eq(connectionAuditLog.clientId, data.clientId)
+            : undefined,
+        data.siteId
+            ? eq(connectionAuditLog.siteId, data.siteId)
+            : undefined,
+        data.siteResourceId
+            ? eq(connectionAuditLog.siteResourceId, data.siteResourceId)
+            : undefined,
+        data.userId
+            ? eq(connectionAuditLog.userId, data.userId)
+            : undefined
+    );
+}
+
+export function queryConnection(data: Q) {
+    return logsDb
+        .select({
+            sessionId: connectionAuditLog.sessionId,
+            siteResourceId: connectionAuditLog.siteResourceId,
+            orgId: connectionAuditLog.orgId,
+            siteId: connectionAuditLog.siteId,
+            clientId: connectionAuditLog.clientId,
+            userId: connectionAuditLog.userId,
+            sourceAddr: connectionAuditLog.sourceAddr,
+            destAddr: connectionAuditLog.destAddr,
+            protocol: connectionAuditLog.protocol,
+            startedAt: connectionAuditLog.startedAt,
+            endedAt: connectionAuditLog.endedAt,
+            bytesTx: connectionAuditLog.bytesTx,
+            bytesRx: connectionAuditLog.bytesRx
+        })
+        .from(connectionAuditLog)
+        .where(getWhere(data))
+        .orderBy(
+            desc(connectionAuditLog.startedAt),
+            desc(connectionAuditLog.id)
+        );
+}
+
+export function countConnectionQuery(data: Q) {
+    const countQuery = logsDb
+        .select({ count: count() })
+        .from(connectionAuditLog)
+        .where(getWhere(data));
+    return countQuery;
+}
+
+async function enrichWithDetails(
+    logs: Awaited<ReturnType<typeof queryConnection>>
+) {
+    // Collect unique IDs from logs
+    const siteResourceIds = [
+        ...new Set(
+            logs
+                .map((log) => log.siteResourceId)
+                .filter((id): id is number => id !== null && id !== undefined)
+        )
+    ];
+    const siteIds = [
+        ...new Set(
+            logs
+                .map((log) => log.siteId)
+                .filter((id): id is number => id !== null && id !== undefined)
+        )
+    ];
+    const clientIds = [
+        ...new Set(
+            logs
+                .map((log) => log.clientId)
+                .filter((id): id is number => id !== null && id !== undefined)
+        )
+    ];
+
+    // Fetch resource details from main database
+    const resourceMap = new Map<
+        number,
+        { name: string; niceId: string }
+    >();
+    if (siteResourceIds.length > 0) {
+        const resourceDetails = await primaryDb
+            .select({
+                siteResourceId: siteResources.siteResourceId,
+                name: siteResources.name,
+                niceId: siteResources.niceId
+            })
+            .from(siteResources)
+            .where(inArray(siteResources.siteResourceId, siteResourceIds));
+
+        for (const r of resourceDetails) {
+            resourceMap.set(r.siteResourceId, {
+                name: r.name,
+                niceId: r.niceId
+            });
+        }
+    }
+
+    // Fetch site details from main database
+    const siteMap = new Map<number, { name: string; niceId: string }>();
+    if (siteIds.length > 0) {
+        const siteDetails = await primaryDb
+            .select({
+                siteId: sites.siteId,
+                name: sites.name,
+                niceId: sites.niceId
+            })
+            .from(sites)
+            .where(inArray(sites.siteId, siteIds));
+
+        for (const s of siteDetails) {
+            siteMap.set(s.siteId, { name: s.name, niceId: s.niceId });
+        }
+    }
+
+    // Fetch client details from main database
+    const clientMap = new Map<number, { name: string }>();
+    if (clientIds.length > 0) {
+        const clientDetails = await primaryDb
+            .select({
+                clientId: clients.clientId,
+                name: clients.name
+            })
+            .from(clients)
+            .where(inArray(clients.clientId, clientIds));
+
+        for (const c of clientDetails) {
+            clientMap.set(c.clientId, { name: c.name });
+        }
+    }
+
+    // Enrich logs with details
+    return logs.map((log) => ({
+        ...log,
+        resourceName: log.siteResourceId
+            ? resourceMap.get(log.siteResourceId)?.name ?? null
+            : null,
+        resourceNiceId: log.siteResourceId
+            ? resourceMap.get(log.siteResourceId)?.niceId ?? null
+            : null,
+        siteName: log.siteId
+            ? siteMap.get(log.siteId)?.name ?? null
+            : null,
+        siteNiceId: log.siteId
+            ? siteMap.get(log.siteId)?.niceId ?? null
+            : null,
+        clientName: log.clientId
+            ? clientMap.get(log.clientId)?.name ?? null
+            : null
+    }));
+}
+
+async function queryUniqueFilterAttributes(
+    timeStart: number,
+    timeEnd: number,
+    orgId: string
+) {
+    const baseConditions = and(
+        gt(connectionAuditLog.startedAt, timeStart),
+        lt(connectionAuditLog.startedAt, timeEnd),
+        eq(connectionAuditLog.orgId, orgId)
+    );
+
+    // Get unique protocols
+    const uniqueProtocols = await logsDb
+        .selectDistinct({
+            protocol: connectionAuditLog.protocol
+        })
+        .from(connectionAuditLog)
+        .where(baseConditions);
+
+    return {
+        protocols: uniqueProtocols
+            .map((row) => row.protocol)
+            .filter((protocol): protocol is string => protocol !== null)
+    };
+}
+
+registry.registerPath({
+    method: "get",
+    path: "/org/{orgId}/logs/connection",
+    description: "Query the connection audit log for an organization",
+    tags: [OpenAPITags.Logs],
+    request: {
+        query: queryConnectionAuditLogsQuery,
+        params: queryConnectionAuditLogsParams
+    },
+    responses: {}
+});
+
+export async function queryConnectionAuditLogs(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedQuery = queryConnectionAuditLogsQuery.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedQuery.error)
+                )
+            );
+        }
+        const parsedParams = queryConnectionAuditLogsParams.safeParse(
+            req.params
+        );
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error)
+                )
+            );
+        }
+
+        const data = { ...parsedQuery.data, ...parsedParams.data };
+
+        const baseQuery = queryConnection(data);
+
+        const logsRaw = await baseQuery.limit(data.limit).offset(data.offset);
+
+        // Enrich with resource, site, and client details
+        const log = await enrichWithDetails(logsRaw);
+
+        const totalCountResult = await countConnectionQuery(data);
+        const totalCount = totalCountResult[0].count;
+
+        const filterAttributes = await queryUniqueFilterAttributes(
+            data.timeStart,
+            data.timeEnd,
+            data.orgId
+        );
+
+        return response<QueryConnectionAuditLogResponse>(res, {
+            data: {
+                log: log,
+                pagination: {
+                    total: totalCount,
+                    limit: data.limit,
+                    offset: data.offset
+                },
+                filterAttributes
+            },
+            success: true,
+            error: false,
+            message: "Connection audit logs retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
\ No newline at end of file
diff --git a/server/private/routers/external.ts b/server/private/routers/external.ts
index df8ea8cbb..f06ad4517 100644
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -478,6 +478,25 @@ authenticated.get(
     logs.exportAccessAuditLogs
 );
 
+authenticated.get(
+    "/org/:orgId/logs/connection",
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.connectionLogs),
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.exportLogs),
+    logs.queryConnectionAuditLogs
+);
+
+authenticated.get(
+    "/org/:orgId/logs/connection/export",
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.logExport),
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.exportLogs),
+    logActionAudit(ActionsEnum.exportLogs),
+    logs.exportConnectionAuditLogs
+);
+
 authenticated.post(
     "/re-key/:clientId/regenerate-client-secret",
     verifyClientAccess, // this is first to set the org id
diff --git a/server/private/routers/integration.ts b/server/private/routers/integration.ts
index 97b1adade..c17835025 100644
--- a/server/private/routers/integration.ts
+++ b/server/private/routers/integration.ts
@@ -91,6 +91,25 @@ authenticated.get(
     logs.exportAccessAuditLogs
 );
 
+authenticated.get(
+    "/org/:orgId/logs/connection",
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.connectionLogs),
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.exportLogs),
+    logs.queryConnectionAuditLogs
+);
+
+authenticated.get(
+    "/org/:orgId/logs/connection/export",
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.logExport),
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.exportLogs),
+    logActionAudit(ActionsEnum.exportLogs),
+    logs.exportConnectionAuditLogs
+);
+
 authenticated.put(
     "/org/:orgId/idp/oidc",
     verifyValidLicense,
diff --git a/server/routers/auditLogs/types.ts b/server/routers/auditLogs/types.ts
index 474aa9261..20e11e17b 100644
--- a/server/routers/auditLogs/types.ts
+++ b/server/routers/auditLogs/types.ts
@@ -91,3 +91,34 @@ export type QueryAccessAuditLogResponse = {
         locations: string[];
     };
 };
+
+export type QueryConnectionAuditLogResponse = {
+    log: {
+        sessionId: string;
+        siteResourceId: number | null;
+        orgId: string | null;
+        siteId: number | null;
+        clientId: number | null;
+        userId: string | null;
+        sourceAddr: string;
+        destAddr: string;
+        protocol: string;
+        startedAt: number;
+        endedAt: number | null;
+        bytesTx: number | null;
+        bytesRx: number | null;
+        resourceName: string | null;
+        resourceNiceId: string | null;
+        siteName: string | null;
+        siteNiceId: string | null;
+        clientName: string | null;
+    }[];
+    pagination: {
+        total: number;
+        limit: number;
+        offset: number;
+    };
+    filterAttributes: {
+        protocols: string[];
+    };
+};
diff --git a/src/app/[orgId]/settings/logs/connection/page.tsx b/src/app/[orgId]/settings/logs/connection/page.tsx
new file mode 100644
index 000000000..737b1efd7
--- /dev/null
+++ b/src/app/[orgId]/settings/logs/connection/page.tsx
@@ -0,0 +1,630 @@
+"use client";
+import { ColumnFilter } from "@app/components/ColumnFilter";
+import { DateTimeValue } from "@app/components/DateTimePicker";
+import { LogDataTable } from "@app/components/LogDataTable";
+import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
+import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { usePaidStatus } from "@app/hooks/usePaidStatus";
+import { useStoredPageSize } from "@app/hooks/useStoredPageSize";
+import { toast } from "@app/hooks/useToast";
+import { createApiClient } from "@app/lib/api";
+import { getSevenDaysAgo } from "@app/lib/getSevenDaysAgo";
+import { build } from "@server/build";
+import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import { ColumnDef } from "@tanstack/react-table";
+import axios from "axios";
+import { Cable, Monitor, Server } from "lucide-react";
+import { useTranslations } from "next-intl";
+import { useParams, useRouter, useSearchParams } from "next/navigation";
+import { useEffect, useState, useTransition } from "react";
+
+function formatBytes(bytes: number | null): string {
+    if (bytes === null || bytes === undefined) return "—";
+    if (bytes === 0) return "0 B";
+    const units = ["B", "KB", "MB", "GB", "TB"];
+    const i = Math.floor(Math.log(bytes) / Math.log(1024));
+    const value = bytes / Math.pow(1024, i);
+    return `${value.toFixed(i === 0 ? 0 : 1)} ${units[i]}`;
+}
+
+function formatDuration(startedAt: number, endedAt: number | null): string {
+    if (endedAt === null || endedAt === undefined) return "Active";
+    const durationSec = endedAt - startedAt;
+    if (durationSec < 0) return "—";
+    if (durationSec < 60) return `${durationSec}s`;
+    if (durationSec < 3600) {
+        const m = Math.floor(durationSec / 60);
+        const s = durationSec % 60;
+        return `${m}m ${s}s`;
+    }
+    const h = Math.floor(durationSec / 3600);
+    const m = Math.floor((durationSec % 3600) / 60);
+    return `${h}h ${m}m`;
+}
+
+export default function ConnectionLogsPage() {
+    const router = useRouter();
+    const api = createApiClient(useEnvContext());
+    const t = useTranslations();
+    const { orgId } = useParams();
+    const searchParams = useSearchParams();
+
+    const { isPaidUser } = usePaidStatus();
+
+    const [rows, setRows] = useState<any[]>([]);
+    const [isRefreshing, setIsRefreshing] = useState(false);
+    const [isExporting, startTransition] = useTransition();
+    const [filterAttributes, setFilterAttributes] = useState<{
+        protocols: string[];
+    }>({
+        protocols: []
+    });
+
+    // Filter states - unified object for all filters
+    const [filters, setFilters] = useState<{
+        protocol?: string;
+    }>({
+        protocol: searchParams.get("protocol") || undefined
+    });
+
+    // Pagination state
+    const [totalCount, setTotalCount] = useState<number>(0);
+    const [currentPage, setCurrentPage] = useState<number>(0);
+    const [isLoading, setIsLoading] = useState(false);
+
+    // Initialize page size from storage or default
+    const [pageSize, setPageSize] = useStoredPageSize(
+        "connection-audit-logs",
+        20
+    );
+
+    // Set default date range to last 7 days
+    const getDefaultDateRange = () => {
+        // if the time is in the url params, use that instead
+        const startParam = searchParams.get("start");
+        const endParam = searchParams.get("end");
+        if (startParam && endParam) {
+            return {
+                startDate: {
+                    date: new Date(startParam)
+                },
+                endDate: {
+                    date: new Date(endParam)
+                }
+            };
+        }
+
+        const now = new Date();
+        const lastWeek = getSevenDaysAgo();
+
+        return {
+            startDate: {
+                date: lastWeek
+            },
+            endDate: {
+                date: now
+            }
+        };
+    };
+
+    const [dateRange, setDateRange] = useState<{
+        startDate: DateTimeValue;
+        endDate: DateTimeValue;
+    }>(getDefaultDateRange());
+
+    // Trigger search with default values on component mount
+    useEffect(() => {
+        if (build === "oss") {
+            return;
+        }
+        const defaultRange = getDefaultDateRange();
+        queryDateTime(
+            defaultRange.startDate,
+            defaultRange.endDate,
+            0,
+            pageSize
+        );
+    }, [orgId]); // Re-run if orgId changes
+
+    const handleDateRangeChange = (
+        startDate: DateTimeValue,
+        endDate: DateTimeValue
+    ) => {
+        setDateRange({ startDate, endDate });
+        setCurrentPage(0); // Reset to first page when filtering
+        // put the search params in the url for the time
+        updateUrlParamsForAllFilters({
+            start: startDate.date?.toISOString() || "",
+            end: endDate.date?.toISOString() || ""
+        });
+
+        queryDateTime(startDate, endDate, 0, pageSize);
+    };
+
+    // Handle page changes
+    const handlePageChange = (newPage: number) => {
+        setCurrentPage(newPage);
+        queryDateTime(
+            dateRange.startDate,
+            dateRange.endDate,
+            newPage,
+            pageSize
+        );
+    };
+
+    // Handle page size changes
+    const handlePageSizeChange = (newPageSize: number) => {
+        setPageSize(newPageSize);
+        setCurrentPage(0); // Reset to first page when changing page size
+        queryDateTime(dateRange.startDate, dateRange.endDate, 0, newPageSize);
+    };
+
+    // Handle filter changes generically
+    const handleFilterChange = (
+        filterType: keyof typeof filters,
+        value: string | undefined
+    ) => {
+        // Create new filters object with updated value
+        const newFilters = {
+            ...filters,
+            [filterType]: value
+        };
+
+        setFilters(newFilters);
+        setCurrentPage(0); // Reset to first page when filtering
+
+        // Update URL params
+        updateUrlParamsForAllFilters(newFilters);
+
+        // Trigger new query with updated filters (pass directly to avoid async state issues)
+        queryDateTime(
+            dateRange.startDate,
+            dateRange.endDate,
+            0,
+            pageSize,
+            newFilters
+        );
+    };
+
+    const updateUrlParamsForAllFilters = (
+        newFilters:
+            | typeof filters
+            | {
+                  start: string;
+                  end: string;
+              }
+    ) => {
+        const params = new URLSearchParams(searchParams);
+        Object.entries(newFilters).forEach(([key, value]) => {
+            if (value) {
+                params.set(key, value);
+            } else {
+                params.delete(key);
+            }
+        });
+        router.replace(`?${params.toString()}`, { scroll: false });
+    };
+
+    const queryDateTime = async (
+        startDate: DateTimeValue,
+        endDate: DateTimeValue,
+        page: number = currentPage,
+        size: number = pageSize,
+        filtersParam?: {
+            protocol?: string;
+        }
+    ) => {
+        console.log("Date range changed:", { startDate, endDate, page, size });
+        if (!isPaidUser(tierMatrix.connectionLogs)) {
+            console.log(
+                "Access denied: subscription inactive or license locked"
+            );
+            return;
+        }
+        setIsLoading(true);
+
+        try {
+            // Use the provided filters or fall back to current state
+            const activeFilters = filtersParam || filters;
+
+            // Convert the date/time values to API parameters
+            const params: any = {
+                limit: size,
+                offset: page * size,
+                ...activeFilters
+            };
+
+            if (startDate?.date) {
+                const startDateTime = new Date(startDate.date);
+                if (startDate.time) {
+                    const [hours, minutes, seconds] = startDate.time
+                        .split(":")
+                        .map(Number);
+                    startDateTime.setHours(hours, minutes, seconds || 0);
+                }
+                params.timeStart = startDateTime.toISOString();
+            }
+
+            if (endDate?.date) {
+                const endDateTime = new Date(endDate.date);
+                if (endDate.time) {
+                    const [hours, minutes, seconds] = endDate.time
+                        .split(":")
+                        .map(Number);
+                    endDateTime.setHours(hours, minutes, seconds || 0);
+                } else {
+                    // If no time is specified, set to NOW
+                    const now = new Date();
+                    endDateTime.setHours(
+                        now.getHours(),
+                        now.getMinutes(),
+                        now.getSeconds(),
+                        now.getMilliseconds()
+                    );
+                }
+                params.timeEnd = endDateTime.toISOString();
+            }
+
+            const res = await api.get(`/org/${orgId}/logs/connection`, {
+                params
+            });
+            if (res.status === 200) {
+                setRows(res.data.data.log || []);
+                setTotalCount(res.data.data.pagination?.total || 0);
+                setFilterAttributes(res.data.data.filterAttributes);
+                console.log("Fetched connection logs:", res.data);
+            }
+        } catch (error) {
+            toast({
+                title: t("error"),
+                description: t("Failed to filter logs"),
+                variant: "destructive"
+            });
+        } finally {
+            setIsLoading(false);
+        }
+    };
+
+    const refreshData = async () => {
+        console.log("Data refreshed");
+        setIsRefreshing(true);
+        try {
+            // Refresh data with current date range and pagination
+            await queryDateTime(
+                dateRange.startDate,
+                dateRange.endDate,
+                currentPage,
+                pageSize
+            );
+        } catch (error) {
+            toast({
+                title: t("error"),
+                description: t("refreshError"),
+                variant: "destructive"
+            });
+        } finally {
+            setIsRefreshing(false);
+        }
+    };
+
+    const exportData = async () => {
+        try {
+            // Prepare query params for export
+            const params: any = {
+                timeStart: dateRange.startDate?.date
+                    ? new Date(dateRange.startDate.date).toISOString()
+                    : undefined,
+                timeEnd: dateRange.endDate?.date
+                    ? new Date(dateRange.endDate.date).toISOString()
+                    : undefined,
+                ...filters
+            };
+
+            const response = await api.get(
+                `/org/${orgId}/logs/connection/export`,
+                {
+                    responseType: "blob",
+                    params
+                }
+            );
+
+            // Create a URL for the blob and trigger a download
+            const url = window.URL.createObjectURL(new Blob([response.data]));
+            const link = document.createElement("a");
+            link.href = url;
+            const epoch = Math.floor(Date.now() / 1000);
+            link.setAttribute(
+                "download",
+                `connection-audit-logs-${orgId}-${epoch}.csv`
+            );
+            document.body.appendChild(link);
+            link.click();
+            link.parentNode?.removeChild(link);
+        } catch (error) {
+            let apiErrorMessage: string | null = null;
+            if (axios.isAxiosError(error) && error.response) {
+                const data = error.response.data;
+
+                if (data instanceof Blob && data.type === "application/json") {
+                    // Parse the Blob as JSON
+                    const text = await data.text();
+                    const errorData = JSON.parse(text);
+                    apiErrorMessage = errorData.message;
+                }
+            }
+            toast({
+                title: t("error"),
+                description: apiErrorMessage ?? t("exportError"),
+                variant: "destructive"
+            });
+        }
+    };
+
+    const columns: ColumnDef<any>[] = [
+        {
+            accessorKey: "startedAt",
+            header: ({ column }) => {
+                return t("timestamp");
+            },
+            cell: ({ row }) => {
+                return (
+                    <div className="whitespace-nowrap">
+                        {new Date(
+                            row.original.startedAt * 1000
+                        ).toLocaleString()}
+                    </div>
+                );
+            }
+        },
+        {
+            accessorKey: "protocol",
+            header: ({ column }) => {
+                return (
+                    <div className="flex items-center gap-2">
+                        <span>{t("protocol")}</span>
+                        <ColumnFilter
+                            options={filterAttributes.protocols.map(
+                                (protocol) => ({
+                                    label: protocol.toUpperCase(),
+                                    value: protocol
+                                })
+                            )}
+                            selectedValue={filters.protocol}
+                            onValueChange={(value) =>
+                                handleFilterChange("protocol", value)
+                            }
+                            searchPlaceholder="Search..."
+                            emptyMessage="None found"
+                        />
+                    </div>
+                );
+            },
+            cell: ({ row }) => {
+                return (
+                    <span className="whitespace-nowrap font-mono text-xs">
+                        {row.original.protocol?.toUpperCase()}
+                    </span>
+                );
+            }
+        },
+        {
+            accessorKey: "resourceName",
+            header: ({ column }) => {
+                return t("resource");
+            },
+            cell: ({ row }) => {
+                return (
+                    <span className="whitespace-nowrap">
+                        {row.original.resourceName ?? "—"}
+                    </span>
+                );
+            }
+        },
+        {
+            accessorKey: "sourceAddr",
+            header: ({ column }) => {
+                return t("sourceAddress");
+            },
+            cell: ({ row }) => {
+                return (
+                    <span className="whitespace-nowrap font-mono text-xs">
+                        {row.original.sourceAddr}
+                    </span>
+                );
+            }
+        },
+        {
+            accessorKey: "destAddr",
+            header: ({ column }) => {
+                return t("destinationAddress");
+            },
+            cell: ({ row }) => {
+                return (
+                    <span className="whitespace-nowrap font-mono text-xs">
+                        {row.original.destAddr}
+                    </span>
+                );
+            }
+        },
+        {
+            accessorKey: "duration",
+            header: ({ column }) => {
+                return t("duration");
+            },
+            cell: ({ row }) => {
+                return (
+                    <span className="whitespace-nowrap">
+                        {formatDuration(
+                            row.original.startedAt,
+                            row.original.endedAt
+                        )}
+                    </span>
+                );
+            }
+        }
+    ];
+
+    const renderExpandedRow = (row: any) => {
+        return (
+            <div className="space-y-4">
+                <div className="grid grid-cols-1 md:grid-cols-3 gap-4 text-xs">
+                    <div className="space-y-2">
+                        <div className="flex items-center gap-1 font-semibold text-sm mb-1">
+                            <Cable className="h-4 w-4" />
+                            Connection Details
+                        </div>
+                        <div>
+                            <strong>Session ID:</strong>{" "}
+                            <span className="font-mono">
+                                {row.sessionId ?? "—"}
+                            </span>
+                        </div>
+                        <div>
+                            <strong>Protocol:</strong>{" "}
+                            {row.protocol?.toUpperCase() ?? "—"}
+                        </div>
+                        <div>
+                            <strong>Source:</strong>{" "}
+                            <span className="font-mono">
+                                {row.sourceAddr ?? "—"}
+                            </span>
+                        </div>
+                        <div>
+                            <strong>Destination:</strong>{" "}
+                            <span className="font-mono">
+                                {row.destAddr ?? "—"}
+                            </span>
+                        </div>
+                        <div>
+                            <strong>Started At:</strong>{" "}
+                            {row.startedAt
+                                ? new Date(
+                                      row.startedAt * 1000
+                                  ).toLocaleString()
+                                : "—"}
+                        </div>
+                        <div>
+                            <strong>Ended At:</strong>{" "}
+                            {row.endedAt
+                                ? new Date(
+                                      row.endedAt * 1000
+                                  ).toLocaleString()
+                                : "Active"}
+                        </div>
+                        <div>
+                            <strong>Duration:</strong>{" "}
+                            {formatDuration(row.startedAt, row.endedAt)}
+                        </div>
+                    </div>
+                    <div className="space-y-2">
+                        <div className="flex items-center gap-1 font-semibold text-sm mb-1">
+                            <Server className="h-4 w-4" />
+                            Resource & Site
+                        </div>
+                        <div>
+                            <strong>Resource:</strong>{" "}
+                            {row.resourceName ?? "—"}
+                            {row.resourceNiceId && (
+                                <span className="text-muted-foreground ml-1">
+                                    ({row.resourceNiceId})
+                                </span>
+                            )}
+                        </div>
+                        <div>
+                            <strong>Site:</strong> {row.siteName ?? "—"}
+                            {row.siteNiceId && (
+                                <span className="text-muted-foreground ml-1">
+                                    ({row.siteNiceId})
+                                </span>
+                            )}
+                        </div>
+                        <div>
+                            <strong>Site ID:</strong> {row.siteId ?? "—"}
+                        </div>
+                        <div>
+                            <strong>Resource ID:</strong>{" "}
+                            {row.siteResourceId ?? "—"}
+                        </div>
+                    </div>
+                    <div className="space-y-2">
+                        <div className="flex items-center gap-1 font-semibold text-sm mb-1">
+                            <Monitor className="h-4 w-4" />
+                            Client & Transfer
+                        </div>
+                        <div>
+                            <strong>Client:</strong> {row.clientName ?? "—"}
+                            {row.clientId && (
+                                <span className="text-muted-foreground ml-1">
+                                    (ID: {row.clientId})
+                                </span>
+                            )}
+                        </div>
+                        <div>
+                            <strong>User ID:</strong> {row.userId ?? "—"}
+                        </div>
+                        <div>
+                            <strong>Bytes Sent (TX):</strong>{" "}
+                            {formatBytes(row.bytesTx)}
+                        </div>
+                        <div>
+                            <strong>Bytes Received (RX):</strong>{" "}
+                            {formatBytes(row.bytesRx)}
+                        </div>
+                        <div>
+                            <strong>Total Transfer:</strong>{" "}
+                            {formatBytes(
+                                (row.bytesTx ?? 0) + (row.bytesRx ?? 0)
+                            )}
+                        </div>
+                    </div>
+                </div>
+            </div>
+        );
+    };
+
+    return (
+        <>
+            <SettingsSectionTitle
+                title={t("connectionLogs")}
+                description={t("connectionLogsDescription")}
+            />
+
+            <PaidFeaturesAlert tiers={tierMatrix.connectionLogs} />
+
+            <LogDataTable
+                columns={columns}
+                data={rows}
+                title={t("connectionLogs")}
+                searchPlaceholder={t("searchLogs")}
+                searchColumn="protocol"
+                onRefresh={refreshData}
+                isRefreshing={isRefreshing}
+                onExport={() => startTransition(exportData)}
+                isExporting={isExporting}
+                onDateRangeChange={handleDateRangeChange}
+                dateRange={{
+                    start: dateRange.startDate,
+                    end: dateRange.endDate
+                }}
+                defaultSort={{
+                    id: "startedAt",
+                    desc: true
+                }}
+                // Server-side pagination props
+                totalCount={totalCount}
+                currentPage={currentPage}
+                pageSize={pageSize}
+                onPageChange={handlePageChange}
+                onPageSizeChange={handlePageSizeChange}
+                isLoading={isLoading}
+                // Row expansion props
+                expandable={true}
+                renderExpandedRow={renderExpandedRow}
+                disabled={
+                    !isPaidUser(tierMatrix.connectionLogs) || build === "oss"
+                }
+            />
+        </>
+    );
+}
\ No newline at end of file
diff --git a/src/app/navigation.tsx b/src/app/navigation.tsx
index 0066721db..0a09214e3 100644
--- a/src/app/navigation.tsx
+++ b/src/app/navigation.tsx
@@ -3,6 +3,7 @@ import { Env } from "@app/lib/types/env";
 import { build } from "@server/build";
 import {
     Building2,
+    Cable,
     ChartLine,
     Combine,
     CreditCard,
@@ -189,6 +190,11 @@ export const orgNavSections = (
                                   title: "sidebarLogsAction",
                                   href: "/{orgId}/settings/logs/action",
                                   icon: <Logs className="size-4 flex-none" />
+                              },
+                              {
+                                  title: "sidebarLogsConnection",
+                                  href: "/{orgId}/settings/logs/connection",
+                                  icon: <Cable className="size-4 flex-none" />
                               }
                           ]
                         : [])

From 2c6e9507b55efdedcf88f77a054475b8dd9daa51 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 23 Mar 2026 21:41:53 -0700
Subject: [PATCH 096/314] Connection log page working

---
 server/lib/ip.ts                              |  10 +-
 .../auditLogs/queryConnectionAuditLog.ts      | 156 ++++++++++++++-
 .../newt/handleConnectionLogMessage.ts        |  16 +-
 server/routers/auditLogs/types.ts             |  16 ++
 .../[orgId]/settings/logs/connection/page.tsx | 180 ++++++++++++++++--
 5 files changed, 349 insertions(+), 29 deletions(-)

diff --git a/server/lib/ip.ts b/server/lib/ip.ts
index 3a29b8661..7f829bcef 100644
--- a/server/lib/ip.ts
+++ b/server/lib/ip.ts
@@ -581,6 +581,7 @@ export type SubnetProxyTargetV2 = {
         max: number;
         protocol: "tcp" | "udp";
     }[];
+    resourceId?: number;
 };
 
 export function generateSubnetProxyTargetV2(
@@ -617,7 +618,8 @@ export function generateSubnetProxyTargetV2(
                 sourcePrefixes: [],
                 destPrefix: destination,
                 portRange,
-                disableIcmp
+                disableIcmp,
+                resourceId: siteResource.siteResourceId,
             };
         }
 
@@ -628,7 +630,8 @@ export function generateSubnetProxyTargetV2(
                 destPrefix: `${siteResource.aliasAddress}/32`,
                 rewriteTo: destination,
                 portRange,
-                disableIcmp
+                disableIcmp,
+                resourceId: siteResource.siteResourceId,
             };
         }
     } else if (siteResource.mode == "cidr") {
@@ -636,7 +639,8 @@ export function generateSubnetProxyTargetV2(
             sourcePrefixes: [],
             destPrefix: siteResource.destination,
             portRange,
-            disableIcmp
+            disableIcmp,
+            resourceId: siteResource.siteResourceId,
         };
     }
 
diff --git a/server/private/routers/auditLogs/queryConnectionAuditLog.ts b/server/private/routers/auditLogs/queryConnectionAuditLog.ts
index f321444cd..b638ed488 100644
--- a/server/private/routers/auditLogs/queryConnectionAuditLog.ts
+++ b/server/private/routers/auditLogs/queryConnectionAuditLog.ts
@@ -17,6 +17,7 @@ import {
     siteResources,
     sites,
     clients,
+    users,
     primaryDb
 } from "@server/db";
 import { registry } from "@server/openApi";
@@ -193,6 +194,13 @@ async function enrichWithDetails(
                 .filter((id): id is number => id !== null && id !== undefined)
         )
     ];
+    const userIds = [
+        ...new Set(
+            logs
+                .map((log) => log.userId)
+                .filter((id): id is string => id !== null && id !== undefined)
+        )
+    ];
 
     // Fetch resource details from main database
     const resourceMap = new Map<
@@ -235,18 +243,46 @@ async function enrichWithDetails(
     }
 
     // Fetch client details from main database
-    const clientMap = new Map<number, { name: string }>();
+    const clientMap = new Map<
+        number,
+        { name: string; niceId: string; type: string }
+    >();
     if (clientIds.length > 0) {
         const clientDetails = await primaryDb
             .select({
                 clientId: clients.clientId,
-                name: clients.name
+                name: clients.name,
+                niceId: clients.niceId,
+                type: clients.type
             })
             .from(clients)
             .where(inArray(clients.clientId, clientIds));
 
         for (const c of clientDetails) {
-            clientMap.set(c.clientId, { name: c.name });
+            clientMap.set(c.clientId, {
+                name: c.name,
+                niceId: c.niceId,
+                type: c.type
+            });
+        }
+    }
+
+    // Fetch user details from main database
+    const userMap = new Map<
+        string,
+        { email: string | null }
+    >();
+    if (userIds.length > 0) {
+        const userDetails = await primaryDb
+            .select({
+                userId: users.userId,
+                email: users.email
+            })
+            .from(users)
+            .where(inArray(users.userId, userIds));
+
+        for (const u of userDetails) {
+            userMap.set(u.userId, { email: u.email });
         }
     }
 
@@ -267,6 +303,15 @@ async function enrichWithDetails(
             : null,
         clientName: log.clientId
             ? clientMap.get(log.clientId)?.name ?? null
+            : null,
+        clientNiceId: log.clientId
+            ? clientMap.get(log.clientId)?.niceId ?? null
+            : null,
+        clientType: log.clientId
+            ? clientMap.get(log.clientId)?.type ?? null
+            : null,
+        userEmail: log.userId
+            ? userMap.get(log.userId)?.email ?? null
             : null
     }));
 }
@@ -290,10 +335,111 @@ async function queryUniqueFilterAttributes(
         .from(connectionAuditLog)
         .where(baseConditions);
 
+    // Get unique destination addresses
+    const uniqueDestAddrs = await logsDb
+        .selectDistinct({
+            destAddr: connectionAuditLog.destAddr
+        })
+        .from(connectionAuditLog)
+        .where(baseConditions);
+
+    // Get unique client IDs
+    const uniqueClients = await logsDb
+        .selectDistinct({
+            clientId: connectionAuditLog.clientId
+        })
+        .from(connectionAuditLog)
+        .where(baseConditions);
+
+    // Get unique resource IDs
+    const uniqueResources = await logsDb
+        .selectDistinct({
+            siteResourceId: connectionAuditLog.siteResourceId
+        })
+        .from(connectionAuditLog)
+        .where(baseConditions);
+
+    // Get unique user IDs
+    const uniqueUsers = await logsDb
+        .selectDistinct({
+            userId: connectionAuditLog.userId
+        })
+        .from(connectionAuditLog)
+        .where(baseConditions);
+
+    // Enrich client IDs with names from main database
+    const clientIds = uniqueClients
+        .map((row) => row.clientId)
+        .filter((id): id is number => id !== null);
+
+    let clientsWithNames: Array<{ id: number; name: string }> = [];
+    if (clientIds.length > 0) {
+        const clientDetails = await primaryDb
+            .select({
+                clientId: clients.clientId,
+                name: clients.name
+            })
+            .from(clients)
+            .where(inArray(clients.clientId, clientIds));
+
+        clientsWithNames = clientDetails.map((c) => ({
+            id: c.clientId,
+            name: c.name
+        }));
+    }
+
+    // Enrich resource IDs with names from main database
+    const resourceIds = uniqueResources
+        .map((row) => row.siteResourceId)
+        .filter((id): id is number => id !== null);
+
+    let resourcesWithNames: Array<{ id: number; name: string | null }> = [];
+    if (resourceIds.length > 0) {
+        const resourceDetails = await primaryDb
+            .select({
+                siteResourceId: siteResources.siteResourceId,
+                name: siteResources.name
+            })
+            .from(siteResources)
+            .where(inArray(siteResources.siteResourceId, resourceIds));
+
+        resourcesWithNames = resourceDetails.map((r) => ({
+            id: r.siteResourceId,
+            name: r.name
+        }));
+    }
+
+    // Enrich user IDs with emails from main database
+    const userIdsList = uniqueUsers
+        .map((row) => row.userId)
+        .filter((id): id is string => id !== null);
+
+    let usersWithEmails: Array<{ id: string; email: string | null }> = [];
+    if (userIdsList.length > 0) {
+        const userDetails = await primaryDb
+            .select({
+                userId: users.userId,
+                email: users.email
+            })
+            .from(users)
+            .where(inArray(users.userId, userIdsList));
+
+        usersWithEmails = userDetails.map((u) => ({
+            id: u.userId,
+            email: u.email
+        }));
+    }
+
     return {
         protocols: uniqueProtocols
             .map((row) => row.protocol)
-            .filter((protocol): protocol is string => protocol !== null)
+            .filter((protocol): protocol is string => protocol !== null),
+        destAddrs: uniqueDestAddrs
+            .map((row) => row.destAddr)
+            .filter((addr): addr is string => addr !== null),
+        clients: clientsWithNames,
+        resources: resourcesWithNames,
+        users: usersWithEmails
     };
 }
 
@@ -342,7 +488,7 @@ export async function queryConnectionAuditLogs(
 
         const logsRaw = await baseQuery.limit(data.limit).offset(data.offset);
 
-        // Enrich with resource, site, and client details
+        // Enrich with resource, site, client, and user details
         const log = await enrichWithDetails(logsRaw);
 
         const totalCountResult = await countConnectionQuery(data);
diff --git a/server/private/routers/newt/handleConnectionLogMessage.ts b/server/private/routers/newt/handleConnectionLogMessage.ts
index 164c14488..2ac7153b5 100644
--- a/server/private/routers/newt/handleConnectionLogMessage.ts
+++ b/server/private/routers/newt/handleConnectionLogMessage.ts
@@ -277,6 +277,8 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
         return;
     }
 
+    logger.debug(`Sessions: ${JSON.stringify(sessions)}`)
+
     // Build a map from sourceAddr → { clientId, userId } by querying clients
     // whose subnet field matches exactly. Client subnets are stored with the
     // org's CIDR suffix (e.g. "100.90.128.5/16"), so we reconstruct that from
@@ -295,9 +297,15 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
         if (uniqueSourceAddrs.size > 0) {
             // Construct the exact subnet strings as stored in the DB
             const subnetQueries = Array.from(uniqueSourceAddrs).map(
-                (addr) => `${addr}${cidrSuffix}`
+                (addr) => {
+                    // Strip port if present (e.g. "100.90.128.1:38004" → "100.90.128.1")
+                    const ip = addr.includes(":") ? addr.split(":")[0] : addr;
+                    return `${ip}${cidrSuffix}`;
+                }
             );
 
+            logger.debug(`Subnet queries: ${JSON.stringify(subnetQueries)}`);
+
             const matchedClients = await db
                 .select({
                     clientId: clients.clientId,
@@ -314,6 +322,7 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
 
             for (const c of matchedClients) {
                 const ip = c.subnet.split("/")[0];
+                logger.debug(`Client ${c.clientId} subnet ${c.subnet} matches ${ip}`);
                 ipToClient.set(ip, { clientId: c.clientId, userId: c.userId });
             }
         }
@@ -346,7 +355,10 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
         // Match the source address to a client. The sourceAddr is the
         // client's IP on the WireGuard network, which corresponds to the IP
         // portion of the client's subnet CIDR (e.g. "100.90.128.5/24").
-        const clientInfo = ipToClient.get(session.sourceAddr) ?? null;
+        // Strip port if present (e.g. "100.90.128.1:38004" → "100.90.128.1")
+        const sourceIp = session.sourceAddr.includes(":") ? session.sourceAddr.split(":")[0] : session.sourceAddr;
+        const clientInfo = ipToClient.get(sourceIp) ?? null;
+
 
         buffer.push({
             sessionId: session.sessionId,
diff --git a/server/routers/auditLogs/types.ts b/server/routers/auditLogs/types.ts
index 20e11e17b..4c278cba5 100644
--- a/server/routers/auditLogs/types.ts
+++ b/server/routers/auditLogs/types.ts
@@ -112,6 +112,9 @@ export type QueryConnectionAuditLogResponse = {
         siteName: string | null;
         siteNiceId: string | null;
         clientName: string | null;
+        clientNiceId: string | null;
+        clientType: string | null;
+        userEmail: string | null;
     }[];
     pagination: {
         total: number;
@@ -120,5 +123,18 @@ export type QueryConnectionAuditLogResponse = {
     };
     filterAttributes: {
         protocols: string[];
+        destAddrs: string[];
+        clients: {
+            id: number;
+            name: string;
+        }[];
+        resources: {
+            id: number;
+            name: string | null;
+        }[];
+        users: {
+            id: string;
+            email: string | null;
+        }[];
     };
 };
diff --git a/src/app/[orgId]/settings/logs/connection/page.tsx b/src/app/[orgId]/settings/logs/connection/page.tsx
index 737b1efd7..7ac137467 100644
--- a/src/app/[orgId]/settings/logs/connection/page.tsx
+++ b/src/app/[orgId]/settings/logs/connection/page.tsx
@@ -1,4 +1,5 @@
 "use client";
+import { Button } from "@app/components/ui/button";
 import { ColumnFilter } from "@app/components/ColumnFilter";
 import { DateTimeValue } from "@app/components/DateTimePicker";
 import { LogDataTable } from "@app/components/LogDataTable";
@@ -14,7 +15,8 @@ import { build } from "@server/build";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import { ColumnDef } from "@tanstack/react-table";
 import axios from "axios";
-import { Cable, Monitor, Server } from "lucide-react";
+import { ArrowUpRight, Laptop, User } from "lucide-react";
+import Link from "next/link";
 import { useTranslations } from "next-intl";
 import { useParams, useRouter, useSearchParams } from "next/navigation";
 import { useEffect, useState, useTransition } from "react";
@@ -57,15 +59,31 @@ export default function ConnectionLogsPage() {
     const [isExporting, startTransition] = useTransition();
     const [filterAttributes, setFilterAttributes] = useState<{
         protocols: string[];
+        destAddrs: string[];
+        clients: { id: number; name: string }[];
+        resources: { id: number; name: string | null }[];
+        users: { id: string; email: string | null }[];
     }>({
-        protocols: []
+        protocols: [],
+        destAddrs: [],
+        clients: [],
+        resources: [],
+        users: []
     });
 
     // Filter states - unified object for all filters
     const [filters, setFilters] = useState<{
         protocol?: string;
+        destAddr?: string;
+        clientId?: string;
+        siteResourceId?: string;
+        userId?: string;
     }>({
-        protocol: searchParams.get("protocol") || undefined
+        protocol: searchParams.get("protocol") || undefined,
+        destAddr: searchParams.get("destAddr") || undefined,
+        clientId: searchParams.get("clientId") || undefined,
+        siteResourceId: searchParams.get("siteResourceId") || undefined,
+        userId: searchParams.get("userId") || undefined
     });
 
     // Pagination state
@@ -211,9 +229,7 @@ export default function ConnectionLogsPage() {
         endDate: DateTimeValue,
         page: number = currentPage,
         size: number = pageSize,
-        filtersParam?: {
-            protocol?: string;
-        }
+        filtersParam?: typeof filters
     ) => {
         console.log("Date range changed:", { startDate, endDate, page, size });
         if (!isPaidUser(tierMatrix.connectionLogs)) {
@@ -411,9 +427,41 @@ export default function ConnectionLogsPage() {
         {
             accessorKey: "resourceName",
             header: ({ column }) => {
-                return t("resource");
+                return (
+                    <div className="flex items-center gap-2">
+                        <span>{t("resource")}</span>
+                        <ColumnFilter
+                            options={filterAttributes.resources.map((res) => ({
+                                value: res.id.toString(),
+                                label: res.name || "Unnamed Resource"
+                            }))}
+                            selectedValue={filters.siteResourceId}
+                            onValueChange={(value) =>
+                                handleFilterChange("siteResourceId", value)
+                            }
+                            searchPlaceholder="Search..."
+                            emptyMessage="None found"
+                        />
+                    </div>
+                );
             },
             cell: ({ row }) => {
+                if (row.original.resourceName && row.original.resourceNiceId) {
+                    return (
+                        <Link
+                            href={`/${row.original.orgId}/settings/resources/proxy/${row.original.resourceNiceId}`}
+                        >
+                            <Button
+                                variant="outline"
+                                size="sm"
+                                className="text-xs h-6"
+                            >
+                                {row.original.resourceName}
+                                <ArrowUpRight className="ml-2 h-3 w-3" />
+                            </Button>
+                        </Link>
+                    );
+                }
                 return (
                     <span className="whitespace-nowrap">
                         {row.original.resourceName ?? "—"}
@@ -421,6 +469,86 @@ export default function ConnectionLogsPage() {
                 );
             }
         },
+        {
+            accessorKey: "clientName",
+            header: ({ column }) => {
+                return (
+                    <div className="flex items-center gap-2">
+                        <span>{t("client")}</span>
+                        <ColumnFilter
+                            options={filterAttributes.clients.map((c) => ({
+                                value: c.id.toString(),
+                                label: c.name
+                            }))}
+                            selectedValue={filters.clientId}
+                            onValueChange={(value) =>
+                                handleFilterChange("clientId", value)
+                            }
+                            searchPlaceholder="Search..."
+                            emptyMessage="None found"
+                        />
+                    </div>
+                );
+            },
+            cell: ({ row }) => {
+                const clientType = row.original.clientType === "olm" ? "machine" : "user";
+                if (row.original.clientName && row.original.clientNiceId) {
+                    return (
+                        <Link
+                            href={`/${row.original.orgId}/settings/clients/${clientType}/${row.original.clientNiceId}`}
+                        >
+                            <Button
+                                variant="outline"
+                                size="sm"
+                                className="text-xs h-6"
+                            >
+                                <Laptop className="mr-1 h-3 w-3" />
+                                {row.original.clientName}
+                                <ArrowUpRight className="ml-2 h-3 w-3" />
+                            </Button>
+                        </Link>
+                    );
+                }
+                return (
+                    <span className="whitespace-nowrap">
+                        {row.original.clientName ?? "—"}
+                    </span>
+                );
+            }
+        },
+        {
+            accessorKey: "userEmail",
+            header: ({ column }) => {
+                return (
+                    <div className="flex items-center gap-2">
+                        <span>{t("user")}</span>
+                        <ColumnFilter
+                            options={filterAttributes.users.map((u) => ({
+                                value: u.id,
+                                label: u.email || u.id
+                            }))}
+                            selectedValue={filters.userId}
+                            onValueChange={(value) =>
+                                handleFilterChange("userId", value)
+                            }
+                            searchPlaceholder="Search..."
+                            emptyMessage="None found"
+                        />
+                    </div>
+                );
+            },
+            cell: ({ row }) => {
+                if (row.original.userEmail || row.original.userId) {
+                    return (
+                        <span className="flex items-center gap-1 whitespace-nowrap">
+                            <User className="h-4 w-4" />
+                            {row.original.userEmail ?? row.original.userId}
+                        </span>
+                    );
+                }
+                return <span>—</span>;
+            }
+        },
         {
             accessorKey: "sourceAddr",
             header: ({ column }) => {
@@ -437,7 +565,23 @@ export default function ConnectionLogsPage() {
         {
             accessorKey: "destAddr",
             header: ({ column }) => {
-                return t("destinationAddress");
+                return (
+                    <div className="flex items-center gap-2">
+                        <span>{t("destinationAddress")}</span>
+                        <ColumnFilter
+                            options={filterAttributes.destAddrs.map((addr) => ({
+                                value: addr,
+                                label: addr
+                            }))}
+                            selectedValue={filters.destAddr}
+                            onValueChange={(value) =>
+                                handleFilterChange("destAddr", value)
+                            }
+                            searchPlaceholder="Search..."
+                            emptyMessage="None found"
+                        />
+                    </div>
+                );
             },
             cell: ({ row }) => {
                 return (
@@ -470,10 +614,9 @@ export default function ConnectionLogsPage() {
             <div className="space-y-4">
                 <div className="grid grid-cols-1 md:grid-cols-3 gap-4 text-xs">
                     <div className="space-y-2">
-                        <div className="flex items-center gap-1 font-semibold text-sm mb-1">
-                            <Cable className="h-4 w-4" />
+                        {/*<div className="flex items-center gap-1 font-semibold text-sm mb-1">
                             Connection Details
-                        </div>
+                        </div>*/}
                         <div>
                             <strong>Session ID:</strong>{" "}
                             <span className="font-mono">
@@ -518,10 +661,9 @@ export default function ConnectionLogsPage() {
                         </div>
                     </div>
                     <div className="space-y-2">
-                        <div className="flex items-center gap-1 font-semibold text-sm mb-1">
-                            <Server className="h-4 w-4" />
+                        {/*<div className="flex items-center gap-1 font-semibold text-sm mb-1">
                             Resource & Site
-                        </div>
+                        </div>*/}
                         <div>
                             <strong>Resource:</strong>{" "}
                             {row.resourceName ?? "—"}
@@ -548,10 +690,9 @@ export default function ConnectionLogsPage() {
                         </div>
                     </div>
                     <div className="space-y-2">
-                        <div className="flex items-center gap-1 font-semibold text-sm mb-1">
-                            <Monitor className="h-4 w-4" />
+                        {/*<div className="flex items-center gap-1 font-semibold text-sm mb-1">
                             Client & Transfer
-                        </div>
+                        </div>*/}
                         <div>
                             <strong>Client:</strong> {row.clientName ?? "—"}
                             {row.clientId && (
@@ -561,7 +702,8 @@ export default function ConnectionLogsPage() {
                             )}
                         </div>
                         <div>
-                            <strong>User ID:</strong> {row.userId ?? "—"}
+                            <strong>User:</strong>{" "}
+                            {row.userEmail ?? row.userId ?? "—"}
                         </div>
                         <div>
                             <strong>Bytes Sent (TX):</strong>{" "}
@@ -627,4 +769,4 @@ export default function ConnectionLogsPage() {
             />
         </>
     );
-}
\ No newline at end of file
+}

From f9bff5954f190ce697b9d4ed6ed3b3992343e854 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 23 Mar 2026 21:49:22 -0700
Subject: [PATCH 097/314] Add filters and refine table and query

---
 .../[orgId]/settings/logs/connection/page.tsx | 78 ++++++++-----------
 1 file changed, 33 insertions(+), 45 deletions(-)

diff --git a/src/app/[orgId]/settings/logs/connection/page.tsx b/src/app/[orgId]/settings/logs/connection/page.tsx
index 7ac137467..1d93e0658 100644
--- a/src/app/[orgId]/settings/logs/connection/page.tsx
+++ b/src/app/[orgId]/settings/logs/connection/page.tsx
@@ -639,6 +639,31 @@ export default function ConnectionLogsPage() {
                                 {row.destAddr ?? "—"}
                             </span>
                         </div>
+                    </div>
+                    <div className="space-y-2">
+                        {/*<div className="flex items-center gap-1 font-semibold text-sm mb-1">
+                            Resource & Site
+                        </div>*/}
+                        {/*<div>
+                            <strong>Resource:</strong>{" "}
+                            {row.resourceName ?? "—"}
+                            {row.resourceNiceId && (
+                                <span className="text-muted-foreground ml-1">
+                                    ({row.resourceNiceId})
+                                </span>
+                            )}
+                        </div>*/}
+                        <div>
+                            <strong>Site:</strong> {row.siteName ?? "—"}
+                            {row.siteNiceId && (
+                                <span className="text-muted-foreground ml-1">
+                                    ({row.siteNiceId})
+                                </span>
+                            )}
+                        </div>
+                        <div>
+                            <strong>Site ID:</strong> {row.siteId ?? "—"}
+                        </div>
                         <div>
                             <strong>Started At:</strong>{" "}
                             {row.startedAt
@@ -659,66 +684,29 @@ export default function ConnectionLogsPage() {
                             <strong>Duration:</strong>{" "}
                             {formatDuration(row.startedAt, row.endedAt)}
                         </div>
-                    </div>
-                    <div className="space-y-2">
-                        {/*<div className="flex items-center gap-1 font-semibold text-sm mb-1">
-                            Resource & Site
-                        </div>*/}
-                        <div>
-                            <strong>Resource:</strong>{" "}
-                            {row.resourceName ?? "—"}
-                            {row.resourceNiceId && (
-                                <span className="text-muted-foreground ml-1">
-                                    ({row.resourceNiceId})
-                                </span>
-                            )}
-                        </div>
-                        <div>
-                            <strong>Site:</strong> {row.siteName ?? "—"}
-                            {row.siteNiceId && (
-                                <span className="text-muted-foreground ml-1">
-                                    ({row.siteNiceId})
-                                </span>
-                            )}
-                        </div>
-                        <div>
-                            <strong>Site ID:</strong> {row.siteId ?? "—"}
-                        </div>
-                        <div>
+                        {/*<div>
                             <strong>Resource ID:</strong>{" "}
                             {row.siteResourceId ?? "—"}
-                        </div>
+                        </div>*/}
                     </div>
                     <div className="space-y-2">
                         {/*<div className="flex items-center gap-1 font-semibold text-sm mb-1">
                             Client & Transfer
                         </div>*/}
-                        <div>
-                            <strong>Client:</strong> {row.clientName ?? "—"}
-                            {row.clientId && (
-                                <span className="text-muted-foreground ml-1">
-                                    (ID: {row.clientId})
-                                </span>
-                            )}
-                        </div>
-                        <div>
-                            <strong>User:</strong>{" "}
-                            {row.userEmail ?? row.userId ?? "—"}
-                        </div>
-                        <div>
+                        {/*<div>
                             <strong>Bytes Sent (TX):</strong>{" "}
                             {formatBytes(row.bytesTx)}
-                        </div>
-                        <div>
+                        </div>*/}
+                        {/*<div>
                             <strong>Bytes Received (RX):</strong>{" "}
                             {formatBytes(row.bytesRx)}
-                        </div>
-                        <div>
+                        </div>*/}
+                        {/*<div>
                             <strong>Total Transfer:</strong>{" "}
                             {formatBytes(
                                 (row.bytesTx ?? 0) + (row.bytesRx ?? 0)
                             )}
-                        </div>
+                        </div>*/}
                     </div>
                 </div>
             </div>

From 7b78b914493cb1bf2f5066a05296b787f1dd7517 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 23 Mar 2026 22:00:53 -0700
Subject: [PATCH 098/314] Fix resource link

---
 src/app/[orgId]/settings/logs/connection/page.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/app/[orgId]/settings/logs/connection/page.tsx b/src/app/[orgId]/settings/logs/connection/page.tsx
index 1d93e0658..dff42faac 100644
--- a/src/app/[orgId]/settings/logs/connection/page.tsx
+++ b/src/app/[orgId]/settings/logs/connection/page.tsx
@@ -449,7 +449,7 @@ export default function ConnectionLogsPage() {
                 if (row.original.resourceName && row.original.resourceNiceId) {
                     return (
                         <Link
-                            href={`/${row.original.orgId}/settings/resources/proxy/${row.original.resourceNiceId}`}
+                            href={`/${row.original.orgId}/settings/resources/client/?query=${row.original.resourceNiceId}`}
                         >
                             <Button
                                 variant="outline"

From 84925f724d8e6d0b068e1c20c87868fd68ee6f45 Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Tue, 24 Mar 2026 23:43:01 +0100
Subject: [PATCH 099/314] =?UTF-8?q?=F0=9F=92=84=20update=20UI?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/components/InternalResourceForm.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/components/InternalResourceForm.tsx b/src/components/InternalResourceForm.tsx
index 0cf86a8eb..4486b05fe 100644
--- a/src/components/InternalResourceForm.tsx
+++ b/src/components/InternalResourceForm.tsx
@@ -543,7 +543,7 @@ export function InternalResourceForm({
                 className="space-y-6"
                 id={formId}
             >
-                <div className="grid gap-4">
+                <div className="grid grid-cols-2 gap-4">
                     <FormField
                         control={form.control}
                         name="name"

From 5b894e8682a0aa4db18c714da06db19cd19abe87 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 16:01:54 -0700
Subject: [PATCH 100/314] Disable everything if not paid

---
 src/app/[orgId]/settings/(private)/idp/create/page.tsx | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/app/[orgId]/settings/(private)/idp/create/page.tsx b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
index 4c783e9b2..fc2c6c382 100644
--- a/src/app/[orgId]/settings/(private)/idp/create/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
@@ -275,6 +275,8 @@ export default function Page() {
         }
     }
 
+    const disabled = !isPaidUser(tierMatrix.orgOidc);
+
     return (
         <>
             <div className="flex justify-between">
@@ -292,6 +294,9 @@ export default function Page() {
                 </Button>
             </div>
 
+            <PaidFeaturesAlert tiers={tierMatrix.orgOidc} />
+
+            <fieldset disabled={disabled} className={disabled ? "opacity-50 pointer-events-none" : ""}>
             <SettingsContainer>
                 <SettingsSection>
                     <SettingsSectionHeader>
@@ -812,9 +817,10 @@ export default function Page() {
                 </Button>
                 <Button
                     type="submit"
-                    disabled={createLoading || !isPaidUser(tierMatrix.orgOidc)}
+                    disabled={createLoading || disabled}
                     loading={createLoading}
                     onClick={() => {
+                        if (disabled) return;
                         // log any issues with the form
                         console.log(form.formState.errors);
                         form.handleSubmit(onSubmit)();
@@ -823,6 +829,7 @@ export default function Page() {
                     {t("idpSubmit")}
                 </Button>
             </div>
+            </fieldset>
         </>
     );
 }

From 5a2a97b23a5034c92e57179571d5485888fe001a Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 16:12:13 -0700
Subject: [PATCH 101/314] Add better pooling controls

---
 server/db/pg/driver.ts     | 35 ++++++++++++---------
 server/db/pg/logsDriver.ts | 35 ++++++++++++---------
 server/db/pg/poolConfig.ts | 63 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 105 insertions(+), 28 deletions(-)
 create mode 100644 server/db/pg/poolConfig.ts

diff --git a/server/db/pg/driver.ts b/server/db/pg/driver.ts
index 5b357d060..9366e32e1 100644
--- a/server/db/pg/driver.ts
+++ b/server/db/pg/driver.ts
@@ -1,7 +1,7 @@
 import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
-import { Pool } from "pg";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
+import { createPool } from "./poolConfig";
 
 function createDb() {
     const config = readConfigFile();
@@ -39,12 +39,17 @@ function createDb() {
 
     // Create connection pools instead of individual connections
     const poolConfig = config.postgres.pool;
-    const primaryPool = new Pool({
+    const maxConnections = poolConfig?.max_connections || 20;
+    const idleTimeoutMs = poolConfig?.idle_timeout_ms || 30000;
+    const connectionTimeoutMs = poolConfig?.connection_timeout_ms || 5000;
+
+    const primaryPool = createPool(
         connectionString,
-        max: poolConfig?.max_connections || 20,
-        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
-    });
+        maxConnections,
+        idleTimeoutMs,
+        connectionTimeoutMs,
+        "primary"
+    );
 
     const replicas = [];
 
@@ -55,14 +60,16 @@ function createDb() {
             })
         );
     } else {
+        const maxReplicaConnections =
+            poolConfig?.max_replica_connections || 20;
         for (const conn of replicaConnections) {
-            const replicaPool = new Pool({
-                connectionString: conn.connection_string,
-                max: poolConfig?.max_replica_connections || 20,
-                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-                connectionTimeoutMillis:
-                    poolConfig?.connection_timeout_ms || 5000
-            });
+            const replicaPool = createPool(
+                conn.connection_string,
+                maxReplicaConnections,
+                idleTimeoutMs,
+                connectionTimeoutMs,
+                "replica"
+            );
             replicas.push(
                 DrizzlePostgres(replicaPool, {
                     logger: process.env.QUERY_LOGGING == "true"
@@ -84,4 +91,4 @@ export default db;
 export const primaryDb = db.$primary;
 export type Transaction = Parameters<
     Parameters<(typeof db)["transaction"]>[0]
->[0];
+>[0];
\ No newline at end of file
diff --git a/server/db/pg/logsDriver.ts b/server/db/pg/logsDriver.ts
index 49e26f89f..146b8fb2f 100644
--- a/server/db/pg/logsDriver.ts
+++ b/server/db/pg/logsDriver.ts
@@ -1,9 +1,9 @@
 import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
-import { Pool } from "pg";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
 import { build } from "@server/build";
 import { db as mainDb, primaryDb as mainPrimaryDb } from "./driver";
+import { createPool } from "./poolConfig";
 
 function createLogsDb() {
     // Only use separate logs database in SaaS builds
@@ -42,12 +42,17 @@ function createLogsDb() {
 
     // Create separate connection pool for logs database
     const poolConfig = logsConfig?.pool || config.postgres?.pool;
-    const primaryPool = new Pool({
+    const maxConnections = poolConfig?.max_connections || 20;
+    const idleTimeoutMs = poolConfig?.idle_timeout_ms || 30000;
+    const connectionTimeoutMs = poolConfig?.connection_timeout_ms || 5000;
+
+    const primaryPool = createPool(
         connectionString,
-        max: poolConfig?.max_connections || 20,
-        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
-    });
+        maxConnections,
+        idleTimeoutMs,
+        connectionTimeoutMs,
+        "logs-primary"
+    );
 
     const replicas = [];
 
@@ -58,14 +63,16 @@ function createLogsDb() {
             })
         );
     } else {
+        const maxReplicaConnections =
+            poolConfig?.max_replica_connections || 20;
         for (const conn of replicaConnections) {
-            const replicaPool = new Pool({
-                connectionString: conn.connection_string,
-                max: poolConfig?.max_replica_connections || 20,
-                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-                connectionTimeoutMillis:
-                    poolConfig?.connection_timeout_ms || 5000
-            });
+            const replicaPool = createPool(
+                conn.connection_string,
+                maxReplicaConnections,
+                idleTimeoutMs,
+                connectionTimeoutMs,
+                "logs-replica"
+            );
             replicas.push(
                 DrizzlePostgres(replicaPool, {
                     logger: process.env.QUERY_LOGGING == "true"
@@ -84,4 +91,4 @@ function createLogsDb() {
 
 export const logsDb = createLogsDb();
 export default logsDb;
-export const primaryLogsDb = logsDb.$primary;
+export const primaryLogsDb = logsDb.$primary;
\ No newline at end of file
diff --git a/server/db/pg/poolConfig.ts b/server/db/pg/poolConfig.ts
new file mode 100644
index 000000000..f753121c1
--- /dev/null
+++ b/server/db/pg/poolConfig.ts
@@ -0,0 +1,63 @@
+import { Pool, PoolConfig } from "pg";
+import logger from "@server/logger";
+
+export function createPoolConfig(
+    connectionString: string,
+    maxConnections: number,
+    idleTimeoutMs: number,
+    connectionTimeoutMs: number
+): PoolConfig {
+    return {
+        connectionString,
+        max: maxConnections,
+        idleTimeoutMillis: idleTimeoutMs,
+        connectionTimeoutMillis: connectionTimeoutMs,
+        // TCP keepalive to prevent silent connection drops by NAT gateways,
+        // load balancers, and other intermediate network devices (e.g. AWS
+        // NAT Gateway drops idle TCP connections after ~350s)
+        keepAlive: true,
+        keepAliveInitialDelayMillis: 10000, // send first keepalive after 10s of idle
+        // Allow connections to be released and recreated more aggressively
+        // to avoid stale connections building up
+        allowExitOnIdle: false
+    };
+}
+
+export function attachPoolErrorHandlers(pool: Pool, label: string): void {
+    pool.on("error", (err) => {
+        // This catches errors on idle clients in the pool. Without this
+        // handler an unexpected disconnect would crash the process.
+        logger.error(
+            `Unexpected error on idle ${label} database client: ${err.message}`
+        );
+    });
+
+    pool.on("connect", (client) => {
+        // Set a statement timeout on every new connection so a single slow
+        // query can't block the pool forever
+        client.query("SET statement_timeout = '30s'").catch((err: Error) => {
+            logger.warn(
+                `Failed to set statement_timeout on ${label} client: ${err.message}`
+            );
+        });
+    });
+}
+
+export function createPool(
+    connectionString: string,
+    maxConnections: number,
+    idleTimeoutMs: number,
+    connectionTimeoutMs: number,
+    label: string
+): Pool {
+    const pool = new Pool(
+        createPoolConfig(
+            connectionString,
+            maxConnections,
+            idleTimeoutMs,
+            connectionTimeoutMs
+        )
+    );
+    attachPoolErrorHandlers(pool, label);
+    return pool;
+}
\ No newline at end of file

From 7db58f920c9b410b2e1401ee4e90b2cb928a6171 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Tue, 24 Mar 2026 16:19:00 -0700
Subject: [PATCH 102/314] add site provisioning key crud

---
 server/auth/actions.ts                        |   3 +
 server/db/pg/schema/privateSchema.ts          |  42 +++++-
 server/db/sqlite/schema/privateSchema.ts      |  29 +++-
 server/middlewares/index.ts                   |   1 +
 .../verifySiteProvisioningKeyAccess.ts        | 131 ++++++++++++++++++
 server/routers/external.ts                    |  29 +++-
 .../createSiteProvisioningKey.ts              | 108 +++++++++++++++
 .../deleteSiteProvisioningKey.ts              | 116 ++++++++++++++++
 server/routers/siteProvisioning/index.ts      |   3 +
 .../listSiteProvisioningKeys.ts               | 115 +++++++++++++++
 10 files changed, 571 insertions(+), 6 deletions(-)
 create mode 100644 server/middlewares/verifySiteProvisioningKeyAccess.ts
 create mode 100644 server/routers/siteProvisioning/createSiteProvisioningKey.ts
 create mode 100644 server/routers/siteProvisioning/deleteSiteProvisioningKey.ts
 create mode 100644 server/routers/siteProvisioning/index.ts
 create mode 100644 server/routers/siteProvisioning/listSiteProvisioningKeys.ts

diff --git a/server/auth/actions.ts b/server/auth/actions.ts
index 450e3f42b..6cdc4fa0a 100644
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -109,6 +109,9 @@ export enum ActionsEnum {
     listApiKeyActions = "listApiKeyActions",
     listApiKeys = "listApiKeys",
     getApiKey = "getApiKey",
+    createSiteProvisioningKey = "createSiteProvisioningKey",
+    listSiteProvisioningKeys = "listSiteProvisioningKeys",
+    deleteSiteProvisioningKey = "deleteSiteProvisioningKey",
     getCertificate = "getCertificate",
     restartCertificate = "restartCertificate",
     billing = "billing",
diff --git a/server/db/pg/schema/privateSchema.ts b/server/db/pg/schema/privateSchema.ts
index c9d7cc907..63d6bcd60 100644
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -7,7 +7,8 @@ import {
     bigint,
     real,
     text,
-    index
+    index,
+    primaryKey
 } from "drizzle-orm/pg-core";
 import { InferSelectModel } from "drizzle-orm";
 import {
@@ -89,7 +90,9 @@ export const subscriptions = pgTable("subscriptions", {
 
 export const subscriptionItems = pgTable("subscriptionItems", {
     subscriptionItemId: serial("subscriptionItemId").primaryKey(),
-    stripeSubscriptionItemId: varchar("stripeSubscriptionItemId", { length: 255 }),
+    stripeSubscriptionItemId: varchar("stripeSubscriptionItemId", {
+        length: 255
+    }),
     subscriptionId: varchar("subscriptionId", { length: 255 })
         .notNull()
         .references(() => subscriptions.subscriptionId, {
@@ -329,13 +332,44 @@ export const approvals = pgTable("approvals", {
 });
 
 export const bannedEmails = pgTable("bannedEmails", {
-    email: varchar("email", { length: 255 }).primaryKey(),
+    email: varchar("email", { length: 255 }).primaryKey()
 });
 
 export const bannedIps = pgTable("bannedIps", {
-    ip: varchar("ip", { length: 255 }).primaryKey(),
+    ip: varchar("ip", { length: 255 }).primaryKey()
 });
 
+export const siteProvisioningKeys = pgTable("siteProvisioningKeys", {
+    siteProvisioningKeyId: varchar("siteProvisioningKeyId", {
+        length: 255
+    }).primaryKey(),
+    name: varchar("name", { length: 255 }).notNull(),
+    siteProvisioningKeyHash: text("siteProvisioningKeyHash").notNull(),
+    lastChars: varchar("lastChars", { length: 4 }).notNull(),
+    createdAt: varchar("dateCreated", { length: 255 }).notNull()
+});
+
+export const siteProvisioningKeyOrg = pgTable(
+    "siteProvisioningKeyOrg",
+    {
+        siteProvisioningKeyId: varchar("siteProvisioningKeyId", {
+            length: 255
+        })
+            .notNull()
+            .references(() => siteProvisioningKeys.siteProvisioningKeyId, {
+                onDelete: "cascade"
+            }),
+        orgId: varchar("orgId", { length: 255 })
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" })
+    },
+    (table) => [
+        primaryKey({
+            columns: [table.siteProvisioningKeyId, table.orgId]
+        })
+    ]
+);
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
diff --git a/server/db/sqlite/schema/privateSchema.ts b/server/db/sqlite/schema/privateSchema.ts
index 8baeb5220..ac2662e27 100644
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -2,6 +2,7 @@ import { InferSelectModel } from "drizzle-orm";
 import {
     index,
     integer,
+    primaryKey,
     real,
     sqliteTable,
     text
@@ -318,7 +319,6 @@ export const approvals = sqliteTable("approvals", {
         .notNull()
 });
 
-
 export const bannedEmails = sqliteTable("bannedEmails", {
     email: text("email").primaryKey()
 });
@@ -327,6 +327,33 @@ export const bannedIps = sqliteTable("bannedIps", {
     ip: text("ip").primaryKey()
 });
 
+export const siteProvisioningKeys = sqliteTable("siteProvisioningKeys", {
+    siteProvisioningKeyId: text("siteProvisioningKeyId").primaryKey(),
+    name: text("name").notNull(),
+    siteProvisioningKeyHash: text("siteProvisioningKeyHash").notNull(),
+    lastChars: text("lastChars").notNull(),
+    createdAt: text("dateCreated").notNull()
+});
+
+export const siteProvisioningKeyOrg = sqliteTable(
+    "siteProvisioningKeyOrg",
+    {
+        siteProvisioningKeyId: text("siteProvisioningKeyId")
+            .notNull()
+            .references(() => siteProvisioningKeys.siteProvisioningKeyId, {
+                onDelete: "cascade"
+            }),
+        orgId: text("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" })
+    },
+    (table) => [
+        primaryKey({
+            columns: [table.siteProvisioningKeyId, table.orgId]
+        })
+    ]
+);
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
diff --git a/server/middlewares/index.ts b/server/middlewares/index.ts
index 6437c90e2..0f485e637 100644
--- a/server/middlewares/index.ts
+++ b/server/middlewares/index.ts
@@ -24,6 +24,7 @@ export * from "./verifyClientAccess";
 export * from "./integration";
 export * from "./verifyUserHasAction";
 export * from "./verifyApiKeyAccess";
+export * from "./verifySiteProvisioningKeyAccess";
 export * from "./verifyDomainAccess";
 export * from "./verifyUserIsOrgOwner";
 export * from "./verifySiteResourceAccess";
diff --git a/server/middlewares/verifySiteProvisioningKeyAccess.ts b/server/middlewares/verifySiteProvisioningKeyAccess.ts
new file mode 100644
index 000000000..e0d446de6
--- /dev/null
+++ b/server/middlewares/verifySiteProvisioningKeyAccess.ts
@@ -0,0 +1,131 @@
+import { Request, Response, NextFunction } from "express";
+import { db, userOrgs, siteProvisioningKeys, siteProvisioningKeyOrg } from "@server/db";
+import { and, eq } from "drizzle-orm";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+
+export async function verifySiteProvisioningKeyAccess(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const userId = req.user!.userId;
+        const siteProvisioningKeyId = req.params.siteProvisioningKeyId;
+        const orgId = req.params.orgId;
+
+        if (!userId) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
+            );
+        }
+
+        if (!orgId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
+            );
+        }
+
+        if (!siteProvisioningKeyId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid key ID")
+            );
+        }
+
+        const [row] = await db
+            .select()
+            .from(siteProvisioningKeys)
+            .innerJoin(
+                siteProvisioningKeyOrg,
+                and(
+                    eq(
+                        siteProvisioningKeys.siteProvisioningKeyId,
+                        siteProvisioningKeyOrg.siteProvisioningKeyId
+                    ),
+                    eq(siteProvisioningKeyOrg.orgId, orgId)
+                )
+            )
+            .where(
+                eq(
+                    siteProvisioningKeys.siteProvisioningKeyId,
+                    siteProvisioningKeyId
+                )
+            )
+            .limit(1);
+
+        if (!row?.siteProvisioningKeys) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Site provisioning key with ID ${siteProvisioningKeyId} not found`
+                )
+            );
+        }
+
+        if (!row.siteProvisioningKeyOrg.orgId) {
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    `Site provisioning key with ID ${siteProvisioningKeyId} does not have an organization ID`
+                )
+            );
+        }
+
+        if (!req.userOrg) {
+            const userOrgRole = await db
+                .select()
+                .from(userOrgs)
+                .where(
+                    and(
+                        eq(userOrgs.userId, userId),
+                        eq(
+                            userOrgs.orgId,
+                            row.siteProvisioningKeyOrg.orgId
+                        )
+                    )
+                )
+                .limit(1);
+            req.userOrg = userOrgRole[0];
+        }
+
+        if (!req.userOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "User does not have access to this organization"
+                )
+            );
+        }
+
+        if (req.orgPolicyAllowed === undefined && req.userOrg.orgId) {
+            const policyCheck = await checkOrgAccessPolicy({
+                orgId: req.userOrg.orgId,
+                userId,
+                session: req.session
+            });
+            req.orgPolicyAllowed = policyCheck.allowed;
+            if (!policyCheck.allowed || policyCheck.error) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Failed organization access policy check: " +
+                            (policyCheck.error || "Unknown error")
+                    )
+                );
+            }
+        }
+
+        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleId = userOrgRoleId;
+
+        return next();
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Error verifying site provisioning key access"
+            )
+        );
+    }
+}
diff --git a/server/routers/external.ts b/server/routers/external.ts
index 45ab58bba..90f208863 100644
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -15,6 +15,7 @@ import * as accessToken from "./accessToken";
 import * as idp from "./idp";
 import * as blueprints from "./blueprints";
 import * as apiKeys from "./apiKeys";
+import * as siteProvisioning from "./siteProvisioning";
 import * as logs from "./auditLogs";
 import * as newt from "./newt";
 import * as olm from "./olm";
@@ -42,7 +43,8 @@ import {
     verifyUserIsOrgOwner,
     verifySiteResourceAccess,
     verifyOlmAccess,
-    verifyLimits
+    verifyLimits,
+    verifySiteProvisioningKeyAccess
 } from "@server/middlewares";
 import { ActionsEnum } from "@server/auth/actions";
 import rateLimit, { ipKeyGenerator } from "express-rate-limit";
@@ -986,6 +988,31 @@ authenticated.get(
     apiKeys.listRootApiKeys
 );
 
+authenticated.put(
+    `/org/:orgId/site-provisioning-key`,
+    verifyOrgAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.createSiteProvisioningKey),
+    logActionAudit(ActionsEnum.createSiteProvisioningKey),
+    siteProvisioning.createSiteProvisioningKey
+);
+
+authenticated.get(
+    `/org/:orgId/site-provisioning-keys`,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.listSiteProvisioningKeys),
+    siteProvisioning.listSiteProvisioningKeys
+);
+
+authenticated.delete(
+    `/org/:orgId/site-provisioning-key/:siteProvisioningKeyId`,
+    verifyOrgAccess,
+    verifySiteProvisioningKeyAccess,
+    verifyUserHasAction(ActionsEnum.deleteSiteProvisioningKey),
+    logActionAudit(ActionsEnum.deleteSiteProvisioningKey),
+    siteProvisioning.deleteSiteProvisioningKey
+);
+
 authenticated.get(
     `/api-key/:apiKeyId/actions`,
     verifyUserIsServerAdmin,
diff --git a/server/routers/siteProvisioning/createSiteProvisioningKey.ts b/server/routers/siteProvisioning/createSiteProvisioningKey.ts
new file mode 100644
index 000000000..9bb298966
--- /dev/null
+++ b/server/routers/siteProvisioning/createSiteProvisioningKey.ts
@@ -0,0 +1,108 @@
+import { NextFunction, Request, Response } from "express";
+import { db, siteProvisioningKeyOrg, siteProvisioningKeys } from "@server/db";
+import HttpCode from "@server/types/HttpCode";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+import createHttpError from "http-errors";
+import response from "@server/lib/response";
+import moment from "moment";
+import {
+    generateId,
+    generateIdFromEntropySize
+} from "@server/auth/sessions/app";
+import logger from "@server/logger";
+import { hashPassword } from "@server/auth/password";
+
+const paramsSchema = z.object({
+    orgId: z.string().nonempty()
+});
+
+const bodySchema = z.strictObject({
+    name: z.string().min(1).max(255)
+});
+
+export type CreateSiteProvisioningKeyBody = z.infer<typeof bodySchema>;
+
+export type CreateSiteProvisioningKeyResponse = {
+    siteProvisioningKeyId: string;
+    orgId: string;
+    name: string;
+    siteProvisioningKey: string;
+    lastChars: string;
+    createdAt: string;
+};
+
+export async function createSiteProvisioningKey(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    const parsedParams = paramsSchema.safeParse(req.params);
+    if (!parsedParams.success) {
+        return next(
+            createHttpError(
+                HttpCode.BAD_REQUEST,
+                fromError(parsedParams.error).toString()
+            )
+        );
+    }
+
+    const parsedBody = bodySchema.safeParse(req.body);
+    if (!parsedBody.success) {
+        return next(
+            createHttpError(
+                HttpCode.BAD_REQUEST,
+                fromError(parsedBody.error).toString()
+            )
+        );
+    }
+
+    const { orgId } = parsedParams.data;
+    const { name } = parsedBody.data;
+
+    const siteProvisioningKeyId = `spk-${generateId(15)}`;
+    const siteProvisioningKey = generateIdFromEntropySize(25);
+    const siteProvisioningKeyHash = await hashPassword(siteProvisioningKey);
+    const lastChars = siteProvisioningKey.slice(-4);
+    const createdAt = moment().toISOString();
+
+    await db.transaction(async (trx) => {
+        await trx.insert(siteProvisioningKeys).values({
+            siteProvisioningKeyId,
+            name,
+            siteProvisioningKeyHash,
+            createdAt,
+            lastChars
+        });
+
+        await trx.insert(siteProvisioningKeyOrg).values({
+            siteProvisioningKeyId,
+            orgId
+        });
+    });
+
+    try {
+        return response<CreateSiteProvisioningKeyResponse>(res, {
+            data: {
+                siteProvisioningKeyId,
+                orgId,
+                name,
+                siteProvisioningKey,
+                lastChars,
+                createdAt
+            },
+            success: true,
+            error: false,
+            message: "Site provisioning key created",
+            status: HttpCode.CREATED
+        });
+    } catch (e) {
+        logger.error(e);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to create site provisioning key"
+            )
+        );
+    }
+}
diff --git a/server/routers/siteProvisioning/deleteSiteProvisioningKey.ts b/server/routers/siteProvisioning/deleteSiteProvisioningKey.ts
new file mode 100644
index 000000000..d1da01d97
--- /dev/null
+++ b/server/routers/siteProvisioning/deleteSiteProvisioningKey.ts
@@ -0,0 +1,116 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import {
+    db,
+    siteProvisioningKeyOrg,
+    siteProvisioningKeys
+} from "@server/db";
+import { and, eq } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+
+const paramsSchema = z.object({
+    siteProvisioningKeyId: z.string().nonempty(),
+    orgId: z.string().nonempty()
+});
+
+export async function deleteSiteProvisioningKey(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { siteProvisioningKeyId, orgId } = parsedParams.data;
+
+        const [row] = await db
+            .select()
+            .from(siteProvisioningKeys)
+            .where(
+                eq(
+                    siteProvisioningKeys.siteProvisioningKeyId,
+                    siteProvisioningKeyId
+                )
+            )
+            .innerJoin(
+                siteProvisioningKeyOrg,
+                and(
+                    eq(
+                        siteProvisioningKeys.siteProvisioningKeyId,
+                        siteProvisioningKeyOrg.siteProvisioningKeyId
+                    ),
+                    eq(siteProvisioningKeyOrg.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!row) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Site provisioning key with ID ${siteProvisioningKeyId} not found`
+                )
+            );
+        }
+
+        await db.transaction(async (trx) => {
+            await trx
+                .delete(siteProvisioningKeyOrg)
+                .where(
+                    and(
+                        eq(
+                            siteProvisioningKeyOrg.siteProvisioningKeyId,
+                            siteProvisioningKeyId
+                        ),
+                        eq(siteProvisioningKeyOrg.orgId, orgId)
+                    )
+                );
+
+            const siteProvisioningKeyOrgs = await trx
+                .select()
+                .from(siteProvisioningKeyOrg)
+                .where(
+                    eq(
+                        siteProvisioningKeyOrg.siteProvisioningKeyId,
+                        siteProvisioningKeyId
+                    )
+                );
+
+            if (siteProvisioningKeyOrgs.length === 0) {
+                await trx
+                    .delete(siteProvisioningKeys)
+                    .where(
+                        eq(
+                            siteProvisioningKeys.siteProvisioningKeyId,
+                            siteProvisioningKeyId
+                        )
+                    );
+            }
+        });
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Site provisioning key deleted successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
diff --git a/server/routers/siteProvisioning/index.ts b/server/routers/siteProvisioning/index.ts
new file mode 100644
index 000000000..b3f69f100
--- /dev/null
+++ b/server/routers/siteProvisioning/index.ts
@@ -0,0 +1,3 @@
+export * from "./createSiteProvisioningKey";
+export * from "./listSiteProvisioningKeys";
+export * from "./deleteSiteProvisioningKey";
diff --git a/server/routers/siteProvisioning/listSiteProvisioningKeys.ts b/server/routers/siteProvisioning/listSiteProvisioningKeys.ts
new file mode 100644
index 000000000..65360625c
--- /dev/null
+++ b/server/routers/siteProvisioning/listSiteProvisioningKeys.ts
@@ -0,0 +1,115 @@
+import {
+    db,
+    siteProvisioningKeyOrg,
+    siteProvisioningKeys
+} from "@server/db";
+import logger from "@server/logger";
+import HttpCode from "@server/types/HttpCode";
+import response from "@server/lib/response";
+import { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+import { eq } from "drizzle-orm";
+
+const paramsSchema = z.object({
+    orgId: z.string().nonempty()
+});
+
+const querySchema = z.object({
+    limit: z
+        .string()
+        .optional()
+        .default("1000")
+        .transform(Number)
+        .pipe(z.int().positive()),
+    offset: z
+        .string()
+        .optional()
+        .default("0")
+        .transform(Number)
+        .pipe(z.int().nonnegative())
+});
+
+function querySiteProvisioningKeys(orgId: string) {
+    return db
+        .select({
+            siteProvisioningKeyId:
+                siteProvisioningKeys.siteProvisioningKeyId,
+            orgId: siteProvisioningKeyOrg.orgId,
+            lastChars: siteProvisioningKeys.lastChars,
+            createdAt: siteProvisioningKeys.createdAt,
+            name: siteProvisioningKeys.name
+        })
+        .from(siteProvisioningKeyOrg)
+        .innerJoin(
+            siteProvisioningKeys,
+            eq(
+                siteProvisioningKeys.siteProvisioningKeyId,
+                siteProvisioningKeyOrg.siteProvisioningKeyId
+            )
+        )
+        .where(eq(siteProvisioningKeyOrg.orgId, orgId));
+}
+
+export type ListSiteProvisioningKeysResponse = {
+    siteProvisioningKeys: Awaited<
+        ReturnType<typeof querySiteProvisioningKeys>
+    >;
+    pagination: { total: number; limit: number; offset: number };
+};
+
+export async function listSiteProvisioningKeys(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error)
+                )
+            );
+        }
+
+        const parsedQuery = querySchema.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedQuery.error)
+                )
+            );
+        }
+
+        const { orgId } = parsedParams.data;
+        const { limit, offset } = parsedQuery.data;
+
+        const siteProvisioningKeysList = await querySiteProvisioningKeys(orgId)
+            .limit(limit)
+            .offset(offset);
+
+        return response<ListSiteProvisioningKeysResponse>(res, {
+            data: {
+                siteProvisioningKeys: siteProvisioningKeysList,
+                pagination: {
+                    total: siteProvisioningKeysList.length,
+                    limit,
+                    offset
+                }
+            },
+            success: true,
+            error: false,
+            message: "Site provisioning keys retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

From fff38aac85eae7205417e302c7a16aeff2f7a1ce Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 16:26:56 -0700
Subject: [PATCH 103/314] Add ssh access log

---
 server/private/routers/ssh/signSshKey.ts      | 19 +++++++++++++++++++
 src/app/[orgId]/settings/logs/access/page.tsx | 16 ++++++++--------
 2 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/server/private/routers/ssh/signSshKey.ts b/server/private/routers/ssh/signSshKey.ts
index 5cffb4a34..c39d2e0ae 100644
--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -24,6 +24,7 @@ import {
     sites,
     userOrgs
 } from "@server/db";
+import { logAccessAudit } from "#private/lib/logAccessAudit";
 import { isLicensedOrSubscribed } from "#private/lib/isLicencedOrSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import response from "@server/lib/response";
@@ -463,6 +464,24 @@ export async function signSshKey(
             })
         });
 
+        await logAccessAudit({
+            action: true,
+            type: "ssh",
+            orgId: orgId,
+            resourceId: resource.siteResourceId,
+            user: req.user
+                ? { username: req.user.username ?? "", userId: req.user.userId }
+                : undefined,
+            metadata: {
+                resourceName: resource.name,
+                siteId: resource.siteId,
+                sshUsername: usernameToUse,
+                sshHost: sshHost
+            },
+            userAgent: req.headers["user-agent"],
+            requestIp: req.ip
+        });
+
         return response<SignSshKeyResponse>(res, {
             data: {
                 certificate: cert.certificate,
diff --git a/src/app/[orgId]/settings/logs/access/page.tsx b/src/app/[orgId]/settings/logs/access/page.tsx
index 810022b98..dbb7b6708 100644
--- a/src/app/[orgId]/settings/logs/access/page.tsx
+++ b/src/app/[orgId]/settings/logs/access/page.tsx
@@ -493,7 +493,8 @@ export default function GeneralPage() {
                                 {
                                     value: "whitelistedEmail",
                                     label: "Whitelisted Email"
-                                }
+                                },
+                                { value: "ssh", label: "SSH" }
                             ]}
                             selectedValue={filters.type}
                             onValueChange={(value) =>
@@ -507,13 +508,12 @@ export default function GeneralPage() {
                 );
             },
             cell: ({ row }) => {
-                // should be capitalized first letter
-                return (
-                    <span>
-                        {row.original.type.charAt(0).toUpperCase() +
-                            row.original.type.slice(1) || "-"}
-                    </span>
-                );
+                const typeLabel =
+                    row.original.type === "ssh"
+                        ? "SSH"
+                        : row.original.type.charAt(0).toUpperCase() +
+                          row.original.type.slice(1);
+                return <span>{typeLabel || "-"}</span>;
             }
         },
         {

From 985e1bb9abae7ca24d746431b3d2f2d5418f4a6a Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 16:01:54 -0700
Subject: [PATCH 104/314] Disable everything if not paid

---
 src/app/[orgId]/settings/(private)/idp/create/page.tsx | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/app/[orgId]/settings/(private)/idp/create/page.tsx b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
index 4c783e9b2..fc2c6c382 100644
--- a/src/app/[orgId]/settings/(private)/idp/create/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
@@ -275,6 +275,8 @@ export default function Page() {
         }
     }
 
+    const disabled = !isPaidUser(tierMatrix.orgOidc);
+
     return (
         <>
             <div className="flex justify-between">
@@ -292,6 +294,9 @@ export default function Page() {
                 </Button>
             </div>
 
+            <PaidFeaturesAlert tiers={tierMatrix.orgOidc} />
+
+            <fieldset disabled={disabled} className={disabled ? "opacity-50 pointer-events-none" : ""}>
             <SettingsContainer>
                 <SettingsSection>
                     <SettingsSectionHeader>
@@ -812,9 +817,10 @@ export default function Page() {
                 </Button>
                 <Button
                     type="submit"
-                    disabled={createLoading || !isPaidUser(tierMatrix.orgOidc)}
+                    disabled={createLoading || disabled}
                     loading={createLoading}
                     onClick={() => {
+                        if (disabled) return;
                         // log any issues with the form
                         console.log(form.formState.errors);
                         form.handleSubmit(onSubmit)();
@@ -823,6 +829,7 @@ export default function Page() {
                     {t("idpSubmit")}
                 </Button>
             </div>
+            </fieldset>
         </>
     );
 }

From cf2dfdea5b667090f3034a5a5bbbb9ad212d7843 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 16:12:13 -0700
Subject: [PATCH 105/314] Add better pooling controls

---
 server/db/pg/driver.ts     | 35 ++++++++++++---------
 server/db/pg/logsDriver.ts | 35 ++++++++++++---------
 server/db/pg/poolConfig.ts | 63 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 105 insertions(+), 28 deletions(-)
 create mode 100644 server/db/pg/poolConfig.ts

diff --git a/server/db/pg/driver.ts b/server/db/pg/driver.ts
index 5b357d060..9366e32e1 100644
--- a/server/db/pg/driver.ts
+++ b/server/db/pg/driver.ts
@@ -1,7 +1,7 @@
 import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
-import { Pool } from "pg";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
+import { createPool } from "./poolConfig";
 
 function createDb() {
     const config = readConfigFile();
@@ -39,12 +39,17 @@ function createDb() {
 
     // Create connection pools instead of individual connections
     const poolConfig = config.postgres.pool;
-    const primaryPool = new Pool({
+    const maxConnections = poolConfig?.max_connections || 20;
+    const idleTimeoutMs = poolConfig?.idle_timeout_ms || 30000;
+    const connectionTimeoutMs = poolConfig?.connection_timeout_ms || 5000;
+
+    const primaryPool = createPool(
         connectionString,
-        max: poolConfig?.max_connections || 20,
-        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
-    });
+        maxConnections,
+        idleTimeoutMs,
+        connectionTimeoutMs,
+        "primary"
+    );
 
     const replicas = [];
 
@@ -55,14 +60,16 @@ function createDb() {
             })
         );
     } else {
+        const maxReplicaConnections =
+            poolConfig?.max_replica_connections || 20;
         for (const conn of replicaConnections) {
-            const replicaPool = new Pool({
-                connectionString: conn.connection_string,
-                max: poolConfig?.max_replica_connections || 20,
-                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-                connectionTimeoutMillis:
-                    poolConfig?.connection_timeout_ms || 5000
-            });
+            const replicaPool = createPool(
+                conn.connection_string,
+                maxReplicaConnections,
+                idleTimeoutMs,
+                connectionTimeoutMs,
+                "replica"
+            );
             replicas.push(
                 DrizzlePostgres(replicaPool, {
                     logger: process.env.QUERY_LOGGING == "true"
@@ -84,4 +91,4 @@ export default db;
 export const primaryDb = db.$primary;
 export type Transaction = Parameters<
     Parameters<(typeof db)["transaction"]>[0]
->[0];
+>[0];
\ No newline at end of file
diff --git a/server/db/pg/logsDriver.ts b/server/db/pg/logsDriver.ts
index 49e26f89f..146b8fb2f 100644
--- a/server/db/pg/logsDriver.ts
+++ b/server/db/pg/logsDriver.ts
@@ -1,9 +1,9 @@
 import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
-import { Pool } from "pg";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
 import { build } from "@server/build";
 import { db as mainDb, primaryDb as mainPrimaryDb } from "./driver";
+import { createPool } from "./poolConfig";
 
 function createLogsDb() {
     // Only use separate logs database in SaaS builds
@@ -42,12 +42,17 @@ function createLogsDb() {
 
     // Create separate connection pool for logs database
     const poolConfig = logsConfig?.pool || config.postgres?.pool;
-    const primaryPool = new Pool({
+    const maxConnections = poolConfig?.max_connections || 20;
+    const idleTimeoutMs = poolConfig?.idle_timeout_ms || 30000;
+    const connectionTimeoutMs = poolConfig?.connection_timeout_ms || 5000;
+
+    const primaryPool = createPool(
         connectionString,
-        max: poolConfig?.max_connections || 20,
-        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
-    });
+        maxConnections,
+        idleTimeoutMs,
+        connectionTimeoutMs,
+        "logs-primary"
+    );
 
     const replicas = [];
 
@@ -58,14 +63,16 @@ function createLogsDb() {
             })
         );
     } else {
+        const maxReplicaConnections =
+            poolConfig?.max_replica_connections || 20;
         for (const conn of replicaConnections) {
-            const replicaPool = new Pool({
-                connectionString: conn.connection_string,
-                max: poolConfig?.max_replica_connections || 20,
-                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-                connectionTimeoutMillis:
-                    poolConfig?.connection_timeout_ms || 5000
-            });
+            const replicaPool = createPool(
+                conn.connection_string,
+                maxReplicaConnections,
+                idleTimeoutMs,
+                connectionTimeoutMs,
+                "logs-replica"
+            );
             replicas.push(
                 DrizzlePostgres(replicaPool, {
                     logger: process.env.QUERY_LOGGING == "true"
@@ -84,4 +91,4 @@ function createLogsDb() {
 
 export const logsDb = createLogsDb();
 export default logsDb;
-export const primaryLogsDb = logsDb.$primary;
+export const primaryLogsDb = logsDb.$primary;
\ No newline at end of file
diff --git a/server/db/pg/poolConfig.ts b/server/db/pg/poolConfig.ts
new file mode 100644
index 000000000..f753121c1
--- /dev/null
+++ b/server/db/pg/poolConfig.ts
@@ -0,0 +1,63 @@
+import { Pool, PoolConfig } from "pg";
+import logger from "@server/logger";
+
+export function createPoolConfig(
+    connectionString: string,
+    maxConnections: number,
+    idleTimeoutMs: number,
+    connectionTimeoutMs: number
+): PoolConfig {
+    return {
+        connectionString,
+        max: maxConnections,
+        idleTimeoutMillis: idleTimeoutMs,
+        connectionTimeoutMillis: connectionTimeoutMs,
+        // TCP keepalive to prevent silent connection drops by NAT gateways,
+        // load balancers, and other intermediate network devices (e.g. AWS
+        // NAT Gateway drops idle TCP connections after ~350s)
+        keepAlive: true,
+        keepAliveInitialDelayMillis: 10000, // send first keepalive after 10s of idle
+        // Allow connections to be released and recreated more aggressively
+        // to avoid stale connections building up
+        allowExitOnIdle: false
+    };
+}
+
+export function attachPoolErrorHandlers(pool: Pool, label: string): void {
+    pool.on("error", (err) => {
+        // This catches errors on idle clients in the pool. Without this
+        // handler an unexpected disconnect would crash the process.
+        logger.error(
+            `Unexpected error on idle ${label} database client: ${err.message}`
+        );
+    });
+
+    pool.on("connect", (client) => {
+        // Set a statement timeout on every new connection so a single slow
+        // query can't block the pool forever
+        client.query("SET statement_timeout = '30s'").catch((err: Error) => {
+            logger.warn(
+                `Failed to set statement_timeout on ${label} client: ${err.message}`
+            );
+        });
+    });
+}
+
+export function createPool(
+    connectionString: string,
+    maxConnections: number,
+    idleTimeoutMs: number,
+    connectionTimeoutMs: number,
+    label: string
+): Pool {
+    const pool = new Pool(
+        createPoolConfig(
+            connectionString,
+            maxConnections,
+            idleTimeoutMs,
+            connectionTimeoutMs
+        )
+    );
+    attachPoolErrorHandlers(pool, label);
+    return pool;
+}
\ No newline at end of file

From d21dfb750e004a59a0229cb9cea827dfaa734b3d Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Tue, 24 Mar 2026 17:01:20 -0700
Subject: [PATCH 106/314] ui for provisioning key

---
 messages/en-US.json                           |  20 ++
 .../settings/provisioning/create/page.tsx     |  10 +
 .../[orgId]/settings/provisioning/page.tsx    |  50 ++++
 src/app/navigation.tsx                        |   6 +
 .../CreateSiteProvisioningKeyCredenza.tsx     | 195 ++++++++++++++++
 src/components/SiteProvisioningKeysTable.tsx  | 216 ++++++++++++++++++
 6 files changed, 497 insertions(+)
 create mode 100644 src/app/[orgId]/settings/provisioning/create/page.tsx
 create mode 100644 src/app/[orgId]/settings/provisioning/page.tsx
 create mode 100644 src/components/CreateSiteProvisioningKeyCredenza.tsx
 create mode 100644 src/components/SiteProvisioningKeysTable.tsx

diff --git a/messages/en-US.json b/messages/en-US.json
index 895ee1332..5cb3721ef 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -323,6 +323,25 @@
     "apiKeysDelete": "Delete API Key",
     "apiKeysManage": "Manage API Keys",
     "apiKeysDescription": "API keys are used to authenticate with the integration API",
+    "provisioningKeysTitle": "Provisioning Key",
+    "provisioningKeysManage": "Manage Provisioning Keys",
+    "provisioningKeysDescription": "Provisioning keys are used to authenticate automated site provisioning for your organization.",
+    "provisioningKeys": "Provisioning Keys",
+    "searchProvisioningKeys": "Search provisioning keys...",
+    "provisioningKeysAdd": "Generate Provisioning Key",
+    "provisioningKeysErrorDelete": "Error deleting provisioning key",
+    "provisioningKeysErrorDeleteMessage": "Error deleting provisioning key",
+    "provisioningKeysQuestionRemove": "Are you sure you want to remove this provisioning key from the organization?",
+    "provisioningKeysMessageRemove": "Once removed, the key can no longer be used for site provisioning.",
+    "provisioningKeysDeleteConfirm": "Confirm Delete Provisioning Key",
+    "provisioningKeysDelete": "Delete Provisioning key",
+    "provisioningKeysCreate": "Generate Provisioning Key",
+    "provisioningKeysCreateDescription": "Generate a new provisioning key for the organization",
+    "provisioningKeysSeeAll": "See all provisioning keys",
+    "provisioningKeysSave": "Save the provisioning key",
+    "provisioningKeysSaveDescription": "You will only be able to see this once. Copy it to a secure place.",
+    "provisioningKeysErrorCreate": "Error creating provisioning key",
+    "provisioningKeysList": "New provisioning key",
     "apiKeysSettings": "{apiKeyName} Settings",
     "userTitle": "Manage All Users",
     "userDescription": "View and manage all users in the system",
@@ -1266,6 +1285,7 @@
     "sidebarRoles": "Roles",
     "sidebarShareableLinks": "Links",
     "sidebarApiKeys": "API Keys",
+    "sidebarProvisioning": "Provisioning",
     "sidebarSettings": "Settings",
     "sidebarAllUsers": "All Users",
     "sidebarIdentityProviders": "Identity Providers",
diff --git a/src/app/[orgId]/settings/provisioning/create/page.tsx b/src/app/[orgId]/settings/provisioning/create/page.tsx
new file mode 100644
index 000000000..98573147a
--- /dev/null
+++ b/src/app/[orgId]/settings/provisioning/create/page.tsx
@@ -0,0 +1,10 @@
+import { redirect } from "next/navigation";
+
+type PageProps = {
+    params: Promise<{ orgId: string }>;
+};
+
+export default async function ProvisioningCreateRedirect(props: PageProps) {
+    const params = await props.params;
+    redirect(`/${params.orgId}/settings/provisioning`);
+}
diff --git a/src/app/[orgId]/settings/provisioning/page.tsx b/src/app/[orgId]/settings/provisioning/page.tsx
new file mode 100644
index 000000000..f8a30b86f
--- /dev/null
+++ b/src/app/[orgId]/settings/provisioning/page.tsx
@@ -0,0 +1,50 @@
+import { internal } from "@app/lib/api";
+import { authCookieHeader } from "@app/lib/api/cookies";
+import { AxiosResponse } from "axios";
+import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
+import SiteProvisioningKeysTable, {
+    SiteProvisioningKeyRow
+} from "../../../../components/SiteProvisioningKeysTable";
+import { ListSiteProvisioningKeysResponse } from "@server/routers/siteProvisioning/listSiteProvisioningKeys";
+import { getTranslations } from "next-intl/server";
+
+type ProvisioningPageProps = {
+    params: Promise<{ orgId: string }>;
+};
+
+export const dynamic = "force-dynamic";
+
+export default async function ProvisioningPage(props: ProvisioningPageProps) {
+    const params = await props.params;
+    const t = await getTranslations();
+
+    let siteProvisioningKeys: ListSiteProvisioningKeysResponse["siteProvisioningKeys"] =
+        [];
+    try {
+        const res = await internal.get<
+            AxiosResponse<ListSiteProvisioningKeysResponse>
+        >(
+            `/org/${params.orgId}/site-provisioning-keys`,
+            await authCookieHeader()
+        );
+        siteProvisioningKeys = res.data.data.siteProvisioningKeys;
+    } catch (e) {}
+
+    const rows: SiteProvisioningKeyRow[] = siteProvisioningKeys.map((k) => ({
+        name: k.name,
+        id: k.siteProvisioningKeyId,
+        key: `${k.siteProvisioningKeyId}••••••••••••••••••••${k.lastChars}`,
+        createdAt: k.createdAt
+    }));
+
+    return (
+        <>
+            <SettingsSectionTitle
+                title={t("provisioningKeysManage")}
+                description={t("provisioningKeysDescription")}
+            />
+
+            <SiteProvisioningKeysTable keys={rows} orgId={params.orgId} />
+        </>
+    );
+}
diff --git a/src/app/navigation.tsx b/src/app/navigation.tsx
index 0066721db..c90b211a3 100644
--- a/src/app/navigation.tsx
+++ b/src/app/navigation.tsx
@@ -2,6 +2,7 @@ import { SidebarNavItem } from "@app/components/SidebarNav";
 import { Env } from "@app/lib/types/env";
 import { build } from "@server/build";
 import {
+    Boxes,
     Building2,
     ChartLine,
     Combine,
@@ -203,6 +204,11 @@ export const orgNavSections = (
                         href: "/{orgId}/settings/api-keys",
                         icon: <KeyRound className="size-4 flex-none" />
                     },
+                    {
+                        title: "sidebarProvisioning",
+                        href: "/{orgId}/settings/provisioning",
+                        icon: <Boxes className="size-4 flex-none" />
+                    },
                     {
                         title: "sidebarBluePrints",
                         href: "/{orgId}/settings/blueprints",
diff --git a/src/components/CreateSiteProvisioningKeyCredenza.tsx b/src/components/CreateSiteProvisioningKeyCredenza.tsx
new file mode 100644
index 000000000..456731ed6
--- /dev/null
+++ b/src/components/CreateSiteProvisioningKeyCredenza.tsx
@@ -0,0 +1,195 @@
+"use client";
+
+import {
+    Credenza,
+    CredenzaBody,
+    CredenzaClose,
+    CredenzaContent,
+    CredenzaDescription,
+    CredenzaFooter,
+    CredenzaHeader,
+    CredenzaTitle
+} from "@app/components/Credenza";
+import {
+    Form,
+    FormControl,
+    FormField,
+    FormItem,
+    FormLabel,
+    FormMessage
+} from "@app/components/ui/form";
+import { Button } from "@app/components/ui/button";
+import { Input } from "@app/components/ui/input";
+import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { toast } from "@app/hooks/useToast";
+import { createApiClient, formatAxiosError } from "@app/lib/api";
+import { CreateSiteProvisioningKeyResponse } from "@server/routers/siteProvisioning/createSiteProvisioningKey";
+import { AxiosResponse } from "axios";
+import { InfoIcon } from "lucide-react";
+import { useTranslations } from "next-intl";
+import { useRouter } from "next/navigation";
+import { useEffect, useState } from "react";
+import { useForm } from "react-hook-form";
+import { z } from "zod";
+import { zodResolver } from "@hookform/resolvers/zod";
+import CopyTextBox from "@app/components/CopyTextBox";
+
+const FORM_ID = "create-site-provisioning-key-form";
+
+type CreateSiteProvisioningKeyCredenzaProps = {
+    open: boolean;
+    setOpen: (open: boolean) => void;
+    orgId: string;
+};
+
+export default function CreateSiteProvisioningKeyCredenza({
+    open,
+    setOpen,
+    orgId
+}: CreateSiteProvisioningKeyCredenzaProps) {
+    const t = useTranslations();
+    const router = useRouter();
+    const api = createApiClient(useEnvContext());
+    const [loading, setLoading] = useState(false);
+    const [created, setCreated] =
+        useState<CreateSiteProvisioningKeyResponse | null>(null);
+
+    const createFormSchema = z.object({
+        name: z
+            .string()
+            .min(1, {
+                message: t("nameMin", { len: 1 })
+            })
+            .max(255, {
+                message: t("nameMax", { len: 255 })
+            })
+    });
+
+    type CreateFormValues = z.infer<typeof createFormSchema>;
+
+    const form = useForm<CreateFormValues>({
+        resolver: zodResolver(createFormSchema),
+        defaultValues: {
+            name: ""
+        }
+    });
+
+    useEffect(() => {
+        if (!open) {
+            setCreated(null);
+            form.reset({ name: "" });
+        }
+    }, [open, form]);
+
+    async function onSubmit(data: CreateFormValues) {
+        setLoading(true);
+        try {
+            const res = await api
+                .put<
+                    AxiosResponse<CreateSiteProvisioningKeyResponse>
+                >(`/org/${orgId}/site-provisioning-key`, { name: data.name })
+                .catch((e) => {
+                    toast({
+                        variant: "destructive",
+                        title: t("provisioningKeysErrorCreate"),
+                        description: formatAxiosError(e)
+                    });
+                });
+
+            if (res && res.status === 201) {
+                setCreated(res.data.data);
+                router.refresh();
+            }
+        } finally {
+            setLoading(false);
+        }
+    }
+
+    const credential =
+        created &&
+        `${created.siteProvisioningKeyId}.${created.siteProvisioningKey}`;
+
+    return (
+        <Credenza open={open} onOpenChange={setOpen}>
+            <CredenzaContent>
+                <CredenzaHeader>
+                    <CredenzaTitle>
+                        {created
+                            ? t("provisioningKeysList")
+                            : t("provisioningKeysCreate")}
+                    </CredenzaTitle>
+                    {!created && (
+                        <CredenzaDescription>
+                            {t("provisioningKeysCreateDescription")}
+                        </CredenzaDescription>
+                    )}
+                </CredenzaHeader>
+                <CredenzaBody>
+                    {!created && (
+                        <Form {...form}>
+                            <form
+                                id={FORM_ID}
+                                onSubmit={form.handleSubmit(onSubmit)}
+                                className="space-y-4"
+                            >
+                                <FormField
+                                    control={form.control}
+                                    name="name"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormLabel>{t("name")}</FormLabel>
+                                            <FormControl>
+                                                <Input
+                                                    autoComplete="off"
+                                                    {...field}
+                                                />
+                                            </FormControl>
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
+                            </form>
+                        </Form>
+                    )}
+
+                    {created && credential && (
+                        <div className="space-y-4">
+                            <Alert variant="neutral">
+                                <InfoIcon className="h-4 w-4" />
+                                <AlertTitle className="font-semibold">
+                                    {t("provisioningKeysSave")}
+                                </AlertTitle>
+                                <AlertDescription>
+                                    {t("provisioningKeysSaveDescription")}
+                                </AlertDescription>
+                            </Alert>
+                            <CopyTextBox text={credential} />
+                        </div>
+                    )}
+                </CredenzaBody>
+                <CredenzaFooter>
+                    {!created ? (
+                        <>
+                            <CredenzaClose asChild>
+                                <Button variant="outline">{t("close")}</Button>
+                            </CredenzaClose>
+                            <Button
+                                type="submit"
+                                form={FORM_ID}
+                                loading={loading}
+                                disabled={loading}
+                            >
+                                {t("generate")}
+                            </Button>
+                        </>
+                    ) : (
+                        <CredenzaClose asChild>
+                            <Button variant="default">{t("done")}</Button>
+                        </CredenzaClose>
+                    )}
+                </CredenzaFooter>
+            </CredenzaContent>
+        </Credenza>
+    );
+}
diff --git a/src/components/SiteProvisioningKeysTable.tsx b/src/components/SiteProvisioningKeysTable.tsx
new file mode 100644
index 000000000..3fb3eb872
--- /dev/null
+++ b/src/components/SiteProvisioningKeysTable.tsx
@@ -0,0 +1,216 @@
+"use client";
+
+import {
+    DataTable,
+    ExtendedColumnDef
+} from "@app/components/ui/data-table";
+import {
+    DropdownMenu,
+    DropdownMenuContent,
+    DropdownMenuItem,
+    DropdownMenuTrigger
+} from "@app/components/ui/dropdown-menu";
+import { Button } from "@app/components/ui/button";
+import { ArrowUpDown, MoreHorizontal } from "lucide-react";
+import { useRouter } from "next/navigation";
+import { useEffect, useState } from "react";
+import CreateSiteProvisioningKeyCredenza from "@app/components/CreateSiteProvisioningKeyCredenza";
+import ConfirmDeleteDialog from "@app/components/ConfirmDeleteDialog";
+import { toast } from "@app/hooks/useToast";
+import { formatAxiosError } from "@app/lib/api";
+import { createApiClient } from "@app/lib/api";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import moment from "moment";
+import { useTranslations } from "next-intl";
+
+export type SiteProvisioningKeyRow = {
+    id: string;
+    key: string;
+    name: string;
+    createdAt: string;
+};
+
+type SiteProvisioningKeysTableProps = {
+    keys: SiteProvisioningKeyRow[];
+    orgId: string;
+};
+
+export default function SiteProvisioningKeysTable({
+    keys,
+    orgId
+}: SiteProvisioningKeysTableProps) {
+    const router = useRouter();
+    const [isDeleteModalOpen, setIsDeleteModalOpen] = useState(false);
+    const [selected, setSelected] = useState<SiteProvisioningKeyRow | null>(
+        null
+    );
+    const [rows, setRows] = useState<SiteProvisioningKeyRow[]>(keys);
+    const api = createApiClient(useEnvContext());
+    const t = useTranslations();
+    const [isRefreshing, setIsRefreshing] = useState(false);
+    const [createOpen, setCreateOpen] = useState(false);
+
+    useEffect(() => {
+        setRows(keys);
+    }, [keys]);
+
+    const refreshData = async () => {
+        setIsRefreshing(true);
+        try {
+            await new Promise((resolve) => setTimeout(resolve, 200));
+            router.refresh();
+        } catch (error) {
+            toast({
+                title: t("error"),
+                description: t("refreshError"),
+                variant: "destructive"
+            });
+        } finally {
+            setIsRefreshing(false);
+        }
+    };
+
+    const deleteKey = async (siteProvisioningKeyId: string) => {
+        try {
+            await api.delete(
+                `/org/${orgId}/site-provisioning-key/${siteProvisioningKeyId}`
+            );
+            router.refresh();
+            setIsDeleteModalOpen(false);
+            setSelected(null);
+            setRows((prev) => prev.filter((row) => row.id !== siteProvisioningKeyId));
+        } catch (e) {
+            console.error(t("provisioningKeysErrorDelete"), e);
+            toast({
+                variant: "destructive",
+                title: t("provisioningKeysErrorDelete"),
+                description: formatAxiosError(
+                    e,
+                    t("provisioningKeysErrorDeleteMessage")
+                )
+            });
+            throw e;
+        }
+    };
+
+    const columns: ExtendedColumnDef<SiteProvisioningKeyRow>[] = [
+        {
+            accessorKey: "name",
+            enableHiding: false,
+            friendlyName: t("name"),
+            header: ({ column }) => {
+                return (
+                    <Button
+                        variant="ghost"
+                        onClick={() =>
+                            column.toggleSorting(column.getIsSorted() === "asc")
+                        }
+                    >
+                        {t("name")}
+                        <ArrowUpDown className="ml-2 h-4 w-4" />
+                    </Button>
+                );
+            }
+        },
+        {
+            accessorKey: "key",
+            friendlyName: t("key"),
+            header: () => <span className="p-3">{t("key")}</span>,
+            cell: ({ row }) => {
+                const r = row.original;
+                return <span className="font-mono">{r.key}</span>;
+            }
+        },
+        {
+            accessorKey: "createdAt",
+            friendlyName: t("createdAt"),
+            header: () => <span className="p-3">{t("createdAt")}</span>,
+            cell: ({ row }) => {
+                const r = row.original;
+                return <span>{moment(r.createdAt).format("lll")}</span>;
+            }
+        },
+        {
+            id: "actions",
+            enableHiding: false,
+            header: () => <span className="p-3"></span>,
+            cell: ({ row }) => {
+                const r = row.original;
+                return (
+                    <div className="flex items-center gap-2 justify-end">
+                        <DropdownMenu>
+                            <DropdownMenuTrigger asChild>
+                                <Button variant="ghost" className="h-8 w-8 p-0">
+                                    <span className="sr-only">
+                                        {t("openMenu")}
+                                    </span>
+                                    <MoreHorizontal className="h-4 w-4" />
+                                </Button>
+                            </DropdownMenuTrigger>
+                            <DropdownMenuContent align="end">
+                                <DropdownMenuItem
+                                    onClick={() => {
+                                        setSelected(r);
+                                        setIsDeleteModalOpen(true);
+                                    }}
+                                >
+                                    <span className="text-red-500">
+                                        {t("delete")}
+                                    </span>
+                                </DropdownMenuItem>
+                            </DropdownMenuContent>
+                        </DropdownMenu>
+                    </div>
+                );
+            }
+        }
+    ];
+
+    return (
+        <>
+            <CreateSiteProvisioningKeyCredenza
+                open={createOpen}
+                setOpen={setCreateOpen}
+                orgId={orgId}
+            />
+
+            {selected && (
+                <ConfirmDeleteDialog
+                    open={isDeleteModalOpen}
+                    setOpen={(val) => {
+                        setIsDeleteModalOpen(val);
+                        if (!val) {
+                            setSelected(null);
+                        }
+                    }}
+                    dialog={
+                        <div className="space-y-2">
+                            <p>{t("provisioningKeysQuestionRemove")}</p>
+                            <p>{t("provisioningKeysMessageRemove")}</p>
+                        </div>
+                    }
+                    buttonText={t("provisioningKeysDeleteConfirm")}
+                    onConfirm={async () => deleteKey(selected.id)}
+                    string={selected.name}
+                    title={t("provisioningKeysDelete")}
+                />
+            )}
+
+            <DataTable
+                columns={columns}
+                data={rows}
+                persistPageSize="Org-provisioning-keys-table"
+                title={t("provisioningKeys")}
+                searchPlaceholder={t("searchProvisioningKeys")}
+                searchColumn="name"
+                onAdd={() => setCreateOpen(true)}
+                onRefresh={refreshData}
+                isRefreshing={isRefreshing}
+                addButtonText={t("provisioningKeysAdd")}
+                enableColumnVisibility={true}
+                stickyLeftColumn="name"
+                stickyRightColumn="actions"
+            />
+        </>
+    );
+}

From d17ec6dc1fe0b20fe92ebabe1dd64db72e8d2707 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 17:39:43 -0700
Subject: [PATCH 107/314] Try to solve th problem

---
 server/cleanup.ts                            |   2 +
 server/private/cleanup.ts                    |   2 +
 server/private/routers/ws/ws.ts              |  37 +-
 server/routers/newt/getNewtToken.ts          |  22 +-
 server/routers/newt/handleNewtPingMessage.ts |  19 +-
 server/routers/newt/pingAccumulator.ts       | 382 +++++++++++++++++++
 server/routers/olm/getOlmToken.ts            |   4 +-
 server/routers/olm/handleOlmPingMessage.ts   |  23 +-
 server/routers/ws/messageHandlers.ts         |   5 +
 server/routers/ws/ws.ts                      |  23 +-
 10 files changed, 446 insertions(+), 73 deletions(-)
 create mode 100644 server/routers/newt/pingAccumulator.ts

diff --git a/server/cleanup.ts b/server/cleanup.ts
index 137654827..3c462f3f2 100644
--- a/server/cleanup.ts
+++ b/server/cleanup.ts
@@ -1,8 +1,10 @@
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
 import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
+import { stopPingAccumulator } from "@server/routers/newt/pingAccumulator";
 import { cleanup as wsCleanup } from "#dynamic/routers/ws";
 
 async function cleanup() {
+    await stopPingAccumulator();
     await flushBandwidthToDb();
     await flushSiteBandwidthToDb();
     await wsCleanup();
diff --git a/server/private/cleanup.ts b/server/private/cleanup.ts
index 0bd9822dd..5321fbc9e 100644
--- a/server/private/cleanup.ts
+++ b/server/private/cleanup.ts
@@ -15,8 +15,10 @@ import { rateLimitService } from "#private/lib/rateLimit";
 import { cleanup as wsCleanup } from "#private/routers/ws";
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
 import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
+import { stopPingAccumulator } from "@server/routers/newt/pingAccumulator";
 
 async function cleanup() {
+    await stopPingAccumulator();
     await flushBandwidthToDb();
     await flushSiteBandwidthToDb();
     await rateLimitService.cleanup();
diff --git a/server/private/routers/ws/ws.ts b/server/private/routers/ws/ws.ts
index 4bfda5da8..d96c55c91 100644
--- a/server/private/routers/ws/ws.ts
+++ b/server/private/routers/ws/ws.ts
@@ -30,6 +30,7 @@ import {
 } from "@server/db";
 import { eq } from "drizzle-orm";
 import { db } from "@server/db";
+import { recordPing } from "@server/routers/newt/pingAccumulator";
 import { validateNewtSessionToken } from "@server/auth/sessions/newt";
 import { validateOlmSessionToken } from "@server/auth/sessions/olm";
 import logger from "@server/logger";
@@ -197,11 +198,7 @@ const connectedClients: Map<string, AuthenticatedWebSocket[]> = new Map();
 // Config version tracking map (local to this node, resets on server restart)
 const clientConfigVersions: Map<string, number> = new Map();
 
-// Tracks the last Unix timestamp (seconds) at which a ping was flushed to the
-// DB for a given siteId. Resets on server restart which is fine – the first
-// ping after startup will always write, re-establishing the online state.
-const lastPingDbWrite: Map<number, number> = new Map();
-const PING_DB_WRITE_INTERVAL = 45; // seconds
+
 
 // Recovery tracking
 let isRedisRecoveryInProgress = false;
@@ -853,32 +850,16 @@ const setupConnection = async (
         );
     });
 
-    // Handle WebSocket protocol-level pings from older newt clients that do
-    // not send application-level "newt/ping" messages. Update the site's
-    // online state and lastPing timestamp so the offline checker treats them
-    // the same as modern newt clients.
     if (clientType === "newt") {
         const newtClient = client as Newt;
-        ws.on("ping", async () => {
+        ws.on("ping", () => {
             if (!newtClient.siteId) return;
-            const now = Math.floor(Date.now() / 1000);
-            const lastWrite = lastPingDbWrite.get(newtClient.siteId) ?? 0;
-            if (now - lastWrite < PING_DB_WRITE_INTERVAL) return;
-            lastPingDbWrite.set(newtClient.siteId, now);
-            try {
-                await db
-                    .update(sites)
-                    .set({
-                        online: true,
-                        lastPing: now
-                    })
-                    .where(eq(sites.siteId, newtClient.siteId));
-            } catch (error) {
-                logger.error(
-                    "Error updating newt site online state on WS ping",
-                    { error }
-                );
-            }
+            // Record the ping in the accumulator instead of writing to the
+            // database on every WS ping frame. The accumulator flushes all
+            // pending pings in a single batched UPDATE every ~10s, which
+            // prevents connection pool exhaustion under load (especially
+            // with cross-region latency to the database).
+            recordPing(newtClient.siteId);
         });
     }
 
diff --git a/server/routers/newt/getNewtToken.ts b/server/routers/newt/getNewtToken.ts
index 637973582..bc3cca9fc 100644
--- a/server/routers/newt/getNewtToken.ts
+++ b/server/routers/newt/getNewtToken.ts
@@ -1,5 +1,5 @@
 import { generateSessionToken } from "@server/auth/sessions/app";
-import { db } from "@server/db";
+import { db, newtSessions } from "@server/db";
 import { newts } from "@server/db";
 import HttpCode from "@server/types/HttpCode";
 import response from "@server/lib/response";
@@ -92,6 +92,26 @@ export async function getNewtToken(
             );
         }
 
+        const [existingSession] = await db
+            .select()
+            .from(newtSessions)
+            .where(eq(newtSessions.newtId, existingNewt.newtId));
+
+        // if the session still has time in the expires, reuse it
+        if (existingSession && (existingSession.expiresAt + 30 * 60 * 1000) > Date.now()) {
+            return response<{ token: string; serverVersion: string }>(res, {
+                data: {
+                    token: existingSession.sessionId,
+                    serverVersion: APP_VERSION
+                },
+                success: true,
+                error: false,
+                message: "Token created successfully",
+                status: HttpCode.OK
+            });
+        }
+
+        // otherwise generate a new one
         const resToken = generateSessionToken();
         await createNewtSession(resToken, existingNewt.newtId);
 
diff --git a/server/routers/newt/handleNewtPingMessage.ts b/server/routers/newt/handleNewtPingMessage.ts
index 319647b83..da25852a0 100644
--- a/server/routers/newt/handleNewtPingMessage.ts
+++ b/server/routers/newt/handleNewtPingMessage.ts
@@ -5,6 +5,7 @@ import { Newt } from "@server/db";
 import { eq, lt, isNull, and, or } from "drizzle-orm";
 import logger from "@server/logger";
 import { sendNewtSyncMessage } from "./sync";
+import { recordPing } from "./pingAccumulator";
 
 // Track if the offline checker interval is running
 let offlineCheckerInterval: NodeJS.Timeout | null = null;
@@ -114,18 +115,12 @@ export const handleNewtPingMessage: MessageHandler = async (context) => {
         return;
     }
 
-    try {
-        // Mark the site as online and record the ping timestamp.
-        await db
-            .update(sites)
-            .set({
-                online: true,
-                lastPing: Math.floor(Date.now() / 1000)
-            })
-            .where(eq(sites.siteId, newt.siteId));
-    } catch (error) {
-        logger.error("Error updating online state on newt ping", { error });
-    }
+    // Record the ping in memory; it will be flushed to the database
+    // periodically by the ping accumulator (every ~10s) in a single
+    // batched UPDATE instead of one query per ping. This prevents
+    // connection pool exhaustion under load, especially with
+    // cross-region latency to the database.
+    recordPing(newt.siteId);
 
     // Check config version and sync if stale.
     const configVersion = await getClientConfigVersion(newt.newtId);
diff --git a/server/routers/newt/pingAccumulator.ts b/server/routers/newt/pingAccumulator.ts
new file mode 100644
index 000000000..83afd613e
--- /dev/null
+++ b/server/routers/newt/pingAccumulator.ts
@@ -0,0 +1,382 @@
+import { db } from "@server/db";
+import { sites, clients, olms } from "@server/db";
+import { eq, inArray } from "drizzle-orm";
+import logger from "@server/logger";
+
+/**
+ * Ping Accumulator
+ *
+ * Instead of writing to the database on every single newt/olm ping (which
+ * causes pool exhaustion under load, especially with cross-region latency),
+ * we accumulate pings in memory and flush them to the database periodically
+ * in a single batch.
+ *
+ * This is the same pattern used for bandwidth flushing in
+ * receiveBandwidth.ts and handleReceiveBandwidthMessage.ts.
+ *
+ * Supports two kinds of pings:
+ *   - **Site pings** (from newts): update `sites.online` and `sites.lastPing`
+ *   - **Client pings** (from OLMs): update `clients.online`, `clients.lastPing`,
+ *     `clients.archived`, and optionally reset `olms.archived`
+ */
+
+const FLUSH_INTERVAL_MS = 10_000; // Flush every 10 seconds
+const MAX_RETRIES = 2;
+const BASE_DELAY_MS = 50;
+
+// ── Site (newt) pings ──────────────────────────────────────────────────
+// Map of siteId -> latest ping timestamp (unix seconds)
+const pendingSitePings: Map<number, number> = new Map();
+
+// ── Client (OLM) pings ────────────────────────────────────────────────
+// Map of clientId -> latest ping timestamp (unix seconds)
+const pendingClientPings: Map<number, number> = new Map();
+// Set of olmIds whose `archived` flag should be reset to false
+const pendingOlmArchiveResets: Set<string> = new Set();
+
+let flushTimer: NodeJS.Timeout | null = null;
+
+// ── Public API ─────────────────────────────────────────────────────────
+
+/**
+ * Record a ping for a newt site. This does NOT write to the database
+ * immediately. Instead it stores the latest ping timestamp in memory,
+ * to be flushed periodically by the background timer.
+ */
+export function recordSitePing(siteId: number): void {
+    const now = Math.floor(Date.now() / 1000);
+    pendingSitePings.set(siteId, now);
+}
+
+/** @deprecated Use `recordSitePing` instead. Alias kept for existing call-sites. */
+export const recordPing = recordSitePing;
+
+/**
+ * Record a ping for an OLM client. Batches the `clients` table update
+ * (`online`, `lastPing`, `archived`) and, when `olmArchived` is true,
+ * also queues an `olms` table update to clear the archived flag.
+ */
+export function recordClientPing(
+    clientId: number,
+    olmId: string,
+    olmArchived: boolean
+): void {
+    const now = Math.floor(Date.now() / 1000);
+    pendingClientPings.set(clientId, now);
+    if (olmArchived) {
+        pendingOlmArchiveResets.add(olmId);
+    }
+}
+
+// ── Flush Logic ────────────────────────────────────────────────────────
+
+/**
+ * Flush all accumulated site pings to the database.
+ */
+async function flushSitePingsToDb(): Promise<void> {
+    if (pendingSitePings.size === 0) {
+        return;
+    }
+
+    // Snapshot and clear so new pings arriving during the flush go into a
+    // fresh map for the next cycle.
+    const pingsToFlush = new Map(pendingSitePings);
+    pendingSitePings.clear();
+
+    // Sort by siteId for consistent lock ordering (prevents deadlocks)
+    const sortedEntries = Array.from(pingsToFlush.entries()).sort(
+        ([a], [b]) => a - b
+    );
+
+    const BATCH_SIZE = 50;
+    for (let i = 0; i < sortedEntries.length; i += BATCH_SIZE) {
+        const batch = sortedEntries.slice(i, i + BATCH_SIZE);
+
+        try {
+            await withRetry(async () => {
+                // Group by timestamp for efficient bulk updates
+                const byTimestamp = new Map<number, number[]>();
+                for (const [siteId, timestamp] of batch) {
+                    const group = byTimestamp.get(timestamp) || [];
+                    group.push(siteId);
+                    byTimestamp.set(timestamp, group);
+                }
+
+                if (byTimestamp.size === 1) {
+                    const [timestamp, siteIds] = Array.from(
+                        byTimestamp.entries()
+                    )[0];
+                    await db
+                        .update(sites)
+                        .set({
+                            online: true,
+                            lastPing: timestamp
+                        })
+                        .where(inArray(sites.siteId, siteIds));
+                } else {
+                    await db.transaction(async (tx) => {
+                        for (const [timestamp, siteIds] of byTimestamp) {
+                            await tx
+                                .update(sites)
+                                .set({
+                                    online: true,
+                                    lastPing: timestamp
+                                })
+                                .where(inArray(sites.siteId, siteIds));
+                        }
+                    });
+                }
+            }, "flushSitePingsToDb");
+        } catch (error) {
+            logger.error(
+                `Failed to flush site ping batch (${batch.length} sites), re-queuing for next cycle`,
+                { error }
+            );
+            for (const [siteId, timestamp] of batch) {
+                const existing = pendingSitePings.get(siteId);
+                if (!existing || existing < timestamp) {
+                    pendingSitePings.set(siteId, timestamp);
+                }
+            }
+        }
+    }
+}
+
+/**
+ * Flush all accumulated client (OLM) pings to the database.
+ */
+async function flushClientPingsToDb(): Promise<void> {
+    if (pendingClientPings.size === 0 && pendingOlmArchiveResets.size === 0) {
+        return;
+    }
+
+    // Snapshot and clear
+    const pingsToFlush = new Map(pendingClientPings);
+    pendingClientPings.clear();
+
+    const olmResetsToFlush = new Set(pendingOlmArchiveResets);
+    pendingOlmArchiveResets.clear();
+
+    // ── Flush client pings ─────────────────────────────────────────────
+    if (pingsToFlush.size > 0) {
+        const sortedEntries = Array.from(pingsToFlush.entries()).sort(
+            ([a], [b]) => a - b
+        );
+
+        const BATCH_SIZE = 50;
+        for (let i = 0; i < sortedEntries.length; i += BATCH_SIZE) {
+            const batch = sortedEntries.slice(i, i + BATCH_SIZE);
+
+            try {
+                await withRetry(async () => {
+                    const byTimestamp = new Map<number, number[]>();
+                    for (const [clientId, timestamp] of batch) {
+                        const group = byTimestamp.get(timestamp) || [];
+                        group.push(clientId);
+                        byTimestamp.set(timestamp, group);
+                    }
+
+                    if (byTimestamp.size === 1) {
+                        const [timestamp, clientIds] = Array.from(
+                            byTimestamp.entries()
+                        )[0];
+                        await db
+                            .update(clients)
+                            .set({
+                                lastPing: timestamp,
+                                online: true,
+                                archived: false
+                            })
+                            .where(inArray(clients.clientId, clientIds));
+                    } else {
+                        await db.transaction(async (tx) => {
+                            for (const [timestamp, clientIds] of byTimestamp) {
+                                await tx
+                                    .update(clients)
+                                    .set({
+                                        lastPing: timestamp,
+                                        online: true,
+                                        archived: false
+                                    })
+                                    .where(
+                                        inArray(clients.clientId, clientIds)
+                                    );
+                            }
+                        });
+                    }
+                }, "flushClientPingsToDb");
+            } catch (error) {
+                logger.error(
+                    `Failed to flush client ping batch (${batch.length} clients), re-queuing for next cycle`,
+                    { error }
+                );
+                for (const [clientId, timestamp] of batch) {
+                    const existing = pendingClientPings.get(clientId);
+                    if (!existing || existing < timestamp) {
+                        pendingClientPings.set(clientId, timestamp);
+                    }
+                }
+            }
+        }
+    }
+
+    // ── Flush OLM archive resets ───────────────────────────────────────
+    if (olmResetsToFlush.size > 0) {
+        const olmIds = Array.from(olmResetsToFlush).sort();
+
+        const BATCH_SIZE = 50;
+        for (let i = 0; i < olmIds.length; i += BATCH_SIZE) {
+            const batch = olmIds.slice(i, i + BATCH_SIZE);
+
+            try {
+                await withRetry(async () => {
+                    await db
+                        .update(olms)
+                        .set({ archived: false })
+                        .where(inArray(olms.olmId, batch));
+                }, "flushOlmArchiveResets");
+            } catch (error) {
+                logger.error(
+                    `Failed to flush OLM archive reset batch (${batch.length} olms), re-queuing for next cycle`,
+                    { error }
+                );
+                for (const olmId of batch) {
+                    pendingOlmArchiveResets.add(olmId);
+                }
+            }
+        }
+    }
+}
+
+/**
+ * Flush everything — called by the interval timer and during shutdown.
+ */
+export async function flushPingsToDb(): Promise<void> {
+    await flushSitePingsToDb();
+    await flushClientPingsToDb();
+}
+
+// ── Retry / Error Helpers ──────────────────────────────────────────────
+
+/**
+ * Simple retry wrapper with exponential backoff for transient errors
+ * (connection timeouts, unexpected disconnects).
+ */
+async function withRetry<T>(
+    operation: () => Promise<T>,
+    context: string
+): Promise<T> {
+    let attempt = 0;
+    while (true) {
+        try {
+            return await operation();
+        } catch (error: any) {
+            if (isTransientError(error) && attempt < MAX_RETRIES) {
+                attempt++;
+                const baseDelay = Math.pow(2, attempt - 1) * BASE_DELAY_MS;
+                const jitter = Math.random() * baseDelay;
+                const delay = baseDelay + jitter;
+                logger.warn(
+                    `Transient DB error in ${context}, retrying attempt ${attempt}/${MAX_RETRIES} after ${delay.toFixed(0)}ms`
+                );
+                await new Promise((resolve) => setTimeout(resolve, delay));
+                continue;
+            }
+            throw error;
+        }
+    }
+}
+
+/**
+ * Detect transient connection errors that are safe to retry.
+ */
+function isTransientError(error: any): boolean {
+    if (!error) return false;
+
+    const message = (error.message || "").toLowerCase();
+    const causeMessage = (error.cause?.message || "").toLowerCase();
+    const code = error.code || "";
+
+    // Connection timeout / terminated
+    if (
+        message.includes("connection timeout") ||
+        message.includes("connection terminated") ||
+        message.includes("timeout exceeded when trying to connect") ||
+        causeMessage.includes("connection terminated unexpectedly") ||
+        causeMessage.includes("connection timeout")
+    ) {
+        return true;
+    }
+
+    // PostgreSQL deadlock
+    if (code === "40P01" || message.includes("deadlock")) {
+        return true;
+    }
+
+    // ECONNRESET, ECONNREFUSED, EPIPE
+    if (
+        code === "ECONNRESET" ||
+        code === "ECONNREFUSED" ||
+        code === "EPIPE" ||
+        code === "ETIMEDOUT"
+    ) {
+        return true;
+    }
+
+    return false;
+}
+
+// ── Lifecycle ──────────────────────────────────────────────────────────
+
+/**
+ * Start the background flush timer. Call this once at server startup.
+ */
+export function startPingAccumulator(): void {
+    if (flushTimer) {
+        return; // Already running
+    }
+
+    flushTimer = setInterval(async () => {
+        try {
+            await flushPingsToDb();
+        } catch (error) {
+            logger.error("Unhandled error in ping accumulator flush", {
+                error
+            });
+        }
+    }, FLUSH_INTERVAL_MS);
+
+    // Don't prevent the process from exiting
+    flushTimer.unref();
+
+    logger.info(
+        `Ping accumulator started (flush interval: ${FLUSH_INTERVAL_MS}ms)`
+    );
+}
+
+/**
+ * Stop the background flush timer and perform a final flush.
+ * Call this during graceful shutdown.
+ */
+export async function stopPingAccumulator(): Promise<void> {
+    if (flushTimer) {
+        clearInterval(flushTimer);
+        flushTimer = null;
+    }
+
+    // Final flush to persist any remaining pings
+    try {
+        await flushPingsToDb();
+    } catch (error) {
+        logger.error("Error during final ping accumulator flush", { error });
+    }
+
+    logger.info("Ping accumulator stopped");
+}
+
+/**
+ * Get the number of pending (unflushed) pings. Useful for monitoring.
+ */
+export function getPendingPingCount(): number {
+    return pendingSitePings.size + pendingClientPings.size;
+}
\ No newline at end of file
diff --git a/server/routers/olm/getOlmToken.ts b/server/routers/olm/getOlmToken.ts
index 2734a63bc..027e7ec15 100644
--- a/server/routers/olm/getOlmToken.ts
+++ b/server/routers/olm/getOlmToken.ts
@@ -8,7 +8,9 @@ import {
     ExitNode,
     exitNodes,
     sites,
-    clientSitesAssociationsCache
+    clientSitesAssociationsCache,
+    olmSessions,
+    olmSessions
 } from "@server/db";
 import { olms } from "@server/db";
 import HttpCode from "@server/types/HttpCode";
diff --git a/server/routers/olm/handleOlmPingMessage.ts b/server/routers/olm/handleOlmPingMessage.ts
index efcbf1696..0f520b234 100644
--- a/server/routers/olm/handleOlmPingMessage.ts
+++ b/server/routers/olm/handleOlmPingMessage.ts
@@ -3,6 +3,7 @@ import { db } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
 import { clients, olms, Olm } from "@server/db";
 import { eq, lt, isNull, and, or } from "drizzle-orm";
+import { recordClientPing } from "@server/routers/newt/pingAccumulator";
 import logger from "@server/logger";
 import { validateSessionToken } from "@server/auth/sessions/app";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
@@ -201,22 +202,12 @@ export const handleOlmPingMessage: MessageHandler = async (context) => {
             await sendOlmSyncMessage(olm, client);
         }
 
-        // Update the client's last ping timestamp
-        await db
-            .update(clients)
-            .set({
-                lastPing: Math.floor(Date.now() / 1000),
-                online: true,
-                archived: false
-            })
-            .where(eq(clients.clientId, olm.clientId));
-
-        if (olm.archived) {
-            await db
-                .update(olms)
-                .set({ archived: false })
-                .where(eq(olms.olmId, olm.olmId));
-        }
+        // Record the ping in memory; it will be flushed to the database
+        // periodically by the ping accumulator (every ~10s) in a single
+        // batched UPDATE instead of one query per ping. This prevents
+        // connection pool exhaustion under load, especially with
+        // cross-region latency to the database.
+        recordClientPing(olm.clientId, olm.olmId, !!olm.archived);
     } catch (error) {
         logger.error("Error handling ping message", { error });
     }
diff --git a/server/routers/ws/messageHandlers.ts b/server/routers/ws/messageHandlers.ts
index 628caafd5..143e4d516 100644
--- a/server/routers/ws/messageHandlers.ts
+++ b/server/routers/ws/messageHandlers.ts
@@ -11,6 +11,7 @@ import {
     startNewtOfflineChecker,
     handleNewtDisconnectingMessage
 } from "../newt";
+import { startPingAccumulator } from "../newt/pingAccumulator";
 import {
     handleOlmRegisterMessage,
     handleOlmRelayMessage,
@@ -46,6 +47,10 @@ export const messageHandlers: Record<string, MessageHandler> = {
     "ws/round-trip/complete": handleRoundTripMessage
 };
 
+// Start the ping accumulator for all builds — it batches per-site online/lastPing
+// updates into periodic bulk writes, preventing connection pool exhaustion.
+startPingAccumulator();
+
 if (build != "saas") {
     startOlmOfflineChecker(); // this is to handle the offline check for olms
     startNewtOfflineChecker(); // this is to handle the offline check for newts
diff --git a/server/routers/ws/ws.ts b/server/routers/ws/ws.ts
index 08a7dbd4c..6e6312715 100644
--- a/server/routers/ws/ws.ts
+++ b/server/routers/ws/ws.ts
@@ -6,6 +6,7 @@ import { Socket } from "net";
 import { Newt, newts, NewtSession, olms, Olm, OlmSession, sites } from "@server/db";
 import { eq } from "drizzle-orm";
 import { db } from "@server/db";
+import { recordPing } from "@server/routers/newt/pingAccumulator";
 import { validateNewtSessionToken } from "@server/auth/sessions/newt";
 import { validateOlmSessionToken } from "@server/auth/sessions/olm";
 import { messageHandlers } from "./messageHandlers";
@@ -386,22 +387,14 @@ const setupConnection = async (
     // the same as modern newt clients.
     if (clientType === "newt") {
         const newtClient = client as Newt;
-        ws.on("ping", async () => {
+        ws.on("ping", () => {
             if (!newtClient.siteId) return;
-            try {
-                await db
-                    .update(sites)
-                    .set({
-                        online: true,
-                        lastPing: Math.floor(Date.now() / 1000)
-                    })
-                    .where(eq(sites.siteId, newtClient.siteId));
-            } catch (error) {
-                logger.error(
-                    "Error updating newt site online state on WS ping",
-                    { error }
-                );
-            }
+            // Record the ping in the accumulator instead of writing to the
+            // database on every WS ping frame. The accumulator flushes all
+            // pending pings in a single batched UPDATE every ~10s, which
+            // prevents connection pool exhaustion under load (especially
+            // with cross-region latency to the database).
+            recordPing(newtClient.siteId);
         });
     }
 

From 6f71e9f0f21719e050cd9a48da278f402bef4c5c Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 17:54:51 -0700
Subject: [PATCH 108/314] Clean up

---
 server/private/routers/ws/ws.ts     |  5 -----
 server/routers/newt/getNewtToken.ts | 19 -------------------
 server/routers/olm/getOlmToken.ts   |  2 --
 3 files changed, 26 deletions(-)

diff --git a/server/private/routers/ws/ws.ts b/server/private/routers/ws/ws.ts
index d96c55c91..67b83f931 100644
--- a/server/private/routers/ws/ws.ts
+++ b/server/private/routers/ws/ws.ts
@@ -19,14 +19,9 @@ import { Socket } from "net";
 import {
     Newt,
     newts,
-    NewtSession,
-    olms,
     Olm,
-    OlmSession,
     RemoteExitNode,
-    RemoteExitNodeSession,
     remoteExitNodes,
-    sites
 } from "@server/db";
 import { eq } from "drizzle-orm";
 import { db } from "@server/db";
diff --git a/server/routers/newt/getNewtToken.ts b/server/routers/newt/getNewtToken.ts
index bc3cca9fc..9d3da7e97 100644
--- a/server/routers/newt/getNewtToken.ts
+++ b/server/routers/newt/getNewtToken.ts
@@ -92,25 +92,6 @@ export async function getNewtToken(
             );
         }
 
-        const [existingSession] = await db
-            .select()
-            .from(newtSessions)
-            .where(eq(newtSessions.newtId, existingNewt.newtId));
-
-        // if the session still has time in the expires, reuse it
-        if (existingSession && (existingSession.expiresAt + 30 * 60 * 1000) > Date.now()) {
-            return response<{ token: string; serverVersion: string }>(res, {
-                data: {
-                    token: existingSession.sessionId,
-                    serverVersion: APP_VERSION
-                },
-                success: true,
-                error: false,
-                message: "Token created successfully",
-                status: HttpCode.OK
-            });
-        }
-
         // otherwise generate a new one
         const resToken = generateSessionToken();
         await createNewtSession(resToken, existingNewt.newtId);
diff --git a/server/routers/olm/getOlmToken.ts b/server/routers/olm/getOlmToken.ts
index 027e7ec15..741b29f0a 100644
--- a/server/routers/olm/getOlmToken.ts
+++ b/server/routers/olm/getOlmToken.ts
@@ -9,8 +9,6 @@ import {
     exitNodes,
     sites,
     clientSitesAssociationsCache,
-    olmSessions,
-    olmSessions
 } from "@server/db";
 import { olms } from "@server/db";
 import HttpCode from "@server/types/HttpCode";

From c96c5e8ae8f556f541be24bb7755f93b2897428a Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 18:12:51 -0700
Subject: [PATCH 109/314] Cache token for thundering hurd

---
 server/lib/tokenCache.ts                      | 22 ++++++
 server/private/lib/cache.ts                   | 13 ++++
 server/private/lib/tokenCache.ts              | 77 +++++++++++++++++++
 .../remoteExitNode/getRemoteExitNodeToken.ts  | 25 ++++--
 server/routers/newt/getNewtToken.ts           | 18 ++++-
 server/routers/olm/getOlmToken.ts             | 19 ++++-
 6 files changed, 161 insertions(+), 13 deletions(-)
 create mode 100644 server/lib/tokenCache.ts
 create mode 100644 server/private/lib/tokenCache.ts

diff --git a/server/lib/tokenCache.ts b/server/lib/tokenCache.ts
new file mode 100644
index 000000000..022f46c15
--- /dev/null
+++ b/server/lib/tokenCache.ts
@@ -0,0 +1,22 @@
+/**
+ * Returns a cached plaintext token from Redis if one exists and decrypts
+ * cleanly, otherwise calls `createSession` to mint a fresh token, stores the
+ * encrypted value in Redis with the given TTL, and returns it.
+ *
+ * Failures at the Redis layer are non-fatal – the function always falls
+ * through to session creation so the caller is never blocked by a Redis outage.
+ *
+ * @param cacheKey   Unique Redis key, e.g. `"newt:token_cache:abc123"`
+ * @param secret     Server secret used for AES encryption/decryption
+ * @param ttlSeconds Cache TTL in seconds (should match session expiry)
+ * @param createSession Factory that mints a new session and returns its raw token
+ */
+export async function getOrCreateCachedToken(
+    cacheKey: string,
+    secret: string,
+    ttlSeconds: number,
+    createSession: () => Promise<string>
+): Promise<string> {
+    const token = await createSession();
+    return token;
+}
diff --git a/server/private/lib/cache.ts b/server/private/lib/cache.ts
index e8c03ba3d..1a2006d46 100644
--- a/server/private/lib/cache.ts
+++ b/server/private/lib/cache.ts
@@ -1,3 +1,16 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
 import NodeCache from "node-cache";
 import logger from "@server/logger";
 import { redisManager } from "@server/private/lib/redis";
diff --git a/server/private/lib/tokenCache.ts b/server/private/lib/tokenCache.ts
new file mode 100644
index 000000000..bb6645688
--- /dev/null
+++ b/server/private/lib/tokenCache.ts
@@ -0,0 +1,77 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import redisManager from "#dynamic/lib/redis";
+import { encrypt, decrypt } from "@server/lib/crypto";
+import logger from "@server/logger";
+
+/**
+ * Returns a cached plaintext token from Redis if one exists and decrypts
+ * cleanly, otherwise calls `createSession` to mint a fresh token, stores the
+ * encrypted value in Redis with the given TTL, and returns it.
+ *
+ * Failures at the Redis layer are non-fatal – the function always falls
+ * through to session creation so the caller is never blocked by a Redis outage.
+ *
+ * @param cacheKey   Unique Redis key, e.g. `"newt:token_cache:abc123"`
+ * @param secret     Server secret used for AES encryption/decryption
+ * @param ttlSeconds Cache TTL in seconds (should match session expiry)
+ * @param createSession Factory that mints a new session and returns its raw token
+ */
+export async function getOrCreateCachedToken(
+    cacheKey: string,
+    secret: string,
+    ttlSeconds: number,
+    createSession: () => Promise<string>
+): Promise<string> {
+    if (redisManager.isRedisEnabled()) {
+        try {
+            const cached = await redisManager.get(cacheKey);
+            if (cached) {
+                const token = decrypt(cached, secret);
+                if (token) {
+                    logger.debug(`Token cache hit for key: ${cacheKey}`);
+                    return token;
+                }
+                // Decryption produced an empty string – treat as a miss
+                logger.warn(
+                    `Token cache decryption returned empty string for key: ${cacheKey}, treating as miss`
+                );
+            }
+        } catch (e) {
+            logger.warn(
+                `Token cache read/decrypt failed for key ${cacheKey}, falling through to session creation:`,
+                e
+            );
+        }
+    }
+
+    const token = await createSession();
+
+    if (redisManager.isRedisEnabled()) {
+        try {
+            const encrypted = encrypt(token, secret);
+            await redisManager.set(cacheKey, encrypted, ttlSeconds);
+            logger.debug(
+                `Token cached in Redis for key: ${cacheKey} (TTL ${ttlSeconds}s)`
+            );
+        } catch (e) {
+            logger.warn(
+                `Token cache write failed for key ${cacheKey} (session was still created):`,
+                e
+            );
+        }
+    }
+
+    return token;
+}
diff --git a/server/private/routers/remoteExitNode/getRemoteExitNodeToken.ts b/server/private/routers/remoteExitNode/getRemoteExitNodeToken.ts
index 24f0de159..025e2d34e 100644
--- a/server/private/routers/remoteExitNode/getRemoteExitNodeToken.ts
+++ b/server/private/routers/remoteExitNode/getRemoteExitNodeToken.ts
@@ -23,8 +23,10 @@ import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import {
     createRemoteExitNodeSession,
-    validateRemoteExitNodeSessionToken
+    validateRemoteExitNodeSessionToken,
+    EXPIRES
 } from "#private/auth/sessions/remoteExitNode";
+import { getOrCreateCachedToken } from "@server/private/lib/tokenCache";
 import { verifyPassword } from "@server/auth/password";
 import logger from "@server/logger";
 import config from "@server/lib/config";
@@ -103,14 +105,23 @@ export async function getRemoteExitNodeToken(
             );
         }
 
-        const resToken = generateSessionToken();
-        await createRemoteExitNodeSession(
-            resToken,
-            existingRemoteExitNode.remoteExitNodeId
+        // Return a cached token if one exists to prevent thundering herd on
+        // simultaneous restarts; falls back to creating a fresh session when
+        // Redis is unavailable or the cache has expired.
+        const resToken = await getOrCreateCachedToken(
+            `remote_exit_node:token_cache:${existingRemoteExitNode.remoteExitNodeId}`,
+            config.getRawConfig().server.secret!,
+            Math.floor(EXPIRES / 1000),
+            async () => {
+                const token = generateSessionToken();
+                await createRemoteExitNodeSession(
+                    token,
+                    existingRemoteExitNode.remoteExitNodeId
+                );
+                return token;
+            }
         );
 
-        // logger.debug(`Created RemoteExitNode token response: ${JSON.stringify(resToken)}`);
-
         return response<{ token: string }>(res, {
             data: {
                 token: resToken
diff --git a/server/routers/newt/getNewtToken.ts b/server/routers/newt/getNewtToken.ts
index 9d3da7e97..c5abb9968 100644
--- a/server/routers/newt/getNewtToken.ts
+++ b/server/routers/newt/getNewtToken.ts
@@ -1,6 +1,8 @@
 import { generateSessionToken } from "@server/auth/sessions/app";
 import { db, newtSessions } from "@server/db";
 import { newts } from "@server/db";
+import { getOrCreateCachedToken } from "#dynamic/lib/tokenCache";
+import { EXPIRES } from "@server/auth/sessions/newt";
 import HttpCode from "@server/types/HttpCode";
 import response from "@server/lib/response";
 import { eq } from "drizzle-orm";
@@ -92,9 +94,19 @@ export async function getNewtToken(
             );
         }
 
-        // otherwise generate a new one
-        const resToken = generateSessionToken();
-        await createNewtSession(resToken, existingNewt.newtId);
+        // Return a cached token if one exists to prevent thundering herd on
+        // simultaneous restarts; falls back to creating a fresh session when
+        // Redis is unavailable or the cache has expired.
+        const resToken = await getOrCreateCachedToken(
+            `newt:token_cache:${existingNewt.newtId}`,
+            config.getRawConfig().server.secret!,
+            Math.floor(EXPIRES / 1000),
+            async () => {
+                const token = generateSessionToken();
+                await createNewtSession(token, existingNewt.newtId);
+                return token;
+            }
+        );
 
         return response<{ token: string; serverVersion: string }>(res, {
             data: {
diff --git a/server/routers/olm/getOlmToken.ts b/server/routers/olm/getOlmToken.ts
index 741b29f0a..5b8411eb7 100644
--- a/server/routers/olm/getOlmToken.ts
+++ b/server/routers/olm/getOlmToken.ts
@@ -20,8 +20,10 @@ import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import {
     createOlmSession,
-    validateOlmSessionToken
+    validateOlmSessionToken,
+    EXPIRES
 } from "@server/auth/sessions/olm";
+import { getOrCreateCachedToken } from "#dynamic/lib/tokenCache";
 import { verifyPassword } from "@server/auth/password";
 import logger from "@server/logger";
 import config from "@server/lib/config";
@@ -132,8 +134,19 @@ export async function getOlmToken(
 
         logger.debug("Creating new olm session token");
 
-        const resToken = generateSessionToken();
-        await createOlmSession(resToken, existingOlm.olmId);
+        // Return a cached token if one exists to prevent thundering herd on
+        // simultaneous restarts; falls back to creating a fresh session when
+        // Redis is unavailable or the cache has expired.
+        const resToken = await getOrCreateCachedToken(
+            `olm:token_cache:${existingOlm.olmId}`,
+            config.getRawConfig().server.secret!,
+            Math.floor(EXPIRES / 1000),
+            async () => {
+                const token = generateSessionToken();
+                await createOlmSession(token, existingOlm.olmId);
+                return token;
+            }
+        );
 
         let clientIdToUse;
         if (orgId) {

From 38d30b0214d25a77c731b2ddd72dba611692371e Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 18:13:57 -0700
Subject: [PATCH 110/314] Add license script

---
 license.py | 115 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 115 insertions(+)
 create mode 100644 license.py

diff --git a/license.py b/license.py
new file mode 100644
index 000000000..865dfad7a
--- /dev/null
+++ b/license.py
@@ -0,0 +1,115 @@
+import os
+import sys
+
+# --- Configuration ---
+# The header text to be added to the files.
+HEADER_TEXT = """/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+"""
+
+def should_add_header(file_path):
+    """
+    Checks if a file should receive the commercial license header.
+    Returns True if 'private' is in the path or file content.
+    """
+    # Check if 'private' is in the file path (case-insensitive)
+    if 'server/private' in file_path.lower():
+        return True
+
+    # Check if 'private' is in the file content (case-insensitive)
+    # try:
+    #     with open(file_path, 'r', encoding='utf-8', errors='ignore') as f:
+    #         content = f.read()
+    #         if 'private' in content.lower():
+    #             return True
+    # except Exception as e:
+    #     print(f"Could not read file {file_path}: {e}")
+
+    return False
+
+def process_directory(root_dir):
+    """
+    Recursively scans a directory and adds headers to qualifying .ts or .tsx files,
+    skipping any 'node_modules' directories.
+    """
+    print(f"Scanning directory: {root_dir}")
+    files_processed = 0
+    headers_added = 0
+
+    for root, dirs, files in os.walk(root_dir):
+        # --- MODIFICATION ---
+        # Exclude 'node_modules' directories from the scan to improve performance.
+        if 'node_modules' in dirs:
+            dirs.remove('node_modules')
+
+        for file in files:
+            if file.endswith('.ts') or file.endswith('.tsx'):
+                file_path = os.path.join(root, file)
+                files_processed += 1
+
+                try:
+                    with open(file_path, 'r+', encoding='utf-8') as f:
+                        original_content = f.read()
+                        has_header = original_content.startswith(HEADER_TEXT.strip())
+                        
+                        if should_add_header(file_path):
+                            # Add header only if it's not already there
+                            if not has_header:
+                                f.seek(0, 0) # Go to the beginning of the file
+                                f.write(HEADER_TEXT.strip() + '\n\n' + original_content)
+                                print(f"Added header to: {file_path}")
+                                headers_added += 1
+                            else:
+                                print(f"Header already exists in: {file_path}")
+                        else:
+                            # Remove header if it exists but shouldn't be there
+                            if has_header:
+                                # Find the end of the header and remove it (including following newlines)
+                                header_with_newlines = HEADER_TEXT.strip() + '\n\n'
+                                if original_content.startswith(header_with_newlines):
+                                    content_without_header = original_content[len(header_with_newlines):]
+                                else:
+                                    # Handle case where there might be different newline patterns
+                                    header_end = len(HEADER_TEXT.strip())
+                                    # Skip any newlines after the header
+                                    while header_end < len(original_content) and original_content[header_end] in '\n\r':
+                                        header_end += 1
+                                    content_without_header = original_content[header_end:]
+                                
+                                f.seek(0)
+                                f.write(content_without_header)
+                                f.truncate()
+                                print(f"Removed header from: {file_path}")
+                                headers_added += 1  # Reusing counter for modifications
+
+                except Exception as e:
+                    print(f"Error processing file {file_path}: {e}")
+
+    print("\n--- Scan Complete ---")
+    print(f"Total .ts or .tsx files found: {files_processed}")
+    print(f"Files modified (headers added/removed): {headers_added}")
+
+
+if __name__ == "__main__":
+    # Get the target directory from the command line arguments.
+    # If no directory is provided, it uses the current directory ('.').
+    if len(sys.argv) > 1:
+        target_directory = sys.argv[1]
+    else:
+        target_directory = '.' # Default to current directory
+
+    if not os.path.isdir(target_directory):
+        print(f"Error: Directory '{target_directory}' not found.")
+        sys.exit(1)
+
+    process_directory(os.path.abspath(target_directory))

From b2eab95a3b724ea947cecb9a6c57411f021b2271 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 18:17:33 -0700
Subject: [PATCH 111/314] Pass at first endpoints

---
 server/routers/external.ts                    |  23 ++
 .../routers/newt/createNewtProvisioningKey.ts | 108 ++++++++
 server/routers/newt/index.ts                  |   2 +
 server/routers/newt/registerNewt.ts           | 240 ++++++++++++++++++
 4 files changed, 373 insertions(+)
 create mode 100644 server/routers/newt/createNewtProvisioningKey.ts
 create mode 100644 server/routers/newt/registerNewt.ts

diff --git a/server/routers/external.ts b/server/routers/external.ts
index 45ab58bba..c32a7a8e9 100644
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -102,6 +102,13 @@ authenticated.put(
     logActionAudit(ActionsEnum.createSite),
     site.createSite
 );
+
+authenticated.put(
+    "/org/:orgId/newt/provisioning-key",
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.createSite),
+    newt.createNewtProvisioningKey
+);
 authenticated.get(
     "/org/:orgId/sites",
     verifyOrgAccess,
@@ -1202,6 +1209,22 @@ authRouter.post(
     }),
     newt.getNewtToken
 );
+
+authRouter.post(
+    "/newt/register",
+    rateLimit({
+        windowMs: 15 * 60 * 1000,
+        max: 30,
+        keyGenerator: (req) =>
+            `newtRegister:${req.body.provisioningKey?.split(".")[0] || ipKeyGenerator(req.ip || "")}`,
+        handler: (req, res, next) => {
+            const message = `You can only register a newt ${30} times every ${15} minutes. Please try again later.`;
+            return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));
+        },
+        store: createStore()
+    }),
+    newt.registerNewt
+);
 authRouter.post(
     "/olm/get-token",
     rateLimit({
diff --git a/server/routers/newt/createNewtProvisioningKey.ts b/server/routers/newt/createNewtProvisioningKey.ts
new file mode 100644
index 000000000..2af4d166d
--- /dev/null
+++ b/server/routers/newt/createNewtProvisioningKey.ts
@@ -0,0 +1,108 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { newtProvisioningKeys, orgs } from "@server/db";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { eq } from "drizzle-orm";
+import { fromError } from "zod-validation-error";
+import {
+    generateId,
+    generateIdFromEntropySize
+} from "@server/auth/sessions/app";
+import { hashPassword } from "@server/auth/password";
+import moment from "moment";
+
+const paramsSchema = z.object({
+    orgId: z.string().nonempty()
+});
+
+const bodySchema = z.object({
+    expiresAt: z.number().int().positive().optional() // optional Unix timestamp (ms)
+});
+
+export type CreateNewtProvisioningKeyBody = z.infer<typeof bodySchema>;
+
+export type CreateNewtProvisioningKeyResponse = {
+    provisioningKeyId: string;
+    provisioningKey: string; // returned only once: "id.secret"
+    lastChars: string;
+    createdAt: string;
+    expiresAt: number | null;
+};
+
+export async function createNewtProvisioningKey(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { orgId } = parsedParams.data;
+        const { expiresAt } = parsedBody.data;
+
+        // Verify org exists
+        const [org] = await db.select().from(orgs).where(eq(orgs.orgId, orgId));
+        if (!org) {
+            return next(
+                createHttpError(HttpCode.NOT_FOUND, `Organization with ID ${orgId} not found`)
+            );
+        }
+
+        const provisioningKeyId = generateId(15);
+        const secret = generateIdFromEntropySize(25);
+        const keyHash = await hashPassword(secret);
+        const lastChars = secret.slice(-4);
+        const createdAt = moment().toISOString();
+        const provisioningKey = `${provisioningKeyId}.${secret}`;
+
+        await db.insert(newtProvisioningKeys).values({
+            provisioningKeyId,
+            orgId,
+            keyHash,
+            lastChars,
+            createdAt,
+            expiresAt: expiresAt ?? null
+        });
+
+        return response<CreateNewtProvisioningKeyResponse>(res, {
+            data: {
+                provisioningKeyId,
+                provisioningKey,
+                lastChars,
+                createdAt,
+                expiresAt: expiresAt ?? null
+            },
+            success: true,
+            error: false,
+            message: "Provisioning key created successfully",
+            status: HttpCode.CREATED
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
diff --git a/server/routers/newt/index.ts b/server/routers/newt/index.ts
index 63d1e1068..76207e8d4 100644
--- a/server/routers/newt/index.ts
+++ b/server/routers/newt/index.ts
@@ -9,3 +9,5 @@ export * from "./handleApplyBlueprintMessage";
 export * from "./handleNewtPingMessage";
 export * from "./handleNewtDisconnectingMessage";
 export * from "./handleConnectionLogMessage";
+export * from "./registerNewt";
+export * from "./createNewtProvisioningKey";
diff --git a/server/routers/newt/registerNewt.ts b/server/routers/newt/registerNewt.ts
new file mode 100644
index 000000000..f301b452a
--- /dev/null
+++ b/server/routers/newt/registerNewt.ts
@@ -0,0 +1,240 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import {
+    newtProvisioningKeys,
+    newts,
+    orgs,
+    roles,
+    roleSites,
+    sites
+} from "@server/db";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { eq, and } from "drizzle-orm";
+import { fromError } from "zod-validation-error";
+import { verifyPassword, hashPassword } from "@server/auth/password";
+import {
+    generateId,
+    generateIdFromEntropySize
+} from "@server/auth/sessions/app";
+import { getUniqueSiteName } from "@server/db/names";
+import moment from "moment";
+import { build } from "@server/build";
+import { usageService } from "@server/lib/billing/usageService";
+import { FeatureId } from "@server/lib/billing";
+
+const bodySchema = z.object({
+    provisioningKey: z.string().nonempty()
+});
+
+export type RegisterNewtBody = z.infer<typeof bodySchema>;
+
+export type RegisterNewtResponse = {
+    newtId: string;
+    secret: string;
+};
+
+export async function registerNewt(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { provisioningKey } = parsedBody.data;
+
+        // Keys are in the format "id.secret"
+        const dotIndex = provisioningKey.indexOf(".");
+        if (dotIndex === -1) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Invalid provisioning key format"
+                )
+            );
+        }
+
+        const provisioningKeyId = provisioningKey.substring(0, dotIndex);
+        const provisioningKeySecret = provisioningKey.substring(dotIndex + 1);
+
+        // Look up the provisioning key by ID
+        const [keyRecord] = await db
+            .select()
+            .from(newtProvisioningKeys)
+            .where(
+                eq(newtProvisioningKeys.provisioningKeyId, provisioningKeyId)
+            )
+            .limit(1);
+
+        if (!keyRecord) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "Invalid provisioning key")
+            );
+        }
+
+        // Verify the secret
+        const validSecret = await verifyPassword(
+            provisioningKeySecret,
+            keyRecord.keyHash
+        );
+        if (!validSecret) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "Invalid provisioning key")
+            );
+        }
+
+        // Check if key has already been used
+        if (keyRecord.siteId !== null) {
+            return next(
+                createHttpError(
+                    HttpCode.CONFLICT,
+                    "Provisioning key has already been used"
+                )
+            );
+        }
+
+        // Check expiry
+        if (keyRecord.expiresAt !== null && keyRecord.expiresAt < Date.now()) {
+            return next(
+                createHttpError(HttpCode.GONE, "Provisioning key has expired")
+            );
+        }
+
+        const { orgId } = keyRecord;
+
+        // Verify the org exists
+        const [org] = await db
+            .select()
+            .from(orgs)
+            .where(eq(orgs.orgId, orgId));
+        if (!org) {
+            return next(
+                createHttpError(HttpCode.NOT_FOUND, "Organization not found")
+            );
+        }
+
+        // SaaS billing check
+        if (build == "saas") {
+            const usage = await usageService.getUsage(orgId, FeatureId.SITES);
+            if (!usage) {
+                return next(
+                    createHttpError(
+                        HttpCode.NOT_FOUND,
+                        "No usage data found for this organization"
+                    )
+                );
+            }
+            const rejectSites = await usageService.checkLimitSet(
+                orgId,
+                FeatureId.SITES,
+                {
+                    ...usage,
+                    instantaneousValue: (usage.instantaneousValue || 0) + 1
+                }
+            );
+            if (rejectSites) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Site limit exceeded. Please upgrade your plan."
+                    )
+                );
+            }
+        }
+
+        const niceId = await getUniqueSiteName(orgId);
+        const newtId = generateId(15);
+        const newtSecret = generateIdFromEntropySize(25);
+        const secretHash = await hashPassword(newtSecret);
+
+        let newSiteId: number | undefined;
+
+        await db.transaction(async (trx) => {
+            // Create the site (type "newt", name = niceId)
+            const [newSite] = await trx
+                .insert(sites)
+                .values({
+                    orgId,
+                    name: niceId,
+                    niceId,
+                    type: "newt",
+                    dockerSocketEnabled: true
+                })
+                .returning();
+
+            newSiteId = newSite.siteId;
+
+            // Grant admin role access to the new site
+            const [adminRole] = await trx
+                .select()
+                .from(roles)
+                .where(and(eq(roles.isAdmin, true), eq(roles.orgId, orgId)))
+                .limit(1);
+
+            if (!adminRole) {
+                throw new Error(`Admin role not found for org ${orgId}`);
+            }
+
+            await trx.insert(roleSites).values({
+                roleId: adminRole.roleId,
+                siteId: newSite.siteId
+            });
+
+            // Create the newt for this site
+            await trx.insert(newts).values({
+                newtId,
+                secretHash,
+                siteId: newSite.siteId,
+                dateCreated: moment().toISOString()
+            });
+
+            // Mark the provisioning key as used
+            await trx
+                .update(newtProvisioningKeys)
+                .set({ siteId: newSite.siteId })
+                .where(
+                    eq(
+                        newtProvisioningKeys.provisioningKeyId,
+                        provisioningKeyId
+                    )
+                );
+
+            await usageService.add(orgId, FeatureId.SITES, 1, trx);
+        });
+
+        logger.info(
+            `Provisioned new site (ID: ${newSiteId}) and newt (ID: ${newtId}) for org ${orgId} via provisioning key ${provisioningKeyId}`
+        );
+
+        return response<RegisterNewtResponse>(res, {
+            data: {
+                newtId,
+                secret: newtSecret
+            },
+            success: true,
+            error: false,
+            message: "Newt registered successfully",
+            status: HttpCode.CREATED
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "An error occurred"
+            )
+        );
+    }
+}
\ No newline at end of file

From 0b5b6ed5a37c49c311fc2dcb520aba3e21a65e47 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 18:26:10 -0700
Subject: [PATCH 112/314] Adjust register endpoint

---
 server/routers/external.ts                    |   7 +-
 .../routers/newt/createNewtProvisioningKey.ts | 108 ------------------
 server/routers/newt/index.ts                  |   1 -
 server/routers/newt/registerNewt.ts           |  71 ++++++------
 .../createSiteProvisioningKey.ts              |   3 +
 5 files changed, 42 insertions(+), 148 deletions(-)
 delete mode 100644 server/routers/newt/createNewtProvisioningKey.ts

diff --git a/server/routers/external.ts b/server/routers/external.ts
index a658fa811..297cb2894 100644
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -105,12 +105,7 @@ authenticated.put(
     site.createSite
 );
 
-authenticated.put(
-    "/org/:orgId/newt/provisioning-key",
-    verifyOrgAccess,
-    verifyUserHasAction(ActionsEnum.createSite),
-    newt.createNewtProvisioningKey
-);
+
 authenticated.get(
     "/org/:orgId/sites",
     verifyOrgAccess,
diff --git a/server/routers/newt/createNewtProvisioningKey.ts b/server/routers/newt/createNewtProvisioningKey.ts
deleted file mode 100644
index 2af4d166d..000000000
--- a/server/routers/newt/createNewtProvisioningKey.ts
+++ /dev/null
@@ -1,108 +0,0 @@
-import { Request, Response, NextFunction } from "express";
-import { z } from "zod";
-import { db } from "@server/db";
-import { newtProvisioningKeys, orgs } from "@server/db";
-import response from "@server/lib/response";
-import HttpCode from "@server/types/HttpCode";
-import createHttpError from "http-errors";
-import logger from "@server/logger";
-import { eq } from "drizzle-orm";
-import { fromError } from "zod-validation-error";
-import {
-    generateId,
-    generateIdFromEntropySize
-} from "@server/auth/sessions/app";
-import { hashPassword } from "@server/auth/password";
-import moment from "moment";
-
-const paramsSchema = z.object({
-    orgId: z.string().nonempty()
-});
-
-const bodySchema = z.object({
-    expiresAt: z.number().int().positive().optional() // optional Unix timestamp (ms)
-});
-
-export type CreateNewtProvisioningKeyBody = z.infer<typeof bodySchema>;
-
-export type CreateNewtProvisioningKeyResponse = {
-    provisioningKeyId: string;
-    provisioningKey: string; // returned only once: "id.secret"
-    lastChars: string;
-    createdAt: string;
-    expiresAt: number | null;
-};
-
-export async function createNewtProvisioningKey(
-    req: Request,
-    res: Response,
-    next: NextFunction
-): Promise<any> {
-    try {
-        const parsedParams = paramsSchema.safeParse(req.params);
-        if (!parsedParams.success) {
-            return next(
-                createHttpError(
-                    HttpCode.BAD_REQUEST,
-                    fromError(parsedParams.error).toString()
-                )
-            );
-        }
-
-        const parsedBody = bodySchema.safeParse(req.body);
-        if (!parsedBody.success) {
-            return next(
-                createHttpError(
-                    HttpCode.BAD_REQUEST,
-                    fromError(parsedBody.error).toString()
-                )
-            );
-        }
-
-        const { orgId } = parsedParams.data;
-        const { expiresAt } = parsedBody.data;
-
-        // Verify org exists
-        const [org] = await db.select().from(orgs).where(eq(orgs.orgId, orgId));
-        if (!org) {
-            return next(
-                createHttpError(HttpCode.NOT_FOUND, `Organization with ID ${orgId} not found`)
-            );
-        }
-
-        const provisioningKeyId = generateId(15);
-        const secret = generateIdFromEntropySize(25);
-        const keyHash = await hashPassword(secret);
-        const lastChars = secret.slice(-4);
-        const createdAt = moment().toISOString();
-        const provisioningKey = `${provisioningKeyId}.${secret}`;
-
-        await db.insert(newtProvisioningKeys).values({
-            provisioningKeyId,
-            orgId,
-            keyHash,
-            lastChars,
-            createdAt,
-            expiresAt: expiresAt ?? null
-        });
-
-        return response<CreateNewtProvisioningKeyResponse>(res, {
-            data: {
-                provisioningKeyId,
-                provisioningKey,
-                lastChars,
-                createdAt,
-                expiresAt: expiresAt ?? null
-            },
-            success: true,
-            error: false,
-            message: "Provisioning key created successfully",
-            status: HttpCode.CREATED
-        });
-    } catch (error) {
-        logger.error(error);
-        return next(
-            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
-        );
-    }
-}
diff --git a/server/routers/newt/index.ts b/server/routers/newt/index.ts
index 76207e8d4..33b5caf7c 100644
--- a/server/routers/newt/index.ts
+++ b/server/routers/newt/index.ts
@@ -10,4 +10,3 @@ export * from "./handleNewtPingMessage";
 export * from "./handleNewtDisconnectingMessage";
 export * from "./handleConnectionLogMessage";
 export * from "./registerNewt";
-export * from "./createNewtProvisioningKey";
diff --git a/server/routers/newt/registerNewt.ts b/server/routers/newt/registerNewt.ts
index f301b452a..b999eb35c 100644
--- a/server/routers/newt/registerNewt.ts
+++ b/server/routers/newt/registerNewt.ts
@@ -2,7 +2,8 @@ import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
 import {
-    newtProvisioningKeys,
+    siteProvisioningKeys,
+    siteProvisioningKeyOrg,
     newts,
     orgs,
     roles,
@@ -55,7 +56,7 @@ export async function registerNewt(
 
         const { provisioningKey } = parsedBody.data;
 
-        // Keys are in the format "id.secret"
+        // Keys are in the format "siteProvisioningKeyId.secret"
         const dotIndex = provisioningKey.indexOf(".");
         if (dotIndex === -1) {
             return next(
@@ -69,46 +70,51 @@ export async function registerNewt(
         const provisioningKeyId = provisioningKey.substring(0, dotIndex);
         const provisioningKeySecret = provisioningKey.substring(dotIndex + 1);
 
-        // Look up the provisioning key by ID
+        // Look up the provisioning key by ID, joining to get the orgId
         const [keyRecord] = await db
-            .select()
-            .from(newtProvisioningKeys)
+            .select({
+                siteProvisioningKeyId:
+                    siteProvisioningKeys.siteProvisioningKeyId,
+                siteProvisioningKeyHash:
+                    siteProvisioningKeys.siteProvisioningKeyHash,
+                orgId: siteProvisioningKeyOrg.orgId
+            })
+            .from(siteProvisioningKeys)
+            .innerJoin(
+                siteProvisioningKeyOrg,
+                eq(
+                    siteProvisioningKeys.siteProvisioningKeyId,
+                    siteProvisioningKeyOrg.siteProvisioningKeyId
+                )
+            )
             .where(
-                eq(newtProvisioningKeys.provisioningKeyId, provisioningKeyId)
+                eq(
+                    siteProvisioningKeys.siteProvisioningKeyId,
+                    provisioningKeyId
+                )
             )
             .limit(1);
 
         if (!keyRecord) {
-            return next(
-                createHttpError(HttpCode.UNAUTHORIZED, "Invalid provisioning key")
-            );
-        }
-
-        // Verify the secret
-        const validSecret = await verifyPassword(
-            provisioningKeySecret,
-            keyRecord.keyHash
-        );
-        if (!validSecret) {
-            return next(
-                createHttpError(HttpCode.UNAUTHORIZED, "Invalid provisioning key")
-            );
-        }
-
-        // Check if key has already been used
-        if (keyRecord.siteId !== null) {
             return next(
                 createHttpError(
-                    HttpCode.CONFLICT,
-                    "Provisioning key has already been used"
+                    HttpCode.UNAUTHORIZED,
+                    "Invalid provisioning key"
                 )
             );
         }
 
-        // Check expiry
-        if (keyRecord.expiresAt !== null && keyRecord.expiresAt < Date.now()) {
+        // Verify the secret portion against the stored hash
+        const validSecret = await verifyPassword(
+            provisioningKeySecret,
+            keyRecord.siteProvisioningKeyHash
+        );
+        if (!validSecret) {
             return next(
-                createHttpError(HttpCode.GONE, "Provisioning key has expired")
+                createHttpError(
+                    HttpCode.UNAUTHORIZED,
+                    "Invalid provisioning key"
+                )
             );
         }
 
@@ -200,13 +206,12 @@ export async function registerNewt(
                 dateCreated: moment().toISOString()
             });
 
-            // Mark the provisioning key as used
+            // Consume the provisioning key — cascade removes siteProvisioningKeyOrg
             await trx
-                .update(newtProvisioningKeys)
-                .set({ siteId: newSite.siteId })
+                .delete(siteProvisioningKeys)
                 .where(
                     eq(
-                        newtProvisioningKeys.provisioningKeyId,
+                        siteProvisioningKeys.siteProvisioningKeyId,
                         provisioningKeyId
                     )
                 );
diff --git a/server/routers/siteProvisioning/createSiteProvisioningKey.ts b/server/routers/siteProvisioning/createSiteProvisioningKey.ts
index 9bb298966..a10df65a6 100644
--- a/server/routers/siteProvisioning/createSiteProvisioningKey.ts
+++ b/server/routers/siteProvisioning/createSiteProvisioningKey.ts
@@ -28,6 +28,7 @@ export type CreateSiteProvisioningKeyResponse = {
     orgId: string;
     name: string;
     siteProvisioningKey: string;
+    provisioningKey: string; // combined "siteProvisioningKeyId.siteProvisioningKey" — put this in your newt config
     lastChars: string;
     createdAt: string;
 };
@@ -65,6 +66,7 @@ export async function createSiteProvisioningKey(
     const siteProvisioningKeyHash = await hashPassword(siteProvisioningKey);
     const lastChars = siteProvisioningKey.slice(-4);
     const createdAt = moment().toISOString();
+    const provisioningKey = `${siteProvisioningKeyId}.${siteProvisioningKey}`;
 
     await db.transaction(async (trx) => {
         await trx.insert(siteProvisioningKeys).values({
@@ -88,6 +90,7 @@ export async function createSiteProvisioningKey(
                 orgId,
                 name,
                 siteProvisioningKey,
+                provisioningKey,
                 lastChars,
                 createdAt
             },

From 3525b367b332eedcf689b0700ed47c6108120d11 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Tue, 24 Mar 2026 20:27:15 -0700
Subject: [PATCH 113/314] move to private routes

---
 messages/en-US.json                           |  16 +
 server/auth/actions.ts                        |   1 +
 server/db/pg/schema/privateSchema.ts          |   6 +-
 server/db/sqlite/schema/privateSchema.ts      |   6 +-
 server/lib/billing/tierMatrix.ts              |   6 +-
 .../routers/billing/featureLifecycle.ts       |  59 +++-
 server/private/routers/external.ts            |  46 ++-
 .../createSiteProvisioningKey.ts              |  67 +++-
 .../deleteSiteProvisioningKey.ts              |  13 +
 .../private/routers/siteProvisioning/index.ts |  17 +
 .../listSiteProvisioningKeys.ts               |  27 +-
 .../updateSiteProvisioningKey.ts              | 199 ++++++++++++
 server/routers/external.ts                    |  29 +-
 server/routers/siteProvisioning/index.ts      |   3 -
 server/routers/siteProvisioning/types.ts      |  41 +++
 .../settings/provisioning/create/page.tsx     |  10 -
 .../[orgId]/settings/provisioning/page.tsx    |  14 +-
 .../CreateSiteProvisioningKeyCredenza.tsx     | 162 +++++++++-
 .../EditSiteProvisioningKeyCredenza.tsx       | 297 ++++++++++++++++++
 src/components/LayoutMobileMenu.tsx           |   2 +-
 src/components/LayoutSidebar.tsx              |  18 +-
 src/components/ProductUpdates.tsx             |   8 +-
 src/components/SiteProvisioningKeysTable.tsx  | 106 ++++++-
 src/components/ui/data-table.tsx              |   4 +-
 24 files changed, 1054 insertions(+), 103 deletions(-)
 rename server/{ => private}/routers/siteProvisioning/createSiteProvisioningKey.ts (62%)
 rename server/{ => private}/routers/siteProvisioning/deleteSiteProvisioningKey.ts (90%)
 create mode 100644 server/private/routers/siteProvisioning/index.ts
 rename server/{ => private}/routers/siteProvisioning/listSiteProvisioningKeys.ts (80%)
 create mode 100644 server/private/routers/siteProvisioning/updateSiteProvisioningKey.ts
 delete mode 100644 server/routers/siteProvisioning/index.ts
 create mode 100644 server/routers/siteProvisioning/types.ts
 delete mode 100644 src/app/[orgId]/settings/provisioning/create/page.tsx
 create mode 100644 src/components/EditSiteProvisioningKeyCredenza.tsx

diff --git a/messages/en-US.json b/messages/en-US.json
index 1785f0491..a7d16f30f 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -342,6 +342,22 @@
     "provisioningKeysSaveDescription": "You will only be able to see this once. Copy it to a secure place.",
     "provisioningKeysErrorCreate": "Error creating provisioning key",
     "provisioningKeysList": "New provisioning key",
+    "provisioningKeysMaxBatchSize": "Max batch size",
+    "provisioningKeysUnlimitedBatchSize": "Unlimited batch size (no limit)",
+    "provisioningKeysMaxBatchUnlimited": "Unlimited",
+    "provisioningKeysMaxBatchSizeInvalid": "Enter a valid max batch size (1–1,000,000).",
+    "provisioningKeysValidUntil": "Valid until",
+    "provisioningKeysValidUntilHint": "Leave empty for no expiration.",
+    "provisioningKeysValidUntilInvalid": "Enter a valid date and time.",
+    "provisioningKeysNumUsed": "Times used",
+    "provisioningKeysLastUsed": "Last used",
+    "provisioningKeysNoExpiry": "No expiration",
+    "provisioningKeysNeverUsed": "Never",
+    "provisioningKeysEdit": "Edit Provisioning Key",
+    "provisioningKeysEditDescription": "Update the max batch size and expiration time for this key.",
+    "provisioningKeysUpdateError": "Error updating provisioning key",
+    "provisioningKeysUpdated": "Provisioning key updated",
+    "provisioningKeysUpdatedDescription": "Your changes have been saved.",
     "apiKeysSettings": "{apiKeyName} Settings",
     "userTitle": "Manage All Users",
     "userDescription": "View and manage all users in the system",
diff --git a/server/auth/actions.ts b/server/auth/actions.ts
index 6cdc4fa0a..20f1fe795 100644
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -111,6 +111,7 @@ export enum ActionsEnum {
     getApiKey = "getApiKey",
     createSiteProvisioningKey = "createSiteProvisioningKey",
     listSiteProvisioningKeys = "listSiteProvisioningKeys",
+    updateSiteProvisioningKey = "updateSiteProvisioningKey",
     deleteSiteProvisioningKey = "deleteSiteProvisioningKey",
     getCertificate = "getCertificate",
     restartCertificate = "restartCertificate",
diff --git a/server/db/pg/schema/privateSchema.ts b/server/db/pg/schema/privateSchema.ts
index b1dc98253..bb1e866c4 100644
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -387,7 +387,11 @@ export const siteProvisioningKeys = pgTable("siteProvisioningKeys", {
     name: varchar("name", { length: 255 }).notNull(),
     siteProvisioningKeyHash: text("siteProvisioningKeyHash").notNull(),
     lastChars: varchar("lastChars", { length: 4 }).notNull(),
-    createdAt: varchar("dateCreated", { length: 255 }).notNull()
+    createdAt: varchar("dateCreated", { length: 255 }).notNull(),
+    lastUsed: varchar("lastUsed", { length: 255 }),
+    maxBatchSize: integer("maxBatchSize"), // null = no limit
+    numUsed: integer("numUsed").notNull().default(0),
+    validUntil: varchar("validUntil", { length: 255 })
 });
 
 export const siteProvisioningKeyOrg = pgTable(
diff --git a/server/db/sqlite/schema/privateSchema.ts b/server/db/sqlite/schema/privateSchema.ts
index e78343d6d..5913497b3 100644
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -371,7 +371,11 @@ export const siteProvisioningKeys = sqliteTable("siteProvisioningKeys", {
     name: text("name").notNull(),
     siteProvisioningKeyHash: text("siteProvisioningKeyHash").notNull(),
     lastChars: text("lastChars").notNull(),
-    createdAt: text("dateCreated").notNull()
+    createdAt: text("dateCreated").notNull(),
+    lastUsed: text("lastUsed"),
+    maxBatchSize: integer("maxBatchSize"), // null = no limit
+    numUsed: integer("numUsed").notNull().default(0),
+    validUntil: text("validUntil")
 });
 
 export const siteProvisioningKeyOrg = sqliteTable(
diff --git a/server/lib/billing/tierMatrix.ts b/server/lib/billing/tierMatrix.ts
index f8a0cd2f5..8c41be5bf 100644
--- a/server/lib/billing/tierMatrix.ts
+++ b/server/lib/billing/tierMatrix.ts
@@ -16,7 +16,8 @@ export enum TierFeature {
     SessionDurationPolicies = "sessionDurationPolicies", // handle downgrade by setting to default duration
     PasswordExpirationPolicies = "passwordExpirationPolicies", // handle downgrade by setting to default duration
     AutoProvisioning = "autoProvisioning", // handle downgrade by disabling auto provisioning
-    SshPam = "sshPam"
+    SshPam = "sshPam",
+    SiteProvisioningKeys = "siteProvisioningKeys" // handle downgrade by revoking keys if needed
 }
 
 export const tierMatrix: Record<TierFeature, Tier[]> = {
@@ -50,5 +51,6 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
         "enterprise"
     ],
     [TierFeature.AutoProvisioning]: ["tier1", "tier3", "enterprise"],
-    [TierFeature.SshPam]: ["tier1", "tier3", "enterprise"]
+    [TierFeature.SshPam]: ["tier1", "tier3", "enterprise"],
+    [TierFeature.SiteProvisioningKeys]: ["enterprise"]
 };
diff --git a/server/private/routers/billing/featureLifecycle.ts b/server/private/routers/billing/featureLifecycle.ts
index 9536a87f0..32e81784b 100644
--- a/server/private/routers/billing/featureLifecycle.ts
+++ b/server/private/routers/billing/featureLifecycle.ts
@@ -26,9 +26,11 @@ import {
     orgs,
     resources,
     roles,
+    siteProvisioningKeyOrg,
+    siteProvisioningKeys,
     siteResources
 } from "@server/db";
-import { eq } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 
 /**
  * Get the maximum allowed retention days for a given tier
@@ -291,6 +293,10 @@ async function disableFeature(
                 await disableSshPam(orgId);
                 break;
 
+            case TierFeature.SiteProvisioningKeys:
+                await disableSiteProvisioningKeys(orgId);
+                break;
+
             default:
                 logger.warn(
                     `Unknown feature ${feature} for org ${orgId}, skipping`
@@ -326,6 +332,57 @@ async function disableSshPam(orgId: string): Promise<void> {
     );
 }
 
+async function disableSiteProvisioningKeys(orgId: string): Promise<void> {
+    const rows = await db
+        .select({
+            siteProvisioningKeyId:
+                siteProvisioningKeyOrg.siteProvisioningKeyId
+        })
+        .from(siteProvisioningKeyOrg)
+        .where(eq(siteProvisioningKeyOrg.orgId, orgId));
+
+    for (const { siteProvisioningKeyId } of rows) {
+        await db.transaction(async (trx) => {
+            await trx
+                .delete(siteProvisioningKeyOrg)
+                .where(
+                    and(
+                        eq(
+                            siteProvisioningKeyOrg.siteProvisioningKeyId,
+                            siteProvisioningKeyId
+                        ),
+                        eq(siteProvisioningKeyOrg.orgId, orgId)
+                    )
+                );
+
+            const remaining = await trx
+                .select()
+                .from(siteProvisioningKeyOrg)
+                .where(
+                    eq(
+                        siteProvisioningKeyOrg.siteProvisioningKeyId,
+                        siteProvisioningKeyId
+                    )
+                );
+
+            if (remaining.length === 0) {
+                await trx
+                    .delete(siteProvisioningKeys)
+                    .where(
+                        eq(
+                            siteProvisioningKeys.siteProvisioningKeyId,
+                            siteProvisioningKeyId
+                        )
+                    );
+            }
+        });
+    }
+
+    logger.info(
+        `Removed site provisioning keys for org ${orgId} after tier downgrade`
+    );
+}
+
 async function disableLoginPageBranding(orgId: string): Promise<void> {
     const [existingBranding] = await db
         .select()
diff --git a/server/private/routers/external.ts b/server/private/routers/external.ts
index f06ad4517..6cac25e20 100644
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -26,6 +26,7 @@ import * as misc from "#private/routers/misc";
 import * as reKey from "#private/routers/re-key";
 import * as approval from "#private/routers/approvals";
 import * as ssh from "#private/routers/ssh";
+import * as siteProvisioning from "#private/routers/siteProvisioning";
 
 import {
     verifyOrgAccess,
@@ -33,7 +34,8 @@ import {
     verifyUserIsServerAdmin,
     verifySiteAccess,
     verifyClientAccess,
-    verifyLimits
+    verifyLimits,
+    verifySiteProvisioningKeyAccess
 } from "@server/middlewares";
 import { ActionsEnum } from "@server/auth/actions";
 import {
@@ -537,3 +539,45 @@ authenticated.post(
     // logActionAudit(ActionsEnum.signSshKey), // it is handled inside of the function below so we can include more metadata
     ssh.signSshKey
 );
+
+authenticated.put(
+    "/org/:orgId/site-provisioning-key",
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.siteProvisioningKeys),
+    verifyOrgAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.createSiteProvisioningKey),
+    logActionAudit(ActionsEnum.createSiteProvisioningKey),
+    siteProvisioning.createSiteProvisioningKey
+);
+
+authenticated.get(
+    "/org/:orgId/site-provisioning-keys",
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.siteProvisioningKeys),
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.listSiteProvisioningKeys),
+    siteProvisioning.listSiteProvisioningKeys
+);
+
+authenticated.delete(
+    "/org/:orgId/site-provisioning-key/:siteProvisioningKeyId",
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.siteProvisioningKeys),
+    verifyOrgAccess,
+    verifySiteProvisioningKeyAccess,
+    verifyUserHasAction(ActionsEnum.deleteSiteProvisioningKey),
+    logActionAudit(ActionsEnum.deleteSiteProvisioningKey),
+    siteProvisioning.deleteSiteProvisioningKey
+);
+
+authenticated.patch(
+    "/org/:orgId/site-provisioning-key/:siteProvisioningKeyId",
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.siteProvisioningKeys),
+    verifyOrgAccess,
+    verifySiteProvisioningKeyAccess,
+    verifyUserHasAction(ActionsEnum.updateSiteProvisioningKey),
+    logActionAudit(ActionsEnum.updateSiteProvisioningKey),
+    siteProvisioning.updateSiteProvisioningKey
+);
diff --git a/server/routers/siteProvisioning/createSiteProvisioningKey.ts b/server/private/routers/siteProvisioning/createSiteProvisioningKey.ts
similarity index 62%
rename from server/routers/siteProvisioning/createSiteProvisioningKey.ts
rename to server/private/routers/siteProvisioning/createSiteProvisioningKey.ts
index 9bb298966..45d980810 100644
--- a/server/routers/siteProvisioning/createSiteProvisioningKey.ts
+++ b/server/private/routers/siteProvisioning/createSiteProvisioningKey.ts
@@ -1,3 +1,16 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
 import { NextFunction, Request, Response } from "express";
 import { db, siteProvisioningKeyOrg, siteProvisioningKeys } from "@server/db";
 import HttpCode from "@server/types/HttpCode";
@@ -12,26 +25,37 @@ import {
 } from "@server/auth/sessions/app";
 import logger from "@server/logger";
 import { hashPassword } from "@server/auth/password";
+import type { CreateSiteProvisioningKeyResponse } from "@server/routers/siteProvisioning/types";
 
 const paramsSchema = z.object({
     orgId: z.string().nonempty()
 });
 
-const bodySchema = z.strictObject({
-    name: z.string().min(1).max(255)
-});
+const bodySchema = z
+    .strictObject({
+        name: z.string().min(1).max(255),
+        maxBatchSize: z.union([
+            z.null(),
+            z.coerce.number().int().positive().max(1_000_000)
+        ]),
+        validUntil: z.string().max(255).optional()
+    })
+    .superRefine((data, ctx) => {
+        const v = data.validUntil;
+        if (v == null || v.trim() === "") {
+            return;
+        }
+        if (Number.isNaN(Date.parse(v))) {
+            ctx.addIssue({
+                code: "custom",
+                message: "Invalid validUntil",
+                path: ["validUntil"]
+            });
+        }
+    });
 
 export type CreateSiteProvisioningKeyBody = z.infer<typeof bodySchema>;
 
-export type CreateSiteProvisioningKeyResponse = {
-    siteProvisioningKeyId: string;
-    orgId: string;
-    name: string;
-    siteProvisioningKey: string;
-    lastChars: string;
-    createdAt: string;
-};
-
 export async function createSiteProvisioningKey(
     req: Request,
     res: Response,
@@ -58,7 +82,12 @@ export async function createSiteProvisioningKey(
     }
 
     const { orgId } = parsedParams.data;
-    const { name } = parsedBody.data;
+    const { name, maxBatchSize } = parsedBody.data;
+    const vuRaw = parsedBody.data.validUntil;
+    const validUntil =
+        vuRaw == null || vuRaw.trim() === ""
+            ? null
+            : new Date(Date.parse(vuRaw)).toISOString();
 
     const siteProvisioningKeyId = `spk-${generateId(15)}`;
     const siteProvisioningKey = generateIdFromEntropySize(25);
@@ -72,7 +101,11 @@ export async function createSiteProvisioningKey(
             name,
             siteProvisioningKeyHash,
             createdAt,
-            lastChars
+            lastChars,
+            lastUsed: null,
+            maxBatchSize,
+            numUsed: 0,
+            validUntil
         });
 
         await trx.insert(siteProvisioningKeyOrg).values({
@@ -89,7 +122,11 @@ export async function createSiteProvisioningKey(
                 name,
                 siteProvisioningKey,
                 lastChars,
-                createdAt
+                createdAt,
+                lastUsed: null,
+                maxBatchSize,
+                numUsed: 0,
+                validUntil
             },
             success: true,
             error: false,
diff --git a/server/routers/siteProvisioning/deleteSiteProvisioningKey.ts b/server/private/routers/siteProvisioning/deleteSiteProvisioningKey.ts
similarity index 90%
rename from server/routers/siteProvisioning/deleteSiteProvisioningKey.ts
rename to server/private/routers/siteProvisioning/deleteSiteProvisioningKey.ts
index d1da01d97..fc8b05e60 100644
--- a/server/routers/siteProvisioning/deleteSiteProvisioningKey.ts
+++ b/server/private/routers/siteProvisioning/deleteSiteProvisioningKey.ts
@@ -1,3 +1,16 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import {
diff --git a/server/private/routers/siteProvisioning/index.ts b/server/private/routers/siteProvisioning/index.ts
new file mode 100644
index 000000000..d143274f6
--- /dev/null
+++ b/server/private/routers/siteProvisioning/index.ts
@@ -0,0 +1,17 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+export * from "./createSiteProvisioningKey";
+export * from "./listSiteProvisioningKeys";
+export * from "./deleteSiteProvisioningKey";
+export * from "./updateSiteProvisioningKey";
diff --git a/server/routers/siteProvisioning/listSiteProvisioningKeys.ts b/server/private/routers/siteProvisioning/listSiteProvisioningKeys.ts
similarity index 80%
rename from server/routers/siteProvisioning/listSiteProvisioningKeys.ts
rename to server/private/routers/siteProvisioning/listSiteProvisioningKeys.ts
index 65360625c..5f7531a2c 100644
--- a/server/routers/siteProvisioning/listSiteProvisioningKeys.ts
+++ b/server/private/routers/siteProvisioning/listSiteProvisioningKeys.ts
@@ -1,3 +1,16 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
 import {
     db,
     siteProvisioningKeyOrg,
@@ -11,6 +24,7 @@ import createHttpError from "http-errors";
 import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import { eq } from "drizzle-orm";
+import type { ListSiteProvisioningKeysResponse } from "@server/routers/siteProvisioning/types";
 
 const paramsSchema = z.object({
     orgId: z.string().nonempty()
@@ -39,7 +53,11 @@ function querySiteProvisioningKeys(orgId: string) {
             orgId: siteProvisioningKeyOrg.orgId,
             lastChars: siteProvisioningKeys.lastChars,
             createdAt: siteProvisioningKeys.createdAt,
-            name: siteProvisioningKeys.name
+            name: siteProvisioningKeys.name,
+            lastUsed: siteProvisioningKeys.lastUsed,
+            maxBatchSize: siteProvisioningKeys.maxBatchSize,
+            numUsed: siteProvisioningKeys.numUsed,
+            validUntil: siteProvisioningKeys.validUntil
         })
         .from(siteProvisioningKeyOrg)
         .innerJoin(
@@ -52,13 +70,6 @@ function querySiteProvisioningKeys(orgId: string) {
         .where(eq(siteProvisioningKeyOrg.orgId, orgId));
 }
 
-export type ListSiteProvisioningKeysResponse = {
-    siteProvisioningKeys: Awaited<
-        ReturnType<typeof querySiteProvisioningKeys>
-    >;
-    pagination: { total: number; limit: number; offset: number };
-};
-
 export async function listSiteProvisioningKeys(
     req: Request,
     res: Response,
diff --git a/server/private/routers/siteProvisioning/updateSiteProvisioningKey.ts b/server/private/routers/siteProvisioning/updateSiteProvisioningKey.ts
new file mode 100644
index 000000000..526d8bfb8
--- /dev/null
+++ b/server/private/routers/siteProvisioning/updateSiteProvisioningKey.ts
@@ -0,0 +1,199 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import {
+    db,
+    siteProvisioningKeyOrg,
+    siteProvisioningKeys
+} from "@server/db";
+import { and, eq } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import type { UpdateSiteProvisioningKeyResponse } from "@server/routers/siteProvisioning/types";
+
+const paramsSchema = z.object({
+    siteProvisioningKeyId: z.string().nonempty(),
+    orgId: z.string().nonempty()
+});
+
+const bodySchema = z
+    .strictObject({
+        maxBatchSize: z
+            .union([
+                z.null(),
+                z.coerce.number().int().positive().max(1_000_000)
+            ])
+            .optional(),
+        validUntil: z.string().max(255).optional()
+    })
+    .superRefine((data, ctx) => {
+        if (
+            data.maxBatchSize === undefined &&
+            data.validUntil === undefined
+        ) {
+            ctx.addIssue({
+                code: "custom",
+                message: "Provide maxBatchSize and/or validUntil",
+                path: ["maxBatchSize"]
+            });
+        }
+        const v = data.validUntil;
+        if (v == null || v.trim() === "") {
+            return;
+        }
+        if (Number.isNaN(Date.parse(v))) {
+            ctx.addIssue({
+                code: "custom",
+                message: "Invalid validUntil",
+                path: ["validUntil"]
+            });
+        }
+    });
+
+export type UpdateSiteProvisioningKeyBody = z.infer<typeof bodySchema>;
+
+export async function updateSiteProvisioningKey(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { siteProvisioningKeyId, orgId } = parsedParams.data;
+        const body = parsedBody.data;
+
+        const [row] = await db
+            .select()
+            .from(siteProvisioningKeys)
+            .where(
+                eq(
+                    siteProvisioningKeys.siteProvisioningKeyId,
+                    siteProvisioningKeyId
+                )
+            )
+            .innerJoin(
+                siteProvisioningKeyOrg,
+                and(
+                    eq(
+                        siteProvisioningKeys.siteProvisioningKeyId,
+                        siteProvisioningKeyOrg.siteProvisioningKeyId
+                    ),
+                    eq(siteProvisioningKeyOrg.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!row) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Site provisioning key with ID ${siteProvisioningKeyId} not found`
+                )
+            );
+        }
+
+        const setValues: {
+            maxBatchSize?: number | null;
+            validUntil?: string | null;
+        } = {};
+        if (body.maxBatchSize !== undefined) {
+            setValues.maxBatchSize = body.maxBatchSize;
+        }
+        if (body.validUntil !== undefined) {
+            setValues.validUntil =
+                body.validUntil.trim() === ""
+                    ? null
+                    : new Date(Date.parse(body.validUntil)).toISOString();
+        }
+
+        await db
+            .update(siteProvisioningKeys)
+            .set(setValues)
+            .where(
+                eq(
+                    siteProvisioningKeys.siteProvisioningKeyId,
+                    siteProvisioningKeyId
+                )
+            );
+
+        const [updated] = await db
+            .select({
+                siteProvisioningKeyId:
+                    siteProvisioningKeys.siteProvisioningKeyId,
+                name: siteProvisioningKeys.name,
+                lastChars: siteProvisioningKeys.lastChars,
+                createdAt: siteProvisioningKeys.createdAt,
+                lastUsed: siteProvisioningKeys.lastUsed,
+                maxBatchSize: siteProvisioningKeys.maxBatchSize,
+                numUsed: siteProvisioningKeys.numUsed,
+                validUntil: siteProvisioningKeys.validUntil
+            })
+            .from(siteProvisioningKeys)
+            .where(
+                eq(
+                    siteProvisioningKeys.siteProvisioningKeyId,
+                    siteProvisioningKeyId
+                )
+            )
+            .limit(1);
+
+        if (!updated) {
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Failed to load updated site provisioning key"
+                )
+            );
+        }
+
+        return response<UpdateSiteProvisioningKeyResponse>(res, {
+            data: {
+                ...updated,
+                orgId
+            },
+            success: true,
+            error: false,
+            message: "Site provisioning key updated successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
diff --git a/server/routers/external.ts b/server/routers/external.ts
index 90f208863..45ab58bba 100644
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -15,7 +15,6 @@ import * as accessToken from "./accessToken";
 import * as idp from "./idp";
 import * as blueprints from "./blueprints";
 import * as apiKeys from "./apiKeys";
-import * as siteProvisioning from "./siteProvisioning";
 import * as logs from "./auditLogs";
 import * as newt from "./newt";
 import * as olm from "./olm";
@@ -43,8 +42,7 @@ import {
     verifyUserIsOrgOwner,
     verifySiteResourceAccess,
     verifyOlmAccess,
-    verifyLimits,
-    verifySiteProvisioningKeyAccess
+    verifyLimits
 } from "@server/middlewares";
 import { ActionsEnum } from "@server/auth/actions";
 import rateLimit, { ipKeyGenerator } from "express-rate-limit";
@@ -988,31 +986,6 @@ authenticated.get(
     apiKeys.listRootApiKeys
 );
 
-authenticated.put(
-    `/org/:orgId/site-provisioning-key`,
-    verifyOrgAccess,
-    verifyLimits,
-    verifyUserHasAction(ActionsEnum.createSiteProvisioningKey),
-    logActionAudit(ActionsEnum.createSiteProvisioningKey),
-    siteProvisioning.createSiteProvisioningKey
-);
-
-authenticated.get(
-    `/org/:orgId/site-provisioning-keys`,
-    verifyOrgAccess,
-    verifyUserHasAction(ActionsEnum.listSiteProvisioningKeys),
-    siteProvisioning.listSiteProvisioningKeys
-);
-
-authenticated.delete(
-    `/org/:orgId/site-provisioning-key/:siteProvisioningKeyId`,
-    verifyOrgAccess,
-    verifySiteProvisioningKeyAccess,
-    verifyUserHasAction(ActionsEnum.deleteSiteProvisioningKey),
-    logActionAudit(ActionsEnum.deleteSiteProvisioningKey),
-    siteProvisioning.deleteSiteProvisioningKey
-);
-
 authenticated.get(
     `/api-key/:apiKeyId/actions`,
     verifyUserIsServerAdmin,
diff --git a/server/routers/siteProvisioning/index.ts b/server/routers/siteProvisioning/index.ts
deleted file mode 100644
index b3f69f100..000000000
--- a/server/routers/siteProvisioning/index.ts
+++ /dev/null
@@ -1,3 +0,0 @@
-export * from "./createSiteProvisioningKey";
-export * from "./listSiteProvisioningKeys";
-export * from "./deleteSiteProvisioningKey";
diff --git a/server/routers/siteProvisioning/types.ts b/server/routers/siteProvisioning/types.ts
new file mode 100644
index 000000000..d06c1fe26
--- /dev/null
+++ b/server/routers/siteProvisioning/types.ts
@@ -0,0 +1,41 @@
+export type SiteProvisioningKeyListItem = {
+    siteProvisioningKeyId: string;
+    orgId: string;
+    lastChars: string;
+    createdAt: string;
+    name: string;
+    lastUsed: string | null;
+    maxBatchSize: number | null;
+    numUsed: number;
+    validUntil: string | null;
+};
+
+export type ListSiteProvisioningKeysResponse = {
+    siteProvisioningKeys: SiteProvisioningKeyListItem[];
+    pagination: { total: number; limit: number; offset: number };
+};
+
+export type CreateSiteProvisioningKeyResponse = {
+    siteProvisioningKeyId: string;
+    orgId: string;
+    name: string;
+    siteProvisioningKey: string;
+    lastChars: string;
+    createdAt: string;
+    lastUsed: string | null;
+    maxBatchSize: number | null;
+    numUsed: number;
+    validUntil: string | null;
+};
+
+export type UpdateSiteProvisioningKeyResponse = {
+    siteProvisioningKeyId: string;
+    orgId: string;
+    name: string;
+    lastChars: string;
+    createdAt: string;
+    lastUsed: string | null;
+    maxBatchSize: number | null;
+    numUsed: number;
+    validUntil: string | null;
+};
diff --git a/src/app/[orgId]/settings/provisioning/create/page.tsx b/src/app/[orgId]/settings/provisioning/create/page.tsx
deleted file mode 100644
index 98573147a..000000000
--- a/src/app/[orgId]/settings/provisioning/create/page.tsx
+++ /dev/null
@@ -1,10 +0,0 @@
-import { redirect } from "next/navigation";
-
-type PageProps = {
-    params: Promise<{ orgId: string }>;
-};
-
-export default async function ProvisioningCreateRedirect(props: PageProps) {
-    const params = await props.params;
-    redirect(`/${params.orgId}/settings/provisioning`);
-}
diff --git a/src/app/[orgId]/settings/provisioning/page.tsx b/src/app/[orgId]/settings/provisioning/page.tsx
index f8a30b86f..e8b53104f 100644
--- a/src/app/[orgId]/settings/provisioning/page.tsx
+++ b/src/app/[orgId]/settings/provisioning/page.tsx
@@ -1,12 +1,14 @@
 import { internal } from "@app/lib/api";
 import { authCookieHeader } from "@app/lib/api/cookies";
 import { AxiosResponse } from "axios";
+import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
 import SiteProvisioningKeysTable, {
     SiteProvisioningKeyRow
 } from "../../../../components/SiteProvisioningKeysTable";
-import { ListSiteProvisioningKeysResponse } from "@server/routers/siteProvisioning/listSiteProvisioningKeys";
+import { ListSiteProvisioningKeysResponse } from "@server/routers/siteProvisioning/types";
 import { getTranslations } from "next-intl/server";
+import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
 
 type ProvisioningPageProps = {
     params: Promise<{ orgId: string }>;
@@ -34,7 +36,11 @@ export default async function ProvisioningPage(props: ProvisioningPageProps) {
         name: k.name,
         id: k.siteProvisioningKeyId,
         key: `${k.siteProvisioningKeyId}••••••••••••••••••••${k.lastChars}`,
-        createdAt: k.createdAt
+        createdAt: k.createdAt,
+        lastUsed: k.lastUsed,
+        maxBatchSize: k.maxBatchSize,
+        numUsed: k.numUsed,
+        validUntil: k.validUntil
     }));
 
     return (
@@ -44,6 +50,10 @@ export default async function ProvisioningPage(props: ProvisioningPageProps) {
                 description={t("provisioningKeysDescription")}
             />
 
+            <PaidFeaturesAlert
+                tiers={tierMatrix[TierFeature.SiteProvisioningKeys]}
+            />
+
             <SiteProvisioningKeysTable keys={rows} orgId={params.orgId} />
         </>
     );
diff --git a/src/components/CreateSiteProvisioningKeyCredenza.tsx b/src/components/CreateSiteProvisioningKeyCredenza.tsx
index 456731ed6..70c48ff08 100644
--- a/src/components/CreateSiteProvisioningKeyCredenza.tsx
+++ b/src/components/CreateSiteProvisioningKeyCredenza.tsx
@@ -13,18 +13,20 @@ import {
 import {
     Form,
     FormControl,
+    FormDescription,
     FormField,
     FormItem,
     FormLabel,
     FormMessage
 } from "@app/components/ui/form";
 import { Button } from "@app/components/ui/button";
+import { Checkbox } from "@app/components/ui/checkbox";
 import { Input } from "@app/components/ui/input";
 import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { toast } from "@app/hooks/useToast";
 import { createApiClient, formatAxiosError } from "@app/lib/api";
-import { CreateSiteProvisioningKeyResponse } from "@server/routers/siteProvisioning/createSiteProvisioningKey";
+import { CreateSiteProvisioningKeyResponse } from "@server/routers/siteProvisioning/types";
 import { AxiosResponse } from "axios";
 import { InfoIcon } from "lucide-react";
 import { useTranslations } from "next-intl";
@@ -55,30 +57,61 @@ export default function CreateSiteProvisioningKeyCredenza({
     const [created, setCreated] =
         useState<CreateSiteProvisioningKeyResponse | null>(null);
 
-    const createFormSchema = z.object({
-        name: z
-            .string()
-            .min(1, {
-                message: t("nameMin", { len: 1 })
-            })
-            .max(255, {
-                message: t("nameMax", { len: 255 })
-            })
-    });
+    const createFormSchema = z
+        .object({
+            name: z
+                .string()
+                .min(1, {
+                    message: t("nameMin", { len: 1 })
+                })
+                .max(255, {
+                    message: t("nameMax", { len: 255 })
+                }),
+            unlimitedBatchSize: z.boolean(),
+            maxBatchSize: z
+                .number()
+                .int()
+                .min(1, { message: t("provisioningKeysMaxBatchSizeInvalid") })
+                .max(1_000_000, {
+                    message: t("provisioningKeysMaxBatchSizeInvalid")
+                }),
+            validUntil: z.string().optional()
+        })
+        .superRefine((data, ctx) => {
+            const v = data.validUntil;
+            if (v == null || v.trim() === "") {
+                return;
+            }
+            if (Number.isNaN(Date.parse(v))) {
+                ctx.addIssue({
+                    code: "custom",
+                    message: t("provisioningKeysValidUntilInvalid"),
+                    path: ["validUntil"]
+                });
+            }
+        });
 
     type CreateFormValues = z.infer<typeof createFormSchema>;
 
     const form = useForm<CreateFormValues>({
         resolver: zodResolver(createFormSchema),
         defaultValues: {
-            name: ""
+            name: "",
+            unlimitedBatchSize: false,
+            maxBatchSize: 100,
+            validUntil: ""
         }
     });
 
     useEffect(() => {
         if (!open) {
             setCreated(null);
-            form.reset({ name: "" });
+            form.reset({
+                name: "",
+                unlimitedBatchSize: false,
+                maxBatchSize: 100,
+                validUntil: ""
+            });
         }
     }, [open, form]);
 
@@ -88,7 +121,16 @@ export default function CreateSiteProvisioningKeyCredenza({
             const res = await api
                 .put<
                     AxiosResponse<CreateSiteProvisioningKeyResponse>
-                >(`/org/${orgId}/site-provisioning-key`, { name: data.name })
+                >(`/org/${orgId}/site-provisioning-key`, {
+                    name: data.name,
+                    maxBatchSize: data.unlimitedBatchSize
+                        ? null
+                        : data.maxBatchSize,
+                    validUntil:
+                        data.validUntil == null || data.validUntil.trim() === ""
+                            ? undefined
+                            : data.validUntil
+                })
                 .catch((e) => {
                     toast({
                         variant: "destructive",
@@ -110,6 +152,8 @@ export default function CreateSiteProvisioningKeyCredenza({
         created &&
         `${created.siteProvisioningKeyId}.${created.siteProvisioningKey}`;
 
+    const unlimitedBatchSize = form.watch("unlimitedBatchSize");
+
     return (
         <Credenza open={open} onOpenChange={setOpen}>
             <CredenzaContent>
@@ -149,6 +193,96 @@ export default function CreateSiteProvisioningKeyCredenza({
                                         </FormItem>
                                     )}
                                 />
+                                <FormField
+                                    control={form.control}
+                                    name="maxBatchSize"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormLabel>
+                                                {t(
+                                                    "provisioningKeysMaxBatchSize"
+                                                )}
+                                            </FormLabel>
+                                            <FormControl>
+                                                <Input
+                                                    type="number"
+                                                    min={1}
+                                                    max={1_000_000}
+                                                    autoComplete="off"
+                                                    disabled={
+                                                        unlimitedBatchSize
+                                                    }
+                                                    name={field.name}
+                                                    ref={field.ref}
+                                                    onBlur={field.onBlur}
+                                                    onChange={(e) => {
+                                                        const v =
+                                                            e.target.value;
+                                                        field.onChange(
+                                                            v === ""
+                                                                ? 100
+                                                                : Number(v)
+                                                        );
+                                                    }}
+                                                    value={field.value}
+                                                />
+                                            </FormControl>
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
+                                <FormField
+                                    control={form.control}
+                                    name="unlimitedBatchSize"
+                                    render={({ field }) => (
+                                        <FormItem className="flex flex-row items-center gap-3 space-y-0">
+                                            <FormControl>
+                                                <Checkbox
+                                                    id="provisioning-unlimited-batch"
+                                                    checked={field.value}
+                                                    onCheckedChange={(c) =>
+                                                        field.onChange(
+                                                            c === true
+                                                        )
+                                                    }
+                                                />
+                                            </FormControl>
+                                            <FormLabel
+                                                htmlFor="provisioning-unlimited-batch"
+                                                className="cursor-pointer font-normal !mt-0"
+                                            >
+                                                {t(
+                                                    "provisioningKeysUnlimitedBatchSize"
+                                                )}
+                                            </FormLabel>
+                                        </FormItem>
+                                    )}
+                                />
+                                <FormField
+                                    control={form.control}
+                                    name="validUntil"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormLabel>
+                                                {t(
+                                                    "provisioningKeysValidUntil"
+                                                )}
+                                            </FormLabel>
+                                            <FormControl>
+                                                <Input
+                                                    type="datetime-local"
+                                                    {...field}
+                                                />
+                                            </FormControl>
+                                            <FormDescription>
+                                                {t(
+                                                    "provisioningKeysValidUntilHint"
+                                                )}
+                                            </FormDescription>
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
                             </form>
                         </Form>
                     )}
diff --git a/src/components/EditSiteProvisioningKeyCredenza.tsx b/src/components/EditSiteProvisioningKeyCredenza.tsx
new file mode 100644
index 000000000..9603374d5
--- /dev/null
+++ b/src/components/EditSiteProvisioningKeyCredenza.tsx
@@ -0,0 +1,297 @@
+"use client";
+
+import {
+    Credenza,
+    CredenzaBody,
+    CredenzaClose,
+    CredenzaContent,
+    CredenzaDescription,
+    CredenzaFooter,
+    CredenzaHeader,
+    CredenzaTitle
+} from "@app/components/Credenza";
+import {
+    Form,
+    FormControl,
+    FormDescription,
+    FormField,
+    FormItem,
+    FormLabel,
+    FormMessage
+} from "@app/components/ui/form";
+import { Button } from "@app/components/ui/button";
+import { Checkbox } from "@app/components/ui/checkbox";
+import { Input } from "@app/components/ui/input";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { toast } from "@app/hooks/useToast";
+import { createApiClient, formatAxiosError } from "@app/lib/api";
+import { UpdateSiteProvisioningKeyResponse } from "@server/routers/siteProvisioning/types";
+import { AxiosResponse } from "axios";
+import { useTranslations } from "next-intl";
+import { useRouter } from "next/navigation";
+import { useEffect, useState } from "react";
+import { useForm } from "react-hook-form";
+import { z } from "zod";
+import { zodResolver } from "@hookform/resolvers/zod";
+import moment from "moment";
+
+const FORM_ID = "edit-site-provisioning-key-form";
+
+export type EditableSiteProvisioningKey = {
+    id: string;
+    name: string;
+    maxBatchSize: number | null;
+    validUntil: string | null;
+};
+
+type EditSiteProvisioningKeyCredenzaProps = {
+    open: boolean;
+    setOpen: (open: boolean) => void;
+    orgId: string;
+    provisioningKey: EditableSiteProvisioningKey | null;
+};
+
+export default function EditSiteProvisioningKeyCredenza({
+    open,
+    setOpen,
+    orgId,
+    provisioningKey
+}: EditSiteProvisioningKeyCredenzaProps) {
+    const t = useTranslations();
+    const router = useRouter();
+    const api = createApiClient(useEnvContext());
+    const [loading, setLoading] = useState(false);
+
+    const editFormSchema = z
+        .object({
+            name: z.string(),
+            unlimitedBatchSize: z.boolean(),
+            maxBatchSize: z
+                .number()
+                .int()
+                .min(1, { message: t("provisioningKeysMaxBatchSizeInvalid") })
+                .max(1_000_000, {
+                    message: t("provisioningKeysMaxBatchSizeInvalid")
+                }),
+            validUntil: z.string().optional()
+        })
+        .superRefine((data, ctx) => {
+            const v = data.validUntil;
+            if (v == null || v.trim() === "") {
+                return;
+            }
+            if (Number.isNaN(Date.parse(v))) {
+                ctx.addIssue({
+                    code: "custom",
+                    message: t("provisioningKeysValidUntilInvalid"),
+                    path: ["validUntil"]
+                });
+            }
+        });
+
+    type EditFormValues = z.infer<typeof editFormSchema>;
+
+    const form = useForm<EditFormValues>({
+        resolver: zodResolver(editFormSchema),
+        defaultValues: {
+            name: "",
+            unlimitedBatchSize: false,
+            maxBatchSize: 100,
+            validUntil: ""
+        }
+    });
+
+    useEffect(() => {
+        if (!open || !provisioningKey) {
+            return;
+        }
+        form.reset({
+            name: provisioningKey.name,
+            unlimitedBatchSize: provisioningKey.maxBatchSize == null,
+            maxBatchSize: provisioningKey.maxBatchSize ?? 100,
+            validUntil: provisioningKey.validUntil
+                ? moment(provisioningKey.validUntil).format("YYYY-MM-DDTHH:mm")
+                : ""
+        });
+    }, [open, provisioningKey, form]);
+
+    async function onSubmit(data: EditFormValues) {
+        if (!provisioningKey) {
+            return;
+        }
+        setLoading(true);
+        try {
+            const res = await api
+                .patch<
+                    AxiosResponse<UpdateSiteProvisioningKeyResponse>
+                >(
+                    `/org/${orgId}/site-provisioning-key/${provisioningKey.id}`,
+                    {
+                        maxBatchSize: data.unlimitedBatchSize
+                            ? null
+                            : data.maxBatchSize,
+                        validUntil:
+                            data.validUntil == null ||
+                            data.validUntil.trim() === ""
+                                ? ""
+                                : data.validUntil
+                    }
+                )
+                .catch((e) => {
+                    toast({
+                        variant: "destructive",
+                        title: t("provisioningKeysUpdateError"),
+                        description: formatAxiosError(e)
+                    });
+                });
+
+            if (res && res.status === 200) {
+                toast({
+                    title: t("provisioningKeysUpdated"),
+                    description: t("provisioningKeysUpdatedDescription")
+                });
+                setOpen(false);
+                router.refresh();
+            }
+        } finally {
+            setLoading(false);
+        }
+    }
+
+    const unlimitedBatchSize = form.watch("unlimitedBatchSize");
+
+    if (!provisioningKey) {
+        return null;
+    }
+
+    return (
+        <Credenza open={open} onOpenChange={setOpen}>
+            <CredenzaContent>
+                <CredenzaHeader>
+                    <CredenzaTitle>{t("provisioningKeysEdit")}</CredenzaTitle>
+                    <CredenzaDescription>
+                        {t("provisioningKeysEditDescription")}
+                    </CredenzaDescription>
+                </CredenzaHeader>
+                <CredenzaBody>
+                    <Form {...form}>
+                        <form
+                            id={FORM_ID}
+                            onSubmit={form.handleSubmit(onSubmit)}
+                            className="space-y-4"
+                        >
+                            <FormField
+                                control={form.control}
+                                name="name"
+                                render={({ field }) => (
+                                    <FormItem>
+                                        <FormLabel>{t("name")}</FormLabel>
+                                        <FormControl>
+                                            <Input
+                                                autoComplete="off"
+                                                disabled
+                                                {...field}
+                                            />
+                                        </FormControl>
+                                    </FormItem>
+                                )}
+                            />
+                            <FormField
+                                control={form.control}
+                                name="maxBatchSize"
+                                render={({ field }) => (
+                                    <FormItem>
+                                        <FormLabel>
+                                            {t("provisioningKeysMaxBatchSize")}
+                                        </FormLabel>
+                                        <FormControl>
+                                            <Input
+                                                type="number"
+                                                min={1}
+                                                max={1_000_000}
+                                                autoComplete="off"
+                                                disabled={unlimitedBatchSize}
+                                                name={field.name}
+                                                ref={field.ref}
+                                                onBlur={field.onBlur}
+                                                onChange={(e) => {
+                                                    const v = e.target.value;
+                                                    field.onChange(
+                                                        v === ""
+                                                            ? 100
+                                                            : Number(v)
+                                                    );
+                                                }}
+                                                value={field.value}
+                                            />
+                                        </FormControl>
+                                        <FormMessage />
+                                    </FormItem>
+                                )}
+                            />
+                            <FormField
+                                control={form.control}
+                                name="unlimitedBatchSize"
+                                render={({ field }) => (
+                                    <FormItem className="flex flex-row items-center gap-3 space-y-0">
+                                        <FormControl>
+                                            <Checkbox
+                                                id="provisioning-edit-unlimited-batch"
+                                                checked={field.value}
+                                                onCheckedChange={(c) =>
+                                                    field.onChange(c === true)
+                                                }
+                                            />
+                                        </FormControl>
+                                        <FormLabel
+                                            htmlFor="provisioning-edit-unlimited-batch"
+                                            className="cursor-pointer font-normal !mt-0"
+                                        >
+                                            {t(
+                                                "provisioningKeysUnlimitedBatchSize"
+                                            )}
+                                        </FormLabel>
+                                    </FormItem>
+                                )}
+                            />
+                            <FormField
+                                control={form.control}
+                                name="validUntil"
+                                render={({ field }) => (
+                                    <FormItem>
+                                        <FormLabel>
+                                            {t("provisioningKeysValidUntil")}
+                                        </FormLabel>
+                                        <FormControl>
+                                            <Input
+                                                type="datetime-local"
+                                                {...field}
+                                            />
+                                        </FormControl>
+                                        <FormDescription>
+                                            {t("provisioningKeysValidUntilHint")}
+                                        </FormDescription>
+                                        <FormMessage />
+                                    </FormItem>
+                                )}
+                            />
+                        </form>
+                    </Form>
+                </CredenzaBody>
+                <CredenzaFooter>
+                    <CredenzaClose asChild>
+                        <Button variant="outline">{t("close")}</Button>
+                    </CredenzaClose>
+                    <Button
+                        type="submit"
+                        form={FORM_ID}
+                        loading={loading}
+                        disabled={loading}
+                    >
+                        {t("save")}
+                    </Button>
+                </CredenzaFooter>
+            </CredenzaContent>
+        </Credenza>
+    );
+}
diff --git a/src/components/LayoutMobileMenu.tsx b/src/components/LayoutMobileMenu.tsx
index e1c883a2b..854cad6db 100644
--- a/src/components/LayoutMobileMenu.tsx
+++ b/src/components/LayoutMobileMenu.tsx
@@ -93,7 +93,7 @@ export function LayoutMobileMenu({
                                                                 )
                                                             }
                                                         >
-                                                            <span className="flex-shrink-0 mr-2">
+                                                            <span className="flex-shrink-0 w-5 h-5 flex items-center justify-center text-muted-foreground mr-3">
                                                                 <Server className="h-4 w-4" />
                                                             </span>
                                                             <span className="flex-1">
diff --git a/src/components/LayoutSidebar.tsx b/src/components/LayoutSidebar.tsx
index e9e2d61eb..1cd2131f7 100644
--- a/src/components/LayoutSidebar.tsx
+++ b/src/components/LayoutSidebar.tsx
@@ -169,8 +169,8 @@ export function LayoutSidebar({
                             >
                                 <span
                                     className={cn(
-                                        "shrink-0",
-                                        !isSidebarCollapsed && "mr-2"
+                                        "flex-shrink-0 w-5 h-5 flex items-center justify-center text-muted-foreground",
+                                        !isSidebarCollapsed && "mr-3"
                                     )}
                                 >
                                     <Server className="h-4 w-4" />
@@ -222,36 +222,34 @@ export function LayoutSidebar({
                 </div>
             )}
 
-            <div className="w-full border-t border-border mb-3" />
-
-            <div className="p-4 pt-1 flex flex-col shrink-0">
+            <div className="pt-1 flex flex-col shrink-0 gap-2 w-full border-t border-border">
                 {canShowProductUpdates && (
-                    <div className="mb-3 empty:mb-0">
+                    <div className="px-4">
                         <ProductUpdates isCollapsed={isSidebarCollapsed} />
                     </div>
                 )}
 
                 {build === "enterprise" && (
-                    <div className="mb-3 empty:mb-0">
+                    <div className="px-4">
                         <SidebarLicenseButton
                             isCollapsed={isSidebarCollapsed}
                         />
                     </div>
                 )}
                 {build === "oss" && (
-                    <div className="mb-3 empty:mb-0">
+                    <div className="px-4">
                         <SupporterStatus isCollapsed={isSidebarCollapsed} />
                     </div>
                 )}
                 {build === "saas" && (
-                    <div className="mb-3 empty:mb-0">
+                    <div className="px-4">
                         <SidebarSupportButton
                             isCollapsed={isSidebarCollapsed}
                         />
                     </div>
                 )}
                 {!isSidebarCollapsed && (
-                    <div className="space-y-2">
+                    <div className="px-4 space-y-2 pb-4">
                         {loadFooterLinks() ? (
                             <>
                                 {loadFooterLinks()!.map((link, index) => (
diff --git a/src/components/ProductUpdates.tsx b/src/components/ProductUpdates.tsx
index 01689d9d7..76ab0252d 100644
--- a/src/components/ProductUpdates.tsx
+++ b/src/components/ProductUpdates.tsx
@@ -192,13 +192,13 @@ function ProductUpdatesListPopup({
                     <div
                         className={cn(
                             "relative z-1 cursor-pointer block group",
-                            "rounded-md border border-primary/30 bg-linear-to-br dark:from-primary/20 from-primary/20 via-background to-background p-2 py-3 w-full flex flex-col gap-2 text-sm",
+                            "rounded-md border bg-secondary p-2 py-3 w-full flex flex-col gap-2 text-sm",
                             "transition duration-300 ease-in-out",
                             "data-closed:opacity-0 data-closed:translate-y-full"
                         )}
                     >
                         <div className="flex items-center gap-2">
-                            <BellIcon className="flex-none size-4 text-primary" />
+                            <BellIcon className="flex-none size-4" />
                             <div className="flex justify-between items-center flex-1">
                                 <p className="font-medium text-start">
                                     {t("productUpdateWhatsNew")}
@@ -346,13 +346,13 @@ function NewVersionAvailable({
                     rel="noopener noreferrer"
                     className={cn(
                         "relative z-2 group cursor-pointer block",
-                        "rounded-md border border-primary/30 bg-linear-to-br dark:from-primary/20 from-primary/20 via-background to-background p-2 py-3 w-full flex flex-col gap-2 text-sm",
+                        "rounded-md border bg-secondary p-2 py-3 w-full flex flex-col gap-2 text-sm",
                         "transition duration-300 ease-in-out",
                         "data-closed:opacity-0 data-closed:translate-y-full"
                     )}
                 >
                     <div className="flex items-center gap-2">
-                        <RocketIcon className="flex-none size-4 text-primary" />
+                        <RocketIcon className="flex-none size-4" />
                         <p className="font-medium flex-1">
                             {t("pangolinUpdateAvailable")}
                         </p>
diff --git a/src/components/SiteProvisioningKeysTable.tsx b/src/components/SiteProvisioningKeysTable.tsx
index 3fb3eb872..df7fd241c 100644
--- a/src/components/SiteProvisioningKeysTable.tsx
+++ b/src/components/SiteProvisioningKeysTable.tsx
@@ -15,19 +15,27 @@ import { ArrowUpDown, MoreHorizontal } from "lucide-react";
 import { useRouter } from "next/navigation";
 import { useEffect, useState } from "react";
 import CreateSiteProvisioningKeyCredenza from "@app/components/CreateSiteProvisioningKeyCredenza";
+import EditSiteProvisioningKeyCredenza from "@app/components/EditSiteProvisioningKeyCredenza";
 import ConfirmDeleteDialog from "@app/components/ConfirmDeleteDialog";
 import { toast } from "@app/hooks/useToast";
 import { formatAxiosError } from "@app/lib/api";
 import { createApiClient } from "@app/lib/api";
 import { useEnvContext } from "@app/hooks/useEnvContext";
+import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import moment from "moment";
 import { useTranslations } from "next-intl";
+import { build } from "@server/build";
+import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
 
 export type SiteProvisioningKeyRow = {
     id: string;
     key: string;
     name: string;
     createdAt: string;
+    lastUsed: string | null;
+    maxBatchSize: number | null;
+    numUsed: number;
+    validUntil: string | null;
 };
 
 type SiteProvisioningKeysTableProps = {
@@ -47,8 +55,15 @@ export default function SiteProvisioningKeysTable({
     const [rows, setRows] = useState<SiteProvisioningKeyRow[]>(keys);
     const api = createApiClient(useEnvContext());
     const t = useTranslations();
+    const { isPaidUser } = usePaidStatus();
+    const canUseSiteProvisioning =
+        isPaidUser(tierMatrix[TierFeature.SiteProvisioningKeys]) &&
+        build !== "oss";
     const [isRefreshing, setIsRefreshing] = useState(false);
     const [createOpen, setCreateOpen] = useState(false);
+    const [editOpen, setEditOpen] = useState(false);
+    const [editingKey, setEditingKey] =
+        useState<SiteProvisioningKeyRow | null>(null);
 
     useEffect(() => {
         setRows(keys);
@@ -121,6 +136,68 @@ export default function SiteProvisioningKeysTable({
                 return <span className="font-mono">{r.key}</span>;
             }
         },
+        {
+            accessorKey: "maxBatchSize",
+            friendlyName: t("provisioningKeysMaxBatchSize"),
+            header: () => (
+                <span className="p-3">{t("provisioningKeysMaxBatchSize")}</span>
+            ),
+            cell: ({ row }) => {
+                const r = row.original;
+                return (
+                    <span>
+                        {r.maxBatchSize == null
+                            ? t("provisioningKeysMaxBatchUnlimited")
+                            : r.maxBatchSize}
+                    </span>
+                );
+            }
+        },
+        {
+            accessorKey: "numUsed",
+            friendlyName: t("provisioningKeysNumUsed"),
+            header: () => (
+                <span className="p-3">{t("provisioningKeysNumUsed")}</span>
+            ),
+            cell: ({ row }) => {
+                const r = row.original;
+                return <span>{r.numUsed}</span>;
+            }
+        },
+        {
+            accessorKey: "validUntil",
+            friendlyName: t("provisioningKeysValidUntil"),
+            header: () => (
+                <span className="p-3">{t("provisioningKeysValidUntil")}</span>
+            ),
+            cell: ({ row }) => {
+                const r = row.original;
+                return (
+                    <span>
+                        {r.validUntil
+                            ? moment(r.validUntil).format("lll")
+                            : t("provisioningKeysNoExpiry")}
+                    </span>
+                );
+            }
+        },
+        {
+            accessorKey: "lastUsed",
+            friendlyName: t("provisioningKeysLastUsed"),
+            header: () => (
+                <span className="p-3">{t("provisioningKeysLastUsed")}</span>
+            ),
+            cell: ({ row }) => {
+                const r = row.original;
+                return (
+                    <span>
+                        {r.lastUsed
+                            ? moment(r.lastUsed).format("lll")
+                            : t("provisioningKeysNeverUsed")}
+                    </span>
+                );
+            }
+        },
         {
             accessorKey: "createdAt",
             friendlyName: t("createdAt"),
@@ -149,6 +226,16 @@ export default function SiteProvisioningKeysTable({
                             </DropdownMenuTrigger>
                             <DropdownMenuContent align="end">
                                 <DropdownMenuItem
+                                    disabled={!canUseSiteProvisioning}
+                                    onClick={() => {
+                                        setEditingKey(r);
+                                        setEditOpen(true);
+                                    }}
+                                >
+                                    {t("edit")}
+                                </DropdownMenuItem>
+                                <DropdownMenuItem
+                                    disabled={!canUseSiteProvisioning}
                                     onClick={() => {
                                         setSelected(r);
                                         setIsDeleteModalOpen(true);
@@ -174,6 +261,18 @@ export default function SiteProvisioningKeysTable({
                 orgId={orgId}
             />
 
+            <EditSiteProvisioningKeyCredenza
+                open={editOpen}
+                setOpen={(v) => {
+                    setEditOpen(v);
+                    if (!v) {
+                        setEditingKey(null);
+                    }
+                }}
+                orgId={orgId}
+                provisioningKey={editingKey}
+            />
+
             {selected && (
                 <ConfirmDeleteDialog
                     open={isDeleteModalOpen}
@@ -203,7 +302,12 @@ export default function SiteProvisioningKeysTable({
                 title={t("provisioningKeys")}
                 searchPlaceholder={t("searchProvisioningKeys")}
                 searchColumn="name"
-                onAdd={() => setCreateOpen(true)}
+                onAdd={() => {
+                    if (canUseSiteProvisioning) {
+                        setCreateOpen(true);
+                    }
+                }}
+                addButtonDisabled={!canUseSiteProvisioning}
                 onRefresh={refreshData}
                 isRefreshing={isRefreshing}
                 addButtonText={t("provisioningKeysAdd")}
diff --git a/src/components/ui/data-table.tsx b/src/components/ui/data-table.tsx
index 834c56e88..a0c11ffdf 100644
--- a/src/components/ui/data-table.tsx
+++ b/src/components/ui/data-table.tsx
@@ -171,6 +171,7 @@ type DataTableProps<TData, TValue> = {
     title?: string;
     addButtonText?: string;
     onAdd?: () => void;
+    addButtonDisabled?: boolean;
     onRefresh?: () => void;
     isRefreshing?: boolean;
     searchPlaceholder?: string;
@@ -203,6 +204,7 @@ export function DataTable<TData, TValue>({
     title,
     addButtonText,
     onAdd,
+    addButtonDisabled = false,
     onRefresh,
     isRefreshing,
     searchPlaceholder = "Search...",
@@ -635,7 +637,7 @@ export function DataTable<TData, TValue>({
                         )}
                         {onAdd && addButtonText && (
                             <div>
-                                <Button onClick={onAdd}>
+                                <Button onClick={onAdd} disabled={addButtonDisabled}>
                                     <Plus className="mr-2 h-4 w-4" />
                                     {addButtonText}
                                 </Button>

From dfd604c78105e2bdf0ed8943e2fd2f34365e7192 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 20:27:34 -0700
Subject: [PATCH 114/314] Fix import problems

---
 server/private/lib/tokenCache.ts | 2 +-
 server/private/routers/ws/ws.ts  | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/private/lib/tokenCache.ts b/server/private/lib/tokenCache.ts
index bb6645688..284f1d698 100644
--- a/server/private/lib/tokenCache.ts
+++ b/server/private/lib/tokenCache.ts
@@ -11,7 +11,7 @@
  * This file is not licensed under the AGPLv3.
  */
 
-import redisManager from "#dynamic/lib/redis";
+import redisManager from "#private/lib/redis";
 import { encrypt, decrypt } from "@server/lib/crypto";
 import logger from "@server/logger";
 
diff --git a/server/private/routers/ws/ws.ts b/server/private/routers/ws/ws.ts
index 67b83f931..21f4fad37 100644
--- a/server/private/routers/ws/ws.ts
+++ b/server/private/routers/ws/ws.ts
@@ -20,6 +20,7 @@ import {
     Newt,
     newts,
     Olm,
+    olms,
     RemoteExitNode,
     remoteExitNodes,
 } from "@server/db";

From 395cab795c3d23f182651cd5d3bbe1316cb2ff5b Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Wed, 25 Mar 2026 20:33:58 -0700
Subject: [PATCH 115/314] Batch set bandwidth

---
 server/routers/gerbil/receiveBandwidth.ts | 146 +++++++++++++---------
 1 file changed, 84 insertions(+), 62 deletions(-)

diff --git a/server/routers/gerbil/receiveBandwidth.ts b/server/routers/gerbil/receiveBandwidth.ts
index b73ce986d..042c844aa 100644
--- a/server/routers/gerbil/receiveBandwidth.ts
+++ b/server/routers/gerbil/receiveBandwidth.ts
@@ -1,6 +1,5 @@
 import { Request, Response, NextFunction } from "express";
-import { eq, sql } from "drizzle-orm";
-import { sites } from "@server/db";
+import { sql } from "drizzle-orm";
 import { db } from "@server/db";
 import logger from "@server/logger";
 import createHttpError from "http-errors";
@@ -31,7 +30,10 @@ const MAX_RETRIES = 3;
 const BASE_DELAY_MS = 50;
 
 // How often to flush accumulated bandwidth data to the database
-const FLUSH_INTERVAL_MS = 30_000; // 30 seconds
+const FLUSH_INTERVAL_MS = 300_000; // 300 seconds
+
+// Maximum number of sites to include in a single batch UPDATE statement
+const BATCH_CHUNK_SIZE = 250;
 
 // In-memory accumulator: publicKey -> AccumulatorEntry
 let accumulator = new Map<string, AccumulatorEntry>();
@@ -75,13 +77,33 @@ async function withDeadlockRetry<T>(
     }
 }
 
+/**
+ * Execute a raw SQL query that returns rows, in a way that works across both
+ * the PostgreSQL driver (which exposes `execute`) and the SQLite driver (which
+ * exposes `all`).  Drizzle's typed query builder doesn't support bulk
+ * UPDATE … FROM (VALUES …) natively, so we drop to raw SQL here.
+ */
+async function dbQueryRows<T extends Record<string, unknown>>(
+    query: Parameters<(typeof sql)["join"]>[0][number]
+): Promise<T[]> {
+    const anyDb = db as any;
+    if (typeof anyDb.execute === "function") {
+        // PostgreSQL (node-postgres via Drizzle) — returns { rows: [...] } or an array
+        const result = await anyDb.execute(query);
+        return (Array.isArray(result) ? result : (result.rows ?? [])) as T[];
+    }
+    // SQLite (better-sqlite3 via Drizzle) — returns an array directly
+    return (await anyDb.all(query)) as T[];
+}
+
 /**
  * Flush all accumulated site bandwidth data to the database.
  *
  * Swaps out the accumulator before writing so that any bandwidth messages
  * received during the flush are captured in the new accumulator rather than
- * being lost or causing contention. Entries that fail to write are re-queued
- * back into the accumulator so they will be retried on the next flush.
+ * being lost or causing contention. Sites are updated in chunks via a single
+ * batch UPDATE per chunk. Failed chunks are discarded — exact per-flush
+ * accuracy is not critical and re-queuing is not worth the added complexity.
  *
  * This function is exported so that the application's graceful-shutdown
  * cleanup handler can call it before the process exits.
@@ -108,76 +130,76 @@ export async function flushSiteBandwidthToDb(): Promise<void> {
         `Flushing accumulated bandwidth data for ${sortedEntries.length} site(s) to the database`
     );
 
-    // Aggregate billing usage by org, collected during the DB update loop.
+    // Build a lookup so post-processing can reach each entry by publicKey.
+    const snapshotMap = new Map(sortedEntries);
+
+    // Aggregate billing usage by org across all chunks.
     const orgUsageMap = new Map<string, number>();
 
-    for (const [publicKey, { bytesIn, bytesOut, exitNodeId, calcUsage }] of sortedEntries) {
+    // Process in chunks so individual queries stay at a reasonable size.
+    for (let i = 0; i < sortedEntries.length; i += BATCH_CHUNK_SIZE) {
+        const chunk = sortedEntries.slice(i, i + BATCH_CHUNK_SIZE);
+        const chunkEnd = i + chunk.length - 1;
+
+        // Build a parameterised VALUES list: (pubKey, bytesIn, bytesOut), ...
+        // Both PostgreSQL and SQLite (≥ 3.33.0, which better-sqlite3 bundles)
+        // support UPDATE … FROM (VALUES …), letting us update the whole chunk
+        // in a single query instead of N individual round-trips.
+        const valuesList = chunk.map(([publicKey, { bytesIn, bytesOut }]) =>
+            sql`(${publicKey}, ${bytesIn}, ${bytesOut})`
+        );
+        const valuesClause = sql.join(valuesList, sql`, `);
+
+        let rows: { orgId: string; pubKey: string }[] = [];
+
         try {
-            const updatedSite = await withDeadlockRetry(async () => {
-                const [result] = await db
-                    .update(sites)
-                    .set({
-                        megabytesOut: sql`COALESCE(${sites.megabytesOut}, 0) + ${bytesIn}`,
-                        megabytesIn: sql`COALESCE(${sites.megabytesIn}, 0) + ${bytesOut}`,
-                        lastBandwidthUpdate: currentTime,
-                    })
-                    .where(eq(sites.pubKey, publicKey))
-                    .returning({
-                        orgId: sites.orgId,
-                        siteId: sites.siteId
-                    });
-                return result;
-            }, `flush bandwidth for site ${publicKey}`);
-
-            if (updatedSite) {
-                if (exitNodeId) {
-                    const notAllowed = await checkExitNodeOrg(
-                        exitNodeId,
-                        updatedSite.orgId
-                    );
-                    if (notAllowed) {
-                        logger.warn(
-                            `Exit node ${exitNodeId} is not allowed for org ${updatedSite.orgId}`
-                        );
-                        // Skip usage tracking for this site but continue
-                        // processing the rest.
-                        continue;
-                    }
-                }
-
-                if (calcUsage) {
-                    const totalBandwidth = bytesIn + bytesOut;
-                    const current = orgUsageMap.get(updatedSite.orgId) ?? 0;
-                    orgUsageMap.set(updatedSite.orgId, current + totalBandwidth);
-                }
-            }
+            rows = await withDeadlockRetry(async () => {
+                return dbQueryRows<{ orgId: string; pubKey: string }>(sql`
+                    UPDATE sites
+                    SET
+                        "bytesOut"            = COALESCE("bytesOut", 0) + v.bytes_in,
+                        "bytesIn"             = COALESCE("bytesIn", 0)  + v.bytes_out,
+                        "lastBandwidthUpdate" = ${currentTime}
+                    FROM (VALUES ${valuesClause}) AS v(pub_key, bytes_in, bytes_out)
+                    WHERE sites."pubKey" = v.pub_key
+                    RETURNING sites."orgId" AS "orgId", sites."pubKey" AS "pubKey"
+                `);
+            }, `flush bandwidth chunk [${i}–${chunkEnd}]`);
         } catch (error) {
             logger.error(
-                `Failed to flush bandwidth for site ${publicKey}:`,
+                `Failed to flush bandwidth chunk [${i}–${chunkEnd}], discarding ${chunk.length} site(s):`,
                 error
             );
+            // Discard the chunk — exact per-flush accuracy is not critical.
+            continue;
+        }
 
-            // Re-queue the failed entry so it is retried on the next flush
-            // rather than silently dropped.
-            const existing = accumulator.get(publicKey);
-            if (existing) {
-                existing.bytesIn += bytesIn;
-                existing.bytesOut += bytesOut;
-            } else {
-                accumulator.set(publicKey, {
-                    bytesIn,
-                    bytesOut,
-                    exitNodeId,
-                    calcUsage
-                });
+        // Collect billing usage from the returned rows.
+        for (const { orgId, pubKey } of rows) {
+            const entry = snapshotMap.get(pubKey);
+            if (!entry) continue;
+
+            const { bytesIn, bytesOut, exitNodeId, calcUsage } = entry;
+
+            if (exitNodeId) {
+                const notAllowed = await checkExitNodeOrg(exitNodeId, orgId);
+                if (notAllowed) {
+                    logger.warn(
+                        `Exit node ${exitNodeId} is not allowed for org ${orgId}`
+                    );
+                    continue;
+                }
+            }
+
+            if (calcUsage) {
+                const current = orgUsageMap.get(orgId) ?? 0;
+                orgUsageMap.set(orgId, current + bytesIn + bytesOut);
             }
         }
     }
 
-    // Process billing usage updates outside the site-update loop to keep
-    // lock scope small and concerns separated.
+    // Process billing usage updates after all chunks are written.
     if (orgUsageMap.size > 0) {
-        // Sort org IDs for consistent lock ordering.
         const sortedOrgIds = [...orgUsageMap.keys()].sort();
 
         for (const orgId of sortedOrgIds) {

From 660420ddef68f2c5abee349bcd98709c91aac869 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 16:01:54 -0700
Subject: [PATCH 116/314] Disable everything if not paid

---
 src/app/[orgId]/settings/(private)/idp/create/page.tsx | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/app/[orgId]/settings/(private)/idp/create/page.tsx b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
index 4c783e9b2..fc2c6c382 100644
--- a/src/app/[orgId]/settings/(private)/idp/create/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
@@ -275,6 +275,8 @@ export default function Page() {
         }
     }
 
+    const disabled = !isPaidUser(tierMatrix.orgOidc);
+
     return (
         <>
             <div className="flex justify-between">
@@ -292,6 +294,9 @@ export default function Page() {
                 </Button>
             </div>
 
+            <PaidFeaturesAlert tiers={tierMatrix.orgOidc} />
+
+            <fieldset disabled={disabled} className={disabled ? "opacity-50 pointer-events-none" : ""}>
             <SettingsContainer>
                 <SettingsSection>
                     <SettingsSectionHeader>
@@ -812,9 +817,10 @@ export default function Page() {
                 </Button>
                 <Button
                     type="submit"
-                    disabled={createLoading || !isPaidUser(tierMatrix.orgOidc)}
+                    disabled={createLoading || disabled}
                     loading={createLoading}
                     onClick={() => {
+                        if (disabled) return;
                         // log any issues with the form
                         console.log(form.formState.errors);
                         form.handleSubmit(onSubmit)();
@@ -823,6 +829,7 @@ export default function Page() {
                     {t("idpSubmit")}
                 </Button>
             </div>
+            </fieldset>
         </>
     );
 }

From 17eb93d045b94e7932421e5caca952224dc9ce0a Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 16:12:13 -0700
Subject: [PATCH 117/314] Add better pooling controls

---
 server/db/pg/driver.ts     | 35 ++++++++++++---------
 server/db/pg/logsDriver.ts | 35 ++++++++++++---------
 server/db/pg/poolConfig.ts | 63 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 105 insertions(+), 28 deletions(-)
 create mode 100644 server/db/pg/poolConfig.ts

diff --git a/server/db/pg/driver.ts b/server/db/pg/driver.ts
index 5b357d060..9366e32e1 100644
--- a/server/db/pg/driver.ts
+++ b/server/db/pg/driver.ts
@@ -1,7 +1,7 @@
 import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
-import { Pool } from "pg";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
+import { createPool } from "./poolConfig";
 
 function createDb() {
     const config = readConfigFile();
@@ -39,12 +39,17 @@ function createDb() {
 
     // Create connection pools instead of individual connections
     const poolConfig = config.postgres.pool;
-    const primaryPool = new Pool({
+    const maxConnections = poolConfig?.max_connections || 20;
+    const idleTimeoutMs = poolConfig?.idle_timeout_ms || 30000;
+    const connectionTimeoutMs = poolConfig?.connection_timeout_ms || 5000;
+
+    const primaryPool = createPool(
         connectionString,
-        max: poolConfig?.max_connections || 20,
-        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
-    });
+        maxConnections,
+        idleTimeoutMs,
+        connectionTimeoutMs,
+        "primary"
+    );
 
     const replicas = [];
 
@@ -55,14 +60,16 @@ function createDb() {
             })
         );
     } else {
+        const maxReplicaConnections =
+            poolConfig?.max_replica_connections || 20;
         for (const conn of replicaConnections) {
-            const replicaPool = new Pool({
-                connectionString: conn.connection_string,
-                max: poolConfig?.max_replica_connections || 20,
-                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-                connectionTimeoutMillis:
-                    poolConfig?.connection_timeout_ms || 5000
-            });
+            const replicaPool = createPool(
+                conn.connection_string,
+                maxReplicaConnections,
+                idleTimeoutMs,
+                connectionTimeoutMs,
+                "replica"
+            );
             replicas.push(
                 DrizzlePostgres(replicaPool, {
                     logger: process.env.QUERY_LOGGING == "true"
@@ -84,4 +91,4 @@ export default db;
 export const primaryDb = db.$primary;
 export type Transaction = Parameters<
     Parameters<(typeof db)["transaction"]>[0]
->[0];
+>[0];
\ No newline at end of file
diff --git a/server/db/pg/logsDriver.ts b/server/db/pg/logsDriver.ts
index 49e26f89f..146b8fb2f 100644
--- a/server/db/pg/logsDriver.ts
+++ b/server/db/pg/logsDriver.ts
@@ -1,9 +1,9 @@
 import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
-import { Pool } from "pg";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
 import { build } from "@server/build";
 import { db as mainDb, primaryDb as mainPrimaryDb } from "./driver";
+import { createPool } from "./poolConfig";
 
 function createLogsDb() {
     // Only use separate logs database in SaaS builds
@@ -42,12 +42,17 @@ function createLogsDb() {
 
     // Create separate connection pool for logs database
     const poolConfig = logsConfig?.pool || config.postgres?.pool;
-    const primaryPool = new Pool({
+    const maxConnections = poolConfig?.max_connections || 20;
+    const idleTimeoutMs = poolConfig?.idle_timeout_ms || 30000;
+    const connectionTimeoutMs = poolConfig?.connection_timeout_ms || 5000;
+
+    const primaryPool = createPool(
         connectionString,
-        max: poolConfig?.max_connections || 20,
-        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
-    });
+        maxConnections,
+        idleTimeoutMs,
+        connectionTimeoutMs,
+        "logs-primary"
+    );
 
     const replicas = [];
 
@@ -58,14 +63,16 @@ function createLogsDb() {
             })
         );
     } else {
+        const maxReplicaConnections =
+            poolConfig?.max_replica_connections || 20;
         for (const conn of replicaConnections) {
-            const replicaPool = new Pool({
-                connectionString: conn.connection_string,
-                max: poolConfig?.max_replica_connections || 20,
-                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-                connectionTimeoutMillis:
-                    poolConfig?.connection_timeout_ms || 5000
-            });
+            const replicaPool = createPool(
+                conn.connection_string,
+                maxReplicaConnections,
+                idleTimeoutMs,
+                connectionTimeoutMs,
+                "logs-replica"
+            );
             replicas.push(
                 DrizzlePostgres(replicaPool, {
                     logger: process.env.QUERY_LOGGING == "true"
@@ -84,4 +91,4 @@ function createLogsDb() {
 
 export const logsDb = createLogsDb();
 export default logsDb;
-export const primaryLogsDb = logsDb.$primary;
+export const primaryLogsDb = logsDb.$primary;
\ No newline at end of file
diff --git a/server/db/pg/poolConfig.ts b/server/db/pg/poolConfig.ts
new file mode 100644
index 000000000..f753121c1
--- /dev/null
+++ b/server/db/pg/poolConfig.ts
@@ -0,0 +1,63 @@
+import { Pool, PoolConfig } from "pg";
+import logger from "@server/logger";
+
+export function createPoolConfig(
+    connectionString: string,
+    maxConnections: number,
+    idleTimeoutMs: number,
+    connectionTimeoutMs: number
+): PoolConfig {
+    return {
+        connectionString,
+        max: maxConnections,
+        idleTimeoutMillis: idleTimeoutMs,
+        connectionTimeoutMillis: connectionTimeoutMs,
+        // TCP keepalive to prevent silent connection drops by NAT gateways,
+        // load balancers, and other intermediate network devices (e.g. AWS
+        // NAT Gateway drops idle TCP connections after ~350s)
+        keepAlive: true,
+        keepAliveInitialDelayMillis: 10000, // send first keepalive after 10s of idle
+        // Allow connections to be released and recreated more aggressively
+        // to avoid stale connections building up
+        allowExitOnIdle: false
+    };
+}
+
+export function attachPoolErrorHandlers(pool: Pool, label: string): void {
+    pool.on("error", (err) => {
+        // This catches errors on idle clients in the pool. Without this
+        // handler an unexpected disconnect would crash the process.
+        logger.error(
+            `Unexpected error on idle ${label} database client: ${err.message}`
+        );
+    });
+
+    pool.on("connect", (client) => {
+        // Set a statement timeout on every new connection so a single slow
+        // query can't block the pool forever
+        client.query("SET statement_timeout = '30s'").catch((err: Error) => {
+            logger.warn(
+                `Failed to set statement_timeout on ${label} client: ${err.message}`
+            );
+        });
+    });
+}
+
+export function createPool(
+    connectionString: string,
+    maxConnections: number,
+    idleTimeoutMs: number,
+    connectionTimeoutMs: number,
+    label: string
+): Pool {
+    const pool = new Pool(
+        createPoolConfig(
+            connectionString,
+            maxConnections,
+            idleTimeoutMs,
+            connectionTimeoutMs
+        )
+    );
+    attachPoolErrorHandlers(pool, label);
+    return pool;
+}
\ No newline at end of file

From 3e3b02021cdcc60fadb2d246efbe1f466b8054a2 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 16:26:56 -0700
Subject: [PATCH 118/314] Add ssh access log

---
 server/private/routers/ssh/signSshKey.ts      | 19 +++++++++++++++++++
 src/app/[orgId]/settings/logs/access/page.tsx | 16 ++++++++--------
 2 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/server/private/routers/ssh/signSshKey.ts b/server/private/routers/ssh/signSshKey.ts
index 5cffb4a34..c39d2e0ae 100644
--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -24,6 +24,7 @@ import {
     sites,
     userOrgs
 } from "@server/db";
+import { logAccessAudit } from "#private/lib/logAccessAudit";
 import { isLicensedOrSubscribed } from "#private/lib/isLicencedOrSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import response from "@server/lib/response";
@@ -463,6 +464,24 @@ export async function signSshKey(
             })
         });
 
+        await logAccessAudit({
+            action: true,
+            type: "ssh",
+            orgId: orgId,
+            resourceId: resource.siteResourceId,
+            user: req.user
+                ? { username: req.user.username ?? "", userId: req.user.userId }
+                : undefined,
+            metadata: {
+                resourceName: resource.name,
+                siteId: resource.siteId,
+                sshUsername: usernameToUse,
+                sshHost: sshHost
+            },
+            userAgent: req.headers["user-agent"],
+            requestIp: req.ip
+        });
+
         return response<SignSshKeyResponse>(res, {
             data: {
                 certificate: cert.certificate,
diff --git a/src/app/[orgId]/settings/logs/access/page.tsx b/src/app/[orgId]/settings/logs/access/page.tsx
index 810022b98..dbb7b6708 100644
--- a/src/app/[orgId]/settings/logs/access/page.tsx
+++ b/src/app/[orgId]/settings/logs/access/page.tsx
@@ -493,7 +493,8 @@ export default function GeneralPage() {
                                 {
                                     value: "whitelistedEmail",
                                     label: "Whitelisted Email"
-                                }
+                                },
+                                { value: "ssh", label: "SSH" }
                             ]}
                             selectedValue={filters.type}
                             onValueChange={(value) =>
@@ -507,13 +508,12 @@ export default function GeneralPage() {
                 );
             },
             cell: ({ row }) => {
-                // should be capitalized first letter
-                return (
-                    <span>
-                        {row.original.type.charAt(0).toUpperCase() +
-                            row.original.type.slice(1) || "-"}
-                    </span>
-                );
+                const typeLabel =
+                    row.original.type === "ssh"
+                        ? "SSH"
+                        : row.original.type.charAt(0).toUpperCase() +
+                          row.original.type.slice(1);
+                return <span>{typeLabel || "-"}</span>;
             }
         },
         {

From 1f4cde5f7fae62fe6d6d75f3038ea68e68ad3c92 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 18:13:57 -0700
Subject: [PATCH 119/314] Add license script

---
 license.py | 115 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 115 insertions(+)
 create mode 100644 license.py

diff --git a/license.py b/license.py
new file mode 100644
index 000000000..865dfad7a
--- /dev/null
+++ b/license.py
@@ -0,0 +1,115 @@
+import os
+import sys
+
+# --- Configuration ---
+# The header text to be added to the files.
+HEADER_TEXT = """/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+"""
+
+def should_add_header(file_path):
+    """
+    Checks if a file should receive the commercial license header.
+    Returns True if 'private' is in the path or file content.
+    """
+    # Check if 'private' is in the file path (case-insensitive)
+    if 'server/private' in file_path.lower():
+        return True
+
+    # Check if 'private' is in the file content (case-insensitive)
+    # try:
+    #     with open(file_path, 'r', encoding='utf-8', errors='ignore') as f:
+    #         content = f.read()
+    #         if 'private' in content.lower():
+    #             return True
+    # except Exception as e:
+    #     print(f"Could not read file {file_path}: {e}")
+
+    return False
+
+def process_directory(root_dir):
+    """
+    Recursively scans a directory and adds headers to qualifying .ts or .tsx files,
+    skipping any 'node_modules' directories.
+    """
+    print(f"Scanning directory: {root_dir}")
+    files_processed = 0
+    headers_added = 0
+
+    for root, dirs, files in os.walk(root_dir):
+        # --- MODIFICATION ---
+        # Exclude 'node_modules' directories from the scan to improve performance.
+        if 'node_modules' in dirs:
+            dirs.remove('node_modules')
+
+        for file in files:
+            if file.endswith('.ts') or file.endswith('.tsx'):
+                file_path = os.path.join(root, file)
+                files_processed += 1
+
+                try:
+                    with open(file_path, 'r+', encoding='utf-8') as f:
+                        original_content = f.read()
+                        has_header = original_content.startswith(HEADER_TEXT.strip())
+                        
+                        if should_add_header(file_path):
+                            # Add header only if it's not already there
+                            if not has_header:
+                                f.seek(0, 0) # Go to the beginning of the file
+                                f.write(HEADER_TEXT.strip() + '\n\n' + original_content)
+                                print(f"Added header to: {file_path}")
+                                headers_added += 1
+                            else:
+                                print(f"Header already exists in: {file_path}")
+                        else:
+                            # Remove header if it exists but shouldn't be there
+                            if has_header:
+                                # Find the end of the header and remove it (including following newlines)
+                                header_with_newlines = HEADER_TEXT.strip() + '\n\n'
+                                if original_content.startswith(header_with_newlines):
+                                    content_without_header = original_content[len(header_with_newlines):]
+                                else:
+                                    # Handle case where there might be different newline patterns
+                                    header_end = len(HEADER_TEXT.strip())
+                                    # Skip any newlines after the header
+                                    while header_end < len(original_content) and original_content[header_end] in '\n\r':
+                                        header_end += 1
+                                    content_without_header = original_content[header_end:]
+                                
+                                f.seek(0)
+                                f.write(content_without_header)
+                                f.truncate()
+                                print(f"Removed header from: {file_path}")
+                                headers_added += 1  # Reusing counter for modifications
+
+                except Exception as e:
+                    print(f"Error processing file {file_path}: {e}")
+
+    print("\n--- Scan Complete ---")
+    print(f"Total .ts or .tsx files found: {files_processed}")
+    print(f"Files modified (headers added/removed): {headers_added}")
+
+
+if __name__ == "__main__":
+    # Get the target directory from the command line arguments.
+    # If no directory is provided, it uses the current directory ('.').
+    if len(sys.argv) > 1:
+        target_directory = sys.argv[1]
+    else:
+        target_directory = '.' # Default to current directory
+
+    if not os.path.isdir(target_directory):
+        print(f"Error: Directory '{target_directory}' not found.")
+        sys.exit(1)
+
+    process_directory(os.path.abspath(target_directory))

From 348fcbcabf7016751c58314d6a3ceed84aa01b40 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 17:39:43 -0700
Subject: [PATCH 120/314] Try to solve th problem

---
 server/cleanup.ts                            |   2 +
 server/private/cleanup.ts                    |   2 +
 server/private/routers/ws/ws.ts              |  37 +-
 server/routers/newt/getNewtToken.ts          |  22 +-
 server/routers/newt/handleNewtPingMessage.ts |  19 +-
 server/routers/newt/pingAccumulator.ts       | 382 +++++++++++++++++++
 server/routers/olm/getOlmToken.ts            |   4 +-
 server/routers/olm/handleOlmPingMessage.ts   |  23 +-
 server/routers/ws/messageHandlers.ts         |   5 +
 server/routers/ws/ws.ts                      |  23 +-
 10 files changed, 446 insertions(+), 73 deletions(-)
 create mode 100644 server/routers/newt/pingAccumulator.ts

diff --git a/server/cleanup.ts b/server/cleanup.ts
index 81cc31692..10e9f4cc3 100644
--- a/server/cleanup.ts
+++ b/server/cleanup.ts
@@ -1,9 +1,11 @@
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
 import { flushConnectionLogToDb } from "#dynamic/routers/newt";
 import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
+import { stopPingAccumulator } from "@server/routers/newt/pingAccumulator";
 import { cleanup as wsCleanup } from "#dynamic/routers/ws";
 
 async function cleanup() {
+    await stopPingAccumulator();
     await flushBandwidthToDb();
     await flushConnectionLogToDb();
     await flushSiteBandwidthToDb();
diff --git a/server/private/cleanup.ts b/server/private/cleanup.ts
index 4b12f1b3c..17d823491 100644
--- a/server/private/cleanup.ts
+++ b/server/private/cleanup.ts
@@ -16,8 +16,10 @@ import { cleanup as wsCleanup } from "#private/routers/ws";
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
 import { flushConnectionLogToDb } from "#dynamic/routers/newt";
 import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
+import { stopPingAccumulator } from "@server/routers/newt/pingAccumulator";
 
 async function cleanup() {
+    await stopPingAccumulator();
     await flushBandwidthToDb();
     await flushConnectionLogToDb();
     await flushSiteBandwidthToDb();
diff --git a/server/private/routers/ws/ws.ts b/server/private/routers/ws/ws.ts
index 4bfda5da8..d96c55c91 100644
--- a/server/private/routers/ws/ws.ts
+++ b/server/private/routers/ws/ws.ts
@@ -30,6 +30,7 @@ import {
 } from "@server/db";
 import { eq } from "drizzle-orm";
 import { db } from "@server/db";
+import { recordPing } from "@server/routers/newt/pingAccumulator";
 import { validateNewtSessionToken } from "@server/auth/sessions/newt";
 import { validateOlmSessionToken } from "@server/auth/sessions/olm";
 import logger from "@server/logger";
@@ -197,11 +198,7 @@ const connectedClients: Map<string, AuthenticatedWebSocket[]> = new Map();
 // Config version tracking map (local to this node, resets on server restart)
 const clientConfigVersions: Map<string, number> = new Map();
 
-// Tracks the last Unix timestamp (seconds) at which a ping was flushed to the
-// DB for a given siteId. Resets on server restart which is fine – the first
-// ping after startup will always write, re-establishing the online state.
-const lastPingDbWrite: Map<number, number> = new Map();
-const PING_DB_WRITE_INTERVAL = 45; // seconds
+
 
 // Recovery tracking
 let isRedisRecoveryInProgress = false;
@@ -853,32 +850,16 @@ const setupConnection = async (
         );
     });
 
-    // Handle WebSocket protocol-level pings from older newt clients that do
-    // not send application-level "newt/ping" messages. Update the site's
-    // online state and lastPing timestamp so the offline checker treats them
-    // the same as modern newt clients.
     if (clientType === "newt") {
         const newtClient = client as Newt;
-        ws.on("ping", async () => {
+        ws.on("ping", () => {
             if (!newtClient.siteId) return;
-            const now = Math.floor(Date.now() / 1000);
-            const lastWrite = lastPingDbWrite.get(newtClient.siteId) ?? 0;
-            if (now - lastWrite < PING_DB_WRITE_INTERVAL) return;
-            lastPingDbWrite.set(newtClient.siteId, now);
-            try {
-                await db
-                    .update(sites)
-                    .set({
-                        online: true,
-                        lastPing: now
-                    })
-                    .where(eq(sites.siteId, newtClient.siteId));
-            } catch (error) {
-                logger.error(
-                    "Error updating newt site online state on WS ping",
-                    { error }
-                );
-            }
+            // Record the ping in the accumulator instead of writing to the
+            // database on every WS ping frame. The accumulator flushes all
+            // pending pings in a single batched UPDATE every ~10s, which
+            // prevents connection pool exhaustion under load (especially
+            // with cross-region latency to the database).
+            recordPing(newtClient.siteId);
         });
     }
 
diff --git a/server/routers/newt/getNewtToken.ts b/server/routers/newt/getNewtToken.ts
index 637973582..bc3cca9fc 100644
--- a/server/routers/newt/getNewtToken.ts
+++ b/server/routers/newt/getNewtToken.ts
@@ -1,5 +1,5 @@
 import { generateSessionToken } from "@server/auth/sessions/app";
-import { db } from "@server/db";
+import { db, newtSessions } from "@server/db";
 import { newts } from "@server/db";
 import HttpCode from "@server/types/HttpCode";
 import response from "@server/lib/response";
@@ -92,6 +92,26 @@ export async function getNewtToken(
             );
         }
 
+        const [existingSession] = await db
+            .select()
+            .from(newtSessions)
+            .where(eq(newtSessions.newtId, existingNewt.newtId));
+
+        // if the session still has time in the expires, reuse it
+        if (existingSession && (existingSession.expiresAt + 30 * 60 * 1000) > Date.now()) {
+            return response<{ token: string; serverVersion: string }>(res, {
+                data: {
+                    token: existingSession.sessionId,
+                    serverVersion: APP_VERSION
+                },
+                success: true,
+                error: false,
+                message: "Token created successfully",
+                status: HttpCode.OK
+            });
+        }
+
+        // otherwise generate a new one
         const resToken = generateSessionToken();
         await createNewtSession(resToken, existingNewt.newtId);
 
diff --git a/server/routers/newt/handleNewtPingMessage.ts b/server/routers/newt/handleNewtPingMessage.ts
index 319647b83..da25852a0 100644
--- a/server/routers/newt/handleNewtPingMessage.ts
+++ b/server/routers/newt/handleNewtPingMessage.ts
@@ -5,6 +5,7 @@ import { Newt } from "@server/db";
 import { eq, lt, isNull, and, or } from "drizzle-orm";
 import logger from "@server/logger";
 import { sendNewtSyncMessage } from "./sync";
+import { recordPing } from "./pingAccumulator";
 
 // Track if the offline checker interval is running
 let offlineCheckerInterval: NodeJS.Timeout | null = null;
@@ -114,18 +115,12 @@ export const handleNewtPingMessage: MessageHandler = async (context) => {
         return;
     }
 
-    try {
-        // Mark the site as online and record the ping timestamp.
-        await db
-            .update(sites)
-            .set({
-                online: true,
-                lastPing: Math.floor(Date.now() / 1000)
-            })
-            .where(eq(sites.siteId, newt.siteId));
-    } catch (error) {
-        logger.error("Error updating online state on newt ping", { error });
-    }
+    // Record the ping in memory; it will be flushed to the database
+    // periodically by the ping accumulator (every ~10s) in a single
+    // batched UPDATE instead of one query per ping. This prevents
+    // connection pool exhaustion under load, especially with
+    // cross-region latency to the database.
+    recordPing(newt.siteId);
 
     // Check config version and sync if stale.
     const configVersion = await getClientConfigVersion(newt.newtId);
diff --git a/server/routers/newt/pingAccumulator.ts b/server/routers/newt/pingAccumulator.ts
new file mode 100644
index 000000000..83afd613e
--- /dev/null
+++ b/server/routers/newt/pingAccumulator.ts
@@ -0,0 +1,382 @@
+import { db } from "@server/db";
+import { sites, clients, olms } from "@server/db";
+import { eq, inArray } from "drizzle-orm";
+import logger from "@server/logger";
+
+/**
+ * Ping Accumulator
+ *
+ * Instead of writing to the database on every single newt/olm ping (which
+ * causes pool exhaustion under load, especially with cross-region latency),
+ * we accumulate pings in memory and flush them to the database periodically
+ * in a single batch.
+ *
+ * This is the same pattern used for bandwidth flushing in
+ * receiveBandwidth.ts and handleReceiveBandwidthMessage.ts.
+ *
+ * Supports two kinds of pings:
+ *   - **Site pings** (from newts): update `sites.online` and `sites.lastPing`
+ *   - **Client pings** (from OLMs): update `clients.online`, `clients.lastPing`,
+ *     `clients.archived`, and optionally reset `olms.archived`
+ */
+
+const FLUSH_INTERVAL_MS = 10_000; // Flush every 10 seconds
+const MAX_RETRIES = 2;
+const BASE_DELAY_MS = 50;
+
+// ── Site (newt) pings ──────────────────────────────────────────────────
+// Map of siteId -> latest ping timestamp (unix seconds)
+const pendingSitePings: Map<number, number> = new Map();
+
+// ── Client (OLM) pings ────────────────────────────────────────────────
+// Map of clientId -> latest ping timestamp (unix seconds)
+const pendingClientPings: Map<number, number> = new Map();
+// Set of olmIds whose `archived` flag should be reset to false
+const pendingOlmArchiveResets: Set<string> = new Set();
+
+let flushTimer: NodeJS.Timeout | null = null;
+
+// ── Public API ─────────────────────────────────────────────────────────
+
+/**
+ * Record a ping for a newt site. This does NOT write to the database
+ * immediately. Instead it stores the latest ping timestamp in memory,
+ * to be flushed periodically by the background timer.
+ */
+export function recordSitePing(siteId: number): void {
+    const now = Math.floor(Date.now() / 1000);
+    pendingSitePings.set(siteId, now);
+}
+
+/** @deprecated Use `recordSitePing` instead. Alias kept for existing call-sites. */
+export const recordPing = recordSitePing;
+
+/**
+ * Record a ping for an OLM client. Batches the `clients` table update
+ * (`online`, `lastPing`, `archived`) and, when `olmArchived` is true,
+ * also queues an `olms` table update to clear the archived flag.
+ */
+export function recordClientPing(
+    clientId: number,
+    olmId: string,
+    olmArchived: boolean
+): void {
+    const now = Math.floor(Date.now() / 1000);
+    pendingClientPings.set(clientId, now);
+    if (olmArchived) {
+        pendingOlmArchiveResets.add(olmId);
+    }
+}
+
+// ── Flush Logic ────────────────────────────────────────────────────────
+
+/**
+ * Flush all accumulated site pings to the database.
+ */
+async function flushSitePingsToDb(): Promise<void> {
+    if (pendingSitePings.size === 0) {
+        return;
+    }
+
+    // Snapshot and clear so new pings arriving during the flush go into a
+    // fresh map for the next cycle.
+    const pingsToFlush = new Map(pendingSitePings);
+    pendingSitePings.clear();
+
+    // Sort by siteId for consistent lock ordering (prevents deadlocks)
+    const sortedEntries = Array.from(pingsToFlush.entries()).sort(
+        ([a], [b]) => a - b
+    );
+
+    const BATCH_SIZE = 50;
+    for (let i = 0; i < sortedEntries.length; i += BATCH_SIZE) {
+        const batch = sortedEntries.slice(i, i + BATCH_SIZE);
+
+        try {
+            await withRetry(async () => {
+                // Group by timestamp for efficient bulk updates
+                const byTimestamp = new Map<number, number[]>();
+                for (const [siteId, timestamp] of batch) {
+                    const group = byTimestamp.get(timestamp) || [];
+                    group.push(siteId);
+                    byTimestamp.set(timestamp, group);
+                }
+
+                if (byTimestamp.size === 1) {
+                    const [timestamp, siteIds] = Array.from(
+                        byTimestamp.entries()
+                    )[0];
+                    await db
+                        .update(sites)
+                        .set({
+                            online: true,
+                            lastPing: timestamp
+                        })
+                        .where(inArray(sites.siteId, siteIds));
+                } else {
+                    await db.transaction(async (tx) => {
+                        for (const [timestamp, siteIds] of byTimestamp) {
+                            await tx
+                                .update(sites)
+                                .set({
+                                    online: true,
+                                    lastPing: timestamp
+                                })
+                                .where(inArray(sites.siteId, siteIds));
+                        }
+                    });
+                }
+            }, "flushSitePingsToDb");
+        } catch (error) {
+            logger.error(
+                `Failed to flush site ping batch (${batch.length} sites), re-queuing for next cycle`,
+                { error }
+            );
+            for (const [siteId, timestamp] of batch) {
+                const existing = pendingSitePings.get(siteId);
+                if (!existing || existing < timestamp) {
+                    pendingSitePings.set(siteId, timestamp);
+                }
+            }
+        }
+    }
+}
+
+/**
+ * Flush all accumulated client (OLM) pings to the database.
+ */
+async function flushClientPingsToDb(): Promise<void> {
+    if (pendingClientPings.size === 0 && pendingOlmArchiveResets.size === 0) {
+        return;
+    }
+
+    // Snapshot and clear
+    const pingsToFlush = new Map(pendingClientPings);
+    pendingClientPings.clear();
+
+    const olmResetsToFlush = new Set(pendingOlmArchiveResets);
+    pendingOlmArchiveResets.clear();
+
+    // ── Flush client pings ─────────────────────────────────────────────
+    if (pingsToFlush.size > 0) {
+        const sortedEntries = Array.from(pingsToFlush.entries()).sort(
+            ([a], [b]) => a - b
+        );
+
+        const BATCH_SIZE = 50;
+        for (let i = 0; i < sortedEntries.length; i += BATCH_SIZE) {
+            const batch = sortedEntries.slice(i, i + BATCH_SIZE);
+
+            try {
+                await withRetry(async () => {
+                    const byTimestamp = new Map<number, number[]>();
+                    for (const [clientId, timestamp] of batch) {
+                        const group = byTimestamp.get(timestamp) || [];
+                        group.push(clientId);
+                        byTimestamp.set(timestamp, group);
+                    }
+
+                    if (byTimestamp.size === 1) {
+                        const [timestamp, clientIds] = Array.from(
+                            byTimestamp.entries()
+                        )[0];
+                        await db
+                            .update(clients)
+                            .set({
+                                lastPing: timestamp,
+                                online: true,
+                                archived: false
+                            })
+                            .where(inArray(clients.clientId, clientIds));
+                    } else {
+                        await db.transaction(async (tx) => {
+                            for (const [timestamp, clientIds] of byTimestamp) {
+                                await tx
+                                    .update(clients)
+                                    .set({
+                                        lastPing: timestamp,
+                                        online: true,
+                                        archived: false
+                                    })
+                                    .where(
+                                        inArray(clients.clientId, clientIds)
+                                    );
+                            }
+                        });
+                    }
+                }, "flushClientPingsToDb");
+            } catch (error) {
+                logger.error(
+                    `Failed to flush client ping batch (${batch.length} clients), re-queuing for next cycle`,
+                    { error }
+                );
+                for (const [clientId, timestamp] of batch) {
+                    const existing = pendingClientPings.get(clientId);
+                    if (!existing || existing < timestamp) {
+                        pendingClientPings.set(clientId, timestamp);
+                    }
+                }
+            }
+        }
+    }
+
+    // ── Flush OLM archive resets ───────────────────────────────────────
+    if (olmResetsToFlush.size > 0) {
+        const olmIds = Array.from(olmResetsToFlush).sort();
+
+        const BATCH_SIZE = 50;
+        for (let i = 0; i < olmIds.length; i += BATCH_SIZE) {
+            const batch = olmIds.slice(i, i + BATCH_SIZE);
+
+            try {
+                await withRetry(async () => {
+                    await db
+                        .update(olms)
+                        .set({ archived: false })
+                        .where(inArray(olms.olmId, batch));
+                }, "flushOlmArchiveResets");
+            } catch (error) {
+                logger.error(
+                    `Failed to flush OLM archive reset batch (${batch.length} olms), re-queuing for next cycle`,
+                    { error }
+                );
+                for (const olmId of batch) {
+                    pendingOlmArchiveResets.add(olmId);
+                }
+            }
+        }
+    }
+}
+
+/**
+ * Flush everything — called by the interval timer and during shutdown.
+ */
+export async function flushPingsToDb(): Promise<void> {
+    await flushSitePingsToDb();
+    await flushClientPingsToDb();
+}
+
+// ── Retry / Error Helpers ──────────────────────────────────────────────
+
+/**
+ * Simple retry wrapper with exponential backoff for transient errors
+ * (connection timeouts, unexpected disconnects).
+ */
+async function withRetry<T>(
+    operation: () => Promise<T>,
+    context: string
+): Promise<T> {
+    let attempt = 0;
+    while (true) {
+        try {
+            return await operation();
+        } catch (error: any) {
+            if (isTransientError(error) && attempt < MAX_RETRIES) {
+                attempt++;
+                const baseDelay = Math.pow(2, attempt - 1) * BASE_DELAY_MS;
+                const jitter = Math.random() * baseDelay;
+                const delay = baseDelay + jitter;
+                logger.warn(
+                    `Transient DB error in ${context}, retrying attempt ${attempt}/${MAX_RETRIES} after ${delay.toFixed(0)}ms`
+                );
+                await new Promise((resolve) => setTimeout(resolve, delay));
+                continue;
+            }
+            throw error;
+        }
+    }
+}
+
+/**
+ * Detect transient connection errors that are safe to retry.
+ */
+function isTransientError(error: any): boolean {
+    if (!error) return false;
+
+    const message = (error.message || "").toLowerCase();
+    const causeMessage = (error.cause?.message || "").toLowerCase();
+    const code = error.code || "";
+
+    // Connection timeout / terminated
+    if (
+        message.includes("connection timeout") ||
+        message.includes("connection terminated") ||
+        message.includes("timeout exceeded when trying to connect") ||
+        causeMessage.includes("connection terminated unexpectedly") ||
+        causeMessage.includes("connection timeout")
+    ) {
+        return true;
+    }
+
+    // PostgreSQL deadlock
+    if (code === "40P01" || message.includes("deadlock")) {
+        return true;
+    }
+
+    // ECONNRESET, ECONNREFUSED, EPIPE
+    if (
+        code === "ECONNRESET" ||
+        code === "ECONNREFUSED" ||
+        code === "EPIPE" ||
+        code === "ETIMEDOUT"
+    ) {
+        return true;
+    }
+
+    return false;
+}
+
+// ── Lifecycle ──────────────────────────────────────────────────────────
+
+/**
+ * Start the background flush timer. Call this once at server startup.
+ */
+export function startPingAccumulator(): void {
+    if (flushTimer) {
+        return; // Already running
+    }
+
+    flushTimer = setInterval(async () => {
+        try {
+            await flushPingsToDb();
+        } catch (error) {
+            logger.error("Unhandled error in ping accumulator flush", {
+                error
+            });
+        }
+    }, FLUSH_INTERVAL_MS);
+
+    // Don't prevent the process from exiting
+    flushTimer.unref();
+
+    logger.info(
+        `Ping accumulator started (flush interval: ${FLUSH_INTERVAL_MS}ms)`
+    );
+}
+
+/**
+ * Stop the background flush timer and perform a final flush.
+ * Call this during graceful shutdown.
+ */
+export async function stopPingAccumulator(): Promise<void> {
+    if (flushTimer) {
+        clearInterval(flushTimer);
+        flushTimer = null;
+    }
+
+    // Final flush to persist any remaining pings
+    try {
+        await flushPingsToDb();
+    } catch (error) {
+        logger.error("Error during final ping accumulator flush", { error });
+    }
+
+    logger.info("Ping accumulator stopped");
+}
+
+/**
+ * Get the number of pending (unflushed) pings. Useful for monitoring.
+ */
+export function getPendingPingCount(): number {
+    return pendingSitePings.size + pendingClientPings.size;
+}
\ No newline at end of file
diff --git a/server/routers/olm/getOlmToken.ts b/server/routers/olm/getOlmToken.ts
index 2734a63bc..027e7ec15 100644
--- a/server/routers/olm/getOlmToken.ts
+++ b/server/routers/olm/getOlmToken.ts
@@ -8,7 +8,9 @@ import {
     ExitNode,
     exitNodes,
     sites,
-    clientSitesAssociationsCache
+    clientSitesAssociationsCache,
+    olmSessions,
+    olmSessions
 } from "@server/db";
 import { olms } from "@server/db";
 import HttpCode from "@server/types/HttpCode";
diff --git a/server/routers/olm/handleOlmPingMessage.ts b/server/routers/olm/handleOlmPingMessage.ts
index efcbf1696..0f520b234 100644
--- a/server/routers/olm/handleOlmPingMessage.ts
+++ b/server/routers/olm/handleOlmPingMessage.ts
@@ -3,6 +3,7 @@ import { db } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
 import { clients, olms, Olm } from "@server/db";
 import { eq, lt, isNull, and, or } from "drizzle-orm";
+import { recordClientPing } from "@server/routers/newt/pingAccumulator";
 import logger from "@server/logger";
 import { validateSessionToken } from "@server/auth/sessions/app";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
@@ -201,22 +202,12 @@ export const handleOlmPingMessage: MessageHandler = async (context) => {
             await sendOlmSyncMessage(olm, client);
         }
 
-        // Update the client's last ping timestamp
-        await db
-            .update(clients)
-            .set({
-                lastPing: Math.floor(Date.now() / 1000),
-                online: true,
-                archived: false
-            })
-            .where(eq(clients.clientId, olm.clientId));
-
-        if (olm.archived) {
-            await db
-                .update(olms)
-                .set({ archived: false })
-                .where(eq(olms.olmId, olm.olmId));
-        }
+        // Record the ping in memory; it will be flushed to the database
+        // periodically by the ping accumulator (every ~10s) in a single
+        // batched UPDATE instead of one query per ping. This prevents
+        // connection pool exhaustion under load, especially with
+        // cross-region latency to the database.
+        recordClientPing(olm.clientId, olm.olmId, !!olm.archived);
     } catch (error) {
         logger.error("Error handling ping message", { error });
     }
diff --git a/server/routers/ws/messageHandlers.ts b/server/routers/ws/messageHandlers.ts
index 628caafd5..143e4d516 100644
--- a/server/routers/ws/messageHandlers.ts
+++ b/server/routers/ws/messageHandlers.ts
@@ -11,6 +11,7 @@ import {
     startNewtOfflineChecker,
     handleNewtDisconnectingMessage
 } from "../newt";
+import { startPingAccumulator } from "../newt/pingAccumulator";
 import {
     handleOlmRegisterMessage,
     handleOlmRelayMessage,
@@ -46,6 +47,10 @@ export const messageHandlers: Record<string, MessageHandler> = {
     "ws/round-trip/complete": handleRoundTripMessage
 };
 
+// Start the ping accumulator for all builds — it batches per-site online/lastPing
+// updates into periodic bulk writes, preventing connection pool exhaustion.
+startPingAccumulator();
+
 if (build != "saas") {
     startOlmOfflineChecker(); // this is to handle the offline check for olms
     startNewtOfflineChecker(); // this is to handle the offline check for newts
diff --git a/server/routers/ws/ws.ts b/server/routers/ws/ws.ts
index 08a7dbd4c..6e6312715 100644
--- a/server/routers/ws/ws.ts
+++ b/server/routers/ws/ws.ts
@@ -6,6 +6,7 @@ import { Socket } from "net";
 import { Newt, newts, NewtSession, olms, Olm, OlmSession, sites } from "@server/db";
 import { eq } from "drizzle-orm";
 import { db } from "@server/db";
+import { recordPing } from "@server/routers/newt/pingAccumulator";
 import { validateNewtSessionToken } from "@server/auth/sessions/newt";
 import { validateOlmSessionToken } from "@server/auth/sessions/olm";
 import { messageHandlers } from "./messageHandlers";
@@ -386,22 +387,14 @@ const setupConnection = async (
     // the same as modern newt clients.
     if (clientType === "newt") {
         const newtClient = client as Newt;
-        ws.on("ping", async () => {
+        ws.on("ping", () => {
             if (!newtClient.siteId) return;
-            try {
-                await db
-                    .update(sites)
-                    .set({
-                        online: true,
-                        lastPing: Math.floor(Date.now() / 1000)
-                    })
-                    .where(eq(sites.siteId, newtClient.siteId));
-            } catch (error) {
-                logger.error(
-                    "Error updating newt site online state on WS ping",
-                    { error }
-                );
-            }
+            // Record the ping in the accumulator instead of writing to the
+            // database on every WS ping frame. The accumulator flushes all
+            // pending pings in a single batched UPDATE every ~10s, which
+            // prevents connection pool exhaustion under load (especially
+            // with cross-region latency to the database).
+            recordPing(newtClient.siteId);
         });
     }
 

From 6bb6cf8a48dd99f291657b02ed6b99fba4aab144 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 17:54:51 -0700
Subject: [PATCH 121/314] Clean up

---
 server/private/routers/ws/ws.ts     |  5 -----
 server/routers/newt/getNewtToken.ts | 19 -------------------
 server/routers/olm/getOlmToken.ts   |  2 --
 3 files changed, 26 deletions(-)

diff --git a/server/private/routers/ws/ws.ts b/server/private/routers/ws/ws.ts
index d96c55c91..67b83f931 100644
--- a/server/private/routers/ws/ws.ts
+++ b/server/private/routers/ws/ws.ts
@@ -19,14 +19,9 @@ import { Socket } from "net";
 import {
     Newt,
     newts,
-    NewtSession,
-    olms,
     Olm,
-    OlmSession,
     RemoteExitNode,
-    RemoteExitNodeSession,
     remoteExitNodes,
-    sites
 } from "@server/db";
 import { eq } from "drizzle-orm";
 import { db } from "@server/db";
diff --git a/server/routers/newt/getNewtToken.ts b/server/routers/newt/getNewtToken.ts
index bc3cca9fc..9d3da7e97 100644
--- a/server/routers/newt/getNewtToken.ts
+++ b/server/routers/newt/getNewtToken.ts
@@ -92,25 +92,6 @@ export async function getNewtToken(
             );
         }
 
-        const [existingSession] = await db
-            .select()
-            .from(newtSessions)
-            .where(eq(newtSessions.newtId, existingNewt.newtId));
-
-        // if the session still has time in the expires, reuse it
-        if (existingSession && (existingSession.expiresAt + 30 * 60 * 1000) > Date.now()) {
-            return response<{ token: string; serverVersion: string }>(res, {
-                data: {
-                    token: existingSession.sessionId,
-                    serverVersion: APP_VERSION
-                },
-                success: true,
-                error: false,
-                message: "Token created successfully",
-                status: HttpCode.OK
-            });
-        }
-
         // otherwise generate a new one
         const resToken = generateSessionToken();
         await createNewtSession(resToken, existingNewt.newtId);
diff --git a/server/routers/olm/getOlmToken.ts b/server/routers/olm/getOlmToken.ts
index 027e7ec15..741b29f0a 100644
--- a/server/routers/olm/getOlmToken.ts
+++ b/server/routers/olm/getOlmToken.ts
@@ -9,8 +9,6 @@ import {
     exitNodes,
     sites,
     clientSitesAssociationsCache,
-    olmSessions,
-    olmSessions
 } from "@server/db";
 import { olms } from "@server/db";
 import HttpCode from "@server/types/HttpCode";

From 9b84623d0c40a89b2aa1f9e8a7242b35e445d558 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 18:12:51 -0700
Subject: [PATCH 122/314] Cache token for thundering hurd

---
 server/lib/tokenCache.ts                      | 22 ++++++
 server/private/lib/cache.ts                   | 13 ++++
 server/private/lib/tokenCache.ts              | 77 +++++++++++++++++++
 .../remoteExitNode/getRemoteExitNodeToken.ts  | 25 ++++--
 server/routers/newt/getNewtToken.ts           | 18 ++++-
 server/routers/olm/getOlmToken.ts             | 19 ++++-
 6 files changed, 161 insertions(+), 13 deletions(-)
 create mode 100644 server/lib/tokenCache.ts
 create mode 100644 server/private/lib/tokenCache.ts

diff --git a/server/lib/tokenCache.ts b/server/lib/tokenCache.ts
new file mode 100644
index 000000000..022f46c15
--- /dev/null
+++ b/server/lib/tokenCache.ts
@@ -0,0 +1,22 @@
+/**
+ * Returns a cached plaintext token from Redis if one exists and decrypts
+ * cleanly, otherwise calls `createSession` to mint a fresh token, stores the
+ * encrypted value in Redis with the given TTL, and returns it.
+ *
+ * Failures at the Redis layer are non-fatal – the function always falls
+ * through to session creation so the caller is never blocked by a Redis outage.
+ *
+ * @param cacheKey   Unique Redis key, e.g. `"newt:token_cache:abc123"`
+ * @param secret     Server secret used for AES encryption/decryption
+ * @param ttlSeconds Cache TTL in seconds (should match session expiry)
+ * @param createSession Factory that mints a new session and returns its raw token
+ */
+export async function getOrCreateCachedToken(
+    cacheKey: string,
+    secret: string,
+    ttlSeconds: number,
+    createSession: () => Promise<string>
+): Promise<string> {
+    const token = await createSession();
+    return token;
+}
diff --git a/server/private/lib/cache.ts b/server/private/lib/cache.ts
index e8c03ba3d..1a2006d46 100644
--- a/server/private/lib/cache.ts
+++ b/server/private/lib/cache.ts
@@ -1,3 +1,16 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
 import NodeCache from "node-cache";
 import logger from "@server/logger";
 import { redisManager } from "@server/private/lib/redis";
diff --git a/server/private/lib/tokenCache.ts b/server/private/lib/tokenCache.ts
new file mode 100644
index 000000000..bb6645688
--- /dev/null
+++ b/server/private/lib/tokenCache.ts
@@ -0,0 +1,77 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import redisManager from "#dynamic/lib/redis";
+import { encrypt, decrypt } from "@server/lib/crypto";
+import logger from "@server/logger";
+
+/**
+ * Returns a cached plaintext token from Redis if one exists and decrypts
+ * cleanly, otherwise calls `createSession` to mint a fresh token, stores the
+ * encrypted value in Redis with the given TTL, and returns it.
+ *
+ * Failures at the Redis layer are non-fatal – the function always falls
+ * through to session creation so the caller is never blocked by a Redis outage.
+ *
+ * @param cacheKey   Unique Redis key, e.g. `"newt:token_cache:abc123"`
+ * @param secret     Server secret used for AES encryption/decryption
+ * @param ttlSeconds Cache TTL in seconds (should match session expiry)
+ * @param createSession Factory that mints a new session and returns its raw token
+ */
+export async function getOrCreateCachedToken(
+    cacheKey: string,
+    secret: string,
+    ttlSeconds: number,
+    createSession: () => Promise<string>
+): Promise<string> {
+    if (redisManager.isRedisEnabled()) {
+        try {
+            const cached = await redisManager.get(cacheKey);
+            if (cached) {
+                const token = decrypt(cached, secret);
+                if (token) {
+                    logger.debug(`Token cache hit for key: ${cacheKey}`);
+                    return token;
+                }
+                // Decryption produced an empty string – treat as a miss
+                logger.warn(
+                    `Token cache decryption returned empty string for key: ${cacheKey}, treating as miss`
+                );
+            }
+        } catch (e) {
+            logger.warn(
+                `Token cache read/decrypt failed for key ${cacheKey}, falling through to session creation:`,
+                e
+            );
+        }
+    }
+
+    const token = await createSession();
+
+    if (redisManager.isRedisEnabled()) {
+        try {
+            const encrypted = encrypt(token, secret);
+            await redisManager.set(cacheKey, encrypted, ttlSeconds);
+            logger.debug(
+                `Token cached in Redis for key: ${cacheKey} (TTL ${ttlSeconds}s)`
+            );
+        } catch (e) {
+            logger.warn(
+                `Token cache write failed for key ${cacheKey} (session was still created):`,
+                e
+            );
+        }
+    }
+
+    return token;
+}
diff --git a/server/private/routers/remoteExitNode/getRemoteExitNodeToken.ts b/server/private/routers/remoteExitNode/getRemoteExitNodeToken.ts
index 24f0de159..025e2d34e 100644
--- a/server/private/routers/remoteExitNode/getRemoteExitNodeToken.ts
+++ b/server/private/routers/remoteExitNode/getRemoteExitNodeToken.ts
@@ -23,8 +23,10 @@ import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import {
     createRemoteExitNodeSession,
-    validateRemoteExitNodeSessionToken
+    validateRemoteExitNodeSessionToken,
+    EXPIRES
 } from "#private/auth/sessions/remoteExitNode";
+import { getOrCreateCachedToken } from "@server/private/lib/tokenCache";
 import { verifyPassword } from "@server/auth/password";
 import logger from "@server/logger";
 import config from "@server/lib/config";
@@ -103,14 +105,23 @@ export async function getRemoteExitNodeToken(
             );
         }
 
-        const resToken = generateSessionToken();
-        await createRemoteExitNodeSession(
-            resToken,
-            existingRemoteExitNode.remoteExitNodeId
+        // Return a cached token if one exists to prevent thundering herd on
+        // simultaneous restarts; falls back to creating a fresh session when
+        // Redis is unavailable or the cache has expired.
+        const resToken = await getOrCreateCachedToken(
+            `remote_exit_node:token_cache:${existingRemoteExitNode.remoteExitNodeId}`,
+            config.getRawConfig().server.secret!,
+            Math.floor(EXPIRES / 1000),
+            async () => {
+                const token = generateSessionToken();
+                await createRemoteExitNodeSession(
+                    token,
+                    existingRemoteExitNode.remoteExitNodeId
+                );
+                return token;
+            }
         );
 
-        // logger.debug(`Created RemoteExitNode token response: ${JSON.stringify(resToken)}`);
-
         return response<{ token: string }>(res, {
             data: {
                 token: resToken
diff --git a/server/routers/newt/getNewtToken.ts b/server/routers/newt/getNewtToken.ts
index 9d3da7e97..c5abb9968 100644
--- a/server/routers/newt/getNewtToken.ts
+++ b/server/routers/newt/getNewtToken.ts
@@ -1,6 +1,8 @@
 import { generateSessionToken } from "@server/auth/sessions/app";
 import { db, newtSessions } from "@server/db";
 import { newts } from "@server/db";
+import { getOrCreateCachedToken } from "#dynamic/lib/tokenCache";
+import { EXPIRES } from "@server/auth/sessions/newt";
 import HttpCode from "@server/types/HttpCode";
 import response from "@server/lib/response";
 import { eq } from "drizzle-orm";
@@ -92,9 +94,19 @@ export async function getNewtToken(
             );
         }
 
-        // otherwise generate a new one
-        const resToken = generateSessionToken();
-        await createNewtSession(resToken, existingNewt.newtId);
+        // Return a cached token if one exists to prevent thundering herd on
+        // simultaneous restarts; falls back to creating a fresh session when
+        // Redis is unavailable or the cache has expired.
+        const resToken = await getOrCreateCachedToken(
+            `newt:token_cache:${existingNewt.newtId}`,
+            config.getRawConfig().server.secret!,
+            Math.floor(EXPIRES / 1000),
+            async () => {
+                const token = generateSessionToken();
+                await createNewtSession(token, existingNewt.newtId);
+                return token;
+            }
+        );
 
         return response<{ token: string; serverVersion: string }>(res, {
             data: {
diff --git a/server/routers/olm/getOlmToken.ts b/server/routers/olm/getOlmToken.ts
index 741b29f0a..5b8411eb7 100644
--- a/server/routers/olm/getOlmToken.ts
+++ b/server/routers/olm/getOlmToken.ts
@@ -20,8 +20,10 @@ import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import {
     createOlmSession,
-    validateOlmSessionToken
+    validateOlmSessionToken,
+    EXPIRES
 } from "@server/auth/sessions/olm";
+import { getOrCreateCachedToken } from "#dynamic/lib/tokenCache";
 import { verifyPassword } from "@server/auth/password";
 import logger from "@server/logger";
 import config from "@server/lib/config";
@@ -132,8 +134,19 @@ export async function getOlmToken(
 
         logger.debug("Creating new olm session token");
 
-        const resToken = generateSessionToken();
-        await createOlmSession(resToken, existingOlm.olmId);
+        // Return a cached token if one exists to prevent thundering herd on
+        // simultaneous restarts; falls back to creating a fresh session when
+        // Redis is unavailable or the cache has expired.
+        const resToken = await getOrCreateCachedToken(
+            `olm:token_cache:${existingOlm.olmId}`,
+            config.getRawConfig().server.secret!,
+            Math.floor(EXPIRES / 1000),
+            async () => {
+                const token = generateSessionToken();
+                await createOlmSession(token, existingOlm.olmId);
+                return token;
+            }
+        );
 
         let clientIdToUse;
         if (orgId) {

From 99a064b77af0d84f8d996885bb4ee5db5dfb5305 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 20:27:34 -0700
Subject: [PATCH 123/314] Fix import problems

---
 server/private/lib/tokenCache.ts | 2 +-
 server/private/routers/ws/ws.ts  | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/private/lib/tokenCache.ts b/server/private/lib/tokenCache.ts
index bb6645688..284f1d698 100644
--- a/server/private/lib/tokenCache.ts
+++ b/server/private/lib/tokenCache.ts
@@ -11,7 +11,7 @@
  * This file is not licensed under the AGPLv3.
  */
 
-import redisManager from "#dynamic/lib/redis";
+import redisManager from "#private/lib/redis";
 import { encrypt, decrypt } from "@server/lib/crypto";
 import logger from "@server/logger";
 
diff --git a/server/private/routers/ws/ws.ts b/server/private/routers/ws/ws.ts
index 67b83f931..21f4fad37 100644
--- a/server/private/routers/ws/ws.ts
+++ b/server/private/routers/ws/ws.ts
@@ -20,6 +20,7 @@ import {
     Newt,
     newts,
     Olm,
+    olms,
     RemoteExitNode,
     remoteExitNodes,
 } from "@server/db";

From c80c7df1d06266fbea9926159b86fd7bb675b178 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Wed, 25 Mar 2026 20:33:58 -0700
Subject: [PATCH 124/314] Batch set bandwidth

---
 server/routers/gerbil/receiveBandwidth.ts | 146 +++++++++++++---------
 1 file changed, 84 insertions(+), 62 deletions(-)

diff --git a/server/routers/gerbil/receiveBandwidth.ts b/server/routers/gerbil/receiveBandwidth.ts
index b73ce986d..042c844aa 100644
--- a/server/routers/gerbil/receiveBandwidth.ts
+++ b/server/routers/gerbil/receiveBandwidth.ts
@@ -1,6 +1,5 @@
 import { Request, Response, NextFunction } from "express";
-import { eq, sql } from "drizzle-orm";
-import { sites } from "@server/db";
+import { sql } from "drizzle-orm";
 import { db } from "@server/db";
 import logger from "@server/logger";
 import createHttpError from "http-errors";
@@ -31,7 +30,10 @@ const MAX_RETRIES = 3;
 const BASE_DELAY_MS = 50;
 
 // How often to flush accumulated bandwidth data to the database
-const FLUSH_INTERVAL_MS = 30_000; // 30 seconds
+const FLUSH_INTERVAL_MS = 300_000; // 300 seconds
+
+// Maximum number of sites to include in a single batch UPDATE statement
+const BATCH_CHUNK_SIZE = 250;
 
 // In-memory accumulator: publicKey -> AccumulatorEntry
 let accumulator = new Map<string, AccumulatorEntry>();
@@ -75,13 +77,33 @@ async function withDeadlockRetry<T>(
     }
 }
 
+/**
+ * Execute a raw SQL query that returns rows, in a way that works across both
+ * the PostgreSQL driver (which exposes `execute`) and the SQLite driver (which
+ * exposes `all`).  Drizzle's typed query builder doesn't support bulk
+ * UPDATE … FROM (VALUES …) natively, so we drop to raw SQL here.
+ */
+async function dbQueryRows<T extends Record<string, unknown>>(
+    query: Parameters<(typeof sql)["join"]>[0][number]
+): Promise<T[]> {
+    const anyDb = db as any;
+    if (typeof anyDb.execute === "function") {
+        // PostgreSQL (node-postgres via Drizzle) — returns { rows: [...] } or an array
+        const result = await anyDb.execute(query);
+        return (Array.isArray(result) ? result : (result.rows ?? [])) as T[];
+    }
+    // SQLite (better-sqlite3 via Drizzle) — returns an array directly
+    return (await anyDb.all(query)) as T[];
+}
+
 /**
  * Flush all accumulated site bandwidth data to the database.
  *
  * Swaps out the accumulator before writing so that any bandwidth messages
  * received during the flush are captured in the new accumulator rather than
- * being lost or causing contention. Entries that fail to write are re-queued
- * back into the accumulator so they will be retried on the next flush.
+ * being lost or causing contention. Sites are updated in chunks via a single
+ * batch UPDATE per chunk. Failed chunks are discarded — exact per-flush
+ * accuracy is not critical and re-queuing is not worth the added complexity.
  *
  * This function is exported so that the application's graceful-shutdown
  * cleanup handler can call it before the process exits.
@@ -108,76 +130,76 @@ export async function flushSiteBandwidthToDb(): Promise<void> {
         `Flushing accumulated bandwidth data for ${sortedEntries.length} site(s) to the database`
     );
 
-    // Aggregate billing usage by org, collected during the DB update loop.
+    // Build a lookup so post-processing can reach each entry by publicKey.
+    const snapshotMap = new Map(sortedEntries);
+
+    // Aggregate billing usage by org across all chunks.
     const orgUsageMap = new Map<string, number>();
 
-    for (const [publicKey, { bytesIn, bytesOut, exitNodeId, calcUsage }] of sortedEntries) {
+    // Process in chunks so individual queries stay at a reasonable size.
+    for (let i = 0; i < sortedEntries.length; i += BATCH_CHUNK_SIZE) {
+        const chunk = sortedEntries.slice(i, i + BATCH_CHUNK_SIZE);
+        const chunkEnd = i + chunk.length - 1;
+
+        // Build a parameterised VALUES list: (pubKey, bytesIn, bytesOut), ...
+        // Both PostgreSQL and SQLite (≥ 3.33.0, which better-sqlite3 bundles)
+        // support UPDATE … FROM (VALUES …), letting us update the whole chunk
+        // in a single query instead of N individual round-trips.
+        const valuesList = chunk.map(([publicKey, { bytesIn, bytesOut }]) =>
+            sql`(${publicKey}, ${bytesIn}, ${bytesOut})`
+        );
+        const valuesClause = sql.join(valuesList, sql`, `);
+
+        let rows: { orgId: string; pubKey: string }[] = [];
+
         try {
-            const updatedSite = await withDeadlockRetry(async () => {
-                const [result] = await db
-                    .update(sites)
-                    .set({
-                        megabytesOut: sql`COALESCE(${sites.megabytesOut}, 0) + ${bytesIn}`,
-                        megabytesIn: sql`COALESCE(${sites.megabytesIn}, 0) + ${bytesOut}`,
-                        lastBandwidthUpdate: currentTime,
-                    })
-                    .where(eq(sites.pubKey, publicKey))
-                    .returning({
-                        orgId: sites.orgId,
-                        siteId: sites.siteId
-                    });
-                return result;
-            }, `flush bandwidth for site ${publicKey}`);
-
-            if (updatedSite) {
-                if (exitNodeId) {
-                    const notAllowed = await checkExitNodeOrg(
-                        exitNodeId,
-                        updatedSite.orgId
-                    );
-                    if (notAllowed) {
-                        logger.warn(
-                            `Exit node ${exitNodeId} is not allowed for org ${updatedSite.orgId}`
-                        );
-                        // Skip usage tracking for this site but continue
-                        // processing the rest.
-                        continue;
-                    }
-                }
-
-                if (calcUsage) {
-                    const totalBandwidth = bytesIn + bytesOut;
-                    const current = orgUsageMap.get(updatedSite.orgId) ?? 0;
-                    orgUsageMap.set(updatedSite.orgId, current + totalBandwidth);
-                }
-            }
+            rows = await withDeadlockRetry(async () => {
+                return dbQueryRows<{ orgId: string; pubKey: string }>(sql`
+                    UPDATE sites
+                    SET
+                        "bytesOut"            = COALESCE("bytesOut", 0) + v.bytes_in,
+                        "bytesIn"             = COALESCE("bytesIn", 0)  + v.bytes_out,
+                        "lastBandwidthUpdate" = ${currentTime}
+                    FROM (VALUES ${valuesClause}) AS v(pub_key, bytes_in, bytes_out)
+                    WHERE sites."pubKey" = v.pub_key
+                    RETURNING sites."orgId" AS "orgId", sites."pubKey" AS "pubKey"
+                `);
+            }, `flush bandwidth chunk [${i}–${chunkEnd}]`);
         } catch (error) {
             logger.error(
-                `Failed to flush bandwidth for site ${publicKey}:`,
+                `Failed to flush bandwidth chunk [${i}–${chunkEnd}], discarding ${chunk.length} site(s):`,
                 error
             );
+            // Discard the chunk — exact per-flush accuracy is not critical.
+            continue;
+        }
 
-            // Re-queue the failed entry so it is retried on the next flush
-            // rather than silently dropped.
-            const existing = accumulator.get(publicKey);
-            if (existing) {
-                existing.bytesIn += bytesIn;
-                existing.bytesOut += bytesOut;
-            } else {
-                accumulator.set(publicKey, {
-                    bytesIn,
-                    bytesOut,
-                    exitNodeId,
-                    calcUsage
-                });
+        // Collect billing usage from the returned rows.
+        for (const { orgId, pubKey } of rows) {
+            const entry = snapshotMap.get(pubKey);
+            if (!entry) continue;
+
+            const { bytesIn, bytesOut, exitNodeId, calcUsage } = entry;
+
+            if (exitNodeId) {
+                const notAllowed = await checkExitNodeOrg(exitNodeId, orgId);
+                if (notAllowed) {
+                    logger.warn(
+                        `Exit node ${exitNodeId} is not allowed for org ${orgId}`
+                    );
+                    continue;
+                }
+            }
+
+            if (calcUsage) {
+                const current = orgUsageMap.get(orgId) ?? 0;
+                orgUsageMap.set(orgId, current + bytesIn + bytesOut);
             }
         }
     }
 
-    // Process billing usage updates outside the site-update loop to keep
-    // lock scope small and concerns separated.
+    // Process billing usage updates after all chunks are written.
     if (orgUsageMap.size > 0) {
-        // Sort org IDs for consistent lock ordering.
         const sortedOrgIds = [...orgUsageMap.keys()].sort();
 
         for (const orgId of sortedOrgIds) {

From 1f01108b62f8416887b47c492799326c34015e27 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Wed, 25 Mar 2026 20:33:58 -0700
Subject: [PATCH 125/314] Batch set bandwidth

---
 server/routers/gerbil/receiveBandwidth.ts | 146 +++++++++++++---------
 1 file changed, 84 insertions(+), 62 deletions(-)

diff --git a/server/routers/gerbil/receiveBandwidth.ts b/server/routers/gerbil/receiveBandwidth.ts
index b73ce986d..042c844aa 100644
--- a/server/routers/gerbil/receiveBandwidth.ts
+++ b/server/routers/gerbil/receiveBandwidth.ts
@@ -1,6 +1,5 @@
 import { Request, Response, NextFunction } from "express";
-import { eq, sql } from "drizzle-orm";
-import { sites } from "@server/db";
+import { sql } from "drizzle-orm";
 import { db } from "@server/db";
 import logger from "@server/logger";
 import createHttpError from "http-errors";
@@ -31,7 +30,10 @@ const MAX_RETRIES = 3;
 const BASE_DELAY_MS = 50;
 
 // How often to flush accumulated bandwidth data to the database
-const FLUSH_INTERVAL_MS = 30_000; // 30 seconds
+const FLUSH_INTERVAL_MS = 300_000; // 300 seconds
+
+// Maximum number of sites to include in a single batch UPDATE statement
+const BATCH_CHUNK_SIZE = 250;
 
 // In-memory accumulator: publicKey -> AccumulatorEntry
 let accumulator = new Map<string, AccumulatorEntry>();
@@ -75,13 +77,33 @@ async function withDeadlockRetry<T>(
     }
 }
 
+/**
+ * Execute a raw SQL query that returns rows, in a way that works across both
+ * the PostgreSQL driver (which exposes `execute`) and the SQLite driver (which
+ * exposes `all`).  Drizzle's typed query builder doesn't support bulk
+ * UPDATE … FROM (VALUES …) natively, so we drop to raw SQL here.
+ */
+async function dbQueryRows<T extends Record<string, unknown>>(
+    query: Parameters<(typeof sql)["join"]>[0][number]
+): Promise<T[]> {
+    const anyDb = db as any;
+    if (typeof anyDb.execute === "function") {
+        // PostgreSQL (node-postgres via Drizzle) — returns { rows: [...] } or an array
+        const result = await anyDb.execute(query);
+        return (Array.isArray(result) ? result : (result.rows ?? [])) as T[];
+    }
+    // SQLite (better-sqlite3 via Drizzle) — returns an array directly
+    return (await anyDb.all(query)) as T[];
+}
+
 /**
  * Flush all accumulated site bandwidth data to the database.
  *
  * Swaps out the accumulator before writing so that any bandwidth messages
  * received during the flush are captured in the new accumulator rather than
- * being lost or causing contention. Entries that fail to write are re-queued
- * back into the accumulator so they will be retried on the next flush.
+ * being lost or causing contention. Sites are updated in chunks via a single
+ * batch UPDATE per chunk. Failed chunks are discarded — exact per-flush
+ * accuracy is not critical and re-queuing is not worth the added complexity.
  *
  * This function is exported so that the application's graceful-shutdown
  * cleanup handler can call it before the process exits.
@@ -108,76 +130,76 @@ export async function flushSiteBandwidthToDb(): Promise<void> {
         `Flushing accumulated bandwidth data for ${sortedEntries.length} site(s) to the database`
     );
 
-    // Aggregate billing usage by org, collected during the DB update loop.
+    // Build a lookup so post-processing can reach each entry by publicKey.
+    const snapshotMap = new Map(sortedEntries);
+
+    // Aggregate billing usage by org across all chunks.
     const orgUsageMap = new Map<string, number>();
 
-    for (const [publicKey, { bytesIn, bytesOut, exitNodeId, calcUsage }] of sortedEntries) {
+    // Process in chunks so individual queries stay at a reasonable size.
+    for (let i = 0; i < sortedEntries.length; i += BATCH_CHUNK_SIZE) {
+        const chunk = sortedEntries.slice(i, i + BATCH_CHUNK_SIZE);
+        const chunkEnd = i + chunk.length - 1;
+
+        // Build a parameterised VALUES list: (pubKey, bytesIn, bytesOut), ...
+        // Both PostgreSQL and SQLite (≥ 3.33.0, which better-sqlite3 bundles)
+        // support UPDATE … FROM (VALUES …), letting us update the whole chunk
+        // in a single query instead of N individual round-trips.
+        const valuesList = chunk.map(([publicKey, { bytesIn, bytesOut }]) =>
+            sql`(${publicKey}, ${bytesIn}, ${bytesOut})`
+        );
+        const valuesClause = sql.join(valuesList, sql`, `);
+
+        let rows: { orgId: string; pubKey: string }[] = [];
+
         try {
-            const updatedSite = await withDeadlockRetry(async () => {
-                const [result] = await db
-                    .update(sites)
-                    .set({
-                        megabytesOut: sql`COALESCE(${sites.megabytesOut}, 0) + ${bytesIn}`,
-                        megabytesIn: sql`COALESCE(${sites.megabytesIn}, 0) + ${bytesOut}`,
-                        lastBandwidthUpdate: currentTime,
-                    })
-                    .where(eq(sites.pubKey, publicKey))
-                    .returning({
-                        orgId: sites.orgId,
-                        siteId: sites.siteId
-                    });
-                return result;
-            }, `flush bandwidth for site ${publicKey}`);
-
-            if (updatedSite) {
-                if (exitNodeId) {
-                    const notAllowed = await checkExitNodeOrg(
-                        exitNodeId,
-                        updatedSite.orgId
-                    );
-                    if (notAllowed) {
-                        logger.warn(
-                            `Exit node ${exitNodeId} is not allowed for org ${updatedSite.orgId}`
-                        );
-                        // Skip usage tracking for this site but continue
-                        // processing the rest.
-                        continue;
-                    }
-                }
-
-                if (calcUsage) {
-                    const totalBandwidth = bytesIn + bytesOut;
-                    const current = orgUsageMap.get(updatedSite.orgId) ?? 0;
-                    orgUsageMap.set(updatedSite.orgId, current + totalBandwidth);
-                }
-            }
+            rows = await withDeadlockRetry(async () => {
+                return dbQueryRows<{ orgId: string; pubKey: string }>(sql`
+                    UPDATE sites
+                    SET
+                        "bytesOut"            = COALESCE("bytesOut", 0) + v.bytes_in,
+                        "bytesIn"             = COALESCE("bytesIn", 0)  + v.bytes_out,
+                        "lastBandwidthUpdate" = ${currentTime}
+                    FROM (VALUES ${valuesClause}) AS v(pub_key, bytes_in, bytes_out)
+                    WHERE sites."pubKey" = v.pub_key
+                    RETURNING sites."orgId" AS "orgId", sites."pubKey" AS "pubKey"
+                `);
+            }, `flush bandwidth chunk [${i}–${chunkEnd}]`);
         } catch (error) {
             logger.error(
-                `Failed to flush bandwidth for site ${publicKey}:`,
+                `Failed to flush bandwidth chunk [${i}–${chunkEnd}], discarding ${chunk.length} site(s):`,
                 error
             );
+            // Discard the chunk — exact per-flush accuracy is not critical.
+            continue;
+        }
 
-            // Re-queue the failed entry so it is retried on the next flush
-            // rather than silently dropped.
-            const existing = accumulator.get(publicKey);
-            if (existing) {
-                existing.bytesIn += bytesIn;
-                existing.bytesOut += bytesOut;
-            } else {
-                accumulator.set(publicKey, {
-                    bytesIn,
-                    bytesOut,
-                    exitNodeId,
-                    calcUsage
-                });
+        // Collect billing usage from the returned rows.
+        for (const { orgId, pubKey } of rows) {
+            const entry = snapshotMap.get(pubKey);
+            if (!entry) continue;
+
+            const { bytesIn, bytesOut, exitNodeId, calcUsage } = entry;
+
+            if (exitNodeId) {
+                const notAllowed = await checkExitNodeOrg(exitNodeId, orgId);
+                if (notAllowed) {
+                    logger.warn(
+                        `Exit node ${exitNodeId} is not allowed for org ${orgId}`
+                    );
+                    continue;
+                }
+            }
+
+            if (calcUsage) {
+                const current = orgUsageMap.get(orgId) ?? 0;
+                orgUsageMap.set(orgId, current + bytesIn + bytesOut);
             }
         }
     }
 
-    // Process billing usage updates outside the site-update loop to keep
-    // lock scope small and concerns separated.
+    // Process billing usage updates after all chunks are written.
     if (orgUsageMap.size > 0) {
-        // Sort org IDs for consistent lock ordering.
         const sortedOrgIds = [...orgUsageMap.keys()].sort();
 
         for (const orgId of sortedOrgIds) {

From 6b3a6fa380f9c70e0a9f858c6b494b64c15aded0 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Wed, 25 Mar 2026 22:11:56 -0700
Subject: [PATCH 126/314] Add typecasts

---
 server/routers/gerbil/receiveBandwidth.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/routers/gerbil/receiveBandwidth.ts b/server/routers/gerbil/receiveBandwidth.ts
index 042c844aa..a1159bc22 100644
--- a/server/routers/gerbil/receiveBandwidth.ts
+++ b/server/routers/gerbil/receiveBandwidth.ts
@@ -146,7 +146,7 @@ export async function flushSiteBandwidthToDb(): Promise<void> {
         // support UPDATE … FROM (VALUES …), letting us update the whole chunk
         // in a single query instead of N individual round-trips.
         const valuesList = chunk.map(([publicKey, { bytesIn, bytesOut }]) =>
-            sql`(${publicKey}, ${bytesIn}, ${bytesOut})`
+            sql`(${publicKey}::text, ${bytesIn}::real, ${bytesOut}::real)`
         );
         const valuesClause = sql.join(valuesList, sql`, `);
 

From 5b9efc3c5f453b48b7261961d6c8fdcccc8999d1 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 26 Mar 2026 08:51:09 +0000
Subject: [PATCH 127/314] Bump picomatch

Bumps  and [picomatch](https://github.com/micromatch/picomatch). These dependencies needed to be updated together.

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2)

Updates `picomatch` from 4.0.3 to 4.0.4
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2)

---
updated-dependencies:
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
- dependency-name: picomatch
  dependency-version: 4.0.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 package-lock.json | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 7b63f1691..185ed7e85 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -9764,9 +9764,9 @@
             }
         },
         "node_modules/anymatch/node_modules/picomatch": {
-            "version": "2.3.1",
-            "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-            "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+            "version": "2.3.2",
+            "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+            "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
             "dev": true,
             "license": "MIT",
             "engines": {
@@ -15177,9 +15177,9 @@
             }
         },
         "node_modules/micromatch/node_modules/picomatch": {
-            "version": "2.3.1",
-            "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-            "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+            "version": "2.3.2",
+            "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+            "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
             "license": "MIT",
             "engines": {
                 "node": ">=8.6"
@@ -16468,9 +16468,9 @@
             "license": "ISC"
         },
         "node_modules/picomatch": {
-            "version": "4.0.3",
-            "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-            "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+            "version": "4.0.4",
+            "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+            "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
             "dev": true,
             "license": "MIT",
             "engines": {
@@ -18891,9 +18891,9 @@
             }
         },
         "node_modules/tsc-alias/node_modules/picomatch": {
-            "version": "2.3.1",
-            "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-            "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+            "version": "2.3.2",
+            "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+            "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
             "dev": true,
             "license": "MIT",
             "engines": {

From b4ca6432dba2ea012c962da5ce0ffb03d8b20f2d Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Thu, 26 Mar 2026 16:24:44 -0700
Subject: [PATCH 128/314] Fix double id

---
 src/components/CreateSiteProvisioningKeyCredenza.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/components/CreateSiteProvisioningKeyCredenza.tsx b/src/components/CreateSiteProvisioningKeyCredenza.tsx
index 70c48ff08..e18bbbd06 100644
--- a/src/components/CreateSiteProvisioningKeyCredenza.tsx
+++ b/src/components/CreateSiteProvisioningKeyCredenza.tsx
@@ -150,7 +150,7 @@ export default function CreateSiteProvisioningKeyCredenza({
 
     const credential =
         created &&
-        `${created.siteProvisioningKeyId}.${created.siteProvisioningKey}`;
+        created.siteProvisioningKey;
 
     const unlimitedBatchSize = form.watch("unlimitedBatchSize");
 

From e13a0769396a6d8cf8293cc96b8a3606c953950f Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Thu, 26 Mar 2026 16:37:31 -0700
Subject: [PATCH 129/314] ui improvements

---
 messages/bg-BG.json                           |   1 +
 messages/cs-CZ.json                           |   1 +
 messages/de-DE.json                           |   1 +
 messages/en-US.json                           |   1 +
 messages/es-ES.json                           |   1 +
 messages/fr-FR.json                           |   1 +
 messages/it-IT.json                           |   1 +
 messages/ko-KR.json                           |   1 +
 messages/nb-NO.json                           |   1 +
 messages/nl-NL.json                           |   1 +
 messages/pl-PL.json                           |   1 +
 messages/pt-PT.json                           |   1 +
 messages/ru-RU.json                           |   1 +
 messages/tr-TR.json                           |   1 +
 messages/zh-CN.json                           |   1 +
 messages/zh-TW.json                           |   1 +
 server/auth/actions.ts                        |   5 +-
 server/db/queries/verifySessionQueries.ts     |  42 ---
 server/middlewares/index.ts                   |   1 +
 server/middlewares/integration/index.ts       |   1 +
 .../verifyApiKeyCanSetUserOrgRoles.ts         |  74 ++++++
 .../verifyUserCanSetUserOrgRoles.ts           |  54 ++++
 server/routers/external.ts                    |  11 +
 server/routers/integration.ts                 |  11 +
 server/routers/user/index.ts                  |   1 +
 server/routers/user/listUsers.ts              |  30 ++-
 server/routers/user/setUserOrgRoles.ts        | 151 +++++++++++
 .../users/[userId]/access-controls/page.tsx   | 239 ++++++++----------
 .../[orgId]/settings/access/users/page.tsx    |  13 +-
 .../proxy/[niceId]/authentication/page.tsx    |   9 +-
 src/components/PermissionsSelectBox.tsx       |   3 +-
 src/components/UsersTable.tsx                 |  75 +++++-
 src/components/ui/badge.tsx                   |   2 +-
 33 files changed, 533 insertions(+), 205 deletions(-)
 create mode 100644 server/middlewares/integration/verifyApiKeyCanSetUserOrgRoles.ts
 create mode 100644 server/middlewares/verifyUserCanSetUserOrgRoles.ts
 create mode 100644 server/routers/user/setUserOrgRoles.ts

diff --git a/messages/bg-BG.json b/messages/bg-BG.json
index 0b96141e9..10b83f38d 100644
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Изтрийте потребител",
     "actionListUsers": "Изброяване на потребители",
     "actionAddUserRole": "Добавяне на роля на потребител",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Генериране на токен за достъп",
     "actionDeleteAccessToken": "Изтриване на токен за достъп",
     "actionListAccessTokens": "Изброяване на токени за достъп",
diff --git a/messages/cs-CZ.json b/messages/cs-CZ.json
index cb5372b36..ea12fe535 100644
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Odstranit uživatele",
     "actionListUsers": "Seznam uživatelů",
     "actionAddUserRole": "Přidat uživatelskou roli",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Generovat přístupový token",
     "actionDeleteAccessToken": "Odstranit přístupový token",
     "actionListAccessTokens": "Seznam přístupových tokenů",
diff --git a/messages/de-DE.json b/messages/de-DE.json
index 150a8597e..cef7223fb 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Benutzer entfernen",
     "actionListUsers": "Benutzer auflisten",
     "actionAddUserRole": "Benutzerrolle hinzufügen",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Zugriffstoken generieren",
     "actionDeleteAccessToken": "Zugriffstoken löschen",
     "actionListAccessTokens": "Zugriffstoken auflisten",
diff --git a/messages/en-US.json b/messages/en-US.json
index 895ee1332..cdfd57110 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -1150,6 +1150,7 @@
     "actionRemoveUser": "Remove User",
     "actionListUsers": "List Users",
     "actionAddUserRole": "Add User Role",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Generate Access Token",
     "actionDeleteAccessToken": "Delete Access Token",
     "actionListAccessTokens": "List Access Tokens",
diff --git a/messages/es-ES.json b/messages/es-ES.json
index e33a85ace..2fc52b885 100644
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Eliminar usuario",
     "actionListUsers": "Listar usuarios",
     "actionAddUserRole": "Añadir rol de usuario",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Generar token de acceso",
     "actionDeleteAccessToken": "Eliminar token de acceso",
     "actionListAccessTokens": "Lista de Tokens de Acceso",
diff --git a/messages/fr-FR.json b/messages/fr-FR.json
index ec3dbffb8..2b3368a07 100644
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Supprimer un utilisateur",
     "actionListUsers": "Lister les utilisateurs",
     "actionAddUserRole": "Ajouter un rôle utilisateur",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Générer un jeton d'accès",
     "actionDeleteAccessToken": "Supprimer un jeton d'accès",
     "actionListAccessTokens": "Lister les jetons d'accès",
diff --git a/messages/it-IT.json b/messages/it-IT.json
index adab7879a..6891cd290 100644
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Rimuovi Utente",
     "actionListUsers": "Elenca Utenti",
     "actionAddUserRole": "Aggiungi Ruolo Utente",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Genera Token di Accesso",
     "actionDeleteAccessToken": "Elimina Token di Accesso",
     "actionListAccessTokens": "Elenca Token di Accesso",
diff --git a/messages/ko-KR.json b/messages/ko-KR.json
index 59f464305..02915abd7 100644
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "사용자 제거",
     "actionListUsers": "사용자 목록",
     "actionAddUserRole": "사용자 역할 추가",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "액세스 토큰 생성",
     "actionDeleteAccessToken": "액세스 토큰 삭제",
     "actionListAccessTokens": "액세스 토큰 목록",
diff --git a/messages/nb-NO.json b/messages/nb-NO.json
index e8a9fa9a3..50ec9a717 100644
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Fjern bruker",
     "actionListUsers": "List opp brukere",
     "actionAddUserRole": "Legg til brukerrolle",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Generer tilgangstoken",
     "actionDeleteAccessToken": "Slett tilgangstoken",
     "actionListAccessTokens": "List opp tilgangstokener",
diff --git a/messages/nl-NL.json b/messages/nl-NL.json
index 32580cc45..f0eaff3fd 100644
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Gebruiker verwijderen",
     "actionListUsers": "Gebruikers weergeven",
     "actionAddUserRole": "Gebruikersrol toevoegen",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Genereer Toegangstoken",
     "actionDeleteAccessToken": "Verwijder toegangstoken",
     "actionListAccessTokens": "Lijst toegangstokens",
diff --git a/messages/pl-PL.json b/messages/pl-PL.json
index ba0587b94..998fcc880 100644
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Usuń użytkownika",
     "actionListUsers": "Lista użytkowników",
     "actionAddUserRole": "Dodaj rolę użytkownika",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Wygeneruj token dostępu",
     "actionDeleteAccessToken": "Usuń token dostępu",
     "actionListAccessTokens": "Lista tokenów dostępu",
diff --git a/messages/pt-PT.json b/messages/pt-PT.json
index 3ce98fff6..b121f4b16 100644
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Remover Utilizador",
     "actionListUsers": "Listar Utilizadores",
     "actionAddUserRole": "Adicionar Função ao Utilizador",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Gerar Token de Acesso",
     "actionDeleteAccessToken": "Eliminar Token de Acesso",
     "actionListAccessTokens": "Listar Tokens de Acesso",
diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index 12043d8a2..0d42245e4 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Удалить пользователя",
     "actionListUsers": "Список пользователей",
     "actionAddUserRole": "Добавить роль пользователя",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Сгенерировать токен доступа",
     "actionDeleteAccessToken": "Удалить токен доступа",
     "actionListAccessTokens": "Список токенов доступа",
diff --git a/messages/tr-TR.json b/messages/tr-TR.json
index 362f891fb..2bfed7fb3 100644
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Kullanıcıyı Kaldır",
     "actionListUsers": "Kullanıcıları Listele",
     "actionAddUserRole": "Kullanıcı Rolü Ekle",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Erişim Jetonu Oluştur",
     "actionDeleteAccessToken": "Erişim Jetonunu Sil",
     "actionListAccessTokens": "Erişim Jetonlarını Listele",
diff --git a/messages/zh-CN.json b/messages/zh-CN.json
index a7f2682fa..f297d1ea9 100644
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "删除用户",
     "actionListUsers": "列出用户",
     "actionAddUserRole": "添加用户角色",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "生成访问令牌",
     "actionDeleteAccessToken": "删除访问令牌",
     "actionListAccessTokens": "访问令牌",
diff --git a/messages/zh-TW.json b/messages/zh-TW.json
index 1ae6a5156..8b9d05f53 100644
--- a/messages/zh-TW.json
+++ b/messages/zh-TW.json
@@ -1091,6 +1091,7 @@
   "actionRemoveUser": "刪除用戶",
   "actionListUsers": "列出用戶",
   "actionAddUserRole": "添加用戶角色",
+  "actionSetUserOrgRoles": "Set User Roles",
   "actionGenerateAccessToken": "生成訪問令牌",
   "actionDeleteAccessToken": "刪除訪問令牌",
   "actionListAccessTokens": "訪問令牌",
diff --git a/server/auth/actions.ts b/server/auth/actions.ts
index 6a5ed15dc..ae5136659 100644
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -4,6 +4,7 @@ import { userActions, roleActions } from "@server/db";
 import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export enum ActionsEnum {
     createOrgUser = "createOrgUser",
@@ -54,6 +55,7 @@ export enum ActionsEnum {
     // listRoleActions = "listRoleActions",
     addUserRole = "addUserRole",
     removeUserRole = "removeUserRole",
+    setUserOrgRoles = "setUserOrgRoles",
     // addUserSite = "addUserSite",
     // addUserAction = "addUserAction",
     // removeUserAction = "removeUserAction",
@@ -158,9 +160,6 @@ export async function checkUserActionPermission(
         let userOrgRoleIds = req.userOrgRoleIds;
 
         if (userOrgRoleIds === undefined) {
-            const { getUserOrgRoleIds } = await import(
-                "@server/lib/userOrgRoles"
-            );
             userOrgRoleIds = await getUserOrgRoleIds(userId, req.userOrgId!);
             if (userOrgRoleIds.length === 0) {
                 throw createHttpError(
diff --git a/server/db/queries/verifySessionQueries.ts b/server/db/queries/verifySessionQueries.ts
index 469df590d..66f968b02 100644
--- a/server/db/queries/verifySessionQueries.ts
+++ b/server/db/queries/verifySessionQueries.ts
@@ -104,48 +104,6 @@ export async function getUserSessionWithUser(
     };
 }
 
-/**
- * Get user organization role (single role; prefer getUserOrgRoleIds + roles for multi-role).
- * @deprecated Use userOrgRoles table and getUserOrgRoleIds for multi-role support.
- */
-export async function getUserOrgRole(userId: string, orgId: string) {
-    const userOrg = await db
-        .select({
-            userId: userOrgs.userId,
-            orgId: userOrgs.orgId,
-            isOwner: userOrgs.isOwner,
-            autoProvisioned: userOrgs.autoProvisioned
-        })
-        .from(userOrgs)
-        .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
-        .limit(1);
-
-    if (userOrg.length === 0) return null;
-
-    const [firstRole] = await db
-        .select({
-            roleId: userOrgRoles.roleId,
-            roleName: roles.name
-        })
-        .from(userOrgRoles)
-        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
-        .where(
-            and(
-                eq(userOrgRoles.userId, userId),
-                eq(userOrgRoles.orgId, orgId)
-            )
-        )
-        .limit(1);
-
-    return firstRole
-        ? {
-              ...userOrg[0],
-              roleId: firstRole.roleId,
-              roleName: firstRole.roleName
-          }
-        : { ...userOrg[0], roleId: null, roleName: null };
-}
-
 /**
  * Get role name by role ID (for display).
  */
diff --git a/server/middlewares/index.ts b/server/middlewares/index.ts
index 6437c90e2..435ccdb23 100644
--- a/server/middlewares/index.ts
+++ b/server/middlewares/index.ts
@@ -17,6 +17,7 @@ export * from "./verifyAccessTokenAccess";
 export * from "./requestTimeout";
 export * from "./verifyClientAccess";
 export * from "./verifyUserHasAction";
+export * from "./verifyUserCanSetUserOrgRoles";
 export * from "./verifyUserIsServerAdmin";
 export * from "./verifyIsLoggedInUser";
 export * from "./verifyIsLoggedInUser";
diff --git a/server/middlewares/integration/index.ts b/server/middlewares/integration/index.ts
index df186c1c8..8a213c6d2 100644
--- a/server/middlewares/integration/index.ts
+++ b/server/middlewares/integration/index.ts
@@ -1,6 +1,7 @@
 export * from "./verifyApiKey";
 export * from "./verifyApiKeyOrgAccess";
 export * from "./verifyApiKeyHasAction";
+export * from "./verifyApiKeyCanSetUserOrgRoles";
 export * from "./verifyApiKeySiteAccess";
 export * from "./verifyApiKeyResourceAccess";
 export * from "./verifyApiKeyTargetAccess";
diff --git a/server/middlewares/integration/verifyApiKeyCanSetUserOrgRoles.ts b/server/middlewares/integration/verifyApiKeyCanSetUserOrgRoles.ts
new file mode 100644
index 000000000..894665095
--- /dev/null
+++ b/server/middlewares/integration/verifyApiKeyCanSetUserOrgRoles.ts
@@ -0,0 +1,74 @@
+import { Request, Response, NextFunction } from "express";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+import logger from "@server/logger";
+import { ActionsEnum } from "@server/auth/actions";
+import { db } from "@server/db";
+import { apiKeyActions } from "@server/db";
+import { and, eq } from "drizzle-orm";
+
+async function apiKeyHasAction(apiKeyId: string, actionId: ActionsEnum) {
+    const [row] = await db
+        .select()
+        .from(apiKeyActions)
+        .where(
+            and(
+                eq(apiKeyActions.apiKeyId, apiKeyId),
+                eq(apiKeyActions.actionId, actionId)
+            )
+        );
+    return !!row;
+}
+
+/**
+ * Allows setUserOrgRoles on the key, or both addUserRole and removeUserRole.
+ */
+export function verifyApiKeyCanSetUserOrgRoles() {
+    return async function (
+        req: Request,
+        res: Response,
+        next: NextFunction
+    ): Promise<any> {
+        try {
+            if (!req.apiKey) {
+                return next(
+                    createHttpError(
+                        HttpCode.UNAUTHORIZED,
+                        "API Key not authenticated"
+                    )
+                );
+            }
+
+            const keyId = req.apiKey.apiKeyId;
+
+            if (await apiKeyHasAction(keyId, ActionsEnum.setUserOrgRoles)) {
+                return next();
+            }
+
+            const hasAdd = await apiKeyHasAction(keyId, ActionsEnum.addUserRole);
+            const hasRemove = await apiKeyHasAction(
+                keyId,
+                ActionsEnum.removeUserRole
+            );
+
+            if (hasAdd && hasRemove) {
+                return next();
+            }
+
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Key does not have permission perform this action"
+                )
+            );
+        } catch (error) {
+            logger.error("Error verifying API key set user org roles:", error);
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Error verifying key action access"
+                )
+            );
+        }
+    };
+}
diff --git a/server/middlewares/verifyUserCanSetUserOrgRoles.ts b/server/middlewares/verifyUserCanSetUserOrgRoles.ts
new file mode 100644
index 000000000..1a7554ab3
--- /dev/null
+++ b/server/middlewares/verifyUserCanSetUserOrgRoles.ts
@@ -0,0 +1,54 @@
+import { Request, Response, NextFunction } from "express";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+import logger from "@server/logger";
+import { ActionsEnum, checkUserActionPermission } from "@server/auth/actions";
+
+/**
+ * Allows the new setUserOrgRoles action, or legacy permission pair addUserRole + removeUserRole.
+ */
+export function verifyUserCanSetUserOrgRoles() {
+    return async function (
+        req: Request,
+        res: Response,
+        next: NextFunction
+    ): Promise<any> {
+        try {
+            const canSet = await checkUserActionPermission(
+                ActionsEnum.setUserOrgRoles,
+                req
+            );
+            if (canSet) {
+                return next();
+            }
+
+            const canAdd = await checkUserActionPermission(
+                ActionsEnum.addUserRole,
+                req
+            );
+            const canRemove = await checkUserActionPermission(
+                ActionsEnum.removeUserRole,
+                req
+            );
+
+            if (canAdd && canRemove) {
+                return next();
+            }
+
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "User does not have permission perform this action"
+                )
+            );
+        } catch (error) {
+            logger.error("Error verifying set user org roles access:", error);
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Error verifying role access"
+                )
+            );
+        }
+    };
+}
diff --git a/server/routers/external.ts b/server/routers/external.ts
index bae7bb4db..bb331dc69 100644
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -39,6 +39,7 @@ import {
     verifyApiKeyAccess,
     verifyDomainAccess,
     verifyUserHasAction,
+    verifyUserCanSetUserOrgRoles,
     verifyUserIsOrgOwner,
     verifySiteResourceAccess,
     verifyOlmAccess,
@@ -837,6 +838,16 @@ authenticated.post(
     user.updateOrgUser
 );
 
+authenticated.post(
+    "/org/:orgId/user/:userId/roles",
+    verifyOrgAccess,
+    verifyUserAccess,
+    verifyLimits,
+    verifyUserCanSetUserOrgRoles(),
+    logActionAudit(ActionsEnum.setUserOrgRoles),
+    user.setUserOrgRoles
+);
+
 authenticated.get("/org/:orgId/user/:userId", verifyOrgAccess, user.getOrgUser);
 authenticated.get("/org/:orgId/user/:userId/check", org.checkOrgUserAccess);
 
diff --git a/server/routers/integration.ts b/server/routers/integration.ts
index e77f82c83..32c06078b 100644
--- a/server/routers/integration.ts
+++ b/server/routers/integration.ts
@@ -16,6 +16,7 @@ import {
     verifyApiKey,
     verifyApiKeyOrgAccess,
     verifyApiKeyHasAction,
+    verifyApiKeyCanSetUserOrgRoles,
     verifyApiKeySiteAccess,
     verifyApiKeyResourceAccess,
     verifyApiKeyTargetAccess,
@@ -814,6 +815,16 @@ authenticated.post(
     user.updateOrgUser
 );
 
+authenticated.post(
+    "/org/:orgId/user/:userId/roles",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyUserAccess,
+    verifyLimits,
+    verifyApiKeyCanSetUserOrgRoles(),
+    logActionAudit(ActionsEnum.setUserOrgRoles),
+    user.setUserOrgRoles
+);
+
 authenticated.delete(
     "/org/:orgId/user/:userId",
     verifyApiKeyOrgAccess,
diff --git a/server/routers/user/index.ts b/server/routers/user/index.ts
index a300e0092..0884e8a2b 100644
--- a/server/routers/user/index.ts
+++ b/server/routers/user/index.ts
@@ -3,6 +3,7 @@ export * from "./removeUserOrg";
 export * from "./listUsers";
 export * from "./addUserRole";
 export * from "./removeUserRole";
+export * from "./setUserOrgRoles";
 export * from "./inviteUser";
 export * from "./acceptInvite";
 export * from "./getOrgUser";
diff --git a/server/routers/user/listUsers.ts b/server/routers/user/listUsers.ts
index 37567f24e..fe7f6b250 100644
--- a/server/routers/user/listUsers.ts
+++ b/server/routers/user/listUsers.ts
@@ -5,11 +5,10 @@ import { idp, roles, userOrgRoles, userOrgs, users } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
-import { sql } from "drizzle-orm";
+import { and, eq, inArray, sql } from "drizzle-orm";
 import logger from "@server/logger";
 import { fromZodError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { eq } from "drizzle-orm";
 
 const listUsersParamsSchema = z.strictObject({
     orgId: z.string()
@@ -56,15 +55,24 @@ async function queryUsers(orgId: string, limit: number, offset: number) {
         .limit(limit)
         .offset(offset);
 
-    const roleRows = await db
-        .select({
-            userId: userOrgRoles.userId,
-            roleId: userOrgRoles.roleId,
-            roleName: roles.name
-        })
-        .from(userOrgRoles)
-        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
-        .where(eq(userOrgRoles.orgId, orgId));
+    const userIds = rows.map((r) => r.id);
+    const roleRows =
+        userIds.length === 0
+            ? []
+            : await db
+                  .select({
+                      userId: userOrgRoles.userId,
+                      roleId: userOrgRoles.roleId,
+                      roleName: roles.name
+                  })
+                  .from(userOrgRoles)
+                  .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+                  .where(
+                      and(
+                          eq(userOrgRoles.orgId, orgId),
+                          inArray(userOrgRoles.userId, userIds)
+                      )
+                  );
 
     const rolesByUser = new Map<
         string,
diff --git a/server/routers/user/setUserOrgRoles.ts b/server/routers/user/setUserOrgRoles.ts
new file mode 100644
index 000000000..525c91729
--- /dev/null
+++ b/server/routers/user/setUserOrgRoles.ts
@@ -0,0 +1,151 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { clients, db } from "@server/db";
+import { userOrgRoles, userOrgs, roles } from "@server/db";
+import { eq, and, inArray } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
+
+const setUserOrgRolesParamsSchema = z.strictObject({
+    orgId: z.string(),
+    userId: z.string()
+});
+
+const setUserOrgRolesBodySchema = z.strictObject({
+    roleIds: z.array(z.int().positive()).min(1)
+});
+
+export async function setUserOrgRoles(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = setUserOrgRolesParamsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const parsedBody = setUserOrgRolesBodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { orgId, userId } = parsedParams.data;
+        const { roleIds } = parsedBody.data;
+
+        if (req.user && !req.userOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "You do not have access to this organization"
+                )
+            );
+        }
+
+        const uniqueRoleIds = [...new Set(roleIds)];
+
+        const [existingUser] = await db
+            .select()
+            .from(userOrgs)
+            .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
+            .limit(1);
+
+        if (!existingUser) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "User not found in this organization"
+                )
+            );
+        }
+
+        if (existingUser.isOwner) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Cannot change the roles of the owner of the organization"
+                )
+            );
+        }
+
+        const orgRoles = await db
+            .select({ roleId: roles.roleId })
+            .from(roles)
+            .where(
+                and(
+                    eq(roles.orgId, orgId),
+                    inArray(roles.roleId, uniqueRoleIds)
+                )
+            );
+
+        if (orgRoles.length !== uniqueRoleIds.length) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "One or more role IDs are invalid for this organization"
+                )
+            );
+        }
+
+        await db.transaction(async (trx) => {
+            await trx
+                .delete(userOrgRoles)
+                .where(
+                    and(
+                        eq(userOrgRoles.userId, userId),
+                        eq(userOrgRoles.orgId, orgId)
+                    )
+                );
+
+            if (uniqueRoleIds.length > 0) {
+                await trx.insert(userOrgRoles).values(
+                    uniqueRoleIds.map((roleId) => ({
+                        userId,
+                        orgId,
+                        roleId
+                    }))
+                );
+            }
+
+            const orgClients = await trx
+                .select()
+                .from(clients)
+                .where(
+                    and(eq(clients.userId, userId), eq(clients.orgId, orgId))
+                );
+
+            for (const orgClient of orgClients) {
+                await rebuildClientAssociationsFromClient(orgClient, trx);
+            }
+        });
+
+        return response(res, {
+            data: { userId, orgId, roleIds: uniqueRoleIds },
+            success: true,
+            error: false,
+            message: "User roles set successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
diff --git a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
index 7a1dab309..6dcdf16fb 100644
--- a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
+++ b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
@@ -3,23 +3,18 @@
 import {
     Form,
     FormControl,
+    FormDescription,
     FormField,
     FormItem,
     FormLabel,
     FormMessage
 } from "@app/components/ui/form";
-import {
-    Select,
-    SelectContent,
-    SelectItem,
-    SelectTrigger,
-    SelectValue
-} from "@app/components/ui/select";
 import { Checkbox } from "@app/components/ui/checkbox";
+import { Tag, TagInput } from "@app/components/tags/tag-input";
 import { toast } from "@app/hooks/useToast";
 import { zodResolver } from "@hookform/resolvers/zod";
 import { AxiosResponse } from "axios";
-import { useEffect, useState } from "react";
+import { useEffect, useMemo, useState } from "react";
 import { useForm } from "react-hook-form";
 import { z } from "zod";
 import { ListRolesResponse } from "@server/routers/role";
@@ -42,12 +37,20 @@ import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useTranslations } from "next-intl";
 import IdpTypeBadge from "@app/components/IdpTypeBadge";
 import { UserType } from "@server/types/UserTypes";
-import { Badge } from "@app/components/ui/badge";
 
-type UserRole = { roleId: number; name: string };
+const accessControlsFormSchema = z.object({
+    username: z.string(),
+    autoProvisioned: z.boolean(),
+    roles: z.array(
+        z.object({
+            id: z.string(),
+            text: z.string()
+        })
+    )
+});
 
 export default function AccessControlsPage() {
-    const { orgUser: user } = userOrgUserContext();
+    const { orgUser: user, updateOrgUser } = userOrgUserContext();
 
     const api = createApiClient(useEnvContext());
 
@@ -55,28 +58,34 @@ export default function AccessControlsPage() {
 
     const [loading, setLoading] = useState(false);
     const [roles, setRoles] = useState<{ roleId: number; name: string }[]>([]);
-    const [userRoles, setUserRoles] = useState<UserRole[]>([]);
+    const [activeRoleTagIndex, setActiveRoleTagIndex] = useState<number | null>(
+        null
+    );
 
     const t = useTranslations();
 
-    const formSchema = z.object({
-        username: z.string(),
-        autoProvisioned: z.boolean()
-    });
-
     const form = useForm({
-        resolver: zodResolver(formSchema),
+        resolver: zodResolver(accessControlsFormSchema),
         defaultValues: {
             username: user.username!,
-            autoProvisioned: user.autoProvisioned || false
+            autoProvisioned: user.autoProvisioned || false,
+            roles: (user.roles ?? []).map((r) => ({
+                id: r.roleId.toString(),
+                text: r.name
+            }))
         }
     });
 
     const currentRoleIds = user.roleIds ?? [];
-    const currentRoles: UserRole[] = user.roles ?? [];
 
     useEffect(() => {
-        setUserRoles(currentRoles);
+        form.setValue(
+            "roles",
+            (user.roles ?? []).map((r) => ({
+                id: r.roleId.toString(),
+                text: r.name
+            }))
+        );
     }, [user.userId, currentRoleIds.join(",")]);
 
     useEffect(() => {
@@ -104,59 +113,67 @@ export default function AccessControlsPage() {
         form.setValue("autoProvisioned", user.autoProvisioned || false);
     }, []);
 
-    async function handleAddRole(roleId: number) {
-        setLoading(true);
-        try {
-            await api.post(`/role/${roleId}/add/${user.userId}`);
-            toast({
-                variant: "default",
-                title: t("userSaved"),
-                description: t("userSavedDescription")
-            });
-            const role = roles.find((r) => r.roleId === roleId);
-            if (role) setUserRoles((prev) => [...prev, role]);
-        } catch (e) {
+    const allRoleOptions = useMemo(
+        () =>
+            roles
+                .map((role) => ({
+                    id: role.roleId.toString(),
+                    text: role.name
+                }))
+                .filter((role) => role.text !== "Admin"),
+        [roles]
+    );
+
+    function setRoleTags(
+        updater: Tag[] | ((prev: Tag[]) => Tag[])
+    ) {
+        const prev = form.getValues("roles");
+        const next = typeof updater === "function" ? updater(prev) : updater;
+
+        if (next.length === 0) {
             toast({
                 variant: "destructive",
                 title: t("accessRoleErrorAdd"),
-                description: formatAxiosError(
-                    e,
-                    t("accessRoleErrorAddDescription")
-                )
+                description: t("accessRoleSelectPlease")
             });
+            return;
         }
-        setLoading(false);
+
+        form.setValue("roles", next, { shouldDirty: true });
     }
 
-    async function handleRemoveRole(roleId: number) {
-        setLoading(true);
-        try {
-            await api.delete(`/role/${roleId}/remove/${user.userId}`);
-            toast({
-                variant: "default",
-                title: t("userSaved"),
-                description: t("userSavedDescription")
-            });
-            setUserRoles((prev) => prev.filter((r) => r.roleId !== roleId));
-        } catch (e) {
+    async function onSubmit(values: z.infer<typeof accessControlsFormSchema>) {
+        if (values.roles.length === 0) {
             toast({
                 variant: "destructive",
                 title: t("accessRoleErrorAdd"),
-                description: formatAxiosError(
-                    e,
-                    t("accessRoleErrorAddDescription")
-                )
+                description: t("accessRoleSelectPlease")
             });
+            return;
         }
-        setLoading(false);
-    }
 
-    async function onSubmit(values: z.infer<typeof formSchema>) {
         setLoading(true);
         try {
-            await api.post(`/org/${orgId}/user/${user.userId}`, {
+            const roleIds = values.roles.map((r) => parseInt(r.id, 10));
+
+            await Promise.all([
+                api.post(`/org/${orgId}/user/${user.userId}/roles`, {
+                    roleIds
+                }),
+                api.post(`/org/${orgId}/user/${user.userId}`, {
+                    autoProvisioned: values.autoProvisioned
+                })
+            ]);
+
+            updateOrgUser({
+                roleIds,
+                roles: values.roles.map((r) => ({
+                    roleId: parseInt(r.id, 10),
+                    name: r.text
+                })),
                 autoProvisioned: values.autoProvisioned
             });
+
             toast({
                 variant: "default",
                 title: t("userSaved"),
@@ -175,11 +192,6 @@ export default function AccessControlsPage() {
         setLoading(false);
     }
 
-    const availableRolesToAdd = roles.filter(
-        (r) => !userRoles.some((ur) => ur.roleId === r.roleId)
-    );
-    const canRemoveRole = userRoles.length > 1;
-
     return (
         <SettingsContainer>
             <SettingsSection>
@@ -216,72 +228,43 @@ export default function AccessControlsPage() {
                                         </div>
                                     )}
 
-                                <FormItem>
-                                    <FormLabel>{t("role")}</FormLabel>
-                                    <div className="flex flex-wrap gap-2 items-center">
-                                        {userRoles.map((r) => (
-                                            <Badge
-                                                key={r.roleId}
-                                                variant="secondary"
-                                                className="flex items-center gap-1"
-                                            >
-                                                {r.name}
-                                                {canRemoveRole && (
-                                                    <button
-                                                        type="button"
-                                                        onClick={() =>
-                                                            handleRemoveRole(
-                                                                r.roleId
-                                                            )
-                                                        }
-                                                        disabled={loading}
-                                                        className="ml-1 rounded hover:bg-muted"
-                                                        aria-label={`Remove ${r.name}`}
-                                                    >
-                                                        ×
-                                                    </button>
-                                                )}
-                                            </Badge>
-                                        ))}
-                                        {availableRolesToAdd.length > 0 && (
-                                            <Select
-                                                onValueChange={(value) => {
-                                                    handleAddRole(
-                                                        parseInt(value, 10)
-                                                    );
-                                                }}
-                                                disabled={loading}
-                                            >
-                                                <SelectTrigger className="w-[180px]">
-                                                    <SelectValue
-                                                        placeholder={t(
-                                                            "accessRoleSelect"
-                                                        )}
-                                                    />
-                                                </SelectTrigger>
-                                                <SelectContent>
-                                                    {availableRolesToAdd.map(
-                                                        (role) => (
-                                                            <SelectItem
-                                                                key={
-                                                                    role.roleId
-                                                                }
-                                                                value={role.roleId.toString()}
-                                                            >
-                                                                {role.name}
-                                                            </SelectItem>
-                                                        )
+                                <FormField
+                                    control={form.control}
+                                    name="roles"
+                                    render={({ field }) => (
+                                        <FormItem className="flex flex-col items-start">
+                                            <FormLabel>{t("role")}</FormLabel>
+                                            <FormControl>
+                                                <TagInput
+                                                    {...field}
+                                                    activeTagIndex={
+                                                        activeRoleTagIndex
+                                                    }
+                                                    setActiveTagIndex={
+                                                        setActiveRoleTagIndex
+                                                    }
+                                                    placeholder={t(
+                                                        "accessRoleSelect2"
                                                     )}
-                                                </SelectContent>
-                                            </Select>
-                                        )}
-                                    </div>
-                                    {userRoles.length === 0 && (
-                                        <p className="text-sm text-muted-foreground">
-                                            {t("accessRoleSelectPlease")}
-                                        </p>
+                                                    size="sm"
+                                                    tags={field.value}
+                                                    setTags={setRoleTags}
+                                                    enableAutocomplete={true}
+                                                    autocompleteOptions={
+                                                        allRoleOptions
+                                                    }
+                                                    allowDuplicates={false}
+                                                    restrictTagsToAutocompleteOptions={
+                                                        true
+                                                    }
+                                                    sortTags={true}
+                                                    disabled={loading}
+                                                />
+                                            </FormControl>
+                                            <FormMessage />
+                                        </FormItem>
                                     )}
-                                </FormItem>
+                                />
 
                                 {user.idpAutoProvision && (
                                     <FormField
@@ -299,9 +282,7 @@ export default function AccessControlsPage() {
                                                 </FormControl>
                                                 <div className="space-y-1 leading-none">
                                                     <FormLabel>
-                                                        {t(
-                                                            "autoProvisioned"
-                                                        )}
+                                                        {t("autoProvisioned")}
                                                     </FormLabel>
                                                     <p className="text-sm text-muted-foreground">
                                                         {t(
diff --git a/src/app/[orgId]/settings/access/users/page.tsx b/src/app/[orgId]/settings/access/users/page.tsx
index c64ee6396..812ac2b64 100644
--- a/src/app/[orgId]/settings/access/users/page.tsx
+++ b/src/app/[orgId]/settings/access/users/page.tsx
@@ -86,11 +86,14 @@ export default async function UsersPage(props: UsersPageProps) {
             idpId: user.idpId,
             idpName: user.idpName || t("idpNameInternal"),
             status: t("userConfirmed"),
-            role: user.isOwner
-                ? t("accessRoleOwner")
-                : user.roles?.length
-                  ? user.roles.map((r) => r.roleName).join(", ")
-                  : t("accessRoleMember"),
+            roleLabels: user.isOwner
+                ? [t("accessRoleOwner")]
+                : (() => {
+                      const names = (user.roles ?? [])
+                          .map((r) => r.roleName)
+                          .filter((n): n is string => Boolean(n?.length));
+                      return names.length ? names : [t("accessRoleMember")];
+                  })(),
             isOwner: user.isOwner || false
         };
     });
diff --git a/src/app/[orgId]/settings/resources/proxy/[niceId]/authentication/page.tsx b/src/app/[orgId]/settings/resources/proxy/[niceId]/authentication/page.tsx
index a533fb6c3..414a9b652 100644
--- a/src/app/[orgId]/settings/resources/proxy/[niceId]/authentication/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/[niceId]/authentication/page.tsx
@@ -129,12 +129,13 @@ export default function ResourceAuthenticationPage() {
             orgId: org.org.orgId
         })
     );
-    const { data: orgIdps = [], isLoading: isLoadingOrgIdps } = useQuery(
-        orgQueries.identityProviders({
+    const { data: orgIdps = [], isLoading: isLoadingOrgIdps } = useQuery({
+        ...orgQueries.identityProviders({
             orgId: org.org.orgId,
             useOrgOnlyIdp: env.app.identityProviderMode === "org"
-        })
-    );
+        }),
+        enabled: isPaidUser(tierMatrix.orgOidc)
+    });
 
     const pageLoading =
         isLoadingOrgRoles ||
diff --git a/src/components/PermissionsSelectBox.tsx b/src/components/PermissionsSelectBox.tsx
index 1f7c5279d..01be1aedb 100644
--- a/src/components/PermissionsSelectBox.tsx
+++ b/src/components/PermissionsSelectBox.tsx
@@ -95,7 +95,8 @@ function getActionsCategories(root: boolean) {
             [t("actionListRole")]: "listRoles",
             [t("actionUpdateRole")]: "updateRole",
             [t("actionListAllowedRoleResources")]: "listRoleResources",
-            [t("actionAddUserRole")]: "addUserRole"
+            [t("actionAddUserRole")]: "addUserRole",
+            [t("actionSetUserOrgRoles")]: "setUserOrgRoles"
         },
         "Access Token": {
             [t("actionGenerateAccessToken")]: "generateAccessToken",
diff --git a/src/components/UsersTable.tsx b/src/components/UsersTable.tsx
index 9b1dfee68..be1d6a345 100644
--- a/src/components/UsersTable.tsx
+++ b/src/components/UsersTable.tsx
@@ -12,6 +12,13 @@ import { Button } from "@app/components/ui/button";
 import { ArrowRight, ArrowUpDown, Crown, MoreHorizontal } from "lucide-react";
 import { UsersDataTable } from "@app/components/UsersDataTable";
 import { useState, useEffect } from "react";
+import {
+    Popover,
+    PopoverContent,
+    PopoverTrigger
+} from "@app/components/ui/popover";
+import { Badge, badgeVariants } from "@app/components/ui/badge";
+import { cn } from "@app/lib/cn";
 import ConfirmDeleteDialog from "@app/components/ConfirmDeleteDialog";
 import { useOrgContext } from "@app/hooks/useOrgContext";
 import { toast } from "@app/hooks/useToast";
@@ -36,10 +43,65 @@ export type UserRow = {
     type: string;
     idpVariant: string | null;
     status: string;
-    role: string;
+    roleLabels: string[];
     isOwner: boolean;
 };
 
+const MAX_ROLE_BADGES = 3;
+
+function UserRoleBadges({ roleLabels }: { roleLabels: string[] }) {
+    const visible = roleLabels.slice(0, MAX_ROLE_BADGES);
+    const overflow = roleLabels.slice(MAX_ROLE_BADGES);
+
+    return (
+        <div className="flex flex-wrap items-center gap-1">
+            {visible.map((label, i) => (
+                <Badge key={`${label}-${i}`} variant="secondary">
+                    {label}
+                </Badge>
+            ))}
+            {overflow.length > 0 && (
+                <OverflowRolesPopover labels={overflow} />
+            )}
+        </div>
+    );
+}
+
+function OverflowRolesPopover({ labels }: { labels: string[] }) {
+    const [open, setOpen] = useState(false);
+
+    return (
+        <Popover open={open} onOpenChange={setOpen}>
+            <PopoverTrigger asChild>
+                <button
+                    type="button"
+                    className={cn(
+                        badgeVariants({ variant: "secondary" }),
+                        "border-dashed"
+                    )}
+                    onMouseEnter={() => setOpen(true)}
+                    onMouseLeave={() => setOpen(false)}
+                >
+                    +{labels.length}
+                </button>
+            </PopoverTrigger>
+            <PopoverContent
+                align="start"
+                side="top"
+                className="w-auto max-w-xs p-2"
+                onMouseEnter={() => setOpen(true)}
+                onMouseLeave={() => setOpen(false)}
+            >
+                <ul className="space-y-1 text-sm">
+                    {labels.map((label, i) => (
+                        <li key={`${label}-${i}`}>{label}</li>
+                    ))}
+                </ul>
+            </PopoverContent>
+        </Popover>
+    );
+}
+
 type UsersTableProps = {
     users: UserRow[];
 };
@@ -124,7 +186,8 @@ export default function UsersTable({ users: u }: UsersTableProps) {
             }
         },
         {
-            accessorKey: "role",
+            id: "role",
+            accessorFn: (row) => row.roleLabels.join(", "),
             friendlyName: t("role"),
             header: ({ column }) => {
                 return (
@@ -140,13 +203,7 @@ export default function UsersTable({ users: u }: UsersTableProps) {
                 );
             },
             cell: ({ row }) => {
-                const userRow = row.original;
-
-                return (
-                    <div className="flex flex-row items-center gap-2">
-                        <span>{userRow.role}</span>
-                    </div>
-                );
+                return <UserRoleBadges roleLabels={row.original.roleLabels} />;
             }
         },
         {
diff --git a/src/components/ui/badge.tsx b/src/components/ui/badge.tsx
index 4d38e0fd4..2b474f45b 100644
--- a/src/components/ui/badge.tsx
+++ b/src/components/ui/badge.tsx
@@ -4,7 +4,7 @@ import { cva, type VariantProps } from "class-variance-authority";
 import { cn } from "@app/lib/cn";
 
 const badgeVariants = cva(
-    "inline-flex items-center rounded-full border px-2.5 py-0.5 text-xs font-semibold transition-colors focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-0",
+    "inline-flex items-center rounded-full border px-2.5 py-0.5 text-xs font-semibold transition-colors outline-none focus:outline-none focus-visible:outline-none focus-visible:ring-0",
     {
         variants: {
             variant: {

From d046084e84cac2ff1cac3e0724aa5a093e333117 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Thu, 26 Mar 2026 16:44:30 -0700
Subject: [PATCH 130/314] delete role move to new role

---
 server/routers/role/deleteRole.ts | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/server/routers/role/deleteRole.ts b/server/routers/role/deleteRole.ts
index 24c26e654..4d2797250 100644
--- a/server/routers/role/deleteRole.ts
+++ b/server/routers/role/deleteRole.ts
@@ -2,7 +2,7 @@ import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
 import { roles, userOrgRoles } from "@server/db";
-import { eq } from "drizzle-orm";
+import { and, eq, exists, aliasedTable } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -114,13 +114,32 @@ export async function deleteRole(
         }
 
         await db.transaction(async (trx) => {
-            // move all users from userOrgRoles with roleId to newRoleId
+            const uorNewRole = aliasedTable(userOrgRoles, "user_org_roles_new");
+
+            // Users who already have newRoleId: drop the old assignment only (unique on userId+orgId+roleId).
+            await trx.delete(userOrgRoles).where(
+                and(
+                    eq(userOrgRoles.roleId, roleId),
+                    exists(
+                        trx
+                            .select()
+                            .from(uorNewRole)
+                            .where(
+                                and(
+                                    eq(uorNewRole.userId, userOrgRoles.userId),
+                                    eq(uorNewRole.orgId, userOrgRoles.orgId),
+                                    eq(uorNewRole.roleId, newRoleId)
+                                )
+                            )
+                    )
+                )
+            );
+
             await trx
                 .update(userOrgRoles)
                 .set({ roleId: newRoleId })
                 .where(eq(userOrgRoles.roleId, roleId));
 
-            // delete the old role
             await trx.delete(roles).where(eq(roles.roleId, roleId));
         });
 

From 19a686b3e4040f91d125184b209517992a989dc8 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Thu, 26 Mar 2026 16:49:43 -0700
Subject: [PATCH 131/314] Add restrictions around provisioning key

---
 server/routers/newt/registerNewt.ts | 45 +++++++++++++++++++++--------
 1 file changed, 33 insertions(+), 12 deletions(-)

diff --git a/server/routers/newt/registerNewt.ts b/server/routers/newt/registerNewt.ts
index b999eb35c..427ac173f 100644
--- a/server/routers/newt/registerNewt.ts
+++ b/server/routers/newt/registerNewt.ts
@@ -14,7 +14,7 @@ import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
-import { eq, and } from "drizzle-orm";
+import { eq, and, sql } from "drizzle-orm";
 import { fromError } from "zod-validation-error";
 import { verifyPassword, hashPassword } from "@server/auth/password";
 import {
@@ -26,6 +26,8 @@ import moment from "moment";
 import { build } from "@server/build";
 import { usageService } from "@server/lib/billing/usageService";
 import { FeatureId } from "@server/lib/billing";
+import { INSPECT_MAX_BYTES } from "buffer";
+import { v } from "@faker-js/faker/dist/airline-Dz1uGqgJ";
 
 const bodySchema = z.object({
     provisioningKey: z.string().nonempty()
@@ -77,7 +79,10 @@ export async function registerNewt(
                     siteProvisioningKeys.siteProvisioningKeyId,
                 siteProvisioningKeyHash:
                     siteProvisioningKeys.siteProvisioningKeyHash,
-                orgId: siteProvisioningKeyOrg.orgId
+                orgId: siteProvisioningKeyOrg.orgId,
+                maxBatchSize: siteProvisioningKeys.maxBatchSize,
+                numUsed: siteProvisioningKeys.numUsed,
+                validUntil: siteProvisioningKeys.validUntil
             })
             .from(siteProvisioningKeys)
             .innerJoin(
@@ -118,13 +123,28 @@ export async function registerNewt(
             );
         }
 
+        if (keyRecord.maxBatchSize && keyRecord.numUsed >= keyRecord.maxBatchSize) {
+            return next(
+                createHttpError(
+                    HttpCode.UNAUTHORIZED,
+                    "Provisioning key has reached its maximum usage"
+                )
+            );
+        }
+
+        if (keyRecord.validUntil && new Date(keyRecord.validUntil) < new Date()) {
+            return next(
+                createHttpError(
+                    HttpCode.UNAUTHORIZED,
+                    "Provisioning key has expired"
+                )
+            );
+        }
+
         const { orgId } = keyRecord;
 
         // Verify the org exists
-        const [org] = await db
-            .select()
-            .from(orgs)
-            .where(eq(orgs.orgId, orgId));
+        const [org] = await db.select().from(orgs).where(eq(orgs.orgId, orgId));
         if (!org) {
             return next(
                 createHttpError(HttpCode.NOT_FOUND, "Organization not found")
@@ -208,7 +228,11 @@ export async function registerNewt(
 
             // Consume the provisioning key — cascade removes siteProvisioningKeyOrg
             await trx
-                .delete(siteProvisioningKeys)
+                .update(siteProvisioningKeys)
+                .set({
+                    lastUsed: moment().toISOString(),
+                    numUsed: sql`${siteProvisioningKeys.numUsed} + 1`
+                })
                 .where(
                     eq(
                         siteProvisioningKeys.siteProvisioningKeyId,
@@ -236,10 +260,7 @@ export async function registerNewt(
     } catch (error) {
         logger.error(error);
         return next(
-            createHttpError(
-                HttpCode.INTERNAL_SERVER_ERROR,
-                "An error occurred"
-            )
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
         );
     }
-}
\ No newline at end of file
+}

From 13eadeaa8f0f67f2624110e1e28e258b7d730bae Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Thu, 26 Mar 2026 18:19:10 -0700
Subject: [PATCH 132/314] support legacy one role per user

---
 messages/en-US.json                           |   2 +
 server/private/routers/external.ts            |  36 +++-
 server/private/routers/integration.ts         |  23 +++
 .../{ => private}/routers/user/addUserRole.ts |  19 ++-
 server/private/routers/user/index.ts          |  16 ++
 .../routers/user/removeUserRole.ts            |  20 ++-
 .../routers/user/setUserOrgRoles.ts           |  14 +-
 server/routers/external.ts                    |  24 +--
 server/routers/integration.ts                 |  22 +--
 server/routers/user/addUserRoleLegacy.ts      | 159 ++++++++++++++++++
 server/routers/user/index.ts                  |   5 +-
 server/routers/user/types.ts                  |  18 ++
 .../users/[userId]/access-controls/page.tsx   |  65 ++++++-
 src/components/PermissionsSelectBox.tsx       |   2 +-
 14 files changed, 360 insertions(+), 65 deletions(-)
 rename server/{ => private}/routers/user/addUserRole.ts (91%)
 create mode 100644 server/private/routers/user/index.ts
 rename server/{ => private}/routers/user/removeUserRole.ts (89%)
 rename server/{ => private}/routers/user/setUserOrgRoles.ts (92%)
 create mode 100644 server/routers/user/addUserRoleLegacy.ts
 create mode 100644 server/routers/user/types.ts

diff --git a/messages/en-US.json b/messages/en-US.json
index cdfd57110..361771d87 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -512,6 +512,8 @@
     "autoProvisionedDescription": "Allow this user to be automatically managed by identity provider",
     "accessControlsDescription": "Manage what this user can access and do in the organization",
     "accessControlsSubmit": "Save Access Controls",
+    "singleRolePerUserPlanNotice": "Your plan only supports one role per user.",
+    "singleRolePerUserEditionNotice": "This edition only supports one role per user.",
     "roles": "Roles",
     "accessUsersRoles": "Manage Users & Roles",
     "accessUsersRolesDescription": "Invite users and add them to roles to manage access to the organization",
diff --git a/server/private/routers/external.ts b/server/private/routers/external.ts
index df8ea8cbb..f5749d529 100644
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -26,6 +26,7 @@ import * as misc from "#private/routers/misc";
 import * as reKey from "#private/routers/re-key";
 import * as approval from "#private/routers/approvals";
 import * as ssh from "#private/routers/ssh";
+import * as user from "#private/routers/user";
 
 import {
     verifyOrgAccess,
@@ -33,7 +34,10 @@ import {
     verifyUserIsServerAdmin,
     verifySiteAccess,
     verifyClientAccess,
-    verifyLimits
+    verifyLimits,
+    verifyRoleAccess,
+    verifyUserAccess,
+    verifyUserCanSetUserOrgRoles
 } from "@server/middlewares";
 import { ActionsEnum } from "@server/auth/actions";
 import {
@@ -518,3 +522,33 @@ authenticated.post(
     // logActionAudit(ActionsEnum.signSshKey), // it is handled inside of the function below so we can include more metadata
     ssh.signSshKey
 );
+
+authenticated.post(
+    "/user/:userId/add-role/:roleId",
+    verifyRoleAccess,
+    verifyUserAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.addUserRole),
+    logActionAudit(ActionsEnum.addUserRole),
+    user.addUserRole
+);
+
+authenticated.delete(
+    "/user/:userId/remove-role/:roleId",
+    verifyRoleAccess,
+    verifyUserAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.removeUserRole),
+    logActionAudit(ActionsEnum.removeUserRole),
+    user.removeUserRole
+);
+
+authenticated.post(
+    "/user/:userId/org/:orgId/roles",
+    verifyOrgAccess,
+    verifyUserAccess,
+    verifyLimits,
+    verifyUserCanSetUserOrgRoles(),
+    logActionAudit(ActionsEnum.setUserOrgRoles),
+    user.setUserOrgRoles
+);
diff --git a/server/private/routers/integration.ts b/server/private/routers/integration.ts
index 97b1adade..f8e6a63f4 100644
--- a/server/private/routers/integration.ts
+++ b/server/private/routers/integration.ts
@@ -20,8 +20,11 @@ import {
     verifyApiKeyIsRoot,
     verifyApiKeyOrgAccess,
     verifyApiKeyIdpAccess,
+    verifyApiKeyRoleAccess,
+    verifyApiKeyUserAccess,
     verifyLimits
 } from "@server/middlewares";
+import * as user from "#private/routers/user";
 import {
     verifyValidSubscription,
     verifyValidLicense
@@ -140,3 +143,23 @@ authenticated.get(
     verifyApiKeyHasAction(ActionsEnum.listIdps),
     orgIdp.listOrgIdps
 );
+
+authenticated.post(
+    "/user/:userId/add-role/:roleId",
+    verifyApiKeyRoleAccess,
+    verifyApiKeyUserAccess,
+    verifyLimits,
+    verifyApiKeyHasAction(ActionsEnum.addUserRole),
+    logActionAudit(ActionsEnum.addUserRole),
+    user.addUserRole
+);
+
+authenticated.delete(
+    "/user/:userId/remove-role/:roleId",
+    verifyApiKeyRoleAccess,
+    verifyApiKeyUserAccess,
+    verifyLimits,
+    verifyApiKeyHasAction(ActionsEnum.removeUserRole),
+    logActionAudit(ActionsEnum.removeUserRole),
+    user.removeUserRole
+);
diff --git a/server/routers/user/addUserRole.ts b/server/private/routers/user/addUserRole.ts
similarity index 91%
rename from server/routers/user/addUserRole.ts
rename to server/private/routers/user/addUserRole.ts
index d41ad2051..a46bd1ed8 100644
--- a/server/routers/user/addUserRole.ts
+++ b/server/private/routers/user/addUserRole.ts
@@ -1,5 +1,19 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
+import stoi from "@server/lib/stoi";
 import { clients, db } from "@server/db";
 import { userOrgRoles, userOrgs, roles } from "@server/db";
 import { eq, and } from "drizzle-orm";
@@ -8,7 +22,6 @@ import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
-import stoi from "@server/lib/stoi";
 import { OpenAPITags, registry } from "@server/openApi";
 import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
 
@@ -17,11 +30,9 @@ const addUserRoleParamsSchema = z.strictObject({
     roleId: z.string().transform(stoi).pipe(z.number())
 });
 
-export type AddUserRoleResponse = z.infer<typeof addUserRoleParamsSchema>;
-
 registry.registerPath({
     method: "post",
-    path: "/role/{roleId}/add/{userId}",
+    path: "/user/{userId}/add-role/{roleId}",
     description: "Add a role to a user.",
     tags: [OpenAPITags.Role, OpenAPITags.User],
     request: {
diff --git a/server/private/routers/user/index.ts b/server/private/routers/user/index.ts
new file mode 100644
index 000000000..6317eced5
--- /dev/null
+++ b/server/private/routers/user/index.ts
@@ -0,0 +1,16 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+export * from "./addUserRole";
+export * from "./removeUserRole";
+export * from "./setUserOrgRoles";
diff --git a/server/routers/user/removeUserRole.ts b/server/private/routers/user/removeUserRole.ts
similarity index 89%
rename from server/routers/user/removeUserRole.ts
rename to server/private/routers/user/removeUserRole.ts
index 8d353fea3..e9c3d10c0 100644
--- a/server/routers/user/removeUserRole.ts
+++ b/server/private/routers/user/removeUserRole.ts
@@ -1,5 +1,19 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
+import stoi from "@server/lib/stoi";
 import { db } from "@server/db";
 import { userOrgRoles, userOrgs, roles, clients } from "@server/db";
 import { eq, and } from "drizzle-orm";
@@ -8,7 +22,6 @@ import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
-import stoi from "@server/lib/stoi";
 import { OpenAPITags, registry } from "@server/openApi";
 import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
 
@@ -19,8 +32,9 @@ const removeUserRoleParamsSchema = z.strictObject({
 
 registry.registerPath({
     method: "delete",
-    path: "/role/{roleId}/remove/{userId}",
-    description: "Remove a role from a user. User must have at least one role left in the org.",
+    path: "/user/{userId}/remove-role/{roleId}",
+    description:
+        "Remove a role from a user. User must have at least one role left in the org.",
     tags: [OpenAPITags.Role, OpenAPITags.User],
     request: {
         params: removeUserRoleParamsSchema
diff --git a/server/routers/user/setUserOrgRoles.ts b/server/private/routers/user/setUserOrgRoles.ts
similarity index 92%
rename from server/routers/user/setUserOrgRoles.ts
rename to server/private/routers/user/setUserOrgRoles.ts
index 525c91729..67563fd26 100644
--- a/server/routers/user/setUserOrgRoles.ts
+++ b/server/private/routers/user/setUserOrgRoles.ts
@@ -1,3 +1,16 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { clients, db } from "@server/db";
@@ -8,7 +21,6 @@ import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
-import { OpenAPITags, registry } from "@server/openApi";
 import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
 
 const setUserOrgRolesParamsSchema = z.strictObject({
diff --git a/server/routers/external.ts b/server/routers/external.ts
index bb331dc69..03d5fa111 100644
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -39,7 +39,6 @@ import {
     verifyApiKeyAccess,
     verifyDomainAccess,
     verifyUserHasAction,
-    verifyUserCanSetUserOrgRoles,
     verifyUserIsOrgOwner,
     verifySiteResourceAccess,
     verifyOlmAccess,
@@ -645,6 +644,7 @@ authenticated.delete(
     logActionAudit(ActionsEnum.deleteRole),
     role.deleteRole
 );
+
 authenticated.post(
     "/role/:roleId/add/:userId",
     verifyRoleAccess,
@@ -652,17 +652,7 @@ authenticated.post(
     verifyLimits,
     verifyUserHasAction(ActionsEnum.addUserRole),
     logActionAudit(ActionsEnum.addUserRole),
-    user.addUserRole
-);
-
-authenticated.delete(
-    "/role/:roleId/remove/:userId",
-    verifyRoleAccess,
-    verifyUserAccess,
-    verifyLimits,
-    verifyUserHasAction(ActionsEnum.removeUserRole),
-    logActionAudit(ActionsEnum.removeUserRole),
-    user.removeUserRole
+    user.addUserRoleLegacy
 );
 
 authenticated.post(
@@ -838,16 +828,6 @@ authenticated.post(
     user.updateOrgUser
 );
 
-authenticated.post(
-    "/org/:orgId/user/:userId/roles",
-    verifyOrgAccess,
-    verifyUserAccess,
-    verifyLimits,
-    verifyUserCanSetUserOrgRoles(),
-    logActionAudit(ActionsEnum.setUserOrgRoles),
-    user.setUserOrgRoles
-);
-
 authenticated.get("/org/:orgId/user/:userId", verifyOrgAccess, user.getOrgUser);
 authenticated.get("/org/:orgId/user/:userId/check", org.checkOrgUserAccess);
 
diff --git a/server/routers/integration.ts b/server/routers/integration.ts
index 32c06078b..2865b4bcb 100644
--- a/server/routers/integration.ts
+++ b/server/routers/integration.ts
@@ -596,17 +596,7 @@ authenticated.post(
     verifyLimits,
     verifyApiKeyHasAction(ActionsEnum.addUserRole),
     logActionAudit(ActionsEnum.addUserRole),
-    user.addUserRole
-);
-
-authenticated.delete(
-    "/role/:roleId/remove/:userId",
-    verifyApiKeyRoleAccess,
-    verifyApiKeyUserAccess,
-    verifyLimits,
-    verifyApiKeyHasAction(ActionsEnum.removeUserRole),
-    logActionAudit(ActionsEnum.removeUserRole),
-    user.removeUserRole
+    user.addUserRoleLegacy
 );
 
 authenticated.post(
@@ -815,16 +805,6 @@ authenticated.post(
     user.updateOrgUser
 );
 
-authenticated.post(
-    "/org/:orgId/user/:userId/roles",
-    verifyApiKeyOrgAccess,
-    verifyApiKeyUserAccess,
-    verifyLimits,
-    verifyApiKeyCanSetUserOrgRoles(),
-    logActionAudit(ActionsEnum.setUserOrgRoles),
-    user.setUserOrgRoles
-);
-
 authenticated.delete(
     "/org/:orgId/user/:userId",
     verifyApiKeyOrgAccess,
diff --git a/server/routers/user/addUserRoleLegacy.ts b/server/routers/user/addUserRoleLegacy.ts
new file mode 100644
index 000000000..db0c6182f
--- /dev/null
+++ b/server/routers/user/addUserRoleLegacy.ts
@@ -0,0 +1,159 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import stoi from "@server/lib/stoi";
+import { clients, db } from "@server/db";
+import { userOrgRoles, userOrgs, roles } from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
+
+/** Legacy path param order: /role/:roleId/add/:userId */
+const addUserRoleLegacyParamsSchema = z.strictObject({
+    roleId: z.string().transform(stoi).pipe(z.number()),
+    userId: z.string()
+});
+
+registry.registerPath({
+    method: "post",
+    path: "/role/{roleId}/add/{userId}",
+    description:
+        "Legacy: set exactly one role for the user (replaces any other roles the user has in the org).",
+    tags: [OpenAPITags.Role, OpenAPITags.User],
+    request: {
+        params: addUserRoleLegacyParamsSchema
+    },
+    responses: {}
+});
+
+export async function addUserRoleLegacy(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = addUserRoleLegacyParamsSchema.safeParse(
+            req.params
+        );
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { userId, roleId } = parsedParams.data;
+
+        if (req.user && !req.userOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "You do not have access to this organization"
+                )
+            );
+        }
+
+        const [role] = await db
+            .select()
+            .from(roles)
+            .where(eq(roles.roleId, roleId))
+            .limit(1);
+
+        if (!role) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid role ID")
+            );
+        }
+
+        const [existingUser] = await db
+            .select()
+            .from(userOrgs)
+            .where(
+                and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, role.orgId))
+            )
+            .limit(1);
+
+        if (!existingUser) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "User not found or does not belong to the specified organization"
+                )
+            );
+        }
+
+        if (existingUser.isOwner) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Cannot change the role of the owner of the organization"
+                )
+            );
+        }
+
+        const [roleInOrg] = await db
+            .select()
+            .from(roles)
+            .where(and(eq(roles.roleId, roleId), eq(roles.orgId, role.orgId)))
+            .limit(1);
+
+        if (!roleInOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "Role not found or does not belong to the specified organization"
+                )
+            );
+        }
+
+        await db.transaction(async (trx) => {
+            await trx
+                .delete(userOrgRoles)
+                .where(
+                    and(
+                        eq(userOrgRoles.userId, userId),
+                        eq(userOrgRoles.orgId, role.orgId)
+                    )
+                );
+
+            await trx.insert(userOrgRoles).values({
+                userId,
+                orgId: role.orgId,
+                roleId
+            });
+
+            const orgClients = await trx
+                .select()
+                .from(clients)
+                .where(
+                    and(
+                        eq(clients.userId, userId),
+                        eq(clients.orgId, role.orgId)
+                    )
+                );
+
+            for (const orgClient of orgClients) {
+                await rebuildClientAssociationsFromClient(orgClient, trx);
+            }
+        });
+
+        return response(res, {
+            data: { ...existingUser, roleId },
+            success: true,
+            error: false,
+            message: "Role added to user successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
diff --git a/server/routers/user/index.ts b/server/routers/user/index.ts
index 0884e8a2b..e03676caa 100644
--- a/server/routers/user/index.ts
+++ b/server/routers/user/index.ts
@@ -1,9 +1,8 @@
 export * from "./getUser";
 export * from "./removeUserOrg";
 export * from "./listUsers";
-export * from "./addUserRole";
-export * from "./removeUserRole";
-export * from "./setUserOrgRoles";
+export * from "./types";
+export * from "./addUserRoleLegacy";
 export * from "./inviteUser";
 export * from "./acceptInvite";
 export * from "./getOrgUser";
diff --git a/server/routers/user/types.ts b/server/routers/user/types.ts
new file mode 100644
index 000000000..bd5b54efa
--- /dev/null
+++ b/server/routers/user/types.ts
@@ -0,0 +1,18 @@
+import type { UserOrg } from "@server/db";
+
+export type AddUserRoleResponse = {
+    userId: string;
+    roleId: number;
+};
+
+/** Legacy POST /role/:roleId/add/:userId response shape (membership + effective role). */
+export type AddUserRoleLegacyResponse = UserOrg & { roleId: number };
+
+export type SetUserOrgRolesParams = {
+    orgId: string;
+    userId: string;
+};
+
+export type SetUserOrgRolesBody = {
+    roleIds: number[];
+};
diff --git a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
index 6dcdf16fb..c9ed7d561 100644
--- a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
+++ b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
@@ -37,6 +37,9 @@ import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useTranslations } from "next-intl";
 import IdpTypeBadge from "@app/components/IdpTypeBadge";
 import { UserType } from "@server/types/UserTypes";
+import { usePaidStatus } from "@app/hooks/usePaidStatus";
+import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import { build } from "@server/build";
 
 const accessControlsFormSchema = z.object({
     username: z.string(),
@@ -51,8 +54,9 @@ const accessControlsFormSchema = z.object({
 
 export default function AccessControlsPage() {
     const { orgUser: user, updateOrgUser } = userOrgUserContext();
+    const { env } = useEnvContext();
 
-    const api = createApiClient(useEnvContext());
+    const api = createApiClient({ env });
 
     const { orgId } = useParams();
 
@@ -63,6 +67,18 @@ export default function AccessControlsPage() {
     );
 
     const t = useTranslations();
+    const { isPaidUser, hasSaasSubscription, hasEnterpriseLicense } =
+        usePaidStatus();
+    const multiRoleFeatureTiers = Array.from(
+        new Set([...tierMatrix.sshPam, ...tierMatrix.orgOidc])
+    );
+    const isPaid = isPaidUser(multiRoleFeatureTiers);
+    const supportsMultipleRolesPerUser = isPaid;
+    const showMultiRolePaywallMessage =
+        !env.flags.disableEnterpriseFeatures &&
+        ((build === "saas" && !isPaid) ||
+            (build === "enterprise" && !isPaid) ||
+            (build === "oss" && !isPaid));
 
     const form = useForm({
         resolver: zodResolver(accessControlsFormSchema),
@@ -124,11 +140,28 @@ export default function AccessControlsPage() {
         [roles]
     );
 
-    function setRoleTags(
-        updater: Tag[] | ((prev: Tag[]) => Tag[])
-    ) {
+    function setRoleTags(updater: Tag[] | ((prev: Tag[]) => Tag[])) {
         const prev = form.getValues("roles");
-        const next = typeof updater === "function" ? updater(prev) : updater;
+        const nextValue =
+            typeof updater === "function" ? updater(prev) : updater;
+        const next = supportsMultipleRolesPerUser
+            ? nextValue
+            : nextValue.length > 1
+              ? [nextValue[nextValue.length - 1]]
+              : nextValue;
+
+        // In single-role mode, selecting the currently selected role can transiently
+        // emit an empty tag list from TagInput; keep the prior selection.
+        if (
+            !supportsMultipleRolesPerUser &&
+            next.length === 0 &&
+            prev.length > 0
+        ) {
+            form.setValue("roles", [prev[prev.length - 1]], {
+                shouldDirty: true
+            });
+            return;
+        }
 
         if (next.length === 0) {
             toast({
@@ -155,11 +188,14 @@ export default function AccessControlsPage() {
         setLoading(true);
         try {
             const roleIds = values.roles.map((r) => parseInt(r.id, 10));
+            const updateRoleRequest = supportsMultipleRolesPerUser
+                ? api.post(`/user/${user.userId}/org/${orgId}/roles`, {
+                      roleIds
+                  })
+                : api.post(`/role/${roleIds[0]}/add/${user.userId}`);
 
             await Promise.all([
-                api.post(`/org/${orgId}/user/${user.userId}/roles`, {
-                    roleIds
-                }),
+                updateRoleRequest,
                 api.post(`/org/${orgId}/user/${user.userId}`, {
                     autoProvisioned: values.autoProvisioned
                 })
@@ -233,7 +269,7 @@ export default function AccessControlsPage() {
                                     name="roles"
                                     render={({ field }) => (
                                         <FormItem className="flex flex-col items-start">
-                                            <FormLabel>{t("role")}</FormLabel>
+                                            <FormLabel>{t("roles")}</FormLabel>
                                             <FormControl>
                                                 <TagInput
                                                     {...field}
@@ -261,6 +297,17 @@ export default function AccessControlsPage() {
                                                     disabled={loading}
                                                 />
                                             </FormControl>
+                                            {showMultiRolePaywallMessage && (
+                                                <FormDescription>
+                                                    {build === "saas"
+                                                        ? t(
+                                                              "singleRolePerUserPlanNotice"
+                                                          )
+                                                        : t(
+                                                              "singleRolePerUserEditionNotice"
+                                                          )}
+                                                </FormDescription>
+                                            )}
                                             <FormMessage />
                                         </FormItem>
                                     )}
diff --git a/src/components/PermissionsSelectBox.tsx b/src/components/PermissionsSelectBox.tsx
index 01be1aedb..80a4b9926 100644
--- a/src/components/PermissionsSelectBox.tsx
+++ b/src/components/PermissionsSelectBox.tsx
@@ -96,7 +96,7 @@ function getActionsCategories(root: boolean) {
             [t("actionUpdateRole")]: "updateRole",
             [t("actionListAllowedRoleResources")]: "listRoleResources",
             [t("actionAddUserRole")]: "addUserRole",
-            [t("actionSetUserOrgRoles")]: "setUserOrgRoles"
+            [t("actionRemoveUserRole")]: "removeUserRole"
         },
         "Access Token": {
             [t("actionGenerateAccessToken")]: "generateAccessToken",

From 914e95e47feec90169ee837008cacc9df63009e8 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 27 Mar 2026 02:36:44 +0000
Subject: [PATCH 133/314] Bump yaml from 2.8.2 to 2.8.3

Bumps [yaml](https://github.com/eemeli/yaml) from 2.8.2 to 2.8.3.
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.8.2...v2.8.3)

---
updated-dependencies:
- dependency-name: yaml
  dependency-version: 2.8.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 7b63f1691..2a7fbd625 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -102,7 +102,7 @@
                 "winston": "3.19.0",
                 "winston-daily-rotate-file": "5.0.0",
                 "ws": "8.19.0",
-                "yaml": "2.8.2",
+                "yaml": "2.8.3",
                 "yargs": "18.0.0",
                 "zod": "4.3.6",
                 "zod-validation-error": "5.0.0"
@@ -19679,9 +19679,9 @@
             "license": "ISC"
         },
         "node_modules/yaml": {
-            "version": "2.8.2",
-            "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.2.tgz",
-            "integrity": "sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==",
+            "version": "2.8.3",
+            "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.3.tgz",
+            "integrity": "sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==",
             "license": "ISC",
             "bin": {
                 "yaml": "bin.mjs"
diff --git a/package.json b/package.json
index 05ae3b49f..988e12ed7 100644
--- a/package.json
+++ b/package.json
@@ -125,7 +125,7 @@
         "winston": "3.19.0",
         "winston-daily-rotate-file": "5.0.0",
         "ws": "8.19.0",
-        "yaml": "2.8.2",
+        "yaml": "2.8.3",
         "yargs": "18.0.0",
         "zod": "4.3.6",
         "zod-validation-error": "5.0.0"

From e05af54f76492ad62b31ad75494fa444a6bf4fa7 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Thu, 26 Mar 2026 21:36:51 -0700
Subject: [PATCH 134/314] Use standard component

---
 .../CreateSiteProvisioningKeyCredenza.tsx     | 111 ++++++++++++++----
 .../EditSiteProvisioningKeyCredenza.tsx       |  93 +++++++++++----
 2 files changed, 162 insertions(+), 42 deletions(-)

diff --git a/src/components/CreateSiteProvisioningKeyCredenza.tsx b/src/components/CreateSiteProvisioningKeyCredenza.tsx
index e18bbbd06..3a1c7c372 100644
--- a/src/components/CreateSiteProvisioningKeyCredenza.tsx
+++ b/src/components/CreateSiteProvisioningKeyCredenza.tsx
@@ -36,6 +36,10 @@ import { useForm } from "react-hook-form";
 import { z } from "zod";
 import { zodResolver } from "@hookform/resolvers/zod";
 import CopyTextBox from "@app/components/CopyTextBox";
+import {
+    DateTimePicker,
+    DateTimeValue
+} from "@app/components/DateTimePicker";
 
 const FORM_ID = "create-site-provisioning-key-form";
 
@@ -261,27 +265,92 @@ export default function CreateSiteProvisioningKeyCredenza({
                                 <FormField
                                     control={form.control}
                                     name="validUntil"
-                                    render={({ field }) => (
-                                        <FormItem>
-                                            <FormLabel>
-                                                {t(
-                                                    "provisioningKeysValidUntil"
-                                                )}
-                                            </FormLabel>
-                                            <FormControl>
-                                                <Input
-                                                    type="datetime-local"
-                                                    {...field}
-                                                />
-                                            </FormControl>
-                                            <FormDescription>
-                                                {t(
-                                                    "provisioningKeysValidUntilHint"
-                                                )}
-                                            </FormDescription>
-                                            <FormMessage />
-                                        </FormItem>
-                                    )}
+                                    render={({ field }) => {
+                                        const dateTimeValue: DateTimeValue =
+                                            (() => {
+                                                if (!field.value) return {};
+                                                const d = new Date(
+                                                    field.value
+                                                );
+                                                if (isNaN(d.getTime()))
+                                                    return {};
+                                                const hours = d
+                                                    .getHours()
+                                                    .toString()
+                                                    .padStart(2, "0");
+                                                const minutes = d
+                                                    .getMinutes()
+                                                    .toString()
+                                                    .padStart(2, "0");
+                                                const seconds = d
+                                                    .getSeconds()
+                                                    .toString()
+                                                    .padStart(2, "0");
+                                                return {
+                                                    date: d,
+                                                    time: `${hours}:${minutes}:${seconds}`
+                                                };
+                                            })();
+
+                                        return (
+                                            <FormItem>
+                                                <FormLabel>
+                                                    {t(
+                                                        "provisioningKeysValidUntil"
+                                                    )}
+                                                </FormLabel>
+                                                <FormControl>
+                                                    <DateTimePicker
+                                                        value={dateTimeValue}
+                                                        onChange={(value) => {
+                                                            if (!value.date) {
+                                                                field.onChange(
+                                                                    ""
+                                                                );
+                                                                return;
+                                                            }
+                                                            const d = new Date(
+                                                                value.date
+                                                            );
+                                                            if (value.time) {
+                                                                const [
+                                                                    h,
+                                                                    m,
+                                                                    s
+                                                                ] =
+                                                                    value.time.split(
+                                                                        ":"
+                                                                    );
+                                                                d.setHours(
+                                                                    parseInt(
+                                                                        h,
+                                                                        10
+                                                                    ),
+                                                                    parseInt(
+                                                                        m,
+                                                                        10
+                                                                    ),
+                                                                    parseInt(
+                                                                        s || "0",
+                                                                        10
+                                                                    )
+                                                                );
+                                                            }
+                                                            field.onChange(
+                                                                d.toISOString()
+                                                            );
+                                                        }}
+                                                    />
+                                                </FormControl>
+                                                <FormDescription>
+                                                    {t(
+                                                        "provisioningKeysValidUntilHint"
+                                                    )}
+                                                </FormDescription>
+                                                <FormMessage />
+                                            </FormItem>
+                                        );
+                                    }}
                                 />
                             </form>
                         </Form>
diff --git a/src/components/EditSiteProvisioningKeyCredenza.tsx b/src/components/EditSiteProvisioningKeyCredenza.tsx
index 9603374d5..138190edc 100644
--- a/src/components/EditSiteProvisioningKeyCredenza.tsx
+++ b/src/components/EditSiteProvisioningKeyCredenza.tsx
@@ -33,7 +33,10 @@ import { useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
 import { z } from "zod";
 import { zodResolver } from "@hookform/resolvers/zod";
-import moment from "moment";
+import {
+    DateTimePicker,
+    DateTimeValue
+} from "@app/components/DateTimePicker";
 
 const FORM_ID = "edit-site-provisioning-key-form";
 
@@ -109,9 +112,7 @@ export default function EditSiteProvisioningKeyCredenza({
             name: provisioningKey.name,
             unlimitedBatchSize: provisioningKey.maxBatchSize == null,
             maxBatchSize: provisioningKey.maxBatchSize ?? 100,
-            validUntil: provisioningKey.validUntil
-                ? moment(provisioningKey.validUntil).format("YYYY-MM-DDTHH:mm")
-                : ""
+            validUntil: provisioningKey.validUntil ?? ""
         });
     }, [open, provisioningKey, form]);
 
@@ -257,23 +258,73 @@ export default function EditSiteProvisioningKeyCredenza({
                             <FormField
                                 control={form.control}
                                 name="validUntil"
-                                render={({ field }) => (
-                                    <FormItem>
-                                        <FormLabel>
-                                            {t("provisioningKeysValidUntil")}
-                                        </FormLabel>
-                                        <FormControl>
-                                            <Input
-                                                type="datetime-local"
-                                                {...field}
-                                            />
-                                        </FormControl>
-                                        <FormDescription>
-                                            {t("provisioningKeysValidUntilHint")}
-                                        </FormDescription>
-                                        <FormMessage />
-                                    </FormItem>
-                                )}
+                                render={({ field }) => {
+                                    const dateTimeValue: DateTimeValue =
+                                        (() => {
+                                            if (!field.value) return {};
+                                            const d = new Date(field.value);
+                                            if (isNaN(d.getTime())) return {};
+                                            const hours = d
+                                                .getHours()
+                                                .toString()
+                                                .padStart(2, "0");
+                                            const minutes = d
+                                                .getMinutes()
+                                                .toString()
+                                                .padStart(2, "0");
+                                            const seconds = d
+                                                .getSeconds()
+                                                .toString()
+                                                .padStart(2, "0");
+                                            return {
+                                                date: d,
+                                                time: `${hours}:${minutes}:${seconds}`
+                                            };
+                                        })();
+
+                                    return (
+                                        <FormItem>
+                                            <FormLabel>
+                                                {t("provisioningKeysValidUntil")}
+                                            </FormLabel>
+                                            <FormControl>
+                                                <DateTimePicker
+                                                    value={dateTimeValue}
+                                                    onChange={(value) => {
+                                                        if (!value.date) {
+                                                            field.onChange("");
+                                                            return;
+                                                        }
+                                                        const d = new Date(
+                                                            value.date
+                                                        );
+                                                        if (value.time) {
+                                                            const [h, m, s] =
+                                                                value.time.split(
+                                                                    ":"
+                                                                );
+                                                            d.setHours(
+                                                                parseInt(h, 10),
+                                                                parseInt(m, 10),
+                                                                parseInt(
+                                                                    s || "0",
+                                                                    10
+                                                                )
+                                                            );
+                                                        }
+                                                        field.onChange(
+                                                            d.toISOString()
+                                                        );
+                                                    }}
+                                                />
+                                            </FormControl>
+                                            <FormDescription>
+                                                {t("provisioningKeysValidUntilHint")}
+                                            </FormDescription>
+                                            <FormMessage />
+                                        </FormItem>
+                                    );
+                                }}
                             />
                         </form>
                     </Form>

From ad7d68d2b443ea4b04a174277830040c072cf2f2 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Thu, 26 Mar 2026 21:46:01 -0700
Subject: [PATCH 135/314] basic idp mapping builder

---
 server/routers/idp/validateOidcCallback.ts    |  94 +++--
 .../(private)/idp/[idpId]/general/page.tsx    | 167 +++++----
 .../settings/(private)/idp/create/page.tsx    | 119 +++---
 src/components/AutoProvisionConfigWidget.tsx  | 349 +++++++++++++-----
 src/lib/idpRoleMapping.ts                     | 266 +++++++++++++
 5 files changed, 755 insertions(+), 240 deletions(-)
 create mode 100644 src/lib/idpRoleMapping.ts

diff --git a/server/routers/idp/validateOidcCallback.ts b/server/routers/idp/validateOidcCallback.ts
index 8714c4d38..86545269b 100644
--- a/server/routers/idp/validateOidcCallback.ts
+++ b/server/routers/idp/validateOidcCallback.ts
@@ -41,6 +41,7 @@ import {
     assignUserToOrg,
     removeUserFromOrg
 } from "@server/lib/userOrg";
+import { unwrapRoleMapping } from "@app/lib/idpRoleMapping";
 
 const ensureTrailingSlash = (url: string): string => {
     return url;
@@ -367,7 +368,7 @@ export async function validateOidcCallback(
             const defaultRoleMapping = existingIdp.idp.defaultRoleMapping;
             const defaultOrgMapping = existingIdp.idp.defaultOrgMapping;
 
-            const userOrgInfo: { orgId: string; roleId: number }[] = [];
+            const userOrgInfo: { orgId: string; roleIds: number[] }[] = [];
             for (const org of allOrgs) {
                 const [idpOrgRes] = await db
                     .select()
@@ -379,8 +380,6 @@ export async function validateOidcCallback(
                         )
                     );
 
-                let roleId: number | undefined = undefined;
-
                 const orgMapping = idpOrgRes?.orgMapping || defaultOrgMapping;
                 const hydratedOrgMapping = hydrateOrgMapping(
                     orgMapping,
@@ -405,38 +404,47 @@ export async function validateOidcCallback(
                     idpOrgRes?.roleMapping || defaultRoleMapping;
                 if (roleMapping) {
                     logger.debug("Role Mapping", { roleMapping });
-                    const roleName = jmespath.search(claims, roleMapping);
+                    const roleMappingJmes = unwrapRoleMapping(
+                        roleMapping
+                    ).evaluationExpression;
+                    const roleMappingResult = jmespath.search(
+                        claims,
+                        roleMappingJmes
+                    );
+                    const roleNames = normalizeRoleMappingResult(
+                        roleMappingResult
+                    );
 
-                    if (!roleName) {
-                        logger.error("Role name not found in the ID token", {
-                            roleName
+                    if (!roleNames.length) {
+                        logger.error("Role mapping returned no valid roles", {
+                            roleMappingResult
                         });
                         continue;
                     }
 
-                    const [roleRes] = await db
+                    const roleRes = await db
                         .select()
                         .from(roles)
                         .where(
                             and(
                                 eq(roles.orgId, org.orgId),
-                                eq(roles.name, roleName)
+                                inArray(roles.name, roleNames)
                             )
                         );
 
-                    if (!roleRes) {
-                        logger.error("Role not found", {
+                    if (!roleRes.length) {
+                        logger.error("No mapped roles found in organization", {
                             orgId: org.orgId,
-                            roleName
+                            roleNames
                         });
                         continue;
                     }
 
-                    roleId = roleRes.roleId;
+                    const roleIds = [...new Set(roleRes.map((r) => r.roleId))];
 
                     userOrgInfo.push({
                         orgId: org.orgId,
-                        roleId
+                        roleIds
                     });
                 }
             }
@@ -584,15 +592,17 @@ export async function validateOidcCallback(
                     const currentRolesInOrg = userRolesInOrgs.filter(
                         (r) => r.orgId === currentOrg.orgId
                     );
-                    const hasIdpRole = currentRolesInOrg.some(
-                        (r) => r.roleId === newRole.roleId
-                    );
-                    if (!hasIdpRole) {
-                        await trx.insert(userOrgRoles).values({
-                            userId: userId!,
-                            orgId: currentOrg.orgId,
-                            roleId: newRole.roleId
-                        });
+                    for (const roleId of newRole.roleIds) {
+                        const hasIdpRole = currentRolesInOrg.some(
+                            (r) => r.roleId === roleId
+                        );
+                        if (!hasIdpRole) {
+                            await trx.insert(userOrgRoles).values({
+                                userId: userId!,
+                                orgId: currentOrg.orgId,
+                                roleId
+                            });
+                        }
                     }
                 }
 
@@ -606,6 +616,12 @@ export async function validateOidcCallback(
 
                 if (orgsToAdd.length > 0) {
                     for (const org of orgsToAdd) {
+                        const [initialRoleId, ...additionalRoleIds] =
+                            org.roleIds;
+                        if (!initialRoleId) {
+                            continue;
+                        }
+
                         const [fullOrg] = await trx
                             .select()
                             .from(orgs)
@@ -618,9 +634,17 @@ export async function validateOidcCallback(
                                     userId: userId!,
                                     autoProvisioned: true,
                                 },
-                                org.roleId,
+                                initialRoleId,
                                 trx
                             );
+
+                            for (const roleId of additionalRoleIds) {
+                                await trx.insert(userOrgRoles).values({
+                                    userId: userId!,
+                                    orgId: org.orgId,
+                                    roleId
+                                });
+                            }
                         }
                     }
                 }
@@ -745,3 +769,25 @@ function hydrateOrgMapping(
     }
     return orgMapping.split("{{orgId}}").join(orgId);
 }
+
+function normalizeRoleMappingResult(
+    result: unknown
+): string[] {
+    if (typeof result === "string") {
+        const role = result.trim();
+        return role ? [role] : [];
+    }
+
+    if (Array.isArray(result)) {
+        return [
+            ...new Set(
+                result
+                    .filter((value): value is string => typeof value === "string")
+                    .map((value) => value.trim())
+                    .filter(Boolean)
+            )
+        ];
+    }
+
+    return [];
+}
diff --git a/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx b/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx
index 7d4bece1e..9754b07e5 100644
--- a/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx
@@ -47,6 +47,14 @@ import { ListRolesResponse } from "@server/routers/role";
 import AutoProvisionConfigWidget from "@app/components/AutoProvisionConfigWidget";
 import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import {
+    compileRoleMappingExpression,
+    createMappingBuilderRule,
+    detectRoleMappingConfig,
+    ensureMappingBuilderRuleIds,
+    MappingBuilderRule,
+    RoleMappingMode
+} from "@app/lib/idpRoleMapping";
 
 export default function GeneralPage() {
     const { env } = useEnvContext();
@@ -56,9 +64,15 @@ export default function GeneralPage() {
     const [loading, setLoading] = useState(false);
     const [initialLoading, setInitialLoading] = useState(true);
     const [roles, setRoles] = useState<{ roleId: number; name: string }[]>([]);
-    const [roleMappingMode, setRoleMappingMode] = useState<
-        "role" | "expression"
-    >("role");
+    const [roleMappingMode, setRoleMappingMode] =
+        useState<RoleMappingMode>("fixedRoles");
+    const [fixedRoleNames, setFixedRoleNames] = useState<string[]>([]);
+    const [mappingBuilderClaimPath, setMappingBuilderClaimPath] =
+        useState("groups");
+    const [mappingBuilderRules, setMappingBuilderRules] = useState<
+        MappingBuilderRule[]
+    >([createMappingBuilderRule()]);
+    const [rawRoleExpression, setRawRoleExpression] = useState("");
     const [variant, setVariant] = useState<"oidc" | "google" | "azure">("oidc");
 
     const dashboardRedirectUrl = `${env.app.dashboardUrl}/auth/idp/${idpId}/oidc/callback`;
@@ -190,34 +204,8 @@ export default function GeneralPage() {
                     // Set the variant
                     setVariant(idpVariant as "oidc" | "google" | "azure");
 
-                    // Check if roleMapping matches the basic pattern '{role name}' (simple single role)
-                    // This should NOT match complex expressions like 'Admin' || 'Member'
-                    const isBasicRolePattern =
-                        roleMapping &&
-                        typeof roleMapping === "string" &&
-                        /^'[^']+'$/.test(roleMapping);
-
-                    // Determine if roleMapping is a number (roleId) or matches basic pattern
-                    const isRoleId =
-                        !isNaN(Number(roleMapping)) && roleMapping !== "";
-                    const isRoleName = isBasicRolePattern;
-
-                    // Extract role name from basic pattern for matching
-                    let extractedRoleName = null;
-                    if (isRoleName) {
-                        extractedRoleName = roleMapping.slice(1, -1); // Remove quotes
-                    }
-
-                    // Try to find matching role by name if we have a basic pattern
-                    let matchingRoleId = undefined;
-                    if (extractedRoleName && availableRoles.length > 0) {
-                        const matchingRole = availableRoles.find(
-                            (role) => role.name === extractedRoleName
-                        );
-                        if (matchingRole) {
-                            matchingRoleId = matchingRole.roleId;
-                        }
-                    }
+                    const detectedRoleMappingConfig =
+                        detectRoleMappingConfig(roleMapping);
 
                     // Extract tenant ID from Azure URLs if present
                     let tenantId = "";
@@ -238,9 +226,7 @@ export default function GeneralPage() {
                         clientSecret: data.idpOidcConfig.clientSecret,
                         autoProvision: data.idp.autoProvision,
                         roleMapping: roleMapping || null,
-                        roleId: isRoleId
-                            ? Number(roleMapping)
-                            : matchingRoleId || null
+                        roleId: null
                     };
 
                     // Add variant-specific fields
@@ -259,10 +245,18 @@ export default function GeneralPage() {
 
                     form.reset(formData);
 
-                    // Set the role mapping mode based on the data
-                    // Default to "expression" unless it's a simple roleId or basic '{role name}' pattern
-                    setRoleMappingMode(
-                        matchingRoleId && isRoleName ? "role" : "expression"
+                    setRoleMappingMode(detectedRoleMappingConfig.mode);
+                    setFixedRoleNames(detectedRoleMappingConfig.fixedRoleNames);
+                    setMappingBuilderClaimPath(
+                        detectedRoleMappingConfig.mappingBuilder.claimPath
+                    );
+                    setMappingBuilderRules(
+                        ensureMappingBuilderRuleIds(
+                            detectedRoleMappingConfig.mappingBuilder.rules
+                        )
+                    );
+                    setRawRoleExpression(
+                        detectedRoleMappingConfig.rawExpression
                     );
                 }
             } catch (e) {
@@ -327,7 +321,26 @@ export default function GeneralPage() {
                 return;
             }
 
-            const roleName = roles.find((r) => r.roleId === data.roleId)?.name;
+            const roleMappingExpression = compileRoleMappingExpression({
+                mode: roleMappingMode,
+                fixedRoleNames,
+                mappingBuilder: {
+                    claimPath: mappingBuilderClaimPath,
+                    rules: mappingBuilderRules
+                },
+                rawExpression: rawRoleExpression
+            });
+
+            if (data.autoProvision && !roleMappingExpression) {
+                toast({
+                    title: t("error"),
+                    description:
+                        "A role mapping is required when auto-provisioning is enabled.",
+                    variant: "destructive"
+                });
+                setLoading(false);
+                return;
+            }
 
             // Build payload based on variant
             let payload: any = {
@@ -335,10 +348,7 @@ export default function GeneralPage() {
                 clientId: data.clientId,
                 clientSecret: data.clientSecret,
                 autoProvision: data.autoProvision,
-                roleMapping:
-                    roleMappingMode === "role"
-                        ? `'${roleName}'`
-                        : data.roleMapping || ""
+                roleMapping: roleMappingExpression
             };
 
             // Add variant-specific fields
@@ -497,42 +507,43 @@ export default function GeneralPage() {
                         </SettingsSectionDescription>
                     </SettingsSectionHeader>
                     <SettingsSectionBody>
-                        <SettingsSectionForm>
-                            <PaidFeaturesAlert
-                                tiers={tierMatrix.autoProvisioning}
-                            />
+                        <PaidFeaturesAlert
+                            tiers={tierMatrix.autoProvisioning}
+                        />
 
-                            <Form {...form}>
-                                <form
-                                    onSubmit={form.handleSubmit(onSubmit)}
-                                    className="space-y-4"
-                                    id="general-settings-form"
-                                >
-                                    <AutoProvisionConfigWidget
-                                        control={form.control}
-                                        autoProvision={form.watch(
-                                            "autoProvision"
-                                        )}
-                                        onAutoProvisionChange={(checked) => {
-                                            form.setValue(
-                                                "autoProvision",
-                                                checked
-                                            );
-                                        }}
-                                        roleMappingMode={roleMappingMode}
-                                        onRoleMappingModeChange={(data) => {
-                                            setRoleMappingMode(data);
-                                            // Clear roleId and roleMapping when mode changes
-                                            form.setValue("roleId", null);
-                                            form.setValue("roleMapping", null);
-                                        }}
-                                        roles={roles}
-                                        roleIdFieldName="roleId"
-                                        roleMappingFieldName="roleMapping"
-                                    />
-                                </form>
-                            </Form>
-                        </SettingsSectionForm>
+                        <Form {...form}>
+                            <form
+                                onSubmit={form.handleSubmit(onSubmit)}
+                                className="space-y-4"
+                                id="general-settings-form"
+                            >
+                                <AutoProvisionConfigWidget
+                                    autoProvision={form.watch("autoProvision")}
+                                    onAutoProvisionChange={(checked) => {
+                                        form.setValue("autoProvision", checked);
+                                    }}
+                                    roleMappingMode={roleMappingMode}
+                                    onRoleMappingModeChange={(data) => {
+                                        setRoleMappingMode(data);
+                                    }}
+                                    roles={roles}
+                                    fixedRoleNames={fixedRoleNames}
+                                    onFixedRoleNamesChange={setFixedRoleNames}
+                                    mappingBuilderClaimPath={
+                                        mappingBuilderClaimPath
+                                    }
+                                    onMappingBuilderClaimPathChange={
+                                        setMappingBuilderClaimPath
+                                    }
+                                    mappingBuilderRules={mappingBuilderRules}
+                                    onMappingBuilderRulesChange={
+                                        setMappingBuilderRules
+                                    }
+                                    rawExpression={rawRoleExpression}
+                                    onRawExpressionChange={setRawRoleExpression}
+                                />
+                            </form>
+                        </Form>
                     </SettingsSectionBody>
                 </SettingsSection>
 
diff --git a/src/app/[orgId]/settings/(private)/idp/create/page.tsx b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
index 4c783e9b2..2d6985849 100644
--- a/src/app/[orgId]/settings/(private)/idp/create/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
@@ -42,6 +42,12 @@ import { useParams, useRouter } from "next/navigation";
 import { useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
 import { z } from "zod";
+import {
+    compileRoleMappingExpression,
+    createMappingBuilderRule,
+    MappingBuilderRule,
+    RoleMappingMode
+} from "@app/lib/idpRoleMapping";
 
 export default function Page() {
     const { env } = useEnvContext();
@@ -49,9 +55,15 @@ export default function Page() {
     const router = useRouter();
     const [createLoading, setCreateLoading] = useState(false);
     const [roles, setRoles] = useState<{ roleId: number; name: string }[]>([]);
-    const [roleMappingMode, setRoleMappingMode] = useState<
-        "role" | "expression"
-    >("role");
+    const [roleMappingMode, setRoleMappingMode] =
+        useState<RoleMappingMode>("fixedRoles");
+    const [fixedRoleNames, setFixedRoleNames] = useState<string[]>([]);
+    const [mappingBuilderClaimPath, setMappingBuilderClaimPath] =
+        useState("groups");
+    const [mappingBuilderRules, setMappingBuilderRules] = useState<
+        MappingBuilderRule[]
+    >([createMappingBuilderRule()]);
+    const [rawRoleExpression, setRawRoleExpression] = useState("");
     const t = useTranslations();
     const { isPaidUser } = usePaidStatus();
 
@@ -228,7 +240,26 @@ export default function Page() {
                 tokenUrl = tokenUrl?.replace("{{TENANT_ID}}", data.tenantId);
             }
 
-            const roleName = roles.find((r) => r.roleId === data.roleId)?.name;
+            const roleMappingExpression = compileRoleMappingExpression({
+                mode: roleMappingMode,
+                fixedRoleNames,
+                mappingBuilder: {
+                    claimPath: mappingBuilderClaimPath,
+                    rules: mappingBuilderRules
+                },
+                rawExpression: rawRoleExpression
+            });
+
+            if (data.autoProvision && !roleMappingExpression) {
+                toast({
+                    title: t("error"),
+                    description:
+                        "A role mapping is required when auto-provisioning is enabled.",
+                    variant: "destructive"
+                });
+                setCreateLoading(false);
+                return;
+            }
 
             const payload = {
                 name: data.name,
@@ -240,10 +271,7 @@ export default function Page() {
                 emailPath: data.emailPath,
                 namePath: data.namePath,
                 autoProvision: data.autoProvision,
-                roleMapping:
-                    roleMappingMode === "role"
-                        ? `'${roleName}'`
-                        : data.roleMapping || "",
+                roleMapping: roleMappingExpression,
                 scopes: data.scopes,
                 variant: data.type
             };
@@ -363,43 +391,44 @@ export default function Page() {
                         </SettingsSectionDescription>
                     </SettingsSectionHeader>
                     <SettingsSectionBody>
-                        <SettingsSectionForm>
-                            <PaidFeaturesAlert
-                                tiers={tierMatrix.autoProvisioning}
-                            />
-                            <Form {...form}>
-                                <form
-                                    className="space-y-4"
-                                    id="create-idp-form"
-                                    onSubmit={form.handleSubmit(onSubmit)}
-                                >
-                                    <AutoProvisionConfigWidget
-                                        control={form.control}
-                                        autoProvision={
-                                            form.watch(
-                                                "autoProvision"
-                                            ) as boolean
-                                        } // is this right?
-                                        onAutoProvisionChange={(checked) => {
-                                            form.setValue(
-                                                "autoProvision",
-                                                checked
-                                            );
-                                        }}
-                                        roleMappingMode={roleMappingMode}
-                                        onRoleMappingModeChange={(data) => {
-                                            setRoleMappingMode(data);
-                                            // Clear roleId and roleMapping when mode changes
-                                            form.setValue("roleId", null);
-                                            form.setValue("roleMapping", null);
-                                        }}
-                                        roles={roles}
-                                        roleIdFieldName="roleId"
-                                        roleMappingFieldName="roleMapping"
-                                    />
-                                </form>
-                            </Form>
-                        </SettingsSectionForm>
+                        <PaidFeaturesAlert
+                            tiers={tierMatrix.autoProvisioning}
+                        />
+                        <Form {...form}>
+                            <form
+                                className="space-y-4"
+                                id="create-idp-form"
+                                onSubmit={form.handleSubmit(onSubmit)}
+                            >
+                                <AutoProvisionConfigWidget
+                                    autoProvision={
+                                        form.watch("autoProvision") as boolean
+                                    } // is this right?
+                                    onAutoProvisionChange={(checked) => {
+                                        form.setValue("autoProvision", checked);
+                                    }}
+                                    roleMappingMode={roleMappingMode}
+                                    onRoleMappingModeChange={(data) => {
+                                        setRoleMappingMode(data);
+                                    }}
+                                    roles={roles}
+                                    fixedRoleNames={fixedRoleNames}
+                                    onFixedRoleNamesChange={setFixedRoleNames}
+                                    mappingBuilderClaimPath={
+                                        mappingBuilderClaimPath
+                                    }
+                                    onMappingBuilderClaimPathChange={
+                                        setMappingBuilderClaimPath
+                                    }
+                                    mappingBuilderRules={mappingBuilderRules}
+                                    onMappingBuilderRulesChange={
+                                        setMappingBuilderRules
+                                    }
+                                    rawExpression={rawRoleExpression}
+                                    onRawExpressionChange={setRawRoleExpression}
+                                />
+                            </form>
+                        </Form>
                     </SettingsSectionBody>
                 </SettingsSection>
 
diff --git a/src/components/AutoProvisionConfigWidget.tsx b/src/components/AutoProvisionConfigWidget.tsx
index f5979aec3..44ee8c6e0 100644
--- a/src/components/AutoProvisionConfigWidget.tsx
+++ b/src/components/AutoProvisionConfigWidget.tsx
@@ -1,57 +1,74 @@
 "use client";
 
 import {
-    FormField,
-    FormItem,
     FormLabel,
-    FormControl,
-    FormDescription,
-    FormMessage
+    FormDescription
 } from "@app/components/ui/form";
 import { SwitchInput } from "@app/components/SwitchInput";
 import { RadioGroup, RadioGroupItem } from "@app/components/ui/radio-group";
-import {
-    Select,
-    SelectContent,
-    SelectItem,
-    SelectTrigger,
-    SelectValue
-} from "@app/components/ui/select";
+import { Button } from "@app/components/ui/button";
 import { Input } from "@app/components/ui/input";
 import { useTranslations } from "next-intl";
-import { Control, FieldValues, Path } from "react-hook-form";
+import { useMemo, useState } from "react";
 import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import { Tag, TagInput } from "@app/components/tags/tag-input";
+import {
+    createMappingBuilderRule,
+    MappingBuilderRule,
+    RoleMappingMode
+} from "@app/lib/idpRoleMapping";
 
 type Role = {
     roleId: number;
     name: string;
 };
 
-type AutoProvisionConfigWidgetProps<T extends FieldValues> = {
-    control: Control<T>;
+type AutoProvisionConfigWidgetProps = {
     autoProvision: boolean;
     onAutoProvisionChange: (checked: boolean) => void;
-    roleMappingMode: "role" | "expression";
-    onRoleMappingModeChange: (mode: "role" | "expression") => void;
+    roleMappingMode: RoleMappingMode;
+    onRoleMappingModeChange: (mode: RoleMappingMode) => void;
     roles: Role[];
-    roleIdFieldName: Path<T>;
-    roleMappingFieldName: Path<T>;
+    fixedRoleNames: string[];
+    onFixedRoleNamesChange: (roleNames: string[]) => void;
+    mappingBuilderClaimPath: string;
+    onMappingBuilderClaimPathChange: (claimPath: string) => void;
+    mappingBuilderRules: MappingBuilderRule[];
+    onMappingBuilderRulesChange: (rules: MappingBuilderRule[]) => void;
+    rawExpression: string;
+    onRawExpressionChange: (expression: string) => void;
 };
 
-export default function AutoProvisionConfigWidget<T extends FieldValues>({
-    control,
+export default function AutoProvisionConfigWidget({
     autoProvision,
     onAutoProvisionChange,
     roleMappingMode,
     onRoleMappingModeChange,
     roles,
-    roleIdFieldName,
-    roleMappingFieldName
-}: AutoProvisionConfigWidgetProps<T>) {
+    fixedRoleNames,
+    onFixedRoleNamesChange,
+    mappingBuilderClaimPath,
+    onMappingBuilderClaimPathChange,
+    mappingBuilderRules,
+    onMappingBuilderRulesChange,
+    rawExpression,
+    onRawExpressionChange
+}: AutoProvisionConfigWidgetProps) {
     const t = useTranslations();
-
     const { isPaidUser } = usePaidStatus();
+    const [activeFixedRoleTagIndex, setActiveFixedRoleTagIndex] = useState<
+        number | null
+    >(null);
+
+    const roleOptions = useMemo(
+        () =>
+            roles.map((role) => ({
+                id: role.name,
+                text: role.name
+            })),
+        [roles]
+    );
 
     return (
         <div className="space-y-4">
@@ -81,97 +98,243 @@ export default function AutoProvisionConfigWidget<T extends FieldValues>({
                         <RadioGroup
                             value={roleMappingMode}
                             onValueChange={onRoleMappingModeChange}
-                            className="flex space-x-6"
+                            className="flex flex-wrap gap-x-6 gap-y-2"
                         >
                             <div className="flex items-center space-x-2">
-                                <RadioGroupItem value="role" id="role-mode" />
+                                <RadioGroupItem
+                                    value="fixedRoles"
+                                    id="fixed-roles-mode"
+                                />
                                 <label
-                                    htmlFor="role-mode"
+                                    htmlFor="fixed-roles-mode"
                                     className="text-sm font-medium"
                                 >
-                                    {t("selectRole")}
+                                    Fixed roles
                                 </label>
                             </div>
                             <div className="flex items-center space-x-2">
                                 <RadioGroupItem
-                                    value="expression"
+                                    value="mappingBuilder"
+                                    id="mapping-builder-mode"
+                                />
+                                <label
+                                    htmlFor="mapping-builder-mode"
+                                    className="text-sm font-medium"
+                                >
+                                    Mapping builder
+                                </label>
+                            </div>
+                            <div className="flex items-center space-x-2">
+                                <RadioGroupItem
+                                    value="rawExpression"
                                     id="expression-mode"
                                 />
                                 <label
                                     htmlFor="expression-mode"
                                     className="text-sm font-medium"
                                 >
-                                    {t("roleMappingExpression")}
+                                    Raw expression
                                 </label>
                             </div>
                         </RadioGroup>
                     </div>
 
-                    {roleMappingMode === "role" ? (
-                        <FormField
-                            control={control}
-                            name={roleIdFieldName}
-                            render={({ field }) => (
-                                <FormItem>
-                                    <Select
-                                        onValueChange={(value) =>
-                                            field.onChange(Number(value))
-                                        }
-                                        value={field.value?.toString()}
-                                    >
-                                        <FormControl>
-                                            <SelectTrigger>
-                                                <SelectValue
-                                                    placeholder={t(
-                                                        "selectRolePlaceholder"
-                                                    )}
-                                                />
-                                            </SelectTrigger>
-                                        </FormControl>
-                                        <SelectContent>
-                                            {roles.map((role) => (
-                                                <SelectItem
-                                                    key={role.roleId}
-                                                    value={role.roleId.toString()}
-                                                >
-                                                    {role.name}
-                                                </SelectItem>
-                                            ))}
-                                        </SelectContent>
-                                    </Select>
-                                    <FormDescription>
-                                        {t("selectRoleDescription")}
-                                    </FormDescription>
-                                    <FormMessage />
-                                </FormItem>
-                            )}
-                        />
-                    ) : (
-                        <FormField
-                            control={control}
-                            name={roleMappingFieldName}
-                            render={({ field }) => (
-                                <FormItem>
-                                    <FormControl>
-                                        <Input
-                                            {...field}
-                                            defaultValue={field.value || ""}
-                                            value={field.value || ""}
-                                            placeholder={t(
-                                                "roleMappingExpressionPlaceholder"
-                                            )}
-                                        />
-                                    </FormControl>
-                                    <FormDescription>
-                                        {t("roleMappingExpressionDescription")}
-                                    </FormDescription>
-                                    <FormMessage />
-                                </FormItem>
-                            )}
-                        />
+                    {roleMappingMode === "fixedRoles" && (
+                        <div className="space-y-2">
+                            <TagInput
+                                tags={fixedRoleNames.map((name) => ({
+                                    id: name,
+                                    text: name
+                                }))}
+                                setTags={(nextTags) => {
+                                    const next =
+                                        typeof nextTags === "function"
+                                            ? nextTags(
+                                                  fixedRoleNames.map((name) => ({
+                                                      id: name,
+                                                      text: name
+                                                  }))
+                                              )
+                                            : nextTags;
+
+                                    onFixedRoleNamesChange(
+                                        [...new Set(next.map((tag) => tag.text))]
+                                    );
+                                }}
+                                activeTagIndex={activeFixedRoleTagIndex}
+                                setActiveTagIndex={setActiveFixedRoleTagIndex}
+                                placeholder="Select one or more roles"
+                                enableAutocomplete={true}
+                                autocompleteOptions={roleOptions}
+                                restrictTagsToAutocompleteOptions={true}
+                                allowDuplicates={false}
+                                sortTags={true}
+                                size="sm"
+                            />
+                            <FormDescription>
+                                Assign the same role set to every auto-provisioned
+                                user.
+                            </FormDescription>
+                        </div>
+                    )}
+
+                    {roleMappingMode === "mappingBuilder" && (
+                        <div className="space-y-4 rounded-md border p-3">
+                            <div className="space-y-2">
+                                <FormLabel>Claim path</FormLabel>
+                                <Input
+                                    value={mappingBuilderClaimPath}
+                                    onChange={(e) =>
+                                        onMappingBuilderClaimPathChange(
+                                            e.target.value
+                                        )
+                                    }
+                                    placeholder="groups"
+                                />
+                                <FormDescription>
+                                    Path in the token payload that contains source
+                                    values (for example, groups).
+                                </FormDescription>
+                            </div>
+
+                            <div className="space-y-3">
+                                <div className="hidden md:grid md:grid-cols-[minmax(220px,1fr)_minmax(340px,2fr)_auto] md:gap-3">
+                                    <FormLabel>Match value</FormLabel>
+                                    <FormLabel>Assign roles</FormLabel>
+                                    <span />
+                                </div>
+
+                                {mappingBuilderRules.map((rule, index) => (
+                                    <BuilderRuleRow
+                                        key={rule.id ?? `mapping-rule-${index}`}
+                                        roleOptions={roleOptions}
+                                        rule={rule}
+                                        onChange={(nextRule) => {
+                                            const nextRules =
+                                                mappingBuilderRules.map(
+                                                    (row, i) =>
+                                                        i === index
+                                                            ? nextRule
+                                                            : row
+                                                );
+                                            onMappingBuilderRulesChange(
+                                                nextRules
+                                            );
+                                        }}
+                                        onRemove={() => {
+                                            const nextRules =
+                                                mappingBuilderRules.filter(
+                                                    (_, i) => i !== index
+                                                );
+                                            onMappingBuilderRulesChange(
+                                                nextRules.length
+                                                    ? nextRules
+                                                    : [createMappingBuilderRule()]
+                                            );
+                                        }}
+                                    />
+                                ))}
+                            </div>
+
+                            <Button
+                                type="button"
+                                variant="outline"
+                                onClick={() => {
+                                    onMappingBuilderRulesChange([
+                                        ...mappingBuilderRules,
+                                        createMappingBuilderRule()
+                                    ]);
+                                }}
+                            >
+                                Add mapping rule
+                            </Button>
+                        </div>
+                    )}
+
+                    {roleMappingMode === "rawExpression" && (
+                        <div className="space-y-2">
+                            <Input
+                                value={rawExpression}
+                                onChange={(e) =>
+                                    onRawExpressionChange(e.target.value)
+                                }
+                                placeholder={t("roleMappingExpressionPlaceholder")}
+                            />
+                            <FormDescription>
+                                Expression must evaluate to a string or string
+                                array.
+                            </FormDescription>
+                        </div>
                     )}
                 </div>
             )}
         </div>
     );
 }
+
+function BuilderRuleRow({
+    rule,
+    roleOptions,
+    onChange,
+    onRemove
+}: {
+    rule: MappingBuilderRule;
+    roleOptions: Tag[];
+    onChange: (rule: MappingBuilderRule) => void;
+    onRemove: () => void;
+}) {
+    const [activeTagIndex, setActiveTagIndex] = useState<number | null>(null);
+
+    return (
+        <div className="grid gap-3 rounded-md border p-3 md:grid-cols-[minmax(220px,1fr)_minmax(340px,2fr)_auto] md:items-start">
+            <div className="space-y-1">
+                <FormLabel className="text-xs md:hidden">Match value</FormLabel>
+                <Input
+                    value={rule.matchValue}
+                    onChange={(e) =>
+                        onChange({
+                            ...rule,
+                            matchValue: e.target.value
+                        })
+                    }
+                    placeholder="Match value (for example: admin)"
+                />
+            </div>
+            <div className="space-y-1 min-w-0">
+                <FormLabel className="text-xs md:hidden">Assign roles</FormLabel>
+                <TagInput
+                    tags={rule.roleNames.map((name) => ({ id: name, text: name }))}
+                    setTags={(nextTags) => {
+                        const next =
+                            typeof nextTags === "function"
+                                ? nextTags(
+                                      rule.roleNames.map((name) => ({
+                                          id: name,
+                                          text: name
+                                      }))
+                                  )
+                                : nextTags;
+                        onChange({
+                            ...rule,
+                            roleNames: [...new Set(next.map((tag) => tag.text))]
+                        });
+                    }}
+                    activeTagIndex={activeTagIndex}
+                    setActiveTagIndex={setActiveTagIndex}
+                    placeholder="Assign roles"
+                    enableAutocomplete={true}
+                    autocompleteOptions={roleOptions}
+                    restrictTagsToAutocompleteOptions={true}
+                    allowDuplicates={false}
+                    sortTags={true}
+                    size="sm"
+                />
+            </div>
+            <div className="flex justify-end md:justify-start">
+                <Button type="button" variant="ghost" onClick={onRemove}>
+                    Remove
+                </Button>
+            </div>
+        </div>
+    );
+}
diff --git a/src/lib/idpRoleMapping.ts b/src/lib/idpRoleMapping.ts
new file mode 100644
index 000000000..2b336b3dd
--- /dev/null
+++ b/src/lib/idpRoleMapping.ts
@@ -0,0 +1,266 @@
+export type RoleMappingMode = "fixedRoles" | "mappingBuilder" | "rawExpression";
+
+export type MappingBuilderRule = {
+    /** Stable React list key; not used when compiling JMESPath. */
+    id?: string;
+    matchValue: string;
+    roleNames: string[];
+};
+
+function newMappingBuilderRuleId(): string {
+    if (typeof crypto !== "undefined" && "randomUUID" in crypto) {
+        return crypto.randomUUID();
+    }
+    return `rule-${Date.now()}-${Math.random().toString(36).slice(2, 11)}`;
+}
+
+export function createMappingBuilderRule(): MappingBuilderRule {
+    return {
+        id: newMappingBuilderRuleId(),
+        matchValue: "",
+        roleNames: []
+    };
+}
+
+/** Ensures every rule has a stable id (e.g. after loading from the API). */
+export function ensureMappingBuilderRuleIds(
+    rules: MappingBuilderRule[]
+): MappingBuilderRule[] {
+    return rules.map((rule) =>
+        rule.id ? rule : { ...rule, id: newMappingBuilderRuleId() }
+    );
+}
+
+export type MappingBuilderConfig = {
+    claimPath: string;
+    rules: MappingBuilderRule[];
+};
+
+export type RoleMappingConfig = {
+    mode: RoleMappingMode;
+    fixedRoleNames: string[];
+    mappingBuilder: MappingBuilderConfig;
+    rawExpression: string;
+};
+
+const SINGLE_QUOTED_ROLE_REGEX = /^'([^']+)'$/;
+const QUOTED_ROLE_ARRAY_REGEX = /^\[(.*)\]$/;
+
+/** Stored role mappings created by the mapping builder are prefixed so the UI can restore the builder. */
+export const PANGOLIN_ROLE_MAP_BUILDER_PREFIX = "__PANGOLIN_ROLE_MAP_BUILDER_V1__";
+
+const BUILDER_METADATA_SEPARATOR = "\n---\n";
+
+export type UnwrappedRoleMapping = {
+    /** Expression passed to JMESPath (no builder wrapper). */
+    evaluationExpression: string;
+    /** Present when the stored value was saved from the mapping builder. */
+    builderState: { claimPath: string; rules: MappingBuilderRule[] } | null;
+};
+
+/**
+ * Split stored DB value into evaluation expression and optional builder metadata.
+ * Legacy values (no prefix) are returned as-is for evaluation.
+ */
+export function unwrapRoleMapping(
+    stored: string | null | undefined
+): UnwrappedRoleMapping {
+    const trimmed = stored?.trim() ?? "";
+    if (!trimmed.startsWith(PANGOLIN_ROLE_MAP_BUILDER_PREFIX)) {
+        return {
+            evaluationExpression: trimmed,
+            builderState: null
+        };
+    }
+
+    let rest = trimmed.slice(PANGOLIN_ROLE_MAP_BUILDER_PREFIX.length);
+    if (rest.startsWith("\n")) {
+        rest = rest.slice(1);
+    }
+
+    const sepIdx = rest.indexOf(BUILDER_METADATA_SEPARATOR);
+    if (sepIdx === -1) {
+        return {
+            evaluationExpression: trimmed,
+            builderState: null
+        };
+    }
+
+    const jsonPart = rest.slice(0, sepIdx).trim();
+    const inner = rest.slice(sepIdx + BUILDER_METADATA_SEPARATOR.length).trim();
+
+    try {
+        const meta = JSON.parse(jsonPart) as {
+            claimPath?: unknown;
+            rules?: unknown;
+        };
+        if (
+            typeof meta.claimPath === "string" &&
+            Array.isArray(meta.rules)
+        ) {
+            const rules: MappingBuilderRule[] = meta.rules.map(
+                (r: unknown) => {
+                    const row = r as {
+                        matchValue?: unknown;
+                        roleNames?: unknown;
+                    };
+                    return {
+                        matchValue:
+                            typeof row.matchValue === "string"
+                                ? row.matchValue
+                                : "",
+                        roleNames: Array.isArray(row.roleNames)
+                            ? row.roleNames.filter(
+                                  (n): n is string => typeof n === "string"
+                              )
+                            : []
+                    };
+                }
+            );
+            return {
+                evaluationExpression: inner,
+                builderState: {
+                    claimPath: meta.claimPath,
+                    rules: ensureMappingBuilderRuleIds(rules)
+                }
+            };
+        }
+    } catch {
+        /* fall through */
+    }
+
+    return {
+        evaluationExpression: inner.length ? inner : trimmed,
+        builderState: null
+    };
+}
+
+function escapeSingleQuotes(value: string): string {
+    return value.replace(/'/g, "\\'");
+}
+
+export function compileRoleMappingExpression(config: RoleMappingConfig): string {
+    if (config.mode === "rawExpression") {
+        return config.rawExpression.trim();
+    }
+
+    if (config.mode === "fixedRoles") {
+        const roleNames = dedupeNonEmpty(config.fixedRoleNames);
+        if (!roleNames.length) {
+            return "";
+        }
+
+        if (roleNames.length === 1) {
+            return `'${escapeSingleQuotes(roleNames[0])}'`;
+        }
+
+        return `[${roleNames.map((name) => `'${escapeSingleQuotes(name)}'`).join(", ")}]`;
+    }
+
+    const claimPath = config.mappingBuilder.claimPath.trim();
+    const rules = config.mappingBuilder.rules
+        .map((rule) => ({
+            matchValue: rule.matchValue.trim(),
+            roleNames: dedupeNonEmpty(rule.roleNames)
+        }))
+        .filter((rule) => Boolean(rule.matchValue) && rule.roleNames.length > 0);
+
+    if (!claimPath || !rules.length) {
+        return "";
+    }
+
+    const compiledRules = rules.map((rule) => {
+        const mappedRoles = `[${rule.roleNames
+            .map((name) => `'${escapeSingleQuotes(name)}'`)
+            .join(", ")}]`;
+        return `contains(${claimPath}, '${escapeSingleQuotes(rule.matchValue)}') && ${mappedRoles} || []`;
+    });
+
+    const inner = `[${compiledRules.join(", ")}][]`;
+    const metadata = {
+        claimPath,
+        rules: rules.map((r) => ({
+            matchValue: r.matchValue,
+            roleNames: r.roleNames
+        }))
+    };
+
+    return `${PANGOLIN_ROLE_MAP_BUILDER_PREFIX}\n${JSON.stringify(metadata)}${BUILDER_METADATA_SEPARATOR}${inner}`;
+}
+
+export function detectRoleMappingConfig(
+    expression: string | null | undefined
+): RoleMappingConfig {
+    const stored = expression?.trim() || "";
+
+    if (!stored) {
+        return defaultRoleMappingConfig();
+    }
+
+    const { evaluationExpression, builderState } = unwrapRoleMapping(stored);
+
+    if (builderState) {
+        return {
+            mode: "mappingBuilder",
+            fixedRoleNames: [],
+            mappingBuilder: {
+                claimPath: builderState.claimPath,
+                rules: builderState.rules
+            },
+            rawExpression: evaluationExpression
+        };
+    }
+
+    const tail = evaluationExpression.trim();
+
+    const singleMatch = tail.match(SINGLE_QUOTED_ROLE_REGEX);
+    if (singleMatch?.[1]) {
+        return {
+            mode: "fixedRoles",
+            fixedRoleNames: [singleMatch[1]],
+            mappingBuilder: defaultRoleMappingConfig().mappingBuilder,
+            rawExpression: tail
+        };
+    }
+
+    const arrayMatch = tail.match(QUOTED_ROLE_ARRAY_REGEX);
+    if (arrayMatch?.[1]) {
+        const roleNames = arrayMatch[1]
+            .split(",")
+            .map((entry) => entry.trim())
+            .map((entry) => entry.match(SINGLE_QUOTED_ROLE_REGEX)?.[1] || "")
+            .filter(Boolean);
+
+        if (roleNames.length > 0) {
+            return {
+                mode: "fixedRoles",
+                fixedRoleNames: roleNames,
+                mappingBuilder: defaultRoleMappingConfig().mappingBuilder,
+                rawExpression: tail
+            };
+        }
+    }
+
+    return {
+        mode: "rawExpression",
+        fixedRoleNames: [],
+        mappingBuilder: defaultRoleMappingConfig().mappingBuilder,
+        rawExpression: tail
+    };
+}
+
+export function defaultRoleMappingConfig(): RoleMappingConfig {
+    return {
+        mode: "fixedRoles",
+        fixedRoleNames: [],
+        mappingBuilder: {
+            claimPath: "groups",
+            rules: [createMappingBuilderRule()]
+        },
+        rawExpression: ""
+    };
+}
+
+function dedupeNonEmpty(values: string[]): string[] {
+    return [...new Set(values.map((value) => value.trim()).filter(Boolean))];
+}

From 5ddcfeb50661747322110e8a38cf2295b9090c4a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 27 Mar 2026 06:56:52 +0000
Subject: [PATCH 136/314] Bump nodemailer from 8.0.1 to 8.0.4

Bumps [nodemailer](https://github.com/nodemailer/nodemailer) from 8.0.1 to 8.0.4.
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodemailer/nodemailer/compare/v8.0.1...v8.0.4)

---
updated-dependencies:
- dependency-name: nodemailer
  dependency-version: 8.0.4
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 package-lock.json | 9 +++++----
 package.json      | 2 +-
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 7b63f1691..952061bee 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -74,7 +74,7 @@
                 "next-themes": "0.4.6",
                 "nextjs-toploader": "3.9.17",
                 "node-cache": "5.1.2",
-                "nodemailer": "8.0.1",
+                "nodemailer": "8.0.4",
                 "oslo": "1.2.1",
                 "pg": "8.20.0",
                 "posthog-node": "5.28.0",
@@ -15636,9 +15636,10 @@
             "license": "MIT"
         },
         "node_modules/nodemailer": {
-            "version": "8.0.1",
-            "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-8.0.1.tgz",
-            "integrity": "sha512-5kcldIXmaEjZcHR6F28IKGSgpmZHaF1IXLWFTG+Xh3S+Cce4MiakLtWY+PlBU69fLbRa8HlaGIrC/QolUpHkhg==",
+            "version": "8.0.4",
+            "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-8.0.4.tgz",
+            "integrity": "sha512-k+jf6N8PfQJ0Fe8ZhJlgqU5qJU44Lpvp2yvidH3vp1lPnVQMgi4yEEMPXg5eJS1gFIJTVq1NHBk7Ia9ARdSBdQ==",
+            "license": "MIT-0",
             "engines": {
                 "node": ">=6.0.0"
             }
diff --git a/package.json b/package.json
index 05ae3b49f..4e942701e 100644
--- a/package.json
+++ b/package.json
@@ -97,7 +97,7 @@
         "next-themes": "0.4.6",
         "nextjs-toploader": "3.9.17",
         "node-cache": "5.1.2",
-        "nodemailer": "8.0.1",
+        "nodemailer": "8.0.4",
         "oslo": "1.2.1",
         "pg": "8.20.0",
         "posthog-node": "5.28.0",

From 06f840a6800db0cf8d36c9d2d58fb732ee403560 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 27 Mar 2026 14:43:09 +0000
Subject: [PATCH 137/314] Bump brace-expansion

Bumps  and [brace-expansion](https://github.com/juliangruber/brace-expansion). These dependencies needed to be updated together.

Updates `brace-expansion` from 5.0.4 to 5.0.5
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](https://github.com/juliangruber/brace-expansion/compare/v5.0.4...v5.0.5)

Updates `brace-expansion` from 1.1.12 to 1.1.13
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](https://github.com/juliangruber/brace-expansion/compare/v5.0.4...v5.0.5)

---
updated-dependencies:
- dependency-name: brace-expansion
  dependency-version: 5.0.5
  dependency-type: indirect
- dependency-name: brace-expansion
  dependency-version: 1.1.13
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 package-lock.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 7b63f1691..c034e8439 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -10265,9 +10265,9 @@
             "license": "MIT"
         },
         "node_modules/brace-expansion": {
-            "version": "5.0.4",
-            "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.4.tgz",
-            "integrity": "sha512-h+DEnpVvxmfVefa4jFbCf5HdH5YMDXRsmKflpf1pILZWRFlTbJpxeU55nJl4Smt5HQaGzg1o6RHFPJaOqnmBDg==",
+            "version": "5.0.5",
+            "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
+            "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
             "license": "MIT",
             "dependencies": {
                 "balanced-match": "^4.0.2"
@@ -12459,9 +12459,9 @@
             "license": "MIT"
         },
         "node_modules/eslint-config-next/node_modules/brace-expansion": {
-            "version": "1.1.12",
-            "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-            "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+            "version": "1.1.13",
+            "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz",
+            "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==",
             "dev": true,
             "license": "MIT",
             "dependencies": {

From 04dfbd0a14e03e504551f71083a40a1c1a89d3b1 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Fri, 27 Mar 2026 12:04:41 -0700
Subject: [PATCH 138/314] Chainid send through

---
 server/routers/newt/handleGetConfigMessage.ts    | 8 +++++---
 server/routers/newt/handleNewtRegisterMessage.ts | 5 +++--
 server/routers/olm/handleOlmRegisterMessage.ts   | 6 ++++--
 3 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/server/routers/newt/handleGetConfigMessage.ts b/server/routers/newt/handleGetConfigMessage.ts
index 98be479c0..c73098ce4 100644
--- a/server/routers/newt/handleGetConfigMessage.ts
+++ b/server/routers/newt/handleGetConfigMessage.ts
@@ -11,7 +11,8 @@ import { canCompress } from "@server/lib/clientVersionChecks";
 
 const inputSchema = z.object({
     publicKey: z.string(),
-    port: z.int().positive()
+    port: z.int().positive(),
+    chainId: z.string()
 });
 
 type Input = z.infer<typeof inputSchema>;
@@ -43,7 +44,7 @@ export const handleGetConfigMessage: MessageHandler = async (context) => {
         return;
     }
 
-    const { publicKey, port } = message.data as Input;
+    const { publicKey, port, chainId } = message.data as Input;
     const siteId = newt.siteId;
 
     // Get the current site data
@@ -136,7 +137,8 @@ export const handleGetConfigMessage: MessageHandler = async (context) => {
             data: {
                 ipAddress: site.address,
                 peers,
-                targets: targetsToSend
+                targets: targetsToSend,
+                chainId: chainId
             }
         },
         options: {
diff --git a/server/routers/newt/handleNewtRegisterMessage.ts b/server/routers/newt/handleNewtRegisterMessage.ts
index 90034cfbf..fce42caa3 100644
--- a/server/routers/newt/handleNewtRegisterMessage.ts
+++ b/server/routers/newt/handleNewtRegisterMessage.ts
@@ -43,7 +43,7 @@ export const handleNewtRegisterMessage: MessageHandler = async (context) => {
 
     const siteId = newt.siteId;
 
-    const { publicKey, pingResults, newtVersion, backwardsCompatible } =
+    const { publicKey, pingResults, newtVersion, backwardsCompatible, chainId } =
         message.data;
     if (!publicKey) {
         logger.warn("Public key not provided");
@@ -211,7 +211,8 @@ export const handleNewtRegisterMessage: MessageHandler = async (context) => {
                     udp: udpTargets,
                     tcp: tcpTargets
                 },
-                healthCheckTargets: validHealthCheckTargets
+                healthCheckTargets: validHealthCheckTargets,
+                chainId: chainId
             }
         },
         options: {
diff --git a/server/routers/olm/handleOlmRegisterMessage.ts b/server/routers/olm/handleOlmRegisterMessage.ts
index 5439245c4..26dbff1bd 100644
--- a/server/routers/olm/handleOlmRegisterMessage.ts
+++ b/server/routers/olm/handleOlmRegisterMessage.ts
@@ -41,7 +41,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
         orgId,
         userToken,
         fingerprint,
-        postures
+        postures,
+        chainId
     } = message.data;
 
     if (!olm.clientId) {
@@ -293,7 +294,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
             data: {
                 sites: siteConfigurations,
                 tunnelIP: client.subnet,
-                utilitySubnet: org.utilitySubnet
+                utilitySubnet: org.utilitySubnet,
+                chainId: chainId
             }
         },
         options: {

From 177926932b79d1162987a9a7d4e3d78121bb4022 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Fri, 27 Mar 2026 17:07:58 -0700
Subject: [PATCH 139/314] Update hybrid for multi role

---
 server/private/routers/hybrid.ts | 90 +++++++++++++++++++++++++++-----
 1 file changed, 77 insertions(+), 13 deletions(-)

diff --git a/server/private/routers/hybrid.ts b/server/private/routers/hybrid.ts
index a38385b0c..5ca720594 100644
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -52,7 +52,9 @@ import {
     userOrgs,
     roleResources,
     userResources,
-    resourceRules
+    resourceRules,
+    userOrgRoles,
+    roles
 } from "@server/db";
 import { eq, and, inArray, isNotNull, ne } from "drizzle-orm";
 import { response } from "@server/lib/response";
@@ -104,6 +106,13 @@ const getUserOrgSessionVerifySchema = z.strictObject({
     sessionId: z.string().min(1, "Session ID is required")
 });
 
+const getRoleNameParamsSchema = z.strictObject({
+    roleId: z
+        .string()
+        .transform(Number)
+        .pipe(z.int().positive("Role ID must be a positive integer"))
+});
+
 const getRoleResourceAccessParamsSchema = z.strictObject({
     roleId: z
         .string()
@@ -796,23 +805,26 @@ hybridRouter.get(
                 );
             }
 
-            const userOrgRole = await db
-                .select()
-                .from(userOrgs)
+            const userOrgRoleRows = await db
+                .select({ roleId: userOrgRoles.roleId })
+                .from(userOrgRoles)
                 .where(
-                    and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId))
-                )
-                .limit(1);
+                    and(
+                        eq(userOrgRoles.userId, userId),
+                        eq(userOrgRoles.orgId, orgId)
+                    )
+                );
 
-            const result = userOrgRole.length > 0 ? userOrgRole[0] : null;
+            const roleIds = userOrgRoleRows.map((r) => r.roleId);
 
-            return response<typeof userOrgs.$inferSelect | null>(res, {
-                data: result,
+            return response<number[]>(res, {
+                data: roleIds,
                 success: true,
                 error: false,
-                message: result
-                    ? "User org role retrieved successfully"
-                    : "User org role not found",
+                message:
+                    roleIds.length > 0
+                        ? "User org roles retrieved successfully"
+                        : "User has no roles in this organization",
                 status: HttpCode.OK
             });
         } catch (error) {
@@ -890,6 +902,58 @@ hybridRouter.get(
     }
 );
 
+// Get role name by ID
+hybridRouter.get(
+    "/role/:roleId/name",
+    async (req: Request, res: Response, next: NextFunction) => {
+        try {
+            const parsedParams = getRoleNameParamsSchema.safeParse(req.params);
+            if (!parsedParams.success) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        fromError(parsedParams.error).toString()
+                    )
+                );
+            }
+
+            const { roleId } = parsedParams.data;
+            const remoteExitNode = req.remoteExitNode;
+
+            if (!remoteExitNode?.exitNodeId) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Remote exit node not found"
+                    )
+                );
+            }
+
+            const [role] = await db
+                .select({ name: roles.name })
+                .from(roles)
+                .where(eq(roles.roleId, roleId))
+                .limit(1);
+
+            return response<string | null>(res, {
+                data: role?.name ?? null,
+                success: true,
+                error: false,
+                message: role ? "Role name retrieved successfully" : "Role not found",
+                status: HttpCode.OK
+            });
+        } catch (error) {
+            logger.error(error);
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Failed to get role name"
+                )
+            );
+        }
+    }
+);
+
 // Check if role has access to resource
 hybridRouter.get(
     "/role/:roleId/resource/:resourceId/access",

From bea20674a8efd8ab9e7b1b048d6e76a89d8b3ec6 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Fri, 27 Mar 2026 17:35:35 -0700
Subject: [PATCH 140/314] support policy buildiner in global idp

---
 messages/en-US.json                          |  31 +-
 src/app/admin/idp/[idpId]/general/page.tsx   |  64 ++-
 src/app/admin/idp/[idpId]/layout.tsx         |   2 +-
 src/app/admin/idp/[idpId]/policies/page.tsx  | 385 +++++++++++++------
 src/app/admin/idp/create/page.tsx            |  33 --
 src/components/AutoProvisionConfigWidget.tsx | 293 +-------------
 src/components/RoleMappingConfigFields.tsx   | 366 ++++++++++++++++++
 7 files changed, 703 insertions(+), 471 deletions(-)
 create mode 100644 src/components/RoleMappingConfigFields.tsx

diff --git a/messages/en-US.json b/messages/en-US.json
index 361771d87..7d00c8105 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -509,6 +509,7 @@
     "userSaved": "User saved",
     "userSavedDescription": "The user has been updated.",
     "autoProvisioned": "Auto Provisioned",
+    "autoProvisionSettings": "Auto Provision Settings",
     "autoProvisionedDescription": "Allow this user to be automatically managed by identity provider",
     "accessControlsDescription": "Manage what this user can access and do in the organization",
     "accessControlsSubmit": "Save Access Controls",
@@ -1042,7 +1043,6 @@
     "pageNotFoundDescription": "Oops! The page you're looking for doesn't exist.",
     "overview": "Overview",
     "home": "Home",
-    "accessControl": "Access Control",
     "settings": "Settings",
     "usersAll": "All Users",
     "license": "License",
@@ -1942,6 +1942,24 @@
     "invalidValue": "Invalid value",
     "idpTypeLabel": "Identity Provider Type",
     "roleMappingExpressionPlaceholder": "e.g., contains(groups, 'admin') && 'Admin' || 'Member'",
+    "roleMappingModeFixedRoles": "Fixed roles",
+    "roleMappingModeMappingBuilder": "Mapping builder",
+    "roleMappingModeRawExpression": "Raw expression",
+    "roleMappingFixedRolesPlaceholderSelect": "Select one or more roles",
+    "roleMappingFixedRolesPlaceholderFreeform": "Type role names (exact match per organization)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Assign the same role set to every auto-provisioned user.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "For default policies, type role names that exist in each organization where users are provisioned. Names must match exactly.",
+    "roleMappingClaimPath": "Claim path",
+    "roleMappingClaimPathPlaceholder": "groups",
+    "roleMappingClaimPathDescription": "Path in the token payload that contains source values (for example, groups).",
+    "roleMappingMatchValue": "Match value",
+    "roleMappingAssignRoles": "Assign roles",
+    "roleMappingAddMappingRule": "Add mapping rule",
+    "roleMappingRawExpressionResultDescription": "Expression must evaluate to a string or string array.",
+    "roleMappingMatchValuePlaceholder": "Match value (for example: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Type role names (exact per org)",
+    "roleMappingBuilderFreeformRowHint": "Role names must match a role in each target organization.",
+    "roleMappingRemoveRule": "Remove",
     "idpGoogleConfiguration": "Google Configuration",
     "idpGoogleConfigurationDescription": "Configure the Google OAuth2 credentials",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2514,9 +2532,9 @@
     "remoteExitNodeRegenerateCredentialsConfirmation": "Are you sure you want to regenerate the credentials for this remote exit node?",
     "remoteExitNodeRegenerateCredentialsWarning": "This will regenerate the credentials. The remote exit node will stay connected until you manually restart it and use the new credentials.",
     "agent": "Agent",
-    "personalUseOnly":  "Personal Use Only",
-    "loginPageLicenseWatermark":  "This instance is licensed for personal use only.",
-    "instanceIsUnlicensed":  "This instance is unlicensed.",
+    "personalUseOnly": "Personal Use Only",
+    "loginPageLicenseWatermark": "This instance is licensed for personal use only.",
+    "instanceIsUnlicensed": "This instance is unlicensed.",
     "portRestrictions": "Port Restrictions",
     "allPorts": "All",
     "custom": "Custom",
@@ -2570,7 +2588,7 @@
     "automaticModeDescription": " Show maintenance page only when all backend targets are down or unhealthy. Your resource continues working normally as long as at least one target is healthy.",
     "forced": "Forced",
     "forcedModeDescription": "Always show the maintenance page regardless of backend health. Use this for planned maintenance when you want to prevent all access.",
-    "warning:" : "Warning:",
+    "warning:": "Warning:",
     "forcedeModeWarning": "All traffic will be directed to the maintenance page. Your backend resources will not receive any requests.",
     "pageTitle": "Page Title",
     "pageTitleDescription": "The main heading displayed on the maintenance page",
@@ -2687,5 +2705,6 @@
     "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
     "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
     "approvalsEmptyStateButtonText": "Manage Roles",
-    "domainErrorTitle": "We are having trouble verifying your domain"
+    "domainErrorTitle": "We are having trouble verifying your domain",
+    "idpAdminAutoProvisionPoliciesTabHint": "Configure role mapping and organization policies on the <policiesTabLink>Auto Provision Settings</policiesTabLink> tab."
 }
diff --git a/src/app/admin/idp/[idpId]/general/page.tsx b/src/app/admin/idp/[idpId]/general/page.tsx
index d431efa2d..a5ed14a6e 100644
--- a/src/app/admin/idp/[idpId]/general/page.tsx
+++ b/src/app/admin/idp/[idpId]/general/page.tsx
@@ -15,7 +15,8 @@ import {
 import { Input } from "@app/components/ui/input";
 import { useForm } from "react-hook-form";
 import { toast } from "@app/hooks/useToast";
-import { useRouter, useParams, redirect } from "next/navigation";
+import { useRouter, useParams } from "next/navigation";
+import Link from "next/link";
 import {
     SettingsContainer,
     SettingsSection,
@@ -189,15 +190,6 @@ export default function GeneralPage() {
                             </InfoSection>
                         </InfoSections>
 
-                        <Alert variant="neutral" className="">
-                            <InfoIcon className="h-4 w-4" />
-                            <AlertTitle className="font-semibold">
-                                {t("redirectUrlAbout")}
-                            </AlertTitle>
-                            <AlertDescription>
-                                {t("redirectUrlAboutDescription")}
-                            </AlertDescription>
-                        </Alert>
                         <SettingsSectionForm>
                             <Form {...form}>
                                 <form
@@ -239,9 +231,32 @@ export default function GeneralPage() {
                                             }}
                                         />
                                     </div>
-                                    <span className="text-sm text-muted-foreground">
-                                        {t("idpAutoProvisionUsersDescription")}
-                                    </span>
+                                    <div className="flex flex-col gap-2">
+                                        <span className="text-sm text-muted-foreground">
+                                            {t(
+                                                "idpAutoProvisionUsersDescription"
+                                            )}
+                                        </span>
+                                        {form.watch("autoProvision") && (
+                                            <FormDescription>
+                                                {t.rich(
+                                                    "idpAdminAutoProvisionPoliciesTabHint",
+                                                    {
+                                                        policiesTabLink: (
+                                                            chunks
+                                                        ) => (
+                                                            <Link
+                                                                href={`/admin/idp/${idpId}/policies`}
+                                                                className="text-primary hover:underline inline-flex items-center gap-1"
+                                                            >
+                                                                {chunks}
+                                                            </Link>
+                                                        )
+                                                    }
+                                                )}
+                                            </FormDescription>
+                                        )}
+                                    </div>
                                 </form>
                             </Form>
                         </SettingsSectionForm>
@@ -375,29 +390,6 @@ export default function GeneralPage() {
                                         className="space-y-4"
                                         id="general-settings-form"
                                     >
-                                        <Alert variant="neutral">
-                                            <InfoIcon className="h-4 w-4" />
-                                            <AlertTitle className="font-semibold">
-                                                {t("idpJmespathAbout")}
-                                            </AlertTitle>
-                                            <AlertDescription>
-                                                {t(
-                                                    "idpJmespathAboutDescription"
-                                                )}
-                                                <a
-                                                    href="https://jmespath.org"
-                                                    target="_blank"
-                                                    rel="noopener noreferrer"
-                                                    className="text-primary hover:underline inline-flex items-center"
-                                                >
-                                                    {t(
-                                                        "idpJmespathAboutDescriptionLink"
-                                                    )}{" "}
-                                                    <ExternalLink className="ml-1 h-4 w-4" />
-                                                </a>
-                                            </AlertDescription>
-                                        </Alert>
-
                                         <FormField
                                             control={form.control}
                                             name="identifierPath"
diff --git a/src/app/admin/idp/[idpId]/layout.tsx b/src/app/admin/idp/[idpId]/layout.tsx
index 9634a3de2..93ca08bd7 100644
--- a/src/app/admin/idp/[idpId]/layout.tsx
+++ b/src/app/admin/idp/[idpId]/layout.tsx
@@ -34,7 +34,7 @@ export default async function SettingsLayout(props: SettingsLayoutProps) {
             href: `/admin/idp/${params.idpId}/general`
         },
         {
-            title: t("orgPolicies"),
+            title: t("autoProvisionSettings"),
             href: `/admin/idp/${params.idpId}/policies`
         }
     ];
diff --git a/src/app/admin/idp/[idpId]/policies/page.tsx b/src/app/admin/idp/[idpId]/policies/page.tsx
index bf17abe98..086074e2d 100644
--- a/src/app/admin/idp/[idpId]/policies/page.tsx
+++ b/src/app/admin/idp/[idpId]/policies/page.tsx
@@ -1,7 +1,7 @@
 "use client";
 
 import { useEffect, useState } from "react";
-import { useParams, useRouter } from "next/navigation";
+import { useParams } from "next/navigation";
 import { createApiClient, formatAxiosError } from "@app/lib/api";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { toast } from "@app/hooks/useToast";
@@ -34,6 +34,7 @@ import { InfoIcon, ExternalLink, CheckIcon } from "lucide-react";
 import PolicyTable, { PolicyRow } from "../../../../../components/PolicyTable";
 import { AxiosResponse } from "axios";
 import { ListOrgsResponse } from "@server/routers/org";
+import { ListRolesResponse } from "@server/routers/role";
 import {
     Popover,
     PopoverContent,
@@ -50,8 +51,6 @@ import {
 } from "@app/components/ui/command";
 import { CaretSortIcon } from "@radix-ui/react-icons";
 import Link from "next/link";
-import { Textarea } from "@app/components/ui/textarea";
-import { InfoPopup } from "@app/components/ui/info-popup";
 import { GetIdpResponse } from "@server/routers/idp";
 import {
     SettingsContainer,
@@ -64,16 +63,40 @@ import {
     SettingsSectionForm
 } from "@app/components/Settings";
 import { useTranslations } from "next-intl";
+import RoleMappingConfigFields from "@app/components/RoleMappingConfigFields";
+import {
+    compileRoleMappingExpression,
+    createMappingBuilderRule,
+    defaultRoleMappingConfig,
+    detectRoleMappingConfig,
+    MappingBuilderRule,
+    RoleMappingMode
+} from "@app/lib/idpRoleMapping";
 
 type Organization = {
     orgId: string;
     name: string;
 };
 
+function resetRoleMappingStateFromDetected(
+    setMode: (m: RoleMappingMode) => void,
+    setFixed: (v: string[]) => void,
+    setClaim: (v: string) => void,
+    setRules: (v: MappingBuilderRule[]) => void,
+    setRaw: (v: string) => void,
+    stored: string | null | undefined
+) {
+    const d = detectRoleMappingConfig(stored);
+    setMode(d.mode);
+    setFixed(d.fixedRoleNames);
+    setClaim(d.mappingBuilder.claimPath);
+    setRules(d.mappingBuilder.rules);
+    setRaw(d.rawExpression);
+}
+
 export default function PoliciesPage() {
     const { env } = useEnvContext();
     const api = createApiClient({ env });
-    const router = useRouter();
     const { idpId } = useParams();
     const t = useTranslations();
 
@@ -88,14 +111,39 @@ export default function PoliciesPage() {
     const [showAddDialog, setShowAddDialog] = useState(false);
     const [editingPolicy, setEditingPolicy] = useState<PolicyRow | null>(null);
 
+    const [defaultRoleMappingMode, setDefaultRoleMappingMode] =
+        useState<RoleMappingMode>("fixedRoles");
+    const [defaultFixedRoleNames, setDefaultFixedRoleNames] = useState<
+        string[]
+    >([]);
+    const [defaultMappingBuilderClaimPath, setDefaultMappingBuilderClaimPath] =
+        useState("groups");
+    const [defaultMappingBuilderRules, setDefaultMappingBuilderRules] =
+        useState<MappingBuilderRule[]>([createMappingBuilderRule()]);
+    const [defaultRawRoleExpression, setDefaultRawRoleExpression] =
+        useState("");
+
+    const [policyRoleMappingMode, setPolicyRoleMappingMode] =
+        useState<RoleMappingMode>("fixedRoles");
+    const [policyFixedRoleNames, setPolicyFixedRoleNames] = useState<string[]>(
+        []
+    );
+    const [policyMappingBuilderClaimPath, setPolicyMappingBuilderClaimPath] =
+        useState("groups");
+    const [policyMappingBuilderRules, setPolicyMappingBuilderRules] = useState<
+        MappingBuilderRule[]
+    >([createMappingBuilderRule()]);
+    const [policyRawRoleExpression, setPolicyRawRoleExpression] = useState("");
+    const [policyOrgRoles, setPolicyOrgRoles] = useState<
+        { roleId: number; name: string }[]
+    >([]);
+
     const policyFormSchema = z.object({
         orgId: z.string().min(1, { message: t("orgRequired") }),
-        roleMapping: z.string().optional(),
         orgMapping: z.string().optional()
     });
 
     const defaultMappingsSchema = z.object({
-        defaultRoleMapping: z.string().optional(),
         defaultOrgMapping: z.string().optional()
     });
 
@@ -106,15 +154,15 @@ export default function PoliciesPage() {
         resolver: zodResolver(policyFormSchema),
         defaultValues: {
             orgId: "",
-            roleMapping: "",
             orgMapping: ""
         }
     });
 
+    const policyFormOrgId = form.watch("orgId");
+
     const defaultMappingsForm = useForm({
         resolver: zodResolver(defaultMappingsSchema),
         defaultValues: {
-            defaultRoleMapping: "",
             defaultOrgMapping: ""
         }
     });
@@ -127,9 +175,16 @@ export default function PoliciesPage() {
             if (res.status === 200) {
                 const data = res.data.data;
                 defaultMappingsForm.reset({
-                    defaultRoleMapping: data.idp.defaultRoleMapping || "",
                     defaultOrgMapping: data.idp.defaultOrgMapping || ""
                 });
+                resetRoleMappingStateFromDetected(
+                    setDefaultRoleMappingMode,
+                    setDefaultFixedRoleNames,
+                    setDefaultMappingBuilderClaimPath,
+                    setDefaultMappingBuilderRules,
+                    setDefaultRawRoleExpression,
+                    data.idp.defaultRoleMapping
+                );
             }
         } catch (e) {
             toast({
@@ -184,11 +239,67 @@ export default function PoliciesPage() {
         load();
     }, [idpId]);
 
+    useEffect(() => {
+        if (!showAddDialog) {
+            return;
+        }
+
+        const orgId = editingPolicy?.orgId || policyFormOrgId;
+        if (!orgId) {
+            setPolicyOrgRoles([]);
+            return;
+        }
+
+        let cancelled = false;
+        (async () => {
+            const res = await api
+                .get<AxiosResponse<ListRolesResponse>>(`/org/${orgId}/roles`)
+                .catch((e) => {
+                    console.error(e);
+                    toast({
+                        variant: "destructive",
+                        title: t("accessRoleErrorFetch"),
+                        description: formatAxiosError(
+                            e,
+                            t("accessRoleErrorFetchDescription")
+                        )
+                    });
+                    return null;
+                });
+            if (!cancelled && res?.status === 200) {
+                setPolicyOrgRoles(res.data.data.roles);
+            }
+        })();
+
+        return () => {
+            cancelled = true;
+        };
+    }, [showAddDialog, editingPolicy?.orgId, policyFormOrgId, api, t]);
+
+    function resetPolicyDialogRoleMappingState() {
+        const d = defaultRoleMappingConfig();
+        setPolicyRoleMappingMode(d.mode);
+        setPolicyFixedRoleNames(d.fixedRoleNames);
+        setPolicyMappingBuilderClaimPath(d.mappingBuilder.claimPath);
+        setPolicyMappingBuilderRules(d.mappingBuilder.rules);
+        setPolicyRawRoleExpression(d.rawExpression);
+    }
+
     const onAddPolicy = async (data: PolicyFormValues) => {
+        const roleMappingExpression = compileRoleMappingExpression({
+            mode: policyRoleMappingMode,
+            fixedRoleNames: policyFixedRoleNames,
+            mappingBuilder: {
+                claimPath: policyMappingBuilderClaimPath,
+                rules: policyMappingBuilderRules
+            },
+            rawExpression: policyRawRoleExpression
+        });
+
         setAddPolicyLoading(true);
         try {
             const res = await api.put(`/idp/${idpId}/org/${data.orgId}`, {
-                roleMapping: data.roleMapping,
+                roleMapping: roleMappingExpression,
                 orgMapping: data.orgMapping
             });
             if (res.status === 201) {
@@ -197,7 +308,7 @@ export default function PoliciesPage() {
                     name:
                         organizations.find((org) => org.orgId === data.orgId)
                             ?.name || "",
-                    roleMapping: data.roleMapping,
+                    roleMapping: roleMappingExpression,
                     orgMapping: data.orgMapping
                 };
                 setPolicies([...policies, newPolicy]);
@@ -207,6 +318,7 @@ export default function PoliciesPage() {
                 });
                 setShowAddDialog(false);
                 form.reset();
+                resetPolicyDialogRoleMappingState();
             }
         } catch (e) {
             toast({
@@ -222,12 +334,22 @@ export default function PoliciesPage() {
     const onEditPolicy = async (data: PolicyFormValues) => {
         if (!editingPolicy) return;
 
+        const roleMappingExpression = compileRoleMappingExpression({
+            mode: policyRoleMappingMode,
+            fixedRoleNames: policyFixedRoleNames,
+            mappingBuilder: {
+                claimPath: policyMappingBuilderClaimPath,
+                rules: policyMappingBuilderRules
+            },
+            rawExpression: policyRawRoleExpression
+        });
+
         setEditPolicyLoading(true);
         try {
             const res = await api.post(
                 `/idp/${idpId}/org/${editingPolicy.orgId}`,
                 {
-                    roleMapping: data.roleMapping,
+                    roleMapping: roleMappingExpression,
                     orgMapping: data.orgMapping
                 }
             );
@@ -237,7 +359,7 @@ export default function PoliciesPage() {
                         policy.orgId === editingPolicy.orgId
                             ? {
                                   ...policy,
-                                  roleMapping: data.roleMapping,
+                                  roleMapping: roleMappingExpression,
                                   orgMapping: data.orgMapping
                               }
                             : policy
@@ -250,6 +372,7 @@ export default function PoliciesPage() {
                 setShowAddDialog(false);
                 setEditingPolicy(null);
                 form.reset();
+                resetPolicyDialogRoleMappingState();
             }
         } catch (e) {
             toast({
@@ -287,10 +410,20 @@ export default function PoliciesPage() {
     };
 
     const onUpdateDefaultMappings = async (data: DefaultMappingsValues) => {
+        const defaultRoleMappingExpression = compileRoleMappingExpression({
+            mode: defaultRoleMappingMode,
+            fixedRoleNames: defaultFixedRoleNames,
+            mappingBuilder: {
+                claimPath: defaultMappingBuilderClaimPath,
+                rules: defaultMappingBuilderRules
+            },
+            rawExpression: defaultRawRoleExpression
+        });
+
         setUpdateDefaultMappingsLoading(true);
         try {
             const res = await api.post(`/idp/${idpId}/oidc`, {
-                defaultRoleMapping: data.defaultRoleMapping,
+                defaultRoleMapping: defaultRoleMappingExpression,
                 defaultOrgMapping: data.defaultOrgMapping
             });
             if (res.status === 200) {
@@ -317,25 +450,36 @@ export default function PoliciesPage() {
     return (
         <>
             <SettingsContainer>
-                <Alert variant="neutral" className="mb-6">
-                    <InfoIcon className="h-4 w-4" />
-                    <AlertTitle className="font-semibold">
-                        {t("orgPoliciesAbout")}
-                    </AlertTitle>
-                    <AlertDescription>
-                        {/*TODO(vlalx): Validate replacing */}
-                        {t("orgPoliciesAboutDescription")}{" "}
-                        <Link
-                            href="https://docs.pangolin.net/manage/identity-providers/auto-provisioning"
-                            target="_blank"
-                            rel="noopener noreferrer"
-                            className="text-primary hover:underline"
-                        >
-                            {t("orgPoliciesAboutDescriptionLink")}
-                            <ExternalLink className="ml-1 h-4 w-4 inline" />
-                        </Link>
-                    </AlertDescription>
-                </Alert>
+                <PolicyTable
+                    policies={policies}
+                    onDelete={onDeletePolicy}
+                    onAdd={() => {
+                        loadOrganizations();
+                        form.reset({
+                            orgId: "",
+                            orgMapping: ""
+                        });
+                        setEditingPolicy(null);
+                        resetPolicyDialogRoleMappingState();
+                        setShowAddDialog(true);
+                    }}
+                    onEdit={(policy) => {
+                        setEditingPolicy(policy);
+                        form.reset({
+                            orgId: policy.orgId,
+                            orgMapping: policy.orgMapping || ""
+                        });
+                        resetRoleMappingStateFromDetected(
+                            setPolicyRoleMappingMode,
+                            setPolicyFixedRoleNames,
+                            setPolicyMappingBuilderClaimPath,
+                            setPolicyMappingBuilderRules,
+                            setPolicyRawRoleExpression,
+                            policy.roleMapping
+                        );
+                        setShowAddDialog(true);
+                    }}
+                />
 
                 <SettingsSection>
                     <SettingsSectionHeader>
@@ -353,51 +497,58 @@ export default function PoliciesPage() {
                                     onUpdateDefaultMappings
                                 )}
                                 id="policy-default-mappings-form"
-                                className="space-y-4"
+                                className="space-y-6"
                             >
-                                <div className="grid gap-6 md:grid-cols-2">
-                                    <FormField
-                                        control={defaultMappingsForm.control}
-                                        name="defaultRoleMapping"
-                                        render={({ field }) => (
-                                            <FormItem>
-                                                <FormLabel>
-                                                    {t("defaultMappingsRole")}
-                                                </FormLabel>
-                                                <FormControl>
-                                                    <Input {...field} />
-                                                </FormControl>
-                                                <FormDescription>
-                                                    {t(
-                                                        "defaultMappingsRoleDescription"
-                                                    )}
-                                                </FormDescription>
-                                                <FormMessage />
-                                            </FormItem>
-                                        )}
-                                    />
+                                <RoleMappingConfigFields
+                                    fieldIdPrefix="admin-idp-default-role"
+                                    showFreeformRoleNamesHint={true}
+                                    roleMappingMode={defaultRoleMappingMode}
+                                    onRoleMappingModeChange={
+                                        setDefaultRoleMappingMode
+                                    }
+                                    roles={[]}
+                                    fixedRoleNames={defaultFixedRoleNames}
+                                    onFixedRoleNamesChange={
+                                        setDefaultFixedRoleNames
+                                    }
+                                    mappingBuilderClaimPath={
+                                        defaultMappingBuilderClaimPath
+                                    }
+                                    onMappingBuilderClaimPathChange={
+                                        setDefaultMappingBuilderClaimPath
+                                    }
+                                    mappingBuilderRules={
+                                        defaultMappingBuilderRules
+                                    }
+                                    onMappingBuilderRulesChange={
+                                        setDefaultMappingBuilderRules
+                                    }
+                                    rawExpression={defaultRawRoleExpression}
+                                    onRawExpressionChange={
+                                        setDefaultRawRoleExpression
+                                    }
+                                />
 
-                                    <FormField
-                                        control={defaultMappingsForm.control}
-                                        name="defaultOrgMapping"
-                                        render={({ field }) => (
-                                            <FormItem>
-                                                <FormLabel>
-                                                    {t("defaultMappingsOrg")}
-                                                </FormLabel>
-                                                <FormControl>
-                                                    <Input {...field} />
-                                                </FormControl>
-                                                <FormDescription>
-                                                    {t(
-                                                        "defaultMappingsOrgDescription"
-                                                    )}
-                                                </FormDescription>
-                                                <FormMessage />
-                                            </FormItem>
-                                        )}
-                                    />
-                                </div>
+                                <FormField
+                                    control={defaultMappingsForm.control}
+                                    name="defaultOrgMapping"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormLabel>
+                                                {t("defaultMappingsOrg")}
+                                            </FormLabel>
+                                            <FormControl>
+                                                <Input {...field} />
+                                            </FormControl>
+                                            <FormDescription>
+                                                {t(
+                                                    "defaultMappingsOrgDescription"
+                                                )}
+                                            </FormDescription>
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
                             </form>
                         </Form>
                         <SettingsSectionFooter>
@@ -411,41 +562,20 @@ export default function PoliciesPage() {
                         </SettingsSectionFooter>
                     </SettingsSectionBody>
                 </SettingsSection>
-
-                <PolicyTable
-                    policies={policies}
-                    onDelete={onDeletePolicy}
-                    onAdd={() => {
-                        loadOrganizations();
-                        form.reset({
-                            orgId: "",
-                            roleMapping: "",
-                            orgMapping: ""
-                        });
-                        setEditingPolicy(null);
-                        setShowAddDialog(true);
-                    }}
-                    onEdit={(policy) => {
-                        setEditingPolicy(policy);
-                        form.reset({
-                            orgId: policy.orgId,
-                            roleMapping: policy.roleMapping || "",
-                            orgMapping: policy.orgMapping || ""
-                        });
-                        setShowAddDialog(true);
-                    }}
-                />
             </SettingsContainer>
 
             <Credenza
                 open={showAddDialog}
                 onOpenChange={(val) => {
                     setShowAddDialog(val);
-                    setEditingPolicy(null);
-                    form.reset();
+                    if (!val) {
+                        setEditingPolicy(null);
+                        form.reset();
+                        resetPolicyDialogRoleMappingState();
+                    }
                 }}
             >
-                <CredenzaContent>
+                <CredenzaContent className="max-w-4xl w-[calc(100vw-2rem)] sm:w-full">
                     <CredenzaHeader>
                         <CredenzaTitle>
                             {editingPolicy
@@ -456,7 +586,7 @@ export default function PoliciesPage() {
                             {t("orgPolicyConfig")}
                         </CredenzaDescription>
                     </CredenzaHeader>
-                    <CredenzaBody>
+                    <CredenzaBody className="min-w-0 overflow-x-auto">
                         <Form {...form}>
                             <form
                                 onSubmit={form.handleSubmit(
@@ -557,25 +687,34 @@ export default function PoliciesPage() {
                                     )}
                                 />
 
-                                <FormField
-                                    control={form.control}
-                                    name="roleMapping"
-                                    render={({ field }) => (
-                                        <FormItem>
-                                            <FormLabel>
-                                                {t("roleMappingPathOptional")}
-                                            </FormLabel>
-                                            <FormControl>
-                                                <Input {...field} />
-                                            </FormControl>
-                                            <FormDescription>
-                                                {t(
-                                                    "defaultMappingsRoleDescription"
-                                                )}
-                                            </FormDescription>
-                                            <FormMessage />
-                                        </FormItem>
-                                    )}
+                                <RoleMappingConfigFields
+                                    fieldIdPrefix="admin-idp-policy-role"
+                                    showFreeformRoleNamesHint={false}
+                                    roleMappingMode={policyRoleMappingMode}
+                                    onRoleMappingModeChange={
+                                        setPolicyRoleMappingMode
+                                    }
+                                    roles={policyOrgRoles}
+                                    fixedRoleNames={policyFixedRoleNames}
+                                    onFixedRoleNamesChange={
+                                        setPolicyFixedRoleNames
+                                    }
+                                    mappingBuilderClaimPath={
+                                        policyMappingBuilderClaimPath
+                                    }
+                                    onMappingBuilderClaimPathChange={
+                                        setPolicyMappingBuilderClaimPath
+                                    }
+                                    mappingBuilderRules={
+                                        policyMappingBuilderRules
+                                    }
+                                    onMappingBuilderRulesChange={
+                                        setPolicyMappingBuilderRules
+                                    }
+                                    rawExpression={policyRawRoleExpression}
+                                    onRawExpressionChange={
+                                        setPolicyRawRoleExpression
+                                    }
                                 />
 
                                 <FormField
diff --git a/src/app/admin/idp/create/page.tsx b/src/app/admin/idp/create/page.tsx
index acb2f3582..91b55da23 100644
--- a/src/app/admin/idp/create/page.tsx
+++ b/src/app/admin/idp/create/page.tsx
@@ -340,16 +340,6 @@ export default function Page() {
                                         />
                                     </form>
                                 </Form>
-
-                                <Alert variant="neutral">
-                                    <InfoIcon className="h-4 w-4" />
-                                    <AlertTitle className="font-semibold">
-                                        {t("idpOidcConfigureAlert")}
-                                    </AlertTitle>
-                                    <AlertDescription>
-                                        {t("idpOidcConfigureAlertDescription")}
-                                    </AlertDescription>
-                                </Alert>
                             </SettingsSectionBody>
                         </SettingsSection>
 
@@ -369,29 +359,6 @@ export default function Page() {
                                         id="create-idp-form"
                                         onSubmit={form.handleSubmit(onSubmit)}
                                     >
-                                        <Alert variant="neutral">
-                                            <InfoIcon className="h-4 w-4" />
-                                            <AlertTitle className="font-semibold">
-                                                {t("idpJmespathAbout")}
-                                            </AlertTitle>
-                                            <AlertDescription>
-                                                {t(
-                                                    "idpJmespathAboutDescription"
-                                                )}{" "}
-                                                <a
-                                                    href="https://jmespath.org"
-                                                    target="_blank"
-                                                    rel="noopener noreferrer"
-                                                    className="text-primary hover:underline inline-flex items-center"
-                                                >
-                                                    {t(
-                                                        "idpJmespathAboutDescriptionLink"
-                                                    )}{" "}
-                                                    <ExternalLink className="ml-1 h-4 w-4" />
-                                                </a>
-                                            </AlertDescription>
-                                        </Alert>
-
                                         <FormField
                                             control={form.control}
                                             name="identifierPath"
diff --git a/src/components/AutoProvisionConfigWidget.tsx b/src/components/AutoProvisionConfigWidget.tsx
index 44ee8c6e0..59849989a 100644
--- a/src/components/AutoProvisionConfigWidget.tsx
+++ b/src/components/AutoProvisionConfigWidget.tsx
@@ -1,23 +1,15 @@
 "use client";
 
-import {
-    FormLabel,
-    FormDescription
-} from "@app/components/ui/form";
+import { FormDescription } from "@app/components/ui/form";
 import { SwitchInput } from "@app/components/SwitchInput";
-import { RadioGroup, RadioGroupItem } from "@app/components/ui/radio-group";
-import { Button } from "@app/components/ui/button";
-import { Input } from "@app/components/ui/input";
 import { useTranslations } from "next-intl";
-import { useMemo, useState } from "react";
 import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
-import { Tag, TagInput } from "@app/components/tags/tag-input";
 import {
-    createMappingBuilderRule,
     MappingBuilderRule,
     RoleMappingMode
 } from "@app/lib/idpRoleMapping";
+import RoleMappingConfigFields from "@app/components/RoleMappingConfigFields";
 
 type Role = {
     roleId: number;
@@ -57,18 +49,6 @@ export default function AutoProvisionConfigWidget({
 }: AutoProvisionConfigWidgetProps) {
     const t = useTranslations();
     const { isPaidUser } = usePaidStatus();
-    const [activeFixedRoleTagIndex, setActiveFixedRoleTagIndex] = useState<
-        number | null
-    >(null);
-
-    const roleOptions = useMemo(
-        () =>
-            roles.map((role) => ({
-                id: role.name,
-                text: role.name
-            })),
-        [roles]
-    );
 
     return (
         <div className="space-y-4">
@@ -80,261 +60,30 @@ export default function AutoProvisionConfigWidget({
                     onCheckedChange={onAutoProvisionChange}
                     disabled={!isPaidUser(tierMatrix.autoProvisioning)}
                 />
-                <span className="text-sm text-muted-foreground">
+                <FormDescription className="text-sm text-muted-foreground">
                     {t("idpAutoProvisionUsersDescription")}
-                </span>
+                </FormDescription>
             </div>
 
             {autoProvision && (
-                <div className="space-y-4">
-                    <div>
-                        <FormLabel className="mb-2">
-                            {t("roleMapping")}
-                        </FormLabel>
-                        <FormDescription className="mb-4">
-                            {t("roleMappingDescription")}
-                        </FormDescription>
-
-                        <RadioGroup
-                            value={roleMappingMode}
-                            onValueChange={onRoleMappingModeChange}
-                            className="flex flex-wrap gap-x-6 gap-y-2"
-                        >
-                            <div className="flex items-center space-x-2">
-                                <RadioGroupItem
-                                    value="fixedRoles"
-                                    id="fixed-roles-mode"
-                                />
-                                <label
-                                    htmlFor="fixed-roles-mode"
-                                    className="text-sm font-medium"
-                                >
-                                    Fixed roles
-                                </label>
-                            </div>
-                            <div className="flex items-center space-x-2">
-                                <RadioGroupItem
-                                    value="mappingBuilder"
-                                    id="mapping-builder-mode"
-                                />
-                                <label
-                                    htmlFor="mapping-builder-mode"
-                                    className="text-sm font-medium"
-                                >
-                                    Mapping builder
-                                </label>
-                            </div>
-                            <div className="flex items-center space-x-2">
-                                <RadioGroupItem
-                                    value="rawExpression"
-                                    id="expression-mode"
-                                />
-                                <label
-                                    htmlFor="expression-mode"
-                                    className="text-sm font-medium"
-                                >
-                                    Raw expression
-                                </label>
-                            </div>
-                        </RadioGroup>
-                    </div>
-
-                    {roleMappingMode === "fixedRoles" && (
-                        <div className="space-y-2">
-                            <TagInput
-                                tags={fixedRoleNames.map((name) => ({
-                                    id: name,
-                                    text: name
-                                }))}
-                                setTags={(nextTags) => {
-                                    const next =
-                                        typeof nextTags === "function"
-                                            ? nextTags(
-                                                  fixedRoleNames.map((name) => ({
-                                                      id: name,
-                                                      text: name
-                                                  }))
-                                              )
-                                            : nextTags;
-
-                                    onFixedRoleNamesChange(
-                                        [...new Set(next.map((tag) => tag.text))]
-                                    );
-                                }}
-                                activeTagIndex={activeFixedRoleTagIndex}
-                                setActiveTagIndex={setActiveFixedRoleTagIndex}
-                                placeholder="Select one or more roles"
-                                enableAutocomplete={true}
-                                autocompleteOptions={roleOptions}
-                                restrictTagsToAutocompleteOptions={true}
-                                allowDuplicates={false}
-                                sortTags={true}
-                                size="sm"
-                            />
-                            <FormDescription>
-                                Assign the same role set to every auto-provisioned
-                                user.
-                            </FormDescription>
-                        </div>
-                    )}
-
-                    {roleMappingMode === "mappingBuilder" && (
-                        <div className="space-y-4 rounded-md border p-3">
-                            <div className="space-y-2">
-                                <FormLabel>Claim path</FormLabel>
-                                <Input
-                                    value={mappingBuilderClaimPath}
-                                    onChange={(e) =>
-                                        onMappingBuilderClaimPathChange(
-                                            e.target.value
-                                        )
-                                    }
-                                    placeholder="groups"
-                                />
-                                <FormDescription>
-                                    Path in the token payload that contains source
-                                    values (for example, groups).
-                                </FormDescription>
-                            </div>
-
-                            <div className="space-y-3">
-                                <div className="hidden md:grid md:grid-cols-[minmax(220px,1fr)_minmax(340px,2fr)_auto] md:gap-3">
-                                    <FormLabel>Match value</FormLabel>
-                                    <FormLabel>Assign roles</FormLabel>
-                                    <span />
-                                </div>
-
-                                {mappingBuilderRules.map((rule, index) => (
-                                    <BuilderRuleRow
-                                        key={rule.id ?? `mapping-rule-${index}`}
-                                        roleOptions={roleOptions}
-                                        rule={rule}
-                                        onChange={(nextRule) => {
-                                            const nextRules =
-                                                mappingBuilderRules.map(
-                                                    (row, i) =>
-                                                        i === index
-                                                            ? nextRule
-                                                            : row
-                                                );
-                                            onMappingBuilderRulesChange(
-                                                nextRules
-                                            );
-                                        }}
-                                        onRemove={() => {
-                                            const nextRules =
-                                                mappingBuilderRules.filter(
-                                                    (_, i) => i !== index
-                                                );
-                                            onMappingBuilderRulesChange(
-                                                nextRules.length
-                                                    ? nextRules
-                                                    : [createMappingBuilderRule()]
-                                            );
-                                        }}
-                                    />
-                                ))}
-                            </div>
-
-                            <Button
-                                type="button"
-                                variant="outline"
-                                onClick={() => {
-                                    onMappingBuilderRulesChange([
-                                        ...mappingBuilderRules,
-                                        createMappingBuilderRule()
-                                    ]);
-                                }}
-                            >
-                                Add mapping rule
-                            </Button>
-                        </div>
-                    )}
-
-                    {roleMappingMode === "rawExpression" && (
-                        <div className="space-y-2">
-                            <Input
-                                value={rawExpression}
-                                onChange={(e) =>
-                                    onRawExpressionChange(e.target.value)
-                                }
-                                placeholder={t("roleMappingExpressionPlaceholder")}
-                            />
-                            <FormDescription>
-                                Expression must evaluate to a string or string
-                                array.
-                            </FormDescription>
-                        </div>
-                    )}
-                </div>
+                <RoleMappingConfigFields
+                    fieldIdPrefix="org-idp-auto-provision"
+                    showFreeformRoleNamesHint={false}
+                    roleMappingMode={roleMappingMode}
+                    onRoleMappingModeChange={onRoleMappingModeChange}
+                    roles={roles}
+                    fixedRoleNames={fixedRoleNames}
+                    onFixedRoleNamesChange={onFixedRoleNamesChange}
+                    mappingBuilderClaimPath={mappingBuilderClaimPath}
+                    onMappingBuilderClaimPathChange={
+                        onMappingBuilderClaimPathChange
+                    }
+                    mappingBuilderRules={mappingBuilderRules}
+                    onMappingBuilderRulesChange={onMappingBuilderRulesChange}
+                    rawExpression={rawExpression}
+                    onRawExpressionChange={onRawExpressionChange}
+                />
             )}
         </div>
     );
 }
-
-function BuilderRuleRow({
-    rule,
-    roleOptions,
-    onChange,
-    onRemove
-}: {
-    rule: MappingBuilderRule;
-    roleOptions: Tag[];
-    onChange: (rule: MappingBuilderRule) => void;
-    onRemove: () => void;
-}) {
-    const [activeTagIndex, setActiveTagIndex] = useState<number | null>(null);
-
-    return (
-        <div className="grid gap-3 rounded-md border p-3 md:grid-cols-[minmax(220px,1fr)_minmax(340px,2fr)_auto] md:items-start">
-            <div className="space-y-1">
-                <FormLabel className="text-xs md:hidden">Match value</FormLabel>
-                <Input
-                    value={rule.matchValue}
-                    onChange={(e) =>
-                        onChange({
-                            ...rule,
-                            matchValue: e.target.value
-                        })
-                    }
-                    placeholder="Match value (for example: admin)"
-                />
-            </div>
-            <div className="space-y-1 min-w-0">
-                <FormLabel className="text-xs md:hidden">Assign roles</FormLabel>
-                <TagInput
-                    tags={rule.roleNames.map((name) => ({ id: name, text: name }))}
-                    setTags={(nextTags) => {
-                        const next =
-                            typeof nextTags === "function"
-                                ? nextTags(
-                                      rule.roleNames.map((name) => ({
-                                          id: name,
-                                          text: name
-                                      }))
-                                  )
-                                : nextTags;
-                        onChange({
-                            ...rule,
-                            roleNames: [...new Set(next.map((tag) => tag.text))]
-                        });
-                    }}
-                    activeTagIndex={activeTagIndex}
-                    setActiveTagIndex={setActiveTagIndex}
-                    placeholder="Assign roles"
-                    enableAutocomplete={true}
-                    autocompleteOptions={roleOptions}
-                    restrictTagsToAutocompleteOptions={true}
-                    allowDuplicates={false}
-                    sortTags={true}
-                    size="sm"
-                />
-            </div>
-            <div className="flex justify-end md:justify-start">
-                <Button type="button" variant="ghost" onClick={onRemove}>
-                    Remove
-                </Button>
-            </div>
-        </div>
-    );
-}
diff --git a/src/components/RoleMappingConfigFields.tsx b/src/components/RoleMappingConfigFields.tsx
new file mode 100644
index 000000000..4fe1a037b
--- /dev/null
+++ b/src/components/RoleMappingConfigFields.tsx
@@ -0,0 +1,366 @@
+"use client";
+
+import { FormLabel, FormDescription } from "@app/components/ui/form";
+import { RadioGroup, RadioGroupItem } from "@app/components/ui/radio-group";
+import { Button } from "@app/components/ui/button";
+import { Input } from "@app/components/ui/input";
+import { useTranslations } from "next-intl";
+import { useMemo, useState } from "react";
+import { Tag, TagInput } from "@app/components/tags/tag-input";
+import {
+    createMappingBuilderRule,
+    MappingBuilderRule,
+    RoleMappingMode
+} from "@app/lib/idpRoleMapping";
+
+export type RoleMappingRoleOption = {
+    roleId: number;
+    name: string;
+};
+
+export type RoleMappingConfigFieldsProps = {
+    roleMappingMode: RoleMappingMode;
+    onRoleMappingModeChange: (mode: RoleMappingMode) => void;
+    roles: RoleMappingRoleOption[];
+    fixedRoleNames: string[];
+    onFixedRoleNamesChange: (roleNames: string[]) => void;
+    mappingBuilderClaimPath: string;
+    onMappingBuilderClaimPathChange: (claimPath: string) => void;
+    mappingBuilderRules: MappingBuilderRule[];
+    onMappingBuilderRulesChange: (rules: MappingBuilderRule[]) => void;
+    rawExpression: string;
+    onRawExpressionChange: (expression: string) => void;
+    /** Unique prefix for radio `id`/`htmlFor` when multiple instances exist on one page. */
+    fieldIdPrefix?: string;
+    /** When true, show extra hint for global default policies (no org role list). */
+    showFreeformRoleNamesHint?: boolean;
+};
+
+export default function RoleMappingConfigFields({
+    roleMappingMode,
+    onRoleMappingModeChange,
+    roles,
+    fixedRoleNames,
+    onFixedRoleNamesChange,
+    mappingBuilderClaimPath,
+    onMappingBuilderClaimPathChange,
+    mappingBuilderRules,
+    onMappingBuilderRulesChange,
+    rawExpression,
+    onRawExpressionChange,
+    fieldIdPrefix = "role-mapping",
+    showFreeformRoleNamesHint = false
+}: RoleMappingConfigFieldsProps) {
+    const t = useTranslations();
+    const [activeFixedRoleTagIndex, setActiveFixedRoleTagIndex] = useState<
+        number | null
+    >(null);
+
+    const restrictToOrgRoles = roles.length > 0;
+
+    const roleOptions = useMemo(
+        () =>
+            roles.map((role) => ({
+                id: role.name,
+                text: role.name
+            })),
+        [roles]
+    );
+
+    const fixedRadioId = `${fieldIdPrefix}-fixed-roles-mode`;
+    const builderRadioId = `${fieldIdPrefix}-mapping-builder-mode`;
+    const rawRadioId = `${fieldIdPrefix}-raw-expression-mode`;
+
+    /** Same template on header + rows so 1fr/1.75fr columns line up (auto third col differs per row otherwise). */
+    const mappingRulesGridClass =
+        "md:grid md:grid-cols-[minmax(0,1fr)_minmax(0,1.75fr)_6rem] md:gap-x-3";
+
+    return (
+        <div className="space-y-4">
+            <div>
+                <FormLabel className="mb-2">{t("roleMapping")}</FormLabel>
+                <FormDescription className="mb-4">
+                    {t("roleMappingDescription")}
+                </FormDescription>
+
+                <RadioGroup
+                    value={roleMappingMode}
+                    onValueChange={onRoleMappingModeChange}
+                    className="flex flex-wrap gap-x-6 gap-y-2"
+                >
+                    <div className="flex items-center space-x-2">
+                        <RadioGroupItem value="fixedRoles" id={fixedRadioId} />
+                        <label
+                            htmlFor={fixedRadioId}
+                            className="text-sm font-medium"
+                        >
+                            {t("roleMappingModeFixedRoles")}
+                        </label>
+                    </div>
+                    <div className="flex items-center space-x-2">
+                        <RadioGroupItem
+                            value="mappingBuilder"
+                            id={builderRadioId}
+                        />
+                        <label
+                            htmlFor={builderRadioId}
+                            className="text-sm font-medium"
+                        >
+                            {t("roleMappingModeMappingBuilder")}
+                        </label>
+                    </div>
+                    <div className="flex items-center space-x-2">
+                        <RadioGroupItem value="rawExpression" id={rawRadioId} />
+                        <label
+                            htmlFor={rawRadioId}
+                            className="text-sm font-medium"
+                        >
+                            {t("roleMappingModeRawExpression")}
+                        </label>
+                    </div>
+                </RadioGroup>
+            </div>
+
+            {roleMappingMode === "fixedRoles" && (
+                <div className="space-y-2 min-w-0 max-w-full">
+                    <TagInput
+                        tags={fixedRoleNames.map((name) => ({
+                            id: name,
+                            text: name
+                        }))}
+                        setTags={(nextTags) => {
+                            const next =
+                                typeof nextTags === "function"
+                                    ? nextTags(
+                                          fixedRoleNames.map((name) => ({
+                                              id: name,
+                                              text: name
+                                          }))
+                                      )
+                                    : nextTags;
+
+                            onFixedRoleNamesChange([
+                                ...new Set(next.map((tag) => tag.text))
+                            ]);
+                        }}
+                        activeTagIndex={activeFixedRoleTagIndex}
+                        setActiveTagIndex={setActiveFixedRoleTagIndex}
+                        placeholder={
+                            restrictToOrgRoles
+                                ? t("roleMappingFixedRolesPlaceholderSelect")
+                                : t("roleMappingFixedRolesPlaceholderFreeform")
+                        }
+                        enableAutocomplete={restrictToOrgRoles}
+                        autocompleteOptions={roleOptions}
+                        restrictTagsToAutocompleteOptions={restrictToOrgRoles}
+                        allowDuplicates={false}
+                        sortTags={true}
+                        size="sm"
+                    />
+                    <FormDescription>
+                        {showFreeformRoleNamesHint
+                            ? t("roleMappingFixedRolesDescriptionDefaultPolicy")
+                            : t("roleMappingFixedRolesDescriptionSameForAll")}
+                    </FormDescription>
+                </div>
+            )}
+
+            {roleMappingMode === "mappingBuilder" && (
+                <div className="space-y-4 rounded-md border p-3 min-w-0 max-w-full">
+                    <div className="space-y-2">
+                        <FormLabel>{t("roleMappingClaimPath")}</FormLabel>
+                        <Input
+                            value={mappingBuilderClaimPath}
+                            onChange={(e) =>
+                                onMappingBuilderClaimPathChange(e.target.value)
+                            }
+                            placeholder={t("roleMappingClaimPathPlaceholder")}
+                        />
+                        <FormDescription>
+                            {t("roleMappingClaimPathDescription")}
+                        </FormDescription>
+                    </div>
+
+                    <div className="space-y-3">
+                        <div
+                            className={`hidden ${mappingRulesGridClass} md:items-end`}
+                        >
+                            <FormLabel className="min-w-0">
+                                {t("roleMappingMatchValue")}
+                            </FormLabel>
+                            <FormLabel className="min-w-0">
+                                {t("roleMappingAssignRoles")}
+                            </FormLabel>
+                            <span aria-hidden className="min-w-0" />
+                        </div>
+
+                        {mappingBuilderRules.map((rule, index) => (
+                            <BuilderRuleRow
+                                key={rule.id ?? `mapping-rule-${index}`}
+                                mappingRulesGridClass={mappingRulesGridClass}
+                                fieldIdPrefix={`${fieldIdPrefix}-rule-${index}`}
+                                roleOptions={roleOptions}
+                                restrictToOrgRoles={restrictToOrgRoles}
+                                showFreeformRoleNamesHint={
+                                    showFreeformRoleNamesHint
+                                }
+                                rule={rule}
+                                onChange={(nextRule) => {
+                                    const nextRules = mappingBuilderRules.map(
+                                        (row, i) =>
+                                            i === index ? nextRule : row
+                                    );
+                                    onMappingBuilderRulesChange(nextRules);
+                                }}
+                                onRemove={() => {
+                                    const nextRules =
+                                        mappingBuilderRules.filter(
+                                            (_, i) => i !== index
+                                        );
+                                    onMappingBuilderRulesChange(
+                                        nextRules.length
+                                            ? nextRules
+                                            : [createMappingBuilderRule()]
+                                    );
+                                }}
+                            />
+                        ))}
+                    </div>
+
+                    <Button
+                        type="button"
+                        variant="outline"
+                        onClick={() => {
+                            onMappingBuilderRulesChange([
+                                ...mappingBuilderRules,
+                                createMappingBuilderRule()
+                            ]);
+                        }}
+                    >
+                        {t("roleMappingAddMappingRule")}
+                    </Button>
+                </div>
+            )}
+
+            {roleMappingMode === "rawExpression" && (
+                <div className="space-y-2">
+                    <Input
+                        value={rawExpression}
+                        onChange={(e) => onRawExpressionChange(e.target.value)}
+                        placeholder={t("roleMappingExpressionPlaceholder")}
+                    />
+                    <FormDescription>
+                        {t("roleMappingRawExpressionResultDescription")}
+                    </FormDescription>
+                </div>
+            )}
+        </div>
+    );
+}
+
+function BuilderRuleRow({
+    rule,
+    roleOptions,
+    restrictToOrgRoles,
+    showFreeformRoleNamesHint,
+    fieldIdPrefix,
+    mappingRulesGridClass,
+    onChange,
+    onRemove
+}: {
+    rule: MappingBuilderRule;
+    roleOptions: Tag[];
+    restrictToOrgRoles: boolean;
+    showFreeformRoleNamesHint: boolean;
+    fieldIdPrefix: string;
+    mappingRulesGridClass: string;
+    onChange: (rule: MappingBuilderRule) => void;
+    onRemove: () => void;
+}) {
+    const t = useTranslations();
+    const [activeTagIndex, setActiveTagIndex] = useState<number | null>(null);
+
+    return (
+        <div
+            className={`grid gap-3 min-w-0 ${mappingRulesGridClass} md:items-start`}
+        >
+            <div className="space-y-1 min-w-0">
+                <FormLabel className="text-xs md:hidden">
+                    {t("roleMappingMatchValue")}
+                </FormLabel>
+                <Input
+                    id={`${fieldIdPrefix}-match`}
+                    value={rule.matchValue}
+                    onChange={(e) =>
+                        onChange({
+                            ...rule,
+                            matchValue: e.target.value
+                        })
+                    }
+                    placeholder={t("roleMappingMatchValuePlaceholder")}
+                />
+            </div>
+            <div className="space-y-1 min-w-0 w-full max-w-full">
+                <FormLabel className="text-xs md:hidden">
+                    {t("roleMappingAssignRoles")}
+                </FormLabel>
+                <div className="min-w-0 max-w-full">
+                    <TagInput
+                        tags={rule.roleNames.map((name) => ({
+                            id: name,
+                            text: name
+                        }))}
+                        setTags={(nextTags) => {
+                            const next =
+                                typeof nextTags === "function"
+                                    ? nextTags(
+                                          rule.roleNames.map((name) => ({
+                                              id: name,
+                                              text: name
+                                          }))
+                                      )
+                                    : nextTags;
+                            onChange({
+                                ...rule,
+                                roleNames: [
+                                    ...new Set(next.map((tag) => tag.text))
+                                ]
+                            });
+                        }}
+                        activeTagIndex={activeTagIndex}
+                        setActiveTagIndex={setActiveTagIndex}
+                        placeholder={
+                            restrictToOrgRoles
+                                ? t("roleMappingAssignRoles")
+                                : t("roleMappingAssignRolesPlaceholderFreeform")
+                        }
+                        enableAutocomplete={restrictToOrgRoles}
+                        autocompleteOptions={roleOptions}
+                        restrictTagsToAutocompleteOptions={restrictToOrgRoles}
+                        allowDuplicates={false}
+                        sortTags={true}
+                        size="sm"
+                        styleClasses={{
+                            inlineTagsContainer: "min-w-0 max-w-full"
+                        }}
+                    />
+                </div>
+                {showFreeformRoleNamesHint && (
+                    <p className="text-sm text-muted-foreground">
+                        {t("roleMappingBuilderFreeformRowHint")}
+                    </p>
+                )}
+            </div>
+            <div className="flex min-w-0 justify-end md:justify-start md:pt-0">
+                <Button
+                    type="button"
+                    variant="outline"
+                    className="h-9 shrink-0 px-2"
+                    onClick={onRemove}
+                >
+                    {t("roleMappingRemoveRule")}
+                </Button>
+            </div>
+        </div>
+    );
+}

From 7bcb852dba81b20d3d38469c88c8cad1dba8495d Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Fri, 27 Mar 2026 18:10:19 -0700
Subject: [PATCH 141/314] add google and azure templates to global idp

---
 messages/en-US.json                           |  16 +-
 server/routers/idp/createOidcIdp.ts           |   9 +-
 server/routers/idp/updateOidcIdp.ts           |   9 +-
 .../(private)/idp/[idpId]/general/page.tsx    |  33 -
 .../settings/(private)/idp/create/page.tsx    | 124 +---
 src/app/admin/idp/[idpId]/general/page.tsx    | 638 +++++++++++++-----
 src/app/admin/idp/[idpId]/policies/page.tsx   |   2 +-
 src/app/admin/idp/create/page.tsx             | 282 ++++++--
 src/app/admin/layout.tsx                      |  13 +-
 src/components/RoleMappingConfigFields.tsx    |   2 +-
 .../idp/OidcIdpProviderTypeSelect.tsx         |  75 ++
 src/lib/idp/oidcIdpProviderDefaults.ts        |  46 ++
 12 files changed, 870 insertions(+), 379 deletions(-)
 create mode 100644 src/components/idp/OidcIdpProviderTypeSelect.tsx
 create mode 100644 src/lib/idp/oidcIdpProviderDefaults.ts

diff --git a/messages/en-US.json b/messages/en-US.json
index 7d00c8105..505378b7f 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -890,7 +890,7 @@
     "defaultMappingsRole": "Default Role Mapping",
     "defaultMappingsRoleDescription": "The result of this expression must return the role name as defined in the organization as a string.",
     "defaultMappingsOrg": "Default Organization Mapping",
-    "defaultMappingsOrgDescription": "This expression must return the org ID or true for the user to be allowed to access the organization.",
+    "defaultMappingsOrgDescription": "When set, this expression must return the organization ID or true for the user to access that organization. When unset, defining an organization policy for that org is enough: the user is allowed in as long as a valid role mapping can be resolved for them within the organization.",
     "defaultMappingsSubmit": "Save Default Mappings",
     "orgPoliciesEdit": "Edit Organization Policy",
     "org": "Organization",
@@ -1942,19 +1942,19 @@
     "invalidValue": "Invalid value",
     "idpTypeLabel": "Identity Provider Type",
     "roleMappingExpressionPlaceholder": "e.g., contains(groups, 'admin') && 'Admin' || 'Member'",
-    "roleMappingModeFixedRoles": "Fixed roles",
-    "roleMappingModeMappingBuilder": "Mapping builder",
-    "roleMappingModeRawExpression": "Raw expression",
+    "roleMappingModeFixedRoles": "Fixed Roles",
+    "roleMappingModeMappingBuilder": "Mapping Builder",
+    "roleMappingModeRawExpression": "Raw Expression",
     "roleMappingFixedRolesPlaceholderSelect": "Select one or more roles",
     "roleMappingFixedRolesPlaceholderFreeform": "Type role names (exact match per organization)",
     "roleMappingFixedRolesDescriptionSameForAll": "Assign the same role set to every auto-provisioned user.",
     "roleMappingFixedRolesDescriptionDefaultPolicy": "For default policies, type role names that exist in each organization where users are provisioned. Names must match exactly.",
-    "roleMappingClaimPath": "Claim path",
+    "roleMappingClaimPath": "Claim Path",
     "roleMappingClaimPathPlaceholder": "groups",
     "roleMappingClaimPathDescription": "Path in the token payload that contains source values (for example, groups).",
-    "roleMappingMatchValue": "Match value",
-    "roleMappingAssignRoles": "Assign roles",
-    "roleMappingAddMappingRule": "Add mapping rule",
+    "roleMappingMatchValue": "Match Value",
+    "roleMappingAssignRoles": "Assign Roles",
+    "roleMappingAddMappingRule": "Add Mapping Rule",
     "roleMappingRawExpressionResultDescription": "Expression must evaluate to a string or string array.",
     "roleMappingMatchValuePlaceholder": "Match value (for example: admin)",
     "roleMappingAssignRolesPlaceholderFreeform": "Type role names (exact per org)",
diff --git a/server/routers/idp/createOidcIdp.ts b/server/routers/idp/createOidcIdp.ts
index 5b53f6820..0f0cc0cce 100644
--- a/server/routers/idp/createOidcIdp.ts
+++ b/server/routers/idp/createOidcIdp.ts
@@ -25,7 +25,8 @@ const bodySchema = z.strictObject({
     namePath: z.string().optional(),
     scopes: z.string().nonempty(),
     autoProvision: z.boolean().optional(),
-    tags: z.string().optional()
+    tags: z.string().optional(),
+    variant: z.enum(["oidc", "google", "azure"]).optional().default("oidc")
 });
 
 export type CreateIdpResponse = {
@@ -77,7 +78,8 @@ export async function createOidcIdp(
             namePath,
             name,
             autoProvision,
-            tags
+            tags,
+            variant
         } = parsedBody.data;
 
         if (
@@ -121,7 +123,8 @@ export async function createOidcIdp(
                 scopes,
                 identifierPath,
                 emailPath,
-                namePath
+                namePath,
+                variant
             });
         });
 
diff --git a/server/routers/idp/updateOidcIdp.ts b/server/routers/idp/updateOidcIdp.ts
index fe32a8b08..905b32013 100644
--- a/server/routers/idp/updateOidcIdp.ts
+++ b/server/routers/idp/updateOidcIdp.ts
@@ -31,7 +31,8 @@ const bodySchema = z.strictObject({
     autoProvision: z.boolean().optional(),
     defaultRoleMapping: z.string().optional(),
     defaultOrgMapping: z.string().optional(),
-    tags: z.string().optional()
+    tags: z.string().optional(),
+    variant: z.enum(["oidc", "google", "azure"]).optional()
 });
 
 export type UpdateIdpResponse = {
@@ -96,7 +97,8 @@ export async function updateOidcIdp(
             autoProvision,
             defaultRoleMapping,
             defaultOrgMapping,
-            tags
+            tags,
+            variant
         } = parsedBody.data;
 
         if (process.env.IDENTITY_PROVIDER_MODE === "org") {
@@ -159,7 +161,8 @@ export async function updateOidcIdp(
                 scopes,
                 identifierPath,
                 emailPath,
-                namePath
+                namePath,
+                variant
             };
 
             keysToUpdate = Object.keys(configData).filter(
diff --git a/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx b/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx
index 9754b07e5..37cf400a5 100644
--- a/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx
@@ -448,16 +448,6 @@ export default function GeneralPage() {
                             </InfoSection>
                         </InfoSections>
 
-                        <Alert variant="neutral" className="">
-                            <InfoIcon className="h-4 w-4" />
-                            <AlertTitle className="font-semibold">
-                                {t("redirectUrlAbout")}
-                            </AlertTitle>
-                            <AlertDescription>
-                                {t("redirectUrlAboutDescription")}
-                            </AlertDescription>
-                        </Alert>
-
                         {/* IDP Type Indicator */}
                         <div className="flex items-center space-x-2 mb-4">
                             <span className="text-sm font-medium text-muted-foreground">
@@ -843,29 +833,6 @@ export default function GeneralPage() {
                                             className="space-y-4"
                                             id="general-settings-form"
                                         >
-                                            <Alert variant="neutral">
-                                                <InfoIcon className="h-4 w-4" />
-                                                <AlertTitle className="font-semibold">
-                                                    {t("idpJmespathAbout")}
-                                                </AlertTitle>
-                                                <AlertDescription>
-                                                    {t(
-                                                        "idpJmespathAboutDescription"
-                                                    )}{" "}
-                                                    <a
-                                                        href="https://jmespath.org"
-                                                        target="_blank"
-                                                        rel="noopener noreferrer"
-                                                        className="text-primary hover:underline inline-flex items-center"
-                                                    >
-                                                        {t(
-                                                            "idpJmespathAboutDescriptionLink"
-                                                        )}{" "}
-                                                        <ExternalLink className="ml-1 h-4 w-4" />
-                                                    </a>
-                                                </AlertDescription>
-                                            </Alert>
-
                                             <FormField
                                                 control={form.control}
                                                 name="identifierPath"
diff --git a/src/app/[orgId]/settings/(private)/idp/create/page.tsx b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
index 970f9f970..17adcb6b6 100644
--- a/src/app/[orgId]/settings/(private)/idp/create/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
@@ -13,7 +13,7 @@ import {
     SettingsSectionTitle
 } from "@app/components/Settings";
 import HeaderTitle from "@app/components/SettingsSectionTitle";
-import { StrategySelect } from "@app/components/StrategySelect";
+import { OidcIdpProviderTypeSelect } from "@app/components/idp/OidcIdpProviderTypeSelect";
 import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
 import { Button } from "@app/components/ui/button";
 import {
@@ -27,17 +27,16 @@ import {
 } from "@app/components/ui/form";
 import { Input } from "@app/components/ui/input";
 import { useEnvContext } from "@app/hooks/useEnvContext";
-import { useLicenseStatusContext } from "@app/hooks/useLicenseStatusContext";
 import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { toast } from "@app/hooks/useToast";
 import { createApiClient, formatAxiosError } from "@app/lib/api";
+import { applyOidcIdpProviderType } from "@app/lib/idp/oidcIdpProviderDefaults";
 import { zodResolver } from "@hookform/resolvers/zod";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import { ListRolesResponse } from "@server/routers/role";
 import { AxiosResponse } from "axios";
 import { InfoIcon } from "lucide-react";
 import { useTranslations } from "next-intl";
-import Image from "next/image";
 import { useParams, useRouter } from "next/navigation";
 import { useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
@@ -96,49 +95,6 @@ export default function Page() {
 
     type CreateIdpFormValues = z.infer<typeof createIdpFormSchema>;
 
-    interface ProviderTypeOption {
-        id: "oidc" | "google" | "azure";
-        title: string;
-        description: string;
-        icon?: React.ReactNode;
-    }
-
-    const providerTypes: ReadonlyArray<ProviderTypeOption> = [
-        {
-            id: "oidc",
-            title: "OAuth2/OIDC",
-            description: t("idpOidcDescription")
-        },
-        {
-            id: "google",
-            title: t("idpGoogleTitle"),
-            description: t("idpGoogleDescription"),
-            icon: (
-                <Image
-                    src="/idp/google.png"
-                    alt={t("idpGoogleAlt")}
-                    width={24}
-                    height={24}
-                    className="rounded"
-                />
-            )
-        },
-        {
-            id: "azure",
-            title: t("idpAzureTitle"),
-            description: t("idpAzureDescription"),
-            icon: (
-                <Image
-                    src="/idp/azure.png"
-                    alt={t("idpAzureAlt")}
-                    width={24}
-                    height={24}
-                    className="rounded"
-                />
-            )
-        }
-    ];
-
     const form = useForm({
         resolver: zodResolver(createIdpFormSchema),
         defaultValues: {
@@ -186,47 +142,6 @@ export default function Page() {
         fetchRoles();
     }, []);
 
-    // Handle provider type changes and set defaults
-    const handleProviderChange = (value: "oidc" | "google" | "azure") => {
-        form.setValue("type", value);
-
-        if (value === "google") {
-            // Set Google defaults
-            form.setValue(
-                "authUrl",
-                "https://accounts.google.com/o/oauth2/v2/auth"
-            );
-            form.setValue("tokenUrl", "https://oauth2.googleapis.com/token");
-            form.setValue("identifierPath", "email");
-            form.setValue("emailPath", "email");
-            form.setValue("namePath", "name");
-            form.setValue("scopes", "openid profile email");
-        } else if (value === "azure") {
-            // Set Azure Entra ID defaults (URLs will be constructed dynamically)
-            form.setValue(
-                "authUrl",
-                "https://login.microsoftonline.com/{{TENANT_ID}}/oauth2/v2.0/authorize"
-            );
-            form.setValue(
-                "tokenUrl",
-                "https://login.microsoftonline.com/{{TENANT_ID}}/oauth2/v2.0/token"
-            );
-            form.setValue("identifierPath", "email");
-            form.setValue("emailPath", "email");
-            form.setValue("namePath", "name");
-            form.setValue("scopes", "openid profile email");
-            form.setValue("tenantId", "");
-        } else {
-            // Reset to OIDC defaults
-            form.setValue("authUrl", "");
-            form.setValue("tokenUrl", "");
-            form.setValue("identifierPath", "sub");
-            form.setValue("namePath", "name");
-            form.setValue("emailPath", "email");
-            form.setValue("scopes", "openid profile email");
-        }
-    };
-
     async function onSubmit(data: CreateIdpFormValues) {
         setCreateLoading(true);
 
@@ -304,6 +219,7 @@ export default function Page() {
     }
 
     const disabled = !isPaidUser(tierMatrix.orgOidc);
+    const templatesPaid = isPaidUser(tierMatrix.orgOidc);
 
     return (
         <>
@@ -336,23 +252,13 @@ export default function Page() {
                         </SettingsSectionDescription>
                     </SettingsSectionHeader>
                     <SettingsSectionBody>
-                        <div>
-                            <div className="mb-2">
-                                <span className="text-sm font-medium">
-                                    {t("idpType")}
-                                </span>
-                            </div>
-                            <StrategySelect
-                                options={providerTypes}
-                                defaultValue={form.getValues("type")}
-                                onChange={(value) => {
-                                    handleProviderChange(
-                                        value as "oidc" | "google" | "azure"
-                                    );
-                                }}
-                                cols={3}
-                            />
-                        </div>
+                        <OidcIdpProviderTypeSelect
+                            value={form.watch("type")}
+                            templatesPaid={templatesPaid}
+                            onTypeChange={(next) => {
+                                applyOidcIdpProviderType(form.setValue, next);
+                            }}
+                        />
 
                         <SettingsSectionForm>
                             <Form {...form}>
@@ -708,16 +614,6 @@ export default function Page() {
                                         />
                                     </form>
                                 </Form>
-
-                                <Alert variant="neutral">
-                                    <InfoIcon className="h-4 w-4" />
-                                    <AlertTitle className="font-semibold">
-                                        {t("idpOidcConfigureAlert")}
-                                    </AlertTitle>
-                                    <AlertDescription>
-                                        {t("idpOidcConfigureAlertDescription")}
-                                    </AlertDescription>
-                                </Alert>
                             </SettingsSectionBody>
                         </SettingsSection>
 
diff --git a/src/app/admin/idp/[idpId]/general/page.tsx b/src/app/admin/idp/[idpId]/general/page.tsx
index a5ed14a6e..d02925976 100644
--- a/src/app/admin/idp/[idpId]/general/page.tsx
+++ b/src/app/admin/idp/[idpId]/general/page.tsx
@@ -25,7 +25,6 @@ import {
     SettingsSectionDescription,
     SettingsSectionBody,
     SettingsSectionForm,
-    SettingsSectionFooter,
     SettingsSectionGrid
 } from "@app/components/Settings";
 import { formatAxiosError } from "@app/lib/api";
@@ -33,8 +32,6 @@ import { createApiClient } from "@app/lib/api";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useState, useEffect } from "react";
 import { SwitchInput } from "@app/components/SwitchInput";
-import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
-import { InfoIcon, ExternalLink } from "lucide-react";
 import {
     InfoSection,
     InfoSectionContent,
@@ -42,8 +39,7 @@ import {
     InfoSectionTitle
 } from "@app/components/InfoSection";
 import CopyToClipboard from "@app/components/CopyToClipboard";
-import { Badge } from "@app/components/ui/badge";
-import { useLicenseStatusContext } from "@app/hooks/useLicenseStatusContext";
+import IdpTypeBadge from "@app/components/IdpTypeBadge";
 import { useTranslations } from "next-intl";
 
 export default function GeneralPage() {
@@ -53,12 +49,12 @@ export default function GeneralPage() {
     const { idpId } = useParams();
     const [loading, setLoading] = useState(false);
     const [initialLoading, setInitialLoading] = useState(true);
-    const { isUnlocked } = useLicenseStatusContext();
+    const [variant, setVariant] = useState<"oidc" | "google" | "azure">("oidc");
 
     const redirectUrl = `${env.app.dashboardUrl}/auth/idp/${idpId}/oidc/callback`;
     const t = useTranslations();
 
-    const GeneralFormSchema = z.object({
+    const OidcFormSchema = z.object({
         name: z.string().min(2, { message: t("nameMin", { len: 2 }) }),
         clientId: z.string().min(1, { message: t("idpClientIdRequired") }),
         clientSecret: z
@@ -73,10 +69,46 @@ export default function GeneralPage() {
         autoProvision: z.boolean().default(false)
     });
 
-    type GeneralFormValues = z.infer<typeof GeneralFormSchema>;
+    const GoogleFormSchema = z.object({
+        name: z.string().min(2, { message: t("nameMin", { len: 2 }) }),
+        clientId: z.string().min(1, { message: t("idpClientIdRequired") }),
+        clientSecret: z
+            .string()
+            .min(1, { message: t("idpClientSecretRequired") }),
+        autoProvision: z.boolean().default(false)
+    });
 
-    const form = useForm({
-        resolver: zodResolver(GeneralFormSchema),
+    const AzureFormSchema = z.object({
+        name: z.string().min(2, { message: t("nameMin", { len: 2 }) }),
+        clientId: z.string().min(1, { message: t("idpClientIdRequired") }),
+        clientSecret: z
+            .string()
+            .min(1, { message: t("idpClientSecretRequired") }),
+        tenantId: z.string().min(1, { message: t("idpTenantIdRequired") }),
+        autoProvision: z.boolean().default(false)
+    });
+
+    type OidcFormValues = z.infer<typeof OidcFormSchema>;
+    type GoogleFormValues = z.infer<typeof GoogleFormSchema>;
+    type AzureFormValues = z.infer<typeof AzureFormSchema>;
+    type GeneralFormValues =
+        | OidcFormValues
+        | GoogleFormValues
+        | AzureFormValues;
+
+    const getFormSchema = () => {
+        switch (variant) {
+            case "google":
+                return GoogleFormSchema;
+            case "azure":
+                return AzureFormSchema;
+            default:
+                return OidcFormSchema;
+        }
+    };
+
+    const form = useForm<GeneralFormValues>({
+        resolver: zodResolver(getFormSchema()) as never,
         defaultValues: {
             name: "",
             clientId: "",
@@ -87,28 +119,60 @@ export default function GeneralPage() {
             emailPath: "email",
             namePath: "name",
             scopes: "openid profile email",
-            autoProvision: true
+            autoProvision: true,
+            tenantId: ""
         }
     });
 
+    useEffect(() => {
+        form.clearErrors();
+    }, [variant, form]);
+
     useEffect(() => {
         const loadIdp = async () => {
             try {
                 const res = await api.get(`/idp/${idpId}`);
                 if (res.status === 200) {
                     const data = res.data.data;
-                    form.reset({
+                    const idpVariant =
+                        (data.idpOidcConfig?.variant as
+                            | "oidc"
+                            | "google"
+                            | "azure") || "oidc";
+                    setVariant(idpVariant);
+
+                    let tenantId = "";
+                    if (idpVariant === "azure" && data.idpOidcConfig?.authUrl) {
+                        const tenantMatch = data.idpOidcConfig.authUrl.match(
+                            /login\.microsoftonline\.com\/([^/]+)\/oauth2/
+                        );
+                        if (tenantMatch) {
+                            tenantId = tenantMatch[1];
+                        }
+                    }
+
+                    const formData: Record<string, unknown> = {
                         name: data.idp.name,
                         clientId: data.idpOidcConfig.clientId,
                         clientSecret: data.idpOidcConfig.clientSecret,
-                        authUrl: data.idpOidcConfig.authUrl,
-                        tokenUrl: data.idpOidcConfig.tokenUrl,
-                        identifierPath: data.idpOidcConfig.identifierPath,
-                        emailPath: data.idpOidcConfig.emailPath,
-                        namePath: data.idpOidcConfig.namePath,
-                        scopes: data.idpOidcConfig.scopes,
                         autoProvision: data.idp.autoProvision
-                    });
+                    };
+
+                    if (idpVariant === "oidc") {
+                        formData.authUrl = data.idpOidcConfig.authUrl;
+                        formData.tokenUrl = data.idpOidcConfig.tokenUrl;
+                        formData.identifierPath =
+                            data.idpOidcConfig.identifierPath;
+                        formData.emailPath =
+                            data.idpOidcConfig.emailPath ?? undefined;
+                        formData.namePath =
+                            data.idpOidcConfig.namePath ?? undefined;
+                        formData.scopes = data.idpOidcConfig.scopes;
+                    } else if (idpVariant === "azure") {
+                        formData.tenantId = tenantId;
+                    }
+
+                    form.reset(formData as GeneralFormValues);
                 }
             } catch (e) {
                 toast({
@@ -123,25 +187,76 @@ export default function GeneralPage() {
         };
 
         loadIdp();
-    }, [idpId, api, form, router]);
+    }, [idpId]);
 
     async function onSubmit(data: GeneralFormValues) {
         setLoading(true);
 
         try {
-            const payload = {
+            const schema = getFormSchema();
+            const validationResult = schema.safeParse(data);
+
+            if (!validationResult.success) {
+                const errors = validationResult.error.flatten().fieldErrors;
+                Object.keys(errors).forEach((key) => {
+                    const fieldName = key as keyof GeneralFormValues;
+                    const errorMessage =
+                        (errors as Record<string, string[] | undefined>)[
+                            key
+                        ]?.[0] || t("invalidValue");
+                    form.setError(fieldName, {
+                        type: "manual",
+                        message: errorMessage
+                    });
+                });
+                setLoading(false);
+                return;
+            }
+
+            let payload: Record<string, unknown> = {
                 name: data.name,
                 clientId: data.clientId,
                 clientSecret: data.clientSecret,
-                authUrl: data.authUrl,
-                tokenUrl: data.tokenUrl,
-                identifierPath: data.identifierPath,
-                emailPath: data.emailPath,
-                namePath: data.namePath,
                 autoProvision: data.autoProvision,
-                scopes: data.scopes
+                variant
             };
 
+            if (variant === "oidc") {
+                const oidcData = data as OidcFormValues;
+                payload = {
+                    ...payload,
+                    authUrl: oidcData.authUrl,
+                    tokenUrl: oidcData.tokenUrl,
+                    identifierPath: oidcData.identifierPath,
+                    emailPath: oidcData.emailPath ?? "",
+                    namePath: oidcData.namePath ?? "",
+                    scopes: oidcData.scopes
+                };
+            } else if (variant === "azure") {
+                const azureData = data as AzureFormValues;
+                const authUrl = `https://login.microsoftonline.com/${azureData.tenantId}/oauth2/v2.0/authorize`;
+                const tokenUrl = `https://login.microsoftonline.com/${azureData.tenantId}/oauth2/v2.0/token`;
+                payload = {
+                    ...payload,
+                    authUrl,
+                    tokenUrl,
+                    identifierPath: "email",
+                    emailPath: "email",
+                    namePath: "name",
+                    scopes: "openid profile email"
+                };
+            } else if (variant === "google") {
+                payload = {
+                    ...payload,
+                    authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+                    tokenUrl: "https://oauth2.googleapis.com/token",
+                    identifierPath: "email",
+                    emailPath: "email",
+                    namePath: "name",
+                    scopes: "openid profile email"
+                };
+            }
+
             const res = await api.post(`/idp/${idpId}/oidc`, payload);
 
             if (res.status === 200) {
@@ -190,6 +305,13 @@ export default function GeneralPage() {
                             </InfoSection>
                         </InfoSections>
 
+                        <div className="flex items-center space-x-2 mb-4">
+                            <span className="text-sm font-medium text-muted-foreground">
+                                {t("idpTypeLabel")}:
+                            </span>
+                            <IdpTypeBadge type={variant} />
+                        </div>
+
                         <SettingsSectionForm>
                             <Form {...form}>
                                 <form
@@ -215,62 +337,80 @@ export default function GeneralPage() {
                                             </FormItem>
                                         )}
                                     />
-
-                                    <div className="flex items-start mb-0">
-                                        <SwitchInput
-                                            id="auto-provision-toggle"
-                                            label={t("idpAutoProvisionUsers")}
-                                            defaultChecked={form.getValues(
-                                                "autoProvision"
-                                            )}
-                                            onCheckedChange={(checked) => {
-                                                form.setValue(
-                                                    "autoProvision",
-                                                    checked
-                                                );
-                                            }}
-                                        />
-                                    </div>
-                                    <div className="flex flex-col gap-2">
-                                        <span className="text-sm text-muted-foreground">
-                                            {t(
-                                                "idpAutoProvisionUsersDescription"
-                                            )}
-                                        </span>
-                                        {form.watch("autoProvision") && (
-                                            <FormDescription>
-                                                {t.rich(
-                                                    "idpAdminAutoProvisionPoliciesTabHint",
-                                                    {
-                                                        policiesTabLink: (
-                                                            chunks
-                                                        ) => (
-                                                            <Link
-                                                                href={`/admin/idp/${idpId}/policies`}
-                                                                className="text-primary hover:underline inline-flex items-center gap-1"
-                                                            >
-                                                                {chunks}
-                                                            </Link>
-                                                        )
-                                                    }
-                                                )}
-                                            </FormDescription>
-                                        )}
-                                    </div>
                                 </form>
                             </Form>
                         </SettingsSectionForm>
                     </SettingsSectionBody>
                 </SettingsSection>
 
-                <SettingsSectionGrid cols={2}>
+                <SettingsSection>
+                    <SettingsSectionHeader>
+                        <SettingsSectionTitle>
+                            {t("idpAutoProvisionUsers")}
+                        </SettingsSectionTitle>
+                        <SettingsSectionDescription>
+                            {t("idpAutoProvisionUsersDescription")}
+                        </SettingsSectionDescription>
+                    </SettingsSectionHeader>
+                    <SettingsSectionBody>
+                        <Form {...form}>
+                            <form
+                                onSubmit={form.handleSubmit(onSubmit)}
+                                className="space-y-4"
+                                id="general-settings-form"
+                            >
+                                <div className="flex items-start mb-0">
+                                    <SwitchInput
+                                        id="auto-provision-toggle"
+                                        label={t("idpAutoProvisionUsers")}
+                                        defaultChecked={form.getValues(
+                                            "autoProvision"
+                                        )}
+                                        onCheckedChange={(checked) => {
+                                            form.setValue(
+                                                "autoProvision",
+                                                checked
+                                            );
+                                        }}
+                                    />
+                                </div>
+                                <div className="flex flex-col gap-2">
+                                    <span className="text-sm text-muted-foreground">
+                                        {t("idpAutoProvisionUsersDescription")}
+                                    </span>
+                                    {form.watch("autoProvision") && (
+                                        <FormDescription>
+                                            {t.rich(
+                                                "idpAdminAutoProvisionPoliciesTabHint",
+                                                {
+                                                    policiesTabLink: (
+                                                        chunks
+                                                    ) => (
+                                                        <Link
+                                                            href={`/admin/idp/${idpId}/policies`}
+                                                            className="text-primary hover:underline inline-flex items-center gap-1"
+                                                        >
+                                                            {chunks}
+                                                        </Link>
+                                                    )
+                                                }
+                                            )}
+                                        </FormDescription>
+                                    )}
+                                </div>
+                            </form>
+                        </Form>
+                    </SettingsSectionBody>
+                </SettingsSection>
+
+                {variant === "google" && (
                     <SettingsSection>
                         <SettingsSectionHeader>
                             <SettingsSectionTitle>
-                                {t("idpOidcConfigure")}
+                                {t("idpGoogleConfiguration")}
                             </SettingsSectionTitle>
                             <SettingsSectionDescription>
-                                {t("idpOidcConfigureDescription")}
+                                {t("idpGoogleConfigurationDescription")}
                             </SettingsSectionDescription>
                         </SettingsSectionHeader>
                         <SettingsSectionBody>
@@ -294,7 +434,7 @@ export default function GeneralPage() {
                                                     </FormControl>
                                                     <FormDescription>
                                                         {t(
-                                                            "idpClientIdDescription"
+                                                            "idpGoogleClientIdDescription"
                                                         )}
                                                     </FormDescription>
                                                     <FormMessage />
@@ -318,49 +458,7 @@ export default function GeneralPage() {
                                                     </FormControl>
                                                     <FormDescription>
                                                         {t(
-                                                            "idpClientSecretDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-
-                                        <FormField
-                                            control={form.control}
-                                            name="authUrl"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpAuthUrl")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input {...field} />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpAuthUrlDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-
-                                        <FormField
-                                            control={form.control}
-                                            name="tokenUrl"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpTokenUrl")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input {...field} />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpTokenUrlDescription"
+                                                            "idpGoogleClientSecretDescription"
                                                         )}
                                                     </FormDescription>
                                                     <FormMessage />
@@ -372,14 +470,16 @@ export default function GeneralPage() {
                             </SettingsSectionForm>
                         </SettingsSectionBody>
                     </SettingsSection>
+                )}
 
+                {variant === "azure" && (
                     <SettingsSection>
                         <SettingsSectionHeader>
                             <SettingsSectionTitle>
-                                {t("idpToken")}
+                                {t("idpAzureConfiguration")}
                             </SettingsSectionTitle>
                             <SettingsSectionDescription>
-                                {t("idpTokenDescription")}
+                                {t("idpAzureConfigurationDescription")}
                             </SettingsSectionDescription>
                         </SettingsSectionHeader>
                         <SettingsSectionBody>
@@ -392,18 +492,18 @@ export default function GeneralPage() {
                                     >
                                         <FormField
                                             control={form.control}
-                                            name="identifierPath"
+                                            name="tenantId"
                                             render={({ field }) => (
                                                 <FormItem>
                                                     <FormLabel>
-                                                        {t("idpJmespathLabel")}
+                                                        {t("idpTenantId")}
                                                     </FormLabel>
                                                     <FormControl>
                                                         <Input {...field} />
                                                     </FormControl>
                                                     <FormDescription>
                                                         {t(
-                                                            "idpJmespathLabelDescription"
+                                                            "idpAzureTenantIdDescription"
                                                         )}
                                                     </FormDescription>
                                                     <FormMessage />
@@ -413,20 +513,18 @@ export default function GeneralPage() {
 
                                         <FormField
                                             control={form.control}
-                                            name="emailPath"
+                                            name="clientId"
                                             render={({ field }) => (
                                                 <FormItem>
                                                     <FormLabel>
-                                                        {t(
-                                                            "idpJmespathEmailPathOptional"
-                                                        )}
+                                                        {t("idpClientId")}
                                                     </FormLabel>
                                                     <FormControl>
                                                         <Input {...field} />
                                                     </FormControl>
                                                     <FormDescription>
                                                         {t(
-                                                            "idpJmespathEmailPathOptionalDescription"
+                                                            "idpAzureClientIdDescription"
                                                         )}
                                                     </FormDescription>
                                                     <FormMessage />
@@ -436,43 +534,21 @@ export default function GeneralPage() {
 
                                         <FormField
                                             control={form.control}
-                                            name="namePath"
+                                            name="clientSecret"
                                             render={({ field }) => (
                                                 <FormItem>
                                                     <FormLabel>
-                                                        {t(
-                                                            "idpJmespathNamePathOptional"
-                                                        )}
+                                                        {t("idpClientSecret")}
                                                     </FormLabel>
                                                     <FormControl>
-                                                        <Input {...field} />
+                                                        <Input
+                                                            type="password"
+                                                            {...field}
+                                                        />
                                                     </FormControl>
                                                     <FormDescription>
                                                         {t(
-                                                            "idpJmespathNamePathOptionalDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-
-                                        <FormField
-                                            control={form.control}
-                                            name="scopes"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t(
-                                                            "idpOidcConfigureScopes"
-                                                        )}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input {...field} />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpOidcConfigureScopesDescription"
+                                                            "idpAzureClientSecretDescription"
                                                         )}
                                                     </FormDescription>
                                                     <FormMessage />
@@ -484,15 +560,263 @@ export default function GeneralPage() {
                             </SettingsSectionForm>
                         </SettingsSectionBody>
                     </SettingsSection>
-                </SettingsSectionGrid>
+                )}
+
+                {variant === "oidc" && (
+                    <SettingsSectionGrid cols={2}>
+                        <SettingsSection>
+                            <SettingsSectionHeader>
+                                <SettingsSectionTitle>
+                                    {t("idpOidcConfigure")}
+                                </SettingsSectionTitle>
+                                <SettingsSectionDescription>
+                                    {t("idpOidcConfigureDescription")}
+                                </SettingsSectionDescription>
+                            </SettingsSectionHeader>
+                            <SettingsSectionBody>
+                                <SettingsSectionForm>
+                                    <Form {...form}>
+                                        <form
+                                            onSubmit={form.handleSubmit(
+                                                onSubmit
+                                            )}
+                                            className="space-y-4"
+                                            id="general-settings-form"
+                                        >
+                                            <FormField
+                                                control={form.control}
+                                                name="clientId"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t("idpClientId")}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpClientIdDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="clientSecret"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpClientSecret"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input
+                                                                type="password"
+                                                                {...field}
+                                                            />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpClientSecretDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="authUrl"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t("idpAuthUrl")}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpAuthUrlDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="tokenUrl"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t("idpTokenUrl")}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpTokenUrlDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+                                        </form>
+                                    </Form>
+                                </SettingsSectionForm>
+                            </SettingsSectionBody>
+                        </SettingsSection>
+
+                        <SettingsSection>
+                            <SettingsSectionHeader>
+                                <SettingsSectionTitle>
+                                    {t("idpToken")}
+                                </SettingsSectionTitle>
+                                <SettingsSectionDescription>
+                                    {t("idpTokenDescription")}
+                                </SettingsSectionDescription>
+                            </SettingsSectionHeader>
+                            <SettingsSectionBody>
+                                <SettingsSectionForm>
+                                    <Form {...form}>
+                                        <form
+                                            onSubmit={form.handleSubmit(
+                                                onSubmit
+                                            )}
+                                            className="space-y-4"
+                                            id="general-settings-form"
+                                        >
+                                            <FormField
+                                                control={form.control}
+                                                name="identifierPath"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpJmespathLabel"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpJmespathLabelDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="emailPath"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpJmespathEmailPathOptional"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input
+                                                                {...field}
+                                                                value={
+                                                                    field.value ||
+                                                                    ""
+                                                                }
+                                                            />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpJmespathEmailPathOptionalDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="namePath"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpJmespathNamePathOptional"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input
+                                                                {...field}
+                                                                value={
+                                                                    field.value ||
+                                                                    ""
+                                                                }
+                                                            />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpJmespathNamePathOptionalDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="scopes"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpOidcConfigureScopes"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpOidcConfigureScopesDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+                                        </form>
+                                    </Form>
+                                </SettingsSectionForm>
+                            </SettingsSectionBody>
+                        </SettingsSection>
+                    </SettingsSectionGrid>
+                )}
             </SettingsContainer>
 
             <div className="flex justify-end mt-8">
                 <Button
-                    type="submit"
+                    type="button"
                     form="general-settings-form"
                     loading={loading}
                     disabled={loading}
+                    onClick={() => {
+                        form.handleSubmit(onSubmit)();
+                    }}
                 >
                     {t("saveGeneralSettings")}
                 </Button>
diff --git a/src/app/admin/idp/[idpId]/policies/page.tsx b/src/app/admin/idp/[idpId]/policies/page.tsx
index 086074e2d..57ee3cf7b 100644
--- a/src/app/admin/idp/[idpId]/policies/page.tsx
+++ b/src/app/admin/idp/[idpId]/policies/page.tsx
@@ -575,7 +575,7 @@ export default function PoliciesPage() {
                     }
                 }}
             >
-                <CredenzaContent className="max-w-4xl w-[calc(100vw-2rem)] sm:w-full">
+                <CredenzaContent className="max-w-4xl sm:w-full">
                     <CredenzaHeader>
                         <CredenzaTitle>
                             {editingPolicy
diff --git a/src/app/admin/idp/create/page.tsx b/src/app/admin/idp/create/page.tsx
index 91b55da23..40d4a3b32 100644
--- a/src/app/admin/idp/create/page.tsx
+++ b/src/app/admin/idp/create/page.tsx
@@ -1,5 +1,7 @@
 "use client";
 
+import { OidcIdpProviderTypeSelect } from "@app/components/idp/OidcIdpProviderTypeSelect";
+import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
 import {
     SettingsContainer,
     SettingsSection,
@@ -20,70 +22,63 @@ import {
     FormMessage
 } from "@app/components/ui/form";
 import HeaderTitle from "@app/components/SettingsSectionTitle";
-import { z } from "zod";
-import { createElement, useEffect, useState } from "react";
-import { useForm } from "react-hook-form";
-import { zodResolver } from "@hookform/resolvers/zod";
-import { Input } from "@app/components/ui/input";
+import { SwitchInput } from "@app/components/SwitchInput";
+import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
 import { Button } from "@app/components/ui/button";
-import { createApiClient, formatAxiosError } from "@app/lib/api";
+import { Input } from "@app/components/ui/input";
+import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { toast } from "@app/hooks/useToast";
-import { useRouter } from "next/navigation";
-import { Checkbox } from "@app/components/ui/checkbox";
-import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
-import { InfoIcon, ExternalLink } from "lucide-react";
-import { StrategySelect } from "@app/components/StrategySelect";
-import { SwitchInput } from "@app/components/SwitchInput";
-import { Badge } from "@app/components/ui/badge";
-import { useLicenseStatusContext } from "@app/hooks/useLicenseStatusContext";
+import { createApiClient, formatAxiosError } from "@app/lib/api";
+import { applyOidcIdpProviderType } from "@app/lib/idp/oidcIdpProviderDefaults";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import { InfoIcon } from "lucide-react";
 import { useTranslations } from "next-intl";
+import { useRouter } from "next/navigation";
+import { useEffect, useState } from "react";
+import { useForm } from "react-hook-form";
+import { z } from "zod";
 
 export default function Page() {
     const { env } = useEnvContext();
     const api = createApiClient({ env });
     const router = useRouter();
     const [createLoading, setCreateLoading] = useState(false);
-    const { isUnlocked } = useLicenseStatusContext();
     const t = useTranslations();
+    const { isPaidUser } = usePaidStatus();
+    const templatesPaid = isPaidUser(tierMatrix.orgOidc);
 
     const createIdpFormSchema = z.object({
         name: z.string().min(2, { message: t("nameMin", { len: 2 }) }),
-        type: z.enum(["oidc"]),
+        type: z.enum(["oidc", "google", "azure"]),
         clientId: z.string().min(1, { message: t("idpClientIdRequired") }),
         clientSecret: z
             .string()
             .min(1, { message: t("idpClientSecretRequired") }),
-        authUrl: z.url({ message: t("idpErrorAuthUrlInvalid") }),
-        tokenUrl: z.url({ message: t("idpErrorTokenUrlInvalid") }),
-        identifierPath: z.string().min(1, { message: t("idpPathRequired") }),
+        authUrl: z.url({ message: t("idpErrorAuthUrlInvalid") }).optional(),
+        tokenUrl: z.url({ message: t("idpErrorTokenUrlInvalid") }).optional(),
+        identifierPath: z
+            .string()
+            .min(1, { message: t("idpPathRequired") })
+            .optional(),
         emailPath: z.string().optional(),
         namePath: z.string().optional(),
-        scopes: z.string().min(1, { message: t("idpScopeRequired") }),
+        scopes: z
+            .string()
+            .min(1, { message: t("idpScopeRequired") })
+            .optional(),
+        tenantId: z.string().optional(),
         autoProvision: z.boolean().default(false)
     });
 
     type CreateIdpFormValues = z.infer<typeof createIdpFormSchema>;
 
-    interface ProviderTypeOption {
-        id: "oidc";
-        title: string;
-        description: string;
-    }
-
-    const providerTypes: ReadonlyArray<ProviderTypeOption> = [
-        {
-            id: "oidc",
-            title: "OAuth2/OIDC",
-            description: t("idpOidcDescription")
-        }
-    ];
-
     const form = useForm({
         resolver: zodResolver(createIdpFormSchema),
         defaultValues: {
             name: "",
-            type: "oidc",
+            type: "oidc" as const,
             clientId: "",
             clientSecret: "",
             authUrl: "",
@@ -92,25 +87,46 @@ export default function Page() {
             namePath: "name",
             emailPath: "email",
             scopes: "openid profile email",
+            tenantId: "",
             autoProvision: false
         }
     });
 
+    const watchedType = form.watch("type");
+
+    useEffect(() => {
+        if (
+            !templatesPaid &&
+            (watchedType === "google" || watchedType === "azure")
+        ) {
+            applyOidcIdpProviderType(form.setValue, "oidc");
+        }
+    }, [templatesPaid, watchedType, form.setValue]);
+
     async function onSubmit(data: CreateIdpFormValues) {
         setCreateLoading(true);
 
         try {
+            let authUrl = data.authUrl;
+            let tokenUrl = data.tokenUrl;
+
+            if (data.type === "azure" && data.tenantId) {
+                authUrl = authUrl?.replace("{{TENANT_ID}}", data.tenantId);
+                tokenUrl = tokenUrl?.replace("{{TENANT_ID}}", data.tenantId);
+            }
+
             const payload = {
                 name: data.name,
                 clientId: data.clientId,
                 clientSecret: data.clientSecret,
-                authUrl: data.authUrl,
-                tokenUrl: data.tokenUrl,
+                authUrl: authUrl,
+                tokenUrl: tokenUrl,
                 identifierPath: data.identifierPath,
                 emailPath: data.emailPath,
                 namePath: data.namePath,
                 autoProvision: data.autoProvision,
-                scopes: data.scopes
+                scopes: data.scopes,
+                variant: data.type
             };
 
             const res = await api.put("/idp/oidc", payload);
@@ -150,6 +166,10 @@ export default function Page() {
                 </Button>
             </div>
 
+            {!templatesPaid ? (
+                <PaidFeaturesAlert tiers={tierMatrix.orgOidc} />
+            ) : null}
+
             <SettingsContainer>
                 <SettingsSection>
                     <SettingsSectionHeader>
@@ -161,6 +181,14 @@ export default function Page() {
                         </SettingsSectionDescription>
                     </SettingsSectionHeader>
                     <SettingsSectionBody>
+                        <OidcIdpProviderTypeSelect
+                            value={watchedType}
+                            templatesPaid={templatesPaid}
+                            onTypeChange={(next) => {
+                                applyOidcIdpProviderType(form.setValue, next);
+                            }}
+                        />
+
                         <SettingsSectionForm>
                             <Form {...form}>
                                 <form
@@ -208,27 +236,169 @@ export default function Page() {
                                 </form>
                             </Form>
                         </SettingsSectionForm>
-
-                        {/* <div> */}
-                        {/*     <div className="mb-2"> */}
-                        {/*         <span className="text-sm font-medium"> */}
-                        {/*             {t("idpType")} */}
-                        {/*         </span> */}
-                        {/*     </div> */}
-                        {/*  */}
-                        {/*     <StrategySelect */}
-                        {/*         options={providerTypes} */}
-                        {/*         defaultValue={form.getValues("type")} */}
-                        {/*         onChange={(value) => { */}
-                        {/*             form.setValue("type", value as "oidc"); */}
-                        {/*         }} */}
-                        {/*         cols={3} */}
-                        {/*     /> */}
-                        {/* </div> */}
                     </SettingsSectionBody>
                 </SettingsSection>
 
-                {form.watch("type") === "oidc" && (
+                {watchedType === "google" && (
+                    <SettingsSection>
+                        <SettingsSectionHeader>
+                            <SettingsSectionTitle>
+                                {t("idpGoogleConfigurationTitle")}
+                            </SettingsSectionTitle>
+                            <SettingsSectionDescription>
+                                {t("idpGoogleConfigurationDescription")}
+                            </SettingsSectionDescription>
+                        </SettingsSectionHeader>
+                        <SettingsSectionBody>
+                            <SettingsSectionForm>
+                                <Form {...form}>
+                                    <form
+                                        className="space-y-4"
+                                        id="create-idp-form"
+                                        onSubmit={form.handleSubmit(onSubmit)}
+                                    >
+                                        <FormField
+                                            control={form.control}
+                                            name="clientId"
+                                            render={({ field }) => (
+                                                <FormItem>
+                                                    <FormLabel>
+                                                        {t("idpClientId")}
+                                                    </FormLabel>
+                                                    <FormControl>
+                                                        <Input {...field} />
+                                                    </FormControl>
+                                                    <FormDescription>
+                                                        {t(
+                                                            "idpGoogleClientIdDescription"
+                                                        )}
+                                                    </FormDescription>
+                                                    <FormMessage />
+                                                </FormItem>
+                                            )}
+                                        />
+
+                                        <FormField
+                                            control={form.control}
+                                            name="clientSecret"
+                                            render={({ field }) => (
+                                                <FormItem>
+                                                    <FormLabel>
+                                                        {t("idpClientSecret")}
+                                                    </FormLabel>
+                                                    <FormControl>
+                                                        <Input
+                                                            type="password"
+                                                            {...field}
+                                                        />
+                                                    </FormControl>
+                                                    <FormDescription>
+                                                        {t(
+                                                            "idpGoogleClientSecretDescription"
+                                                        )}
+                                                    </FormDescription>
+                                                    <FormMessage />
+                                                </FormItem>
+                                            )}
+                                        />
+                                    </form>
+                                </Form>
+                            </SettingsSectionForm>
+                        </SettingsSectionBody>
+                    </SettingsSection>
+                )}
+
+                {watchedType === "azure" && (
+                    <SettingsSection>
+                        <SettingsSectionHeader>
+                            <SettingsSectionTitle>
+                                {t("idpAzureConfigurationTitle")}
+                            </SettingsSectionTitle>
+                            <SettingsSectionDescription>
+                                {t("idpAzureConfigurationDescription")}
+                            </SettingsSectionDescription>
+                        </SettingsSectionHeader>
+                        <SettingsSectionBody>
+                            <SettingsSectionForm>
+                                <Form {...form}>
+                                    <form
+                                        className="space-y-4"
+                                        id="create-idp-form"
+                                        onSubmit={form.handleSubmit(onSubmit)}
+                                    >
+                                        <FormField
+                                            control={form.control}
+                                            name="tenantId"
+                                            render={({ field }) => (
+                                                <FormItem>
+                                                    <FormLabel>
+                                                        {t("idpTenantIdLabel")}
+                                                    </FormLabel>
+                                                    <FormControl>
+                                                        <Input {...field} />
+                                                    </FormControl>
+                                                    <FormDescription>
+                                                        {t(
+                                                            "idpAzureTenantIdDescription"
+                                                        )}
+                                                    </FormDescription>
+                                                    <FormMessage />
+                                                </FormItem>
+                                            )}
+                                        />
+
+                                        <FormField
+                                            control={form.control}
+                                            name="clientId"
+                                            render={({ field }) => (
+                                                <FormItem>
+                                                    <FormLabel>
+                                                        {t("idpClientId")}
+                                                    </FormLabel>
+                                                    <FormControl>
+                                                        <Input {...field} />
+                                                    </FormControl>
+                                                    <FormDescription>
+                                                        {t(
+                                                            "idpAzureClientIdDescription2"
+                                                        )}
+                                                    </FormDescription>
+                                                    <FormMessage />
+                                                </FormItem>
+                                            )}
+                                        />
+
+                                        <FormField
+                                            control={form.control}
+                                            name="clientSecret"
+                                            render={({ field }) => (
+                                                <FormItem>
+                                                    <FormLabel>
+                                                        {t("idpClientSecret")}
+                                                    </FormLabel>
+                                                    <FormControl>
+                                                        <Input
+                                                            type="password"
+                                                            {...field}
+                                                        />
+                                                    </FormControl>
+                                                    <FormDescription>
+                                                        {t(
+                                                            "idpAzureClientSecretDescription2"
+                                                        )}
+                                                    </FormDescription>
+                                                    <FormMessage />
+                                                </FormItem>
+                                            )}
+                                        />
+                                    </form>
+                                </Form>
+                            </SettingsSectionForm>
+                        </SettingsSectionBody>
+                    </SettingsSection>
+                )}
+
+                {watchedType === "oidc" && (
                     <SettingsSectionGrid cols={2}>
                         <SettingsSection>
                             <SettingsSectionHeader>
diff --git a/src/app/admin/layout.tsx b/src/app/admin/layout.tsx
index 44d85b99e..5f35ee4cd 100644
--- a/src/app/admin/layout.tsx
+++ b/src/app/admin/layout.tsx
@@ -12,6 +12,7 @@ import { authCookieHeader } from "@app/lib/api/cookies";
 import { Layout } from "@app/components/Layout";
 import { adminNavSections } from "../navigation";
 import { pullEnv } from "@app/lib/pullEnv";
+import SubscriptionStatusProvider from "@app/providers/SubscriptionStatusProvider";
 
 export const dynamic = "force-dynamic";
 
@@ -51,9 +52,15 @@ export default async function AdminLayout(props: LayoutProps) {
 
     return (
         <UserProvider user={user}>
-            <Layout orgs={orgs} navItems={adminNavSections(env)}>
-                {props.children}
-            </Layout>
+            <SubscriptionStatusProvider
+                subscriptionStatus={null}
+                env={env.app.environment}
+                sandbox_mode={env.app.sandbox_mode}
+            >
+                <Layout orgs={orgs} navItems={adminNavSections(env)}>
+                    {props.children}
+                </Layout>
+            </SubscriptionStatusProvider>
         </UserProvider>
     );
 }
diff --git a/src/components/RoleMappingConfigFields.tsx b/src/components/RoleMappingConfigFields.tsx
index 4fe1a037b..deb2cc9ac 100644
--- a/src/components/RoleMappingConfigFields.tsx
+++ b/src/components/RoleMappingConfigFields.tsx
@@ -166,7 +166,7 @@ export default function RoleMappingConfigFields({
             )}
 
             {roleMappingMode === "mappingBuilder" && (
-                <div className="space-y-4 rounded-md border p-3 min-w-0 max-w-full">
+                <div className="space-y-4 min-w-0 max-w-full">
                     <div className="space-y-2">
                         <FormLabel>{t("roleMappingClaimPath")}</FormLabel>
                         <Input
diff --git a/src/components/idp/OidcIdpProviderTypeSelect.tsx b/src/components/idp/OidcIdpProviderTypeSelect.tsx
new file mode 100644
index 000000000..f69c005ad
--- /dev/null
+++ b/src/components/idp/OidcIdpProviderTypeSelect.tsx
@@ -0,0 +1,75 @@
+"use client";
+
+import {
+    StrategySelect,
+    type StrategyOption
+} from "@app/components/StrategySelect";
+import type { IdpOidcProviderType } from "@app/lib/idp/oidcIdpProviderDefaults";
+import { useTranslations } from "next-intl";
+import Image from "next/image";
+
+type Props = {
+    value: IdpOidcProviderType;
+    onTypeChange: (type: IdpOidcProviderType) => void;
+    templatesPaid: boolean;
+};
+
+export function OidcIdpProviderTypeSelect({
+    value,
+    onTypeChange,
+    templatesPaid
+}: Props) {
+    const t = useTranslations();
+
+    const options: ReadonlyArray<StrategyOption<IdpOidcProviderType>> = [
+        {
+            id: "oidc",
+            title: "OAuth2/OIDC",
+            description: t("idpOidcDescription")
+        },
+        {
+            id: "google",
+            title: t("idpGoogleTitle"),
+            description: t("idpGoogleDescription"),
+            disabled: !templatesPaid,
+            icon: (
+                <Image
+                    src="/idp/google.png"
+                    alt={t("idpGoogleAlt")}
+                    width={24}
+                    height={24}
+                    className="rounded"
+                />
+            )
+        },
+        {
+            id: "azure",
+            title: t("idpAzureTitle"),
+            description: t("idpAzureDescription"),
+            disabled: !templatesPaid,
+            icon: (
+                <Image
+                    src="/idp/azure.png"
+                    alt={t("idpAzureAlt")}
+                    width={24}
+                    height={24}
+                    className="rounded"
+                />
+            )
+        }
+    ];
+
+    return (
+        <div>
+            <div className="mb-2">
+                <span className="text-sm font-medium">{t("idpType")}</span>
+            </div>
+            <StrategySelect
+                value={value}
+                options={options}
+                onChange={onTypeChange}
+                cols={3}
+            />
+        </div>
+    );
+}
diff --git a/src/lib/idp/oidcIdpProviderDefaults.ts b/src/lib/idp/oidcIdpProviderDefaults.ts
new file mode 100644
index 000000000..3608c6882
--- /dev/null
+++ b/src/lib/idp/oidcIdpProviderDefaults.ts
@@ -0,0 +1,46 @@
+import type { FieldValues, UseFormSetValue } from "react-hook-form";
+
+export type IdpOidcProviderType = "oidc" | "google" | "azure";
+
+export function applyOidcIdpProviderType<T extends FieldValues>(
+    setValue: UseFormSetValue<T>,
+    provider: IdpOidcProviderType
+): void {
+    setValue("type" as never, provider as never);
+
+    if (provider === "google") {
+        setValue(
+            "authUrl" as never,
+            "https://accounts.google.com/o/oauth2/v2/auth" as never
+        );
+        setValue(
+            "tokenUrl" as never,
+            "https://oauth2.googleapis.com/token" as never
+        );
+        setValue("identifierPath" as never, "email" as never);
+        setValue("emailPath" as never, "email" as never);
+        setValue("namePath" as never, "name" as never);
+        setValue("scopes" as never, "openid profile email" as never);
+    } else if (provider === "azure") {
+        setValue(
+            "authUrl" as never,
+            "https://login.microsoftonline.com/{{TENANT_ID}}/oauth2/v2.0/authorize" as never
+        );
+        setValue(
+            "tokenUrl" as never,
+            "https://login.microsoftonline.com/{{TENANT_ID}}/oauth2/v2.0/token" as never
+        );
+        setValue("identifierPath" as never, "email" as never);
+        setValue("emailPath" as never, "email" as never);
+        setValue("namePath" as never, "name" as never);
+        setValue("scopes" as never, "openid profile email" as never);
+        setValue("tenantId" as never, "" as never);
+    } else {
+        setValue("authUrl" as never, "" as never);
+        setValue("tokenUrl" as never, "" as never);
+        setValue("identifierPath" as never, "sub" as never);
+        setValue("namePath" as never, "name" as never);
+        setValue("emailPath" as never, "email" as never);
+        setValue("scopes" as never, "openid profile email" as never);
+    }
+}

From 8e160902af7b5fc16f0fef4faa0c6a6e8a425472 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 28 Mar 2026 18:37:06 +0000
Subject: [PATCH 142/314] Bump path-to-regexp from 8.3.0 to 8.4.0

Bumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) from 8.3.0 to 8.4.0.
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md)
- [Commits](https://github.com/pillarjs/path-to-regexp/compare/v8.3.0...v8.4.0)

---
updated-dependencies:
- dependency-name: path-to-regexp
  dependency-version: 8.4.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 package-lock.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 7b63f1691..deefd24a2 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -16337,9 +16337,9 @@
             }
         },
         "node_modules/path-to-regexp": {
-            "version": "8.3.0",
-            "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.3.0.tgz",
-            "integrity": "sha512-7jdwVIRtsP8MYpdXSwOS0YdD0Du+qOoF/AEPIt88PcCFrZCzx41oxku1jD88hZBwbNUIEfpqvuhjFaMAqMTWnA==",
+            "version": "8.4.0",
+            "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.4.0.tgz",
+            "integrity": "sha512-PuseHIvAnz3bjrM2rGJtSgo1zjgxapTLZ7x2pjhzWwlp4SJQgK3f3iZIQwkpEnBaKz6seKBADpM4B4ySkuYypg==",
             "license": "MIT",
             "funding": {
                 "type": "opencollective",

From c6f269b3fa4a5c9b11c41e52942e4fb75b132179 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Sat, 28 Mar 2026 17:29:01 -0700
Subject: [PATCH 143/314] set roles 1:1 on auto provision

---
 server/routers/idp/validateOidcCallback.ts | 34 ++++++++++------------
 1 file changed, 16 insertions(+), 18 deletions(-)

diff --git a/server/routers/idp/validateOidcCallback.ts b/server/routers/idp/validateOidcCallback.ts
index 86545269b..7f39aa38d 100644
--- a/server/routers/idp/validateOidcCallback.ts
+++ b/server/routers/idp/validateOidcCallback.ts
@@ -579,30 +579,28 @@ export async function validateOidcCallback(
                     }
                 }
 
-                // Ensure IDP-provided role exists for existing auto-provisioned orgs (add only; never delete other roles)
-                const userRolesInOrgs = await trx
-                    .select()
-                    .from(userOrgRoles)
-                    .where(eq(userOrgRoles.userId, userId!));
+                // Sync roles 1:1 with IdP policy for existing auto-provisioned orgs
                 for (const currentOrg of autoProvisionedOrgs) {
                     const newRole = userOrgInfo.find(
                         (newOrg) => newOrg.orgId === currentOrg.orgId
                     );
                     if (!newRole) continue;
-                    const currentRolesInOrg = userRolesInOrgs.filter(
-                        (r) => r.orgId === currentOrg.orgId
-                    );
-                    for (const roleId of newRole.roleIds) {
-                        const hasIdpRole = currentRolesInOrg.some(
-                            (r) => r.roleId === roleId
+
+                    await trx
+                        .delete(userOrgRoles)
+                        .where(
+                            and(
+                                eq(userOrgRoles.userId, userId!),
+                                eq(userOrgRoles.orgId, currentOrg.orgId)
+                            )
                         );
-                        if (!hasIdpRole) {
-                            await trx.insert(userOrgRoles).values({
-                                userId: userId!,
-                                orgId: currentOrg.orgId,
-                                roleId
-                            });
-                        }
+
+                    for (const roleId of newRole.roleIds) {
+                        await trx.insert(userOrgRoles).values({
+                            userId: userId!,
+                            orgId: currentOrg.orgId,
+                            roleId
+                        });
                     }
                 }
 

From 6ab05551487a4ff5f5f2cec85177be512ddf0c69 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Sat, 28 Mar 2026 18:09:36 -0700
Subject: [PATCH 144/314] respect full rbac feature in auto provisioning

---
 messages/en-US.json                           |   1 +
 server/lib/billing/tierMatrix.ts              |   6 +-
 .../routers/billing/featureLifecycle.ts       |  13 +-
 server/routers/idp/validateOidcCallback.ts    |  15 +-
 .../users/[userId]/access-controls/page.tsx   |   5 +-
 src/components/RoleMappingConfigFields.tsx    | 193 ++++++++++++++----
 6 files changed, 178 insertions(+), 55 deletions(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index 505378b7f..673ce4949 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -1956,6 +1956,7 @@
     "roleMappingAssignRoles": "Assign Roles",
     "roleMappingAddMappingRule": "Add Mapping Rule",
     "roleMappingRawExpressionResultDescription": "Expression must evaluate to a string or string array.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Expression must evaluate to a string (a single role name).",
     "roleMappingMatchValuePlaceholder": "Match value (for example: admin)",
     "roleMappingAssignRolesPlaceholderFreeform": "Type role names (exact per org)",
     "roleMappingBuilderFreeformRowHint": "Role names must match a role in each target organization.",
diff --git a/server/lib/billing/tierMatrix.ts b/server/lib/billing/tierMatrix.ts
index c08bcea71..a66f566a9 100644
--- a/server/lib/billing/tierMatrix.ts
+++ b/server/lib/billing/tierMatrix.ts
@@ -15,7 +15,8 @@ export enum TierFeature {
     SessionDurationPolicies = "sessionDurationPolicies", // handle downgrade by setting to default duration
     PasswordExpirationPolicies = "passwordExpirationPolicies", // handle downgrade by setting to default duration
     AutoProvisioning = "autoProvisioning", // handle downgrade by disabling auto provisioning
-    SshPam = "sshPam"
+    SshPam = "sshPam",
+    FullRbac = "fullRbac"
 }
 
 export const tierMatrix: Record<TierFeature, Tier[]> = {
@@ -48,5 +49,6 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
         "enterprise"
     ],
     [TierFeature.AutoProvisioning]: ["tier1", "tier3", "enterprise"],
-    [TierFeature.SshPam]: ["tier1", "tier3", "enterprise"]
+    [TierFeature.SshPam]: ["tier1", "tier3", "enterprise"],
+    [TierFeature.FullRbac]: ["tier1", "tier2", "tier3", "enterprise"]
 };
diff --git a/server/private/routers/billing/featureLifecycle.ts b/server/private/routers/billing/featureLifecycle.ts
index 9536a87f0..330cf6e03 100644
--- a/server/private/routers/billing/featureLifecycle.ts
+++ b/server/private/routers/billing/featureLifecycle.ts
@@ -26,9 +26,10 @@ import {
     orgs,
     resources,
     roles,
-    siteResources
+    siteResources,
+    userOrgRoles
 } from "@server/db";
-import { eq } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 
 /**
  * Get the maximum allowed retention days for a given tier
@@ -291,6 +292,10 @@ async function disableFeature(
                 await disableSshPam(orgId);
                 break;
 
+            case TierFeature.FullRbac:
+                await disableFullRbac(orgId);
+                break;
+
             default:
                 logger.warn(
                     `Unknown feature ${feature} for org ${orgId}, skipping`
@@ -326,6 +331,10 @@ async function disableSshPam(orgId: string): Promise<void> {
     );
 }
 
+async function disableFullRbac(orgId: string): Promise<void> {
+    logger.info(`Disabled full RBAC for org ${orgId}`);
+}
+
 async function disableLoginPageBranding(orgId: string): Promise<void> {
     const [existingBranding] = await db
         .select()
diff --git a/server/routers/idp/validateOidcCallback.ts b/server/routers/idp/validateOidcCallback.ts
index 7f39aa38d..4de52f530 100644
--- a/server/routers/idp/validateOidcCallback.ts
+++ b/server/routers/idp/validateOidcCallback.ts
@@ -36,6 +36,7 @@ import { usageService } from "@server/lib/billing/usageService";
 import { build } from "@server/build";
 import { calculateUserClientsForOrgs } from "@server/lib/calculateUserClientsForOrgs";
 import { isSubscribed } from "#dynamic/lib/isSubscribed";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import {
     assignUserToOrg,
@@ -415,7 +416,15 @@ export async function validateOidcCallback(
                         roleMappingResult
                     );
 
-                    if (!roleNames.length) {
+                    const supportsMultiRole = await isLicensedOrSubscribed(
+                        org.orgId,
+                        tierMatrix.fullRbac
+                    );
+                    const effectiveRoleNames = supportsMultiRole
+                        ? roleNames
+                        : roleNames.slice(0, 1);
+
+                    if (!effectiveRoleNames.length) {
                         logger.error("Role mapping returned no valid roles", {
                             roleMappingResult
                         });
@@ -428,14 +437,14 @@ export async function validateOidcCallback(
                         .where(
                             and(
                                 eq(roles.orgId, org.orgId),
-                                inArray(roles.name, roleNames)
+                                inArray(roles.name, effectiveRoleNames)
                             )
                         );
 
                     if (!roleRes.length) {
                         logger.error("No mapped roles found in organization", {
                             orgId: org.orgId,
-                            roleNames
+                            roleNames: effectiveRoleNames
                         });
                         continue;
                     }
diff --git a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
index c9ed7d561..eb280f2f3 100644
--- a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
+++ b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
@@ -69,10 +69,7 @@ export default function AccessControlsPage() {
     const t = useTranslations();
     const { isPaidUser, hasSaasSubscription, hasEnterpriseLicense } =
         usePaidStatus();
-    const multiRoleFeatureTiers = Array.from(
-        new Set([...tierMatrix.sshPam, ...tierMatrix.orgOidc])
-    );
-    const isPaid = isPaidUser(multiRoleFeatureTiers);
+    const isPaid = isPaidUser(tierMatrix.fullRbac);
     const supportsMultipleRolesPerUser = isPaid;
     const showMultiRolePaywallMessage =
         !env.flags.disableEnterpriseFeatures &&
diff --git a/src/components/RoleMappingConfigFields.tsx b/src/components/RoleMappingConfigFields.tsx
index deb2cc9ac..12790d4aa 100644
--- a/src/components/RoleMappingConfigFields.tsx
+++ b/src/components/RoleMappingConfigFields.tsx
@@ -5,13 +5,17 @@ import { RadioGroup, RadioGroupItem } from "@app/components/ui/radio-group";
 import { Button } from "@app/components/ui/button";
 import { Input } from "@app/components/ui/input";
 import { useTranslations } from "next-intl";
-import { useMemo, useState } from "react";
+import { useEffect, useMemo, useState } from "react";
 import { Tag, TagInput } from "@app/components/tags/tag-input";
 import {
     createMappingBuilderRule,
     MappingBuilderRule,
     RoleMappingMode
 } from "@app/lib/idpRoleMapping";
+import { usePaidStatus } from "@app/hooks/usePaidStatus";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import { build } from "@server/build";
 
 export type RoleMappingRoleOption = {
     roleId: number;
@@ -52,10 +56,17 @@ export default function RoleMappingConfigFields({
     showFreeformRoleNamesHint = false
 }: RoleMappingConfigFieldsProps) {
     const t = useTranslations();
+    const { env } = useEnvContext();
+    const { isPaidUser } = usePaidStatus();
     const [activeFixedRoleTagIndex, setActiveFixedRoleTagIndex] = useState<
         number | null
     >(null);
 
+    const supportsMultipleRolesPerUser = isPaidUser(tierMatrix.fullRbac);
+    const showSingleRoleDisclaimer =
+        !env.flags.disableEnterpriseFeatures &&
+        !isPaidUser(tierMatrix.fullRbac);
+
     const restrictToOrgRoles = roles.length > 0;
 
     const roleOptions = useMemo(
@@ -67,13 +78,40 @@ export default function RoleMappingConfigFields({
         [roles]
     );
 
+    useEffect(() => {
+        if (
+            !supportsMultipleRolesPerUser &&
+            mappingBuilderRules.length > 1
+        ) {
+            onMappingBuilderRulesChange([mappingBuilderRules[0]]);
+        }
+    }, [
+        supportsMultipleRolesPerUser,
+        mappingBuilderRules,
+        onMappingBuilderRulesChange
+    ]);
+
+    useEffect(() => {
+        if (!supportsMultipleRolesPerUser && fixedRoleNames.length > 1) {
+            onFixedRoleNamesChange([fixedRoleNames[0]]);
+        }
+    }, [
+        supportsMultipleRolesPerUser,
+        fixedRoleNames,
+        onFixedRoleNamesChange
+    ]);
+
     const fixedRadioId = `${fieldIdPrefix}-fixed-roles-mode`;
     const builderRadioId = `${fieldIdPrefix}-mapping-builder-mode`;
     const rawRadioId = `${fieldIdPrefix}-raw-expression-mode`;
 
+    const mappingBuilderShowsRemoveColumn =
+        supportsMultipleRolesPerUser || mappingBuilderRules.length > 1;
+
     /** Same template on header + rows so 1fr/1.75fr columns line up (auto third col differs per row otherwise). */
-    const mappingRulesGridClass =
-        "md:grid md:grid-cols-[minmax(0,1fr)_minmax(0,1.75fr)_6rem] md:gap-x-3";
+    const mappingRulesGridClass = mappingBuilderShowsRemoveColumn
+        ? "md:grid md:grid-cols-[minmax(0,1fr)_minmax(0,1.75fr)_6rem] md:gap-x-3"
+        : "md:grid md:grid-cols-[minmax(0,1fr)_minmax(0,1.75fr)] md:gap-x-3";
 
     return (
         <div className="space-y-4">
@@ -119,6 +157,13 @@ export default function RoleMappingConfigFields({
                         </label>
                     </div>
                 </RadioGroup>
+                {showSingleRoleDisclaimer && (
+                    <FormDescription className="mt-3">
+                        {build === "saas"
+                            ? t("singleRolePerUserPlanNotice")
+                            : t("singleRolePerUserEditionNotice")}
+                    </FormDescription>
+                )}
             </div>
 
             {roleMappingMode === "fixedRoles" && (
@@ -129,19 +174,37 @@ export default function RoleMappingConfigFields({
                             text: name
                         }))}
                         setTags={(nextTags) => {
+                            const prevTags = fixedRoleNames.map((name) => ({
+                                id: name,
+                                text: name
+                            }));
                             const next =
                                 typeof nextTags === "function"
-                                    ? nextTags(
-                                          fixedRoleNames.map((name) => ({
-                                              id: name,
-                                              text: name
-                                          }))
-                                      )
+                                    ? nextTags(prevTags)
                                     : nextTags;
 
-                            onFixedRoleNamesChange([
+                            let names = [
                                 ...new Set(next.map((tag) => tag.text))
-                            ]);
+                            ];
+
+                            if (!supportsMultipleRolesPerUser) {
+                                if (
+                                    names.length === 0 &&
+                                    fixedRoleNames.length > 0
+                                ) {
+                                    onFixedRoleNamesChange([
+                                        fixedRoleNames[
+                                            fixedRoleNames.length - 1
+                                        ]!
+                                    ]);
+                                    return;
+                                }
+                                if (names.length > 1) {
+                                    names = [names[names.length - 1]!];
+                                }
+                            }
+
+                            onFixedRoleNamesChange(names);
                         }}
                         activeTagIndex={activeFixedRoleTagIndex}
                         setActiveTagIndex={setActiveFixedRoleTagIndex}
@@ -191,7 +254,9 @@ export default function RoleMappingConfigFields({
                             <FormLabel className="min-w-0">
                                 {t("roleMappingAssignRoles")}
                             </FormLabel>
-                            <span aria-hidden className="min-w-0" />
+                            {mappingBuilderShowsRemoveColumn ? (
+                                <span aria-hidden className="min-w-0" />
+                            ) : null}
                         </div>
 
                         {mappingBuilderRules.map((rule, index) => (
@@ -204,6 +269,10 @@ export default function RoleMappingConfigFields({
                                 showFreeformRoleNamesHint={
                                     showFreeformRoleNamesHint
                                 }
+                                supportsMultipleRolesPerUser={
+                                    supportsMultipleRolesPerUser
+                                }
+                                showRemoveButton={mappingBuilderShowsRemoveColumn}
                                 rule={rule}
                                 onChange={(nextRule) => {
                                     const nextRules = mappingBuilderRules.map(
@@ -227,18 +296,20 @@ export default function RoleMappingConfigFields({
                         ))}
                     </div>
 
-                    <Button
-                        type="button"
-                        variant="outline"
-                        onClick={() => {
-                            onMappingBuilderRulesChange([
-                                ...mappingBuilderRules,
-                                createMappingBuilderRule()
-                            ]);
-                        }}
-                    >
-                        {t("roleMappingAddMappingRule")}
-                    </Button>
+                    {supportsMultipleRolesPerUser ? (
+                        <Button
+                            type="button"
+                            variant="outline"
+                            onClick={() => {
+                                onMappingBuilderRulesChange([
+                                    ...mappingBuilderRules,
+                                    createMappingBuilderRule()
+                                ]);
+                            }}
+                        >
+                            {t("roleMappingAddMappingRule")}
+                        </Button>
+                    ) : null}
                 </div>
             )}
 
@@ -250,7 +321,11 @@ export default function RoleMappingConfigFields({
                         placeholder={t("roleMappingExpressionPlaceholder")}
                     />
                     <FormDescription>
-                        {t("roleMappingRawExpressionResultDescription")}
+                        {supportsMultipleRolesPerUser
+                            ? t("roleMappingRawExpressionResultDescription")
+                            : t(
+                                  "roleMappingRawExpressionResultDescriptionSingleRole"
+                              )}
                     </FormDescription>
                 </div>
             )}
@@ -265,6 +340,8 @@ function BuilderRuleRow({
     showFreeformRoleNamesHint,
     fieldIdPrefix,
     mappingRulesGridClass,
+    supportsMultipleRolesPerUser,
+    showRemoveButton,
     onChange,
     onRemove
 }: {
@@ -274,6 +351,8 @@ function BuilderRuleRow({
     showFreeformRoleNamesHint: boolean;
     fieldIdPrefix: string;
     mappingRulesGridClass: string;
+    supportsMultipleRolesPerUser: boolean;
+    showRemoveButton: boolean;
     onChange: (rule: MappingBuilderRule) => void;
     onRemove: () => void;
 }) {
@@ -311,20 +390,44 @@ function BuilderRuleRow({
                             text: name
                         }))}
                         setTags={(nextTags) => {
+                            const prevRoleTags = rule.roleNames.map(
+                                (name) => ({
+                                    id: name,
+                                    text: name
+                                })
+                            );
                             const next =
                                 typeof nextTags === "function"
-                                    ? nextTags(
-                                          rule.roleNames.map((name) => ({
-                                              id: name,
-                                              text: name
-                                          }))
-                                      )
+                                    ? nextTags(prevRoleTags)
                                     : nextTags;
+
+                            let names = [
+                                ...new Set(next.map((tag) => tag.text))
+                            ];
+
+                            if (!supportsMultipleRolesPerUser) {
+                                if (
+                                    names.length === 0 &&
+                                    rule.roleNames.length > 0
+                                ) {
+                                    onChange({
+                                        ...rule,
+                                        roleNames: [
+                                            rule.roleNames[
+                                                rule.roleNames.length - 1
+                                            ]!
+                                        ]
+                                    });
+                                    return;
+                                }
+                                if (names.length > 1) {
+                                    names = [names[names.length - 1]!];
+                                }
+                            }
+
                             onChange({
                                 ...rule,
-                                roleNames: [
-                                    ...new Set(next.map((tag) => tag.text))
-                                ]
+                                roleNames: names
                             });
                         }}
                         activeTagIndex={activeTagIndex}
@@ -351,16 +454,18 @@ function BuilderRuleRow({
                     </p>
                 )}
             </div>
-            <div className="flex min-w-0 justify-end md:justify-start md:pt-0">
-                <Button
-                    type="button"
-                    variant="outline"
-                    className="h-9 shrink-0 px-2"
-                    onClick={onRemove}
-                >
-                    {t("roleMappingRemoveRule")}
-                </Button>
-            </div>
+            {showRemoveButton ? (
+                <div className="flex min-w-0 justify-end md:justify-start md:pt-0">
+                    <Button
+                        type="button"
+                        variant="outline"
+                        className="h-9 shrink-0 px-2"
+                        onClick={onRemove}
+                    >
+                        {t("roleMappingRemoveRule")}
+                    </Button>
+                </div>
+            ) : null}
         </div>
     );
 }

From ba529ad14ed582b1e23f01656e70168b9b54b7e1 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Sat, 28 Mar 2026 18:20:56 -0700
Subject: [PATCH 145/314] hide google and azure idp properly

---
 .../settings/(private)/idp/create/page.tsx    |   2 -
 src/app/admin/idp/create/page.tsx             | 135 ++++++++++--------
 .../idp/OidcIdpProviderTypeSelect.tsx         |  96 +++++++------
 3 files changed, 128 insertions(+), 105 deletions(-)

diff --git a/src/app/[orgId]/settings/(private)/idp/create/page.tsx b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
index 17adcb6b6..c0fc30a8f 100644
--- a/src/app/[orgId]/settings/(private)/idp/create/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
@@ -219,7 +219,6 @@ export default function Page() {
     }
 
     const disabled = !isPaidUser(tierMatrix.orgOidc);
-    const templatesPaid = isPaidUser(tierMatrix.orgOidc);
 
     return (
         <>
@@ -254,7 +253,6 @@ export default function Page() {
                     <SettingsSectionBody>
                         <OidcIdpProviderTypeSelect
                             value={form.watch("type")}
-                            templatesPaid={templatesPaid}
                             onTypeChange={(next) => {
                                 applyOidcIdpProviderType(form.setValue, next);
                             }}
diff --git a/src/app/admin/idp/create/page.tsx b/src/app/admin/idp/create/page.tsx
index 40d4a3b32..5039d255c 100644
--- a/src/app/admin/idp/create/page.tsx
+++ b/src/app/admin/idp/create/page.tsx
@@ -36,7 +36,7 @@ import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import { InfoIcon } from "lucide-react";
 import { useTranslations } from "next-intl";
 import { useRouter } from "next/navigation";
-import { useEffect, useState } from "react";
+import { useState } from "react";
 import { useForm } from "react-hook-form";
 import { z } from "zod";
 
@@ -93,17 +93,18 @@ export default function Page() {
     });
 
     const watchedType = form.watch("type");
-
-    useEffect(() => {
-        if (
-            !templatesPaid &&
-            (watchedType === "google" || watchedType === "azure")
-        ) {
-            applyOidcIdpProviderType(form.setValue, "oidc");
-        }
-    }, [templatesPaid, watchedType, form.setValue]);
+    const templatesLocked =
+        !templatesPaid &&
+        (watchedType === "google" || watchedType === "azure");
 
     async function onSubmit(data: CreateIdpFormValues) {
+        if (
+            !templatesPaid &&
+            (data.type === "google" || data.type === "azure")
+        ) {
+            return;
+        }
+
         setCreateLoading(true);
 
         try {
@@ -166,10 +167,6 @@ export default function Page() {
                 </Button>
             </div>
 
-            {!templatesPaid ? (
-                <PaidFeaturesAlert tiers={tierMatrix.orgOidc} />
-            ) : null}
-
             <SettingsContainer>
                 <SettingsSection>
                     <SettingsSectionHeader>
@@ -181,64 +178,79 @@ export default function Page() {
                         </SettingsSectionDescription>
                     </SettingsSectionHeader>
                     <SettingsSectionBody>
+                        {templatesLocked ? (
+                            <div className="mb-4">
+                                <PaidFeaturesAlert tiers={tierMatrix.orgOidc} />
+                            </div>
+                        ) : null}
                         <OidcIdpProviderTypeSelect
                             value={watchedType}
-                            templatesPaid={templatesPaid}
                             onTypeChange={(next) => {
                                 applyOidcIdpProviderType(form.setValue, next);
                             }}
                         />
 
-                        <SettingsSectionForm>
-                            <Form {...form}>
-                                <form
-                                    className="space-y-4"
-                                    id="create-idp-form"
-                                    onSubmit={form.handleSubmit(onSubmit)}
-                                >
-                                    <FormField
-                                        control={form.control}
-                                        name="name"
-                                        render={({ field }) => (
-                                            <FormItem>
-                                                <FormLabel>
-                                                    {t("name")}
-                                                </FormLabel>
-                                                <FormControl>
-                                                    <Input {...field} />
-                                                </FormControl>
-                                                <FormDescription>
-                                                    {t("idpDisplayName")}
-                                                </FormDescription>
-                                                <FormMessage />
-                                            </FormItem>
-                                        )}
-                                    />
-
-                                    <div className="flex items-start mb-0">
-                                        <SwitchInput
-                                            id="auto-provision-toggle"
-                                            label={t("idpAutoProvisionUsers")}
-                                            defaultChecked={form.getValues(
-                                                "autoProvision"
+                        <fieldset
+                            disabled={templatesLocked}
+                            className="min-w-0 border-0 p-0 m-0 disabled:pointer-events-none disabled:opacity-60"
+                        >
+                            <SettingsSectionForm>
+                                <Form {...form}>
+                                    <form
+                                        className="space-y-4"
+                                        id="create-idp-form"
+                                        onSubmit={form.handleSubmit(onSubmit)}
+                                    >
+                                        <FormField
+                                            control={form.control}
+                                            name="name"
+                                            render={({ field }) => (
+                                                <FormItem>
+                                                    <FormLabel>
+                                                        {t("name")}
+                                                    </FormLabel>
+                                                    <FormControl>
+                                                        <Input {...field} />
+                                                    </FormControl>
+                                                    <FormDescription>
+                                                        {t("idpDisplayName")}
+                                                    </FormDescription>
+                                                    <FormMessage />
+                                                </FormItem>
                                             )}
-                                            onCheckedChange={(checked) => {
-                                                form.setValue(
-                                                    "autoProvision",
-                                                    checked
-                                                );
-                                            }}
                                         />
-                                    </div>
-                                    <span className="text-sm text-muted-foreground">
-                                        {t("idpAutoProvisionUsersDescription")}
-                                    </span>
-                                </form>
-                            </Form>
-                        </SettingsSectionForm>
+
+                                        <div className="flex items-start mb-0">
+                                            <SwitchInput
+                                                id="auto-provision-toggle"
+                                                label={t("idpAutoProvisionUsers")}
+                                                defaultChecked={form.getValues(
+                                                    "autoProvision"
+                                                )}
+                                                onCheckedChange={(checked) => {
+                                                    form.setValue(
+                                                        "autoProvision",
+                                                        checked
+                                                    );
+                                                }}
+                                            />
+                                        </div>
+                                        <span className="text-sm text-muted-foreground">
+                                            {t(
+                                                "idpAutoProvisionUsersDescription"
+                                            )}
+                                        </span>
+                                    </form>
+                                </Form>
+                            </SettingsSectionForm>
+                        </fieldset>
                     </SettingsSectionBody>
                 </SettingsSection>
 
+                <fieldset
+                    disabled={templatesLocked}
+                    className="min-w-0 border-0 p-0 m-0 disabled:pointer-events-none disabled:opacity-60"
+                >
                 {watchedType === "google" && (
                     <SettingsSection>
                         <SettingsSectionHeader>
@@ -624,6 +636,7 @@ export default function Page() {
                         </SettingsSection>
                     </SettingsSectionGrid>
                 )}
+                </fieldset>
             </SettingsContainer>
 
             <div className="flex justify-end space-x-2 mt-8">
@@ -638,7 +651,7 @@ export default function Page() {
                 </Button>
                 <Button
                     type="submit"
-                    disabled={createLoading}
+                    disabled={createLoading || templatesLocked}
                     loading={createLoading}
                     onClick={form.handleSubmit(onSubmit)}
                 >
diff --git a/src/components/idp/OidcIdpProviderTypeSelect.tsx b/src/components/idp/OidcIdpProviderTypeSelect.tsx
index f69c005ad..4665d9c0d 100644
--- a/src/components/idp/OidcIdpProviderTypeSelect.tsx
+++ b/src/components/idp/OidcIdpProviderTypeSelect.tsx
@@ -4,60 +4,72 @@ import {
     StrategySelect,
     type StrategyOption
 } from "@app/components/StrategySelect";
+import { useEnvContext } from "@app/hooks/useEnvContext";
 import type { IdpOidcProviderType } from "@app/lib/idp/oidcIdpProviderDefaults";
 import { useTranslations } from "next-intl";
 import Image from "next/image";
+import { useEffect, useMemo } from "react";
 
 type Props = {
     value: IdpOidcProviderType;
     onTypeChange: (type: IdpOidcProviderType) => void;
-    templatesPaid: boolean;
 };
 
-export function OidcIdpProviderTypeSelect({
-    value,
-    onTypeChange,
-    templatesPaid
-}: Props) {
+export function OidcIdpProviderTypeSelect({ value, onTypeChange }: Props) {
     const t = useTranslations();
+    const { env } = useEnvContext();
+    const hideTemplates = env.flags.disableEnterpriseFeatures;
 
-    const options: ReadonlyArray<StrategyOption<IdpOidcProviderType>> = [
-        {
-            id: "oidc",
-            title: "OAuth2/OIDC",
-            description: t("idpOidcDescription")
-        },
-        {
-            id: "google",
-            title: t("idpGoogleTitle"),
-            description: t("idpGoogleDescription"),
-            disabled: !templatesPaid,
-            icon: (
-                <Image
-                    src="/idp/google.png"
-                    alt={t("idpGoogleAlt")}
-                    width={24}
-                    height={24}
-                    className="rounded"
-                />
-            )
-        },
-        {
-            id: "azure",
-            title: t("idpAzureTitle"),
-            description: t("idpAzureDescription"),
-            disabled: !templatesPaid,
-            icon: (
-                <Image
-                    src="/idp/azure.png"
-                    alt={t("idpAzureAlt")}
-                    width={24}
-                    height={24}
-                    className="rounded"
-                />
-            )
+    useEffect(() => {
+        if (hideTemplates && (value === "google" || value === "azure")) {
+            onTypeChange("oidc");
         }
-    ];
+    }, [hideTemplates, value, onTypeChange]);
+
+    const options: ReadonlyArray<StrategyOption<IdpOidcProviderType>> =
+        useMemo(() => {
+            const base: StrategyOption<IdpOidcProviderType>[] = [
+                {
+                    id: "oidc",
+                    title: "OAuth2/OIDC",
+                    description: t("idpOidcDescription")
+                }
+            ];
+            if (hideTemplates) {
+                return base;
+            }
+            return [
+                ...base,
+                {
+                    id: "google",
+                    title: t("idpGoogleTitle"),
+                    description: t("idpGoogleDescription"),
+                    icon: (
+                        <Image
+                            src="/idp/google.png"
+                            alt={t("idpGoogleAlt")}
+                            width={24}
+                            height={24}
+                            className="rounded"
+                        />
+                    )
+                },
+                {
+                    id: "azure",
+                    title: t("idpAzureTitle"),
+                    description: t("idpAzureDescription"),
+                    icon: (
+                        <Image
+                            src="/idp/azure.png"
+                            alt={t("idpAzureAlt")}
+                            width={24}
+                            height={24}
+                            className="rounded"
+                        />
+                    )
+                }
+            ];
+        }, [hideTemplates, t]);
 
     return (
         <div>

From 50ee28b1f7c4be179e2e698592fdb3d7ce12176b Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Sat, 28 Mar 2026 18:23:07 -0700
Subject: [PATCH 146/314] fix no admin user in roles dropdown

---
 .../access/users/[userId]/access-controls/page.tsx | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
index eb280f2f3..16ae0b3a5 100644
--- a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
+++ b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
@@ -126,16 +126,10 @@ export default function AccessControlsPage() {
         form.setValue("autoProvisioned", user.autoProvisioned || false);
     }, []);
 
-    const allRoleOptions = useMemo(
-        () =>
-            roles
-                .map((role) => ({
-                    id: role.roleId.toString(),
-                    text: role.name
-                }))
-                .filter((role) => role.text !== "Admin"),
-        [roles]
-    );
+    const allRoleOptions = roles.map((role) => ({
+        id: role.roleId.toString(),
+        text: role.name
+    }));
 
     function setRoleTags(updater: Tag[] | ((prev: Tag[]) => Tag[])) {
         const prev = form.getValues("roles");

From d1b2105c805ad360585477e0dd9fb8dc9042b89c Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Sat, 28 Mar 2026 18:29:40 -0700
Subject: [PATCH 147/314] support search in tags input

---
 src/components/tags/autocomplete.tsx | 277 ++++++++++++---------------
 src/components/tags/tag-input.tsx    |  16 +-
 src/components/tags/tag-popover.tsx  |  99 +++++-----
 3 files changed, 177 insertions(+), 215 deletions(-)

diff --git a/src/components/tags/autocomplete.tsx b/src/components/tags/autocomplete.tsx
index ee865eb61..916e7aeed 100644
--- a/src/components/tags/autocomplete.tsx
+++ b/src/components/tags/autocomplete.tsx
@@ -1,10 +1,23 @@
-import React, { useCallback, useEffect, useRef, useState } from "react";
-// import { Command, CommandList, CommandItem, CommandGroup, CommandEmpty } from '../ui/command';
+import React, { useCallback, useEffect, useMemo, useRef, useState } from "react";
 import { TagInputStyleClassesProps, type Tag as TagType } from "./tag-input";
-import { Popover, PopoverContent, PopoverTrigger } from "../ui/popover";
+import {
+    Command,
+    CommandEmpty,
+    CommandGroup,
+    CommandInput,
+    CommandItem,
+    CommandList
+} from "../ui/command";
+import {
+    Popover,
+    PopoverAnchor,
+    PopoverContent,
+    PopoverTrigger
+} from "../ui/popover";
 import { Button } from "../ui/button";
 import { cn } from "@app/lib/cn";
 import { useTranslations } from "next-intl";
+import { Check } from "lucide-react";
 
 type AutocompleteProps = {
     tags: TagType[];
@@ -20,6 +33,8 @@ type AutocompleteProps = {
     inlineTags?: boolean;
     classStyleProps: TagInputStyleClassesProps["autoComplete"];
     usePortal?: boolean;
+    /** Narrows the dropdown list from the main field (cmdk search filters further). */
+    filterQuery?: string;
 };
 
 export const Autocomplete: React.FC<AutocompleteProps> = ({
@@ -35,10 +50,10 @@ export const Autocomplete: React.FC<AutocompleteProps> = ({
     inlineTags,
     children,
     classStyleProps,
-    usePortal
+    usePortal,
+    filterQuery = ""
 }) => {
     const triggerContainerRef = useRef<HTMLDivElement | null>(null);
-    const triggerRef = useRef<HTMLButtonElement | null>(null);
     const inputRef = useRef<HTMLInputElement | null>(null);
     const popoverContentRef = useRef<HTMLDivElement | null>(null);
     const t = useTranslations();
@@ -46,17 +61,21 @@ export const Autocomplete: React.FC<AutocompleteProps> = ({
     const [popoverWidth, setPopoverWidth] = useState<number>(0);
     const [isPopoverOpen, setIsPopoverOpen] = useState(false);
     const [inputFocused, setInputFocused] = useState(false);
-    const [popooverContentTop, setPopoverContentTop] = useState<number>(0);
-    const [selectedIndex, setSelectedIndex] = useState<number>(-1);
+    const [commandResetKey, setCommandResetKey] = useState(0);
 
-    // Dynamically calculate the top position for the popover content
-    useEffect(() => {
-        if (!triggerContainerRef.current || !triggerRef.current) return;
-        setPopoverContentTop(
-            triggerContainerRef.current?.getBoundingClientRect().bottom -
-                triggerRef.current?.getBoundingClientRect().bottom
+    const visibleOptions = useMemo(() => {
+        const q = filterQuery.trim().toLowerCase();
+        if (!q) return autocompleteOptions;
+        return autocompleteOptions.filter((option) =>
+            option.text.toLowerCase().includes(q)
         );
-    }, [tags]);
+    }, [autocompleteOptions, filterQuery]);
+
+    useEffect(() => {
+        if (isPopoverOpen) {
+            setCommandResetKey((k) => k + 1);
+        }
+    }, [isPopoverOpen]);
 
     // Close the popover when clicking outside of it
     useEffect(() => {
@@ -135,36 +154,6 @@ export const Autocomplete: React.FC<AutocompleteProps> = ({
         if (userOnBlur) userOnBlur(event);
     };
 
-    const handleKeyDown = (event: React.KeyboardEvent<HTMLInputElement>) => {
-        if (!isPopoverOpen) return;
-
-        switch (event.key) {
-            case "ArrowUp":
-                event.preventDefault();
-                setSelectedIndex((prevIndex) =>
-                    prevIndex <= 0
-                        ? autocompleteOptions.length - 1
-                        : prevIndex - 1
-                );
-                break;
-            case "ArrowDown":
-                event.preventDefault();
-                setSelectedIndex((prevIndex) =>
-                    prevIndex === autocompleteOptions.length - 1
-                        ? 0
-                        : prevIndex + 1
-                );
-                break;
-            case "Enter":
-                event.preventDefault();
-                if (selectedIndex !== -1) {
-                    toggleTag(autocompleteOptions[selectedIndex]);
-                    setSelectedIndex(-1);
-                }
-                break;
-        }
-    };
-
     const toggleTag = (option: TagType) => {
         // Check if the tag already exists in the array
         const index = tags.findIndex((tag) => tag.text === option.text);
@@ -197,18 +186,25 @@ export const Autocomplete: React.FC<AutocompleteProps> = ({
                 }
             }
         }
-        setSelectedIndex(-1);
     };
 
-    const childrenWithProps = React.cloneElement(
-        children as React.ReactElement<any>,
-        {
-            onKeyDown: handleKeyDown,
-            onFocus: handleInputFocus,
-            onBlur: handleInputBlur,
-            ref: inputRef
+    const child = children as React.ReactElement<
+        React.InputHTMLAttributes<HTMLInputElement> & {
+            ref?: React.Ref<HTMLInputElement>;
         }
-    );
+    >;
+    const userOnKeyDown = child.props.onKeyDown;
+
+    const childrenWithProps = React.cloneElement(child, {
+        onKeyDown: userOnKeyDown,
+        onFocus: handleInputFocus,
+        onBlur: handleInputBlur,
+        ref: inputRef
+    } as Partial<
+        React.InputHTMLAttributes<HTMLInputElement> & {
+            ref?: React.Ref<HTMLInputElement>;
+        }
+    >);
 
     return (
         <div
@@ -222,132 +218,105 @@ export const Autocomplete: React.FC<AutocompleteProps> = ({
                 onOpenChange={handleOpenChange}
                 modal={usePortal}
             >
-                <div
-                    className="relative h-full flex items-center rounded-md border border-input bg-transparent pr-3"
-                    ref={triggerContainerRef}
-                >
-                    {childrenWithProps}
-                    <PopoverTrigger asChild ref={triggerRef}>
-                        <Button
-                            variant="ghost"
-                            size="icon"
-                            role="combobox"
-                            className={cn(
-                                `hover:bg-transparent ${!inlineTags ? "ml-auto" : ""}`,
-                                classStyleProps?.popoverTrigger
-                            )}
-                            onClick={() => {
-                                setIsPopoverOpen(!isPopoverOpen);
-                            }}
-                        >
-                            <svg
-                                xmlns="http://www.w3.org/2000/svg"
-                                width="24"
-                                height="24"
-                                viewBox="0 0 24 24"
-                                fill="none"
-                                stroke="currentColor"
-                                strokeWidth="2"
-                                strokeLinecap="round"
-                                strokeLinejoin="round"
-                                className={`lucide lucide-chevron-down h-4 w-4 shrink-0 opacity-50 ${isPopoverOpen ? "rotate-180" : "rotate-0"}`}
+                <PopoverAnchor asChild>
+                    <div
+                        className="relative h-full flex items-center rounded-md border border-input bg-transparent pr-3"
+                        ref={triggerContainerRef}
+                    >
+                        {childrenWithProps}
+                        <PopoverTrigger asChild>
+                            <Button
+                                variant="ghost"
+                                size="icon"
+                                role="combobox"
+                                className={cn(
+                                    `hover:bg-transparent ${!inlineTags ? "ml-auto" : ""}`,
+                                    classStyleProps?.popoverTrigger
+                                )}
+                                onClick={() => {
+                                    setIsPopoverOpen(!isPopoverOpen);
+                                }}
                             >
-                                <path d="m6 9 6 6 6-6"></path>
-                            </svg>
-                        </Button>
-                    </PopoverTrigger>
-                </div>
+                                <svg
+                                    xmlns="http://www.w3.org/2000/svg"
+                                    width="24"
+                                    height="24"
+                                    viewBox="0 0 24 24"
+                                    fill="none"
+                                    stroke="currentColor"
+                                    strokeWidth="2"
+                                    strokeLinecap="round"
+                                    strokeLinejoin="round"
+                                    className={`lucide lucide-chevron-down h-4 w-4 shrink-0 opacity-50 ${isPopoverOpen ? "rotate-180" : "rotate-0"}`}
+                                >
+                                    <path d="m6 9 6 6 6-6"></path>
+                                </svg>
+                            </Button>
+                        </PopoverTrigger>
+                    </div>
+                </PopoverAnchor>
                 <PopoverContent
                     ref={popoverContentRef}
                     side="bottom"
                     align="start"
                     forceMount
                     className={cn(
-                        `p-0 relative`,
+                        "p-0",
                         classStyleProps?.popoverContent
                     )}
                     style={{
-                        top: `${popooverContentTop}px`,
-                        marginLeft: `calc(-${popoverWidth}px + 36px)`,
                         width: `${popoverWidth}px`,
                         minWidth: `${popoverWidth}px`,
                         zIndex: 9999
                     }}
                 >
-                    <div
+                    <Command
+                        key={commandResetKey}
                         className={cn(
-                            "max-h-[300px] overflow-y-auto overflow-x-hidden",
-                            classStyleProps?.commandList
+                            "rounded-lg border-0 shadow-none",
+                            classStyleProps?.command
                         )}
-                        style={{
-                            minHeight: "68px"
-                        }}
-                        key={autocompleteOptions.length}
                     >
-                        {autocompleteOptions.length > 0 ? (
-                            <div
-                                key={autocompleteOptions.length}
-                                role="group"
-                                className={cn(
-                                    "overflow-y-auto overflow-hidden p-1 text-foreground",
-                                    classStyleProps?.commandGroup
-                                )}
-                                style={{
-                                    minHeight: "68px"
-                                }}
+                        <CommandInput
+                            placeholder={t("searchPlaceholder")}
+                            className="h-9"
+                        />
+                        <CommandList
+                            className={cn(
+                                "max-h-[300px]",
+                                classStyleProps?.commandList
+                            )}
+                        >
+                            <CommandEmpty>{t("noResults")}</CommandEmpty>
+                            <CommandGroup
+                                className={classStyleProps?.commandGroup}
                             >
-                                <span className="text-muted-foreground font-medium text-sm py-1.5 px-2 pb-2">
-                                    Suggestions
-                                </span>
-                                <div role="separator" className="py-0.5" />
-                                {autocompleteOptions.map((option, index) => {
-                                    const isSelected = index === selectedIndex;
+                                {visibleOptions.map((option) => {
+                                    const isChosen = tags.some(
+                                        (tag) => tag.text === option.text
+                                    );
                                     return (
-                                        <div
+                                        <CommandItem
                                             key={option.id}
-                                            role="option"
-                                            aria-selected={isSelected}
-                                            className={cn(
-                                                "relative flex cursor-pointer select-none items-center rounded-sm px-2 py-1.5 text-sm outline-none aria-selected:bg-accent aria-selected:text-accent-foreground data-disabled:pointer-events-none data-disabled:opacity-50 hover:bg-accent",
-                                                isSelected &&
-                                                    "bg-accent text-accent-foreground",
-                                                classStyleProps?.commandItem
-                                            )}
-                                            data-value={option.text}
-                                            onClick={() => toggleTag(option)}
+                                            value={`${option.text} ${option.id}`}
+                                            onSelect={() => toggleTag(option)}
+                                            className={classStyleProps?.commandItem}
                                         >
-                                            <div className="w-full flex items-center gap-2">
-                                                {option.text}
-                                                {tags.some(
-                                                    (tag) =>
-                                                        tag.text === option.text
-                                                ) && (
-                                                    <svg
-                                                        xmlns="http://www.w3.org/2000/svg"
-                                                        width="14"
-                                                        height="14"
-                                                        viewBox="0 0 24 24"
-                                                        fill="none"
-                                                        stroke="currentColor"
-                                                        strokeWidth="2"
-                                                        strokeLinecap="round"
-                                                        strokeLinejoin="round"
-                                                        className="lucide lucide-check"
-                                                    >
-                                                        <path d="M20 6 9 17l-5-5"></path>
-                                                    </svg>
+                                            <Check
+                                                className={cn(
+                                                    "mr-2 h-4 w-4 shrink-0",
+                                                    isChosen
+                                                        ? "opacity-100"
+                                                        : "opacity-0"
                                                 )}
-                                            </div>
-                                        </div>
+                                            />
+                                            {option.text}
+                                        </CommandItem>
                                     );
                                 })}
-                            </div>
-                        ) : (
-                            <div className="py-6 text-center text-sm">
-                                {t("noResults")}
-                            </div>
-                        )}
-                    </div>
+                            </CommandGroup>
+                        </CommandList>
+                    </Command>
                 </PopoverContent>
             </Popover>
         </div>
diff --git a/src/components/tags/tag-input.tsx b/src/components/tags/tag-input.tsx
index 269967ccb..e8cfa370a 100644
--- a/src/components/tags/tag-input.tsx
+++ b/src/components/tags/tag-input.tsx
@@ -1,6 +1,6 @@
 "use client";
 
-import React, { useMemo } from "react";
+import React from "react";
 import { Input } from "../ui/input";
 import { Button } from "../ui/button";
 import { type VariantProps } from "class-variance-authority";
@@ -434,14 +434,6 @@ const TagInput = React.forwardRef<HTMLInputElement, TagInputProps>(
         // const filteredAutocompleteOptions = autocompleteFilter
         //   ? autocompleteOptions?.filter((option) => autocompleteFilter(option.text))
         //   : autocompleteOptions;
-        const filteredAutocompleteOptions = useMemo(() => {
-            return (autocompleteOptions || []).filter((option) =>
-                option.text
-                    .toLowerCase()
-                    .includes(inputValue ? inputValue.toLowerCase() : "")
-            );
-        }, [inputValue, autocompleteOptions]);
-
         const displayedTags = sortTags ? [...tags].sort() : tags;
 
         const truncatedTags = truncate
@@ -571,9 +563,9 @@ const TagInput = React.forwardRef<HTMLInputElement, TagInputProps>(
                             tags={tags}
                             setTags={setTags}
                             setInputValue={setInputValue}
-                            autocompleteOptions={
-                                filteredAutocompleteOptions as Tag[]
-                            }
+                            autocompleteOptions={(autocompleteOptions ||
+                                []) as Tag[]}
+                            filterQuery={inputValue}
                             setTagCount={setTagCount}
                             maxTags={maxTags}
                             onTagAdd={onTagAdd}
diff --git a/src/components/tags/tag-popover.tsx b/src/components/tags/tag-popover.tsx
index 533619a7c..93f5e2c04 100644
--- a/src/components/tags/tag-popover.tsx
+++ b/src/components/tags/tag-popover.tsx
@@ -1,5 +1,10 @@
 import React, { useCallback, useEffect, useRef, useState } from "react";
-import { Popover, PopoverContent, PopoverTrigger } from "../ui/popover";
+import {
+    Popover,
+    PopoverAnchor,
+    PopoverContent,
+    PopoverTrigger
+} from "../ui/popover";
 import { TagInputStyleClassesProps, type Tag as TagType } from "./tag-input";
 import { TagList, TagListProps } from "./tag-list";
 import { Button } from "../ui/button";
@@ -33,33 +38,27 @@ export const TagPopover: React.FC<TagPopoverProps> = ({
     ...tagProps
 }) => {
     const triggerContainerRef = useRef<HTMLDivElement | null>(null);
-    const triggerRef = useRef<HTMLButtonElement | null>(null);
     const popoverContentRef = useRef<HTMLDivElement | null>(null);
     const inputRef = useRef<HTMLInputElement | null>(null);
 
     const [popoverWidth, setPopoverWidth] = useState<number>(0);
     const [isPopoverOpen, setIsPopoverOpen] = useState(false);
     const [inputFocused, setInputFocused] = useState(false);
-    const [sideOffset, setSideOffset] = useState<number>(0);
 
     const t = useTranslations();
 
     useEffect(() => {
         const handleResize = () => {
-            if (triggerContainerRef.current && triggerRef.current) {
+            if (triggerContainerRef.current) {
                 setPopoverWidth(triggerContainerRef.current.offsetWidth);
-                setSideOffset(
-                    triggerContainerRef.current.offsetWidth -
-                        triggerRef?.current?.offsetWidth
-                );
             }
         };
 
-        handleResize(); // Call on mount and layout changes
+        handleResize();
 
-        window.addEventListener("resize", handleResize); // Adjust on window resize
+        window.addEventListener("resize", handleResize);
         return () => window.removeEventListener("resize", handleResize);
-    }, [triggerContainerRef, triggerRef]);
+    }, []);
 
     // Close the popover when clicking outside of it
     useEffect(() => {
@@ -135,52 +134,54 @@ export const TagPopover: React.FC<TagPopoverProps> = ({
             onOpenChange={handleOpenChange}
             modal={usePortal}
         >
-            <div
-                className="relative flex items-center rounded-md border border-input bg-transparent pr-3"
-                ref={triggerContainerRef}
-            >
-                {React.cloneElement(children as React.ReactElement<any>, {
-                    onFocus: handleInputFocus,
-                    onBlur: handleInputBlur,
-                    ref: inputRef
-                })}
-                <PopoverTrigger asChild>
-                    <Button
-                        ref={triggerRef}
-                        variant="ghost"
-                        size="icon"
-                        role="combobox"
-                        className={cn(
-                            `hover:bg-transparent`,
-                            classStyleProps?.popoverClasses?.popoverTrigger
-                        )}
-                        onClick={() => setIsPopoverOpen(!isPopoverOpen)}
-                    >
-                        <svg
-                            xmlns="http://www.w3.org/2000/svg"
-                            width="24"
-                            height="24"
-                            viewBox="0 0 24 24"
-                            fill="none"
-                            stroke="currentColor"
-                            strokeWidth="2"
-                            strokeLinecap="round"
-                            strokeLinejoin="round"
-                            className={`lucide lucide-chevron-down h-4 w-4 shrink-0 opacity-50 ${isPopoverOpen ? "rotate-180" : "rotate-0"}`}
+            <PopoverAnchor asChild>
+                <div
+                    className="relative flex items-center rounded-md border border-input bg-transparent pr-3"
+                    ref={triggerContainerRef}
+                >
+                    {React.cloneElement(children as React.ReactElement<any>, {
+                        onFocus: handleInputFocus,
+                        onBlur: handleInputBlur,
+                        ref: inputRef
+                    })}
+                    <PopoverTrigger asChild>
+                        <Button
+                            variant="ghost"
+                            size="icon"
+                            role="combobox"
+                            className={cn(
+                                `hover:bg-transparent`,
+                                classStyleProps?.popoverClasses?.popoverTrigger
+                            )}
+                            onClick={() => setIsPopoverOpen(!isPopoverOpen)}
                         >
-                            <path d="m6 9 6 6 6-6"></path>
-                        </svg>
-                    </Button>
-                </PopoverTrigger>
-            </div>
+                            <svg
+                                xmlns="http://www.w3.org/2000/svg"
+                                width="24"
+                                height="24"
+                                viewBox="0 0 24 24"
+                                fill="none"
+                                stroke="currentColor"
+                                strokeWidth="2"
+                                strokeLinecap="round"
+                                strokeLinejoin="round"
+                                className={`lucide lucide-chevron-down h-4 w-4 shrink-0 opacity-50 ${isPopoverOpen ? "rotate-180" : "rotate-0"}`}
+                            >
+                                <path d="m6 9 6 6 6-6"></path>
+                            </svg>
+                        </Button>
+                    </PopoverTrigger>
+                </div>
+            </PopoverAnchor>
             <PopoverContent
                 ref={popoverContentRef}
+                align="start"
+                side="bottom"
                 className={cn(
                     `w-full space-y-3`,
                     classStyleProps?.popoverClasses?.popoverContent
                 )}
                 style={{
-                    marginLeft: `-${sideOffset}px`,
                     width: `${popoverWidth}px`
                 }}
             >

From 00ef6d617f3ff321482941e4146ce72ac6a71e17 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sat, 28 Mar 2026 17:12:21 -0700
Subject: [PATCH 148/314] Handle the roles better in the verify session

---
 server/db/queries/verifySessionQueries.ts |  23 ++-
 server/lib/userOrgRoles.ts                |  16 +-
 server/private/routers/hybrid.ts          | 226 +++++++++++++++++++++-
 server/routers/badger/verifySession.ts    |  39 ++--
 4 files changed, 266 insertions(+), 38 deletions(-)

diff --git a/server/db/queries/verifySessionQueries.ts b/server/db/queries/verifySessionQueries.ts
index 66f968b02..989e111a7 100644
--- a/server/db/queries/verifySessionQueries.ts
+++ b/server/db/queries/verifySessionQueries.ts
@@ -1,4 +1,12 @@
-import { db, loginPage, LoginPage, loginPageOrg, Org, orgs, roles } from "@server/db";
+import {
+    db,
+    loginPage,
+    LoginPage,
+    loginPageOrg,
+    Org,
+    orgs,
+    roles
+} from "@server/db";
 import {
     Resource,
     ResourcePassword,
@@ -12,14 +20,12 @@ import {
     resources,
     roleResources,
     sessions,
-    userOrgRoles,
-    userOrgs,
     userResources,
     users,
     ResourceHeaderAuthExtendedCompatibility,
     resourceHeaderAuthExtendedCompatibility
 } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 
 export type ResourceWithAuth = {
     resource: Resource | null;
@@ -121,7 +127,7 @@ export async function getRoleName(roleId: number): Promise<string | null> {
  */
 export async function getRoleResourceAccess(
     resourceId: number,
-    roleId: number
+    roleIds: number[]
 ) {
     const roleResourceAccess = await db
         .select()
@@ -129,12 +135,11 @@ export async function getRoleResourceAccess(
         .where(
             and(
                 eq(roleResources.resourceId, resourceId),
-                eq(roleResources.roleId, roleId)
+                inArray(roleResources.roleId, roleIds)
             )
-        )
-        .limit(1);
+        );
 
-    return roleResourceAccess.length > 0 ? roleResourceAccess[0] : null;
+    return roleResourceAccess.length > 0 ? roleResourceAccess : null;
 }
 
 /**
diff --git a/server/lib/userOrgRoles.ts b/server/lib/userOrgRoles.ts
index 5a4d75659..c3db64af3 100644
--- a/server/lib/userOrgRoles.ts
+++ b/server/lib/userOrgRoles.ts
@@ -1,4 +1,4 @@
-import { db, userOrgRoles } from "@server/db";
+import { db, roles, userOrgRoles } from "@server/db";
 import { and, eq } from "drizzle-orm";
 
 /**
@@ -20,3 +20,17 @@ export async function getUserOrgRoleIds(
         );
     return rows.map((r) => r.roleId);
 }
+
+export async function getUserOrgRoles(
+    userId: string,
+    orgId: string
+): Promise<{ roleId: number; roleName: string }[]> {
+    const rows = await db
+        .select({ roleId: userOrgRoles.roleId, roleName: roles.name })
+        .from(userOrgRoles)
+        .innerJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+        .where(
+            and(eq(userOrgRoles.userId, userId), eq(userOrgRoles.orgId, orgId))
+        );
+    return rows;
+}
diff --git a/server/private/routers/hybrid.ts b/server/private/routers/hybrid.ts
index 5ca720594..71fdc7e72 100644
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -124,6 +124,23 @@ const getRoleResourceAccessParamsSchema = z.strictObject({
         .pipe(z.int().positive("Resource ID must be a positive integer"))
 });
 
+const getResourceAccessParamsSchema = z.strictObject({
+    resourceId: z
+        .string()
+        .transform(Number)
+        .pipe(z.int().positive("Resource ID must be a positive integer"))
+});
+
+const getResourceAccessQuerySchema = z.strictObject({
+    roleIds: z
+        .union([z.array(z.string()), z.string()])
+        .transform((val) =>
+            (Array.isArray(val) ? val : [val])
+                .map(Number)
+                .filter((n) => !isNaN(n))
+        )
+});
+
 const getUserResourceAccessParamsSchema = z.strictObject({
     userId: z.string().min(1, "User ID is required"),
     resourceId: z
@@ -769,7 +786,7 @@ hybridRouter.get(
 
 // Get user organization role
 hybridRouter.get(
-    "/user/:userId/org/:orgId/role",
+    "/user/:userId/org/:orgId/roles",
     async (req: Request, res: Response, next: NextFunction) => {
         try {
             const parsedParams = getUserOrgRoleParamsSchema.safeParse(
@@ -805,6 +822,80 @@ hybridRouter.get(
                 );
             }
 
+            const userOrgRoleRows = await db
+                .select({ roleId: userOrgRoles.roleId, roleName: roles.name })
+                .from(userOrgRoles)
+                .innerJoin(roles, eq(roles.roleId, userOrgRoles.roleId))
+                .where(
+                    and(
+                        eq(userOrgRoles.userId, userId),
+                        eq(userOrgRoles.orgId, orgId)
+                    )
+                );
+
+            return response<{ roleId: number, roleName: string }[]>(res, {
+                data: userOrgRoleRows,
+                success: true,
+                error: false,
+                message:
+                    userOrgRoleRows.length > 0
+                        ? "User org roles retrieved successfully"
+                        : "User has no roles in this organization",
+                status: HttpCode.OK
+            });
+        } catch (error) {
+            logger.error(error);
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Failed to get user org role"
+                )
+            );
+        }
+    }
+);
+
+// DEPRICATED Get user organization role
+// used for backward compatibility with old remote nodes
+hybridRouter.get(
+    "/user/:userId/org/:orgId/role", // <- note the missing s
+    async (req: Request, res: Response, next: NextFunction) => {
+        try {
+            const parsedParams = getUserOrgRoleParamsSchema.safeParse(
+                req.params
+            );
+            if (!parsedParams.success) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        fromError(parsedParams.error).toString()
+                    )
+                );
+            }
+
+            const { userId, orgId } = parsedParams.data;
+            const remoteExitNode = req.remoteExitNode;
+
+            if (!remoteExitNode || !remoteExitNode.exitNodeId) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Remote exit node not found"
+                    )
+                );
+            }
+
+            if (await checkExitNodeOrg(remoteExitNode.exitNodeId, orgId)) {
+                return next(
+                    createHttpError(
+                        HttpCode.UNAUTHORIZED,
+                        "User is not authorized to access this organization"
+                    )
+                );
+            }
+
+            // get the roles on the user
+
             const userOrgRoleRows = await db
                 .select({ roleId: userOrgRoles.roleId })
                 .from(userOrgRoles)
@@ -817,8 +908,35 @@ hybridRouter.get(
 
             const roleIds = userOrgRoleRows.map((r) => r.roleId);
 
-            return response<number[]>(res, {
-                data: roleIds,
+            let roleId: number | null = null;
+
+            if (userOrgRoleRows.length === 0) {
+                // User has no roles in this organization
+                roleId = null;
+            } else if (userOrgRoleRows.length === 1) {
+                // User has exactly one role, return it
+                roleId = userOrgRoleRows[0].roleId;
+            } else {
+                // User has multiple roles
+                // Check if any of these roles are also assigned to a resource
+                // If we find a match, prefer that role; otherwise return the first role
+                // Get all resources that have any of these roles assigned
+                const roleResourceMatches = await db
+                    .select({ roleId: roleResources.roleId })
+                    .from(roleResources)
+                    .where(inArray(roleResources.roleId, roleIds))
+                    .limit(1);
+                if (roleResourceMatches.length > 0) {
+                    // Return the first role that's also on a resource
+                    roleId = roleResourceMatches[0].roleId;
+                } else {
+                    // No resource match found, return the first role
+                    roleId = userOrgRoleRows[0].roleId;
+                }
+            }
+
+            return response<{ roleId: number | null }>(res, {
+                data: { roleId },
                 success: true,
                 error: false,
                 message:
@@ -939,7 +1057,9 @@ hybridRouter.get(
                 data: role?.name ?? null,
                 success: true,
                 error: false,
-                message: role ? "Role name retrieved successfully" : "Role not found",
+                message: role
+                    ? "Role name retrieved successfully"
+                    : "Role not found",
                 status: HttpCode.OK
             });
         } catch (error) {
@@ -1039,6 +1159,101 @@ hybridRouter.get(
     }
 );
 
+// Check if role has access to resource
+hybridRouter.get(
+    "/resource/:resourceId/access",
+    async (req: Request, res: Response, next: NextFunction) => {
+        try {
+            const parsedParams = getResourceAccessParamsSchema.safeParse(
+                req.params
+            );
+            if (!parsedParams.success) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        fromError(parsedParams.error).toString()
+                    )
+                );
+            }
+
+            const { resourceId } = parsedParams.data;
+            const parsedQuery = getResourceAccessQuerySchema.safeParse(
+                req.query
+            );
+            const roleIds = parsedQuery.success ? parsedQuery.data.roleIds : [];
+
+            const remoteExitNode = req.remoteExitNode;
+
+            if (!remoteExitNode?.exitNodeId) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Remote exit node not found"
+                    )
+                );
+            }
+
+            const [resource] = await db
+                .select()
+                .from(resources)
+                .where(eq(resources.resourceId, resourceId))
+                .limit(1);
+
+            if (
+                await checkExitNodeOrg(
+                    remoteExitNode.exitNodeId,
+                    resource.orgId
+                )
+            ) {
+                // If the exit node is not allowed for the org, return an error
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Exit node not allowed for this organization"
+                    )
+                );
+            }
+
+            const roleResourceAccess = await db
+                .select({
+                    resourceId: roleResources.resourceId,
+                    roleId: roleResources.roleId
+                })
+                .from(roleResources)
+                .where(
+                    and(
+                        eq(roleResources.resourceId, resourceId),
+                        inArray(roleResources.roleId, roleIds)
+                    )
+                );
+
+            const result =
+                roleResourceAccess.length > 0 ? roleResourceAccess : null;
+
+            return response<{ resourceId: number; roleId: number }[] | null>(
+                res,
+                {
+                    data: result,
+                    success: true,
+                    error: false,
+                    message: result
+                        ? "Role resource access retrieved successfully"
+                        : "Role resource access not found",
+                    status: HttpCode.OK
+                }
+            );
+        } catch (error) {
+            logger.error(error);
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Failed to get role resource access"
+                )
+            );
+        }
+    }
+);
+
 // Check if user has direct access to resource
 hybridRouter.get(
     "/user/:userId/resource/:resourceId/access",
@@ -1937,7 +2152,8 @@ hybridRouter.post(
                     // userAgent: data.userAgent, // TODO: add this
                     // headers: data.body.headers,
                     // query: data.body.query,
-                    originalRequestURL: sanitizeString(logEntry.originalRequestURL) ?? "",
+                    originalRequestURL:
+                        sanitizeString(logEntry.originalRequestURL) ?? "",
                     scheme: sanitizeString(logEntry.scheme) ?? "",
                     host: sanitizeString(logEntry.host) ?? "",
                     path: sanitizeString(logEntry.path) ?? "",
diff --git a/server/routers/badger/verifySession.ts b/server/routers/badger/verifySession.ts
index 182b35dcb..7ea281c9b 100644
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -9,7 +9,7 @@ import {
     getOrgLoginPage,
     getUserSessionWithUser
 } from "@server/db/queries/verifySessionQueries";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getUserOrgRoles } from "@server/lib/userOrgRoles";
 import {
     LoginPage,
     Org,
@@ -798,7 +798,8 @@ async function notAllowed(
 ) {
     let loginPage: LoginPage | null = null;
     if (orgId) {
-        const subscribed = await isSubscribed( // this is fine because the org login page is only a saas feature
+        const subscribed = await isSubscribed(
+            // this is fine because the org login page is only a saas feature
             orgId,
             tierMatrix.loginPageDomain
         );
@@ -855,7 +856,10 @@ async function headerAuthChallenged(
 ) {
     let loginPage: LoginPage | null = null;
     if (orgId) {
-        const subscribed = await isSubscribed(orgId, tierMatrix.loginPageDomain); // this is fine because the org login page is only a saas feature
+        const subscribed = await isSubscribed(
+            orgId,
+            tierMatrix.loginPageDomain
+        ); // this is fine because the org login page is only a saas feature
         if (subscribed) {
             loginPage = await getOrgLoginPage(orgId);
         }
@@ -917,9 +921,9 @@ async function isUserAllowedToAccessResource(
         return null;
     }
 
-    const userOrgRoleIds = await getUserOrgRoleIds(user.userId, resource.orgId);
+    const userOrgRoles = await getUserOrgRoles(user.userId, resource.orgId);
 
-    if (!userOrgRoleIds.length) {
+    if (!userOrgRoles.length) {
         return null;
     }
 
@@ -935,23 +939,16 @@ async function isUserAllowedToAccessResource(
         return null;
     }
 
-    const roleNames: string[] = [];
-    for (const roleId of userOrgRoleIds) {
-        const roleResourceAccess = await getRoleResourceAccess(
-            resource.resourceId,
-            roleId
-        );
-        if (roleResourceAccess) {
-            const roleName = await getRoleName(roleId);
-            if (roleName) roleNames.push(roleName);
-        }
-    }
-    if (roleNames.length > 0) {
+    const roleResourceAccess = await getRoleResourceAccess(
+        resource.resourceId,
+        userOrgRoles.map((r) => r.roleId)
+    );
+    if (roleResourceAccess && roleResourceAccess.length > 0) {
         return {
             username: user.username,
             email: user.email,
             name: user.name,
-            role: roleNames.join(", ")
+            role: userOrgRoles.map((r) => r.roleName).join(", ")
         };
     }
 
@@ -961,15 +958,11 @@ async function isUserAllowedToAccessResource(
     );
 
     if (userResourceAccess) {
-        const names = await Promise.all(
-            userOrgRoleIds.map((id) => getRoleName(id))
-        );
-        const role = names.filter(Boolean).join(", ") || "";
         return {
             username: user.username,
             email: user.email,
             name: user.name,
-            role
+            role: userOrgRoles.map((r) => r.roleName).join(", ")
         };
     }
 

From 757bb39622182378fc49a75584306ae69b23f356 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sat, 28 Mar 2026 21:23:59 -0700
Subject: [PATCH 149/314] Support overriding badger for testing

---
 server/lib/readConfigFile.ts                    |  1 +
 server/private/routers/hybrid.ts                |  2 ++
 server/routers/badger/verifySession.ts          |  2 --
 server/routers/traefik/traefikConfigProvider.ts | 17 ++++++++++-------
 4 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/server/lib/readConfigFile.ts b/server/lib/readConfigFile.ts
index f6c8592e9..c3e796fc1 100644
--- a/server/lib/readConfigFile.ts
+++ b/server/lib/readConfigFile.ts
@@ -79,6 +79,7 @@ export const configSchema = z
                     .default(3001)
                     .transform(stoi)
                     .pipe(portSchema),
+                badger_override: z.string().optional(),
                 next_port: portSchema
                     .optional()
                     .default(3002)
diff --git a/server/private/routers/hybrid.ts b/server/private/routers/hybrid.ts
index 71fdc7e72..13a6f70e0 100644
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -833,6 +833,8 @@ hybridRouter.get(
                     )
                 );
 
+            logger.debug(`User ${userId} has roles in org ${orgId}:`, userOrgRoleRows);
+
             return response<{ roleId: number, roleName: string }[]>(res, {
                 data: userOrgRoleRows,
                 success: true,
diff --git a/server/routers/badger/verifySession.ts b/server/routers/badger/verifySession.ts
index 7ea281c9b..0b1cc1183 100644
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -3,7 +3,6 @@ import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToke
 import {
     getResourceByDomain,
     getResourceRules,
-    getRoleName,
     getRoleResourceAccess,
     getUserResourceAccess,
     getOrgLoginPage,
@@ -31,7 +30,6 @@ import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import { getCountryCodeForIp } from "@server/lib/geoip";
 import { getAsnForIp } from "@server/lib/asn";
-import { getOrgTierData } from "#dynamic/lib/billing";
 import { verifyPassword } from "@server/auth/password";
 import {
     checkOrgAccessPolicy,
diff --git a/server/routers/traefik/traefikConfigProvider.ts b/server/routers/traefik/traefikConfigProvider.ts
index fa76190ff..02f890604 100644
--- a/server/routers/traefik/traefikConfigProvider.ts
+++ b/server/routers/traefik/traefikConfigProvider.ts
@@ -30,12 +30,15 @@ export async function traefikConfigProvider(
             traefikConfig.http.middlewares[badgerMiddlewareName] = {
                 plugin: {
                     [badgerMiddlewareName]: {
-                        apiBaseUrl: new URL(
-                            "/api/v1",
-                            `http://${
-                                config.getRawConfig().server.internal_hostname
-                            }:${config.getRawConfig().server.internal_port}`
-                        ).href,
+                        apiBaseUrl:
+                            config.getRawConfig().server.badger_override ||
+                            new URL(
+                                "/api/v1",
+                                `http://${
+                                    config.getRawConfig().server
+                                        .internal_hostname
+                                }:${config.getRawConfig().server.internal_port}`
+                            ).href,
                         userSessionCookieName:
                             config.getRawConfig().server.session_cookie_name,
 
@@ -61,7 +64,7 @@ export async function traefikConfigProvider(
 
         return res.status(HttpCode.OK).json(traefikConfig);
     } catch (e) {
-        logger.error(`Failed to build Traefik config: ${e}`);
+        logger.error(e);
         return res.status(HttpCode.INTERNAL_SERVER_ERROR).json({
             error: "Failed to build Traefik config"
         });

From 6f71af278e3e6192aec9e61417d17be9f7fa329a Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sat, 28 Mar 2026 21:29:32 -0700
Subject: [PATCH 150/314] Add basic migration files

---
 server/setup/migrationsPg.ts         |  4 +++-
 server/setup/migrationsSqlite.ts     |  4 +++-
 server/setup/scriptsPg/1.17.0.ts     | 22 ++++++++++++++++++++++
 server/setup/scriptsSqlite/1.17.0.ts | 28 ++++++++++++++++++++++++++++
 4 files changed, 56 insertions(+), 2 deletions(-)
 create mode 100644 server/setup/scriptsPg/1.17.0.ts
 create mode 100644 server/setup/scriptsSqlite/1.17.0.ts

diff --git a/server/setup/migrationsPg.ts b/server/setup/migrationsPg.ts
index 1ace73474..9ba0b9767 100644
--- a/server/setup/migrationsPg.ts
+++ b/server/setup/migrationsPg.ts
@@ -21,6 +21,7 @@ import m12 from "./scriptsPg/1.15.0";
 import m13 from "./scriptsPg/1.15.3";
 import m14 from "./scriptsPg/1.15.4";
 import m15 from "./scriptsPg/1.16.0";
+import m16 from "./scriptsPg/1.17.0";
 
 // THIS CANNOT IMPORT ANYTHING FROM THE SERVER
 // EXCEPT FOR THE DATABASE AND THE SCHEMA
@@ -41,7 +42,8 @@ const migrations = [
     { version: "1.15.0", run: m12 },
     { version: "1.15.3", run: m13 },
     { version: "1.15.4", run: m14 },
-    { version: "1.16.0", run: m15 }
+    { version: "1.16.0", run: m15 },
+    { version: "1.17.0", run: m16 }
     // Add new migrations here as they are created
 ] as {
     version: string;
diff --git a/server/setup/migrationsSqlite.ts b/server/setup/migrationsSqlite.ts
index da7e6b6d1..45a29ec29 100644
--- a/server/setup/migrationsSqlite.ts
+++ b/server/setup/migrationsSqlite.ts
@@ -39,6 +39,7 @@ import m33 from "./scriptsSqlite/1.15.0";
 import m34 from "./scriptsSqlite/1.15.3";
 import m35 from "./scriptsSqlite/1.15.4";
 import m36 from "./scriptsSqlite/1.16.0";
+import m37 from "./scriptsSqlite/1.17.0";
 
 // THIS CANNOT IMPORT ANYTHING FROM THE SERVER
 // EXCEPT FOR THE DATABASE AND THE SCHEMA
@@ -75,7 +76,8 @@ const migrations = [
     { version: "1.15.0", run: m33 },
     { version: "1.15.3", run: m34 },
     { version: "1.15.4", run: m35 },
-    { version: "1.16.0", run: m36 }
+    { version: "1.16.0", run: m36 },
+    { version: "1.17.0", run: m37 }
     // Add new migrations here as they are created
 ] as const;
 
diff --git a/server/setup/scriptsPg/1.17.0.ts b/server/setup/scriptsPg/1.17.0.ts
new file mode 100644
index 000000000..6fb3105d5
--- /dev/null
+++ b/server/setup/scriptsPg/1.17.0.ts
@@ -0,0 +1,22 @@
+import { db } from "@server/db/pg/driver";
+import { sql } from "drizzle-orm";
+
+const version = "1.17.0";
+
+export default async function migration() {
+    console.log(`Running setup script ${version}...`);
+
+    try {
+        await db.execute(sql`BEGIN`);
+
+        await db.execute(sql`COMMIT`);
+        console.log("Migrated database");
+    } catch (e) {
+        await db.execute(sql`ROLLBACK`);
+        console.log("Unable to migrate database");
+        console.log(e);
+        throw e;
+    }
+
+    console.log(`${version} migration complete`);
+}
diff --git a/server/setup/scriptsSqlite/1.17.0.ts b/server/setup/scriptsSqlite/1.17.0.ts
new file mode 100644
index 000000000..07bd44aec
--- /dev/null
+++ b/server/setup/scriptsSqlite/1.17.0.ts
@@ -0,0 +1,28 @@
+import { APP_PATH } from "@server/lib/consts";
+import Database from "better-sqlite3";
+import path from "path";
+
+const version = "1.17.0";
+
+export default async function migration() {
+    console.log(`Running setup script ${version}...`);
+
+    const location = path.join(APP_PATH, "db", "db.sqlite");
+    const db = new Database(location);
+
+    try {
+        db.pragma("foreign_keys = OFF");
+
+        db.transaction(() => {
+        })();
+
+        db.pragma("foreign_keys = ON");
+
+        console.log(`Migrated database`);
+    } catch (e) {
+        console.log("Failed to migrate db:", e);
+        throw e;
+    }
+
+    console.log(`${version} migration complete`);
+}

From 8e821b397fec1b6a57f8a0a434ec6f2831fa3a63 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sat, 28 Mar 2026 21:41:21 -0700
Subject: [PATCH 151/314] Add migration

---
 server/setup/scriptsPg/1.17.0.ts     | 53 ++++++++++++++++++++-
 server/setup/scriptsSqlite/1.17.0.ts | 70 +++++++++++++++++++++++++++-
 2 files changed, 121 insertions(+), 2 deletions(-)

diff --git a/server/setup/scriptsPg/1.17.0.ts b/server/setup/scriptsPg/1.17.0.ts
index 6fb3105d5..81c42e1a9 100644
--- a/server/setup/scriptsPg/1.17.0.ts
+++ b/server/setup/scriptsPg/1.17.0.ts
@@ -6,9 +6,37 @@ const version = "1.17.0";
 export default async function migration() {
     console.log(`Running setup script ${version}...`);
 
+    // Query existing roleId data from userOrgs before the transaction destroys it
+    const existingRolesQuery = await db.execute(
+        sql`SELECT "userId", "orgId", "roleId" FROM "userOrgs" WHERE "roleId" IS NOT NULL`
+    );
+    const existingUserOrgRoles = existingRolesQuery.rows as {
+        userId: string;
+        orgId: string;
+        roleId: number;
+    }[];
+
+    console.log(
+        `Found ${existingUserOrgRoles.length} existing userOrgs role assignment(s) to migrate`
+    );
+
     try {
         await db.execute(sql`BEGIN`);
 
+        await db.execute(sql`
+            CREATE TABLE "userOrgRoles" (
+               	"userId" varchar NOT NULL,
+               	"orgId" varchar NOT NULL,
+               	"roleId" integer NOT NULL,
+               	CONSTRAINT "userOrgRoles_userId_orgId_roleId_unique" UNIQUE("userId","orgId","roleId")
+            );
+        `);
+        await db.execute(sql`ALTER TABLE "userOrgs" DROP CONSTRAINT "userOrgs_roleId_roles_roleId_fk";`);
+        await db.execute(sql`ALTER TABLE "userOrgRoles" ADD CONSTRAINT "userOrgRoles_userId_user_id_fk" FOREIGN KEY ("userId") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;`);
+        await db.execute(sql`ALTER TABLE "userOrgRoles" ADD CONSTRAINT "userOrgRoles_orgId_orgs_orgId_fk" FOREIGN KEY ("orgId") REFERENCES "public"."orgs"("orgId") ON DELETE cascade ON UPDATE no action;`);
+        await db.execute(sql`ALTER TABLE "userOrgRoles" ADD CONSTRAINT "userOrgRoles_roleId_roles_roleId_fk" FOREIGN KEY ("roleId") REFERENCES "public"."roles"("roleId") ON DELETE cascade ON UPDATE no action;`);
+        await db.execute(sql`ALTER TABLE "userOrgs" DROP COLUMN "roleId";`);
+
         await db.execute(sql`COMMIT`);
         console.log("Migrated database");
     } catch (e) {
@@ -18,5 +46,28 @@ export default async function migration() {
         throw e;
     }
 
+    // Re-insert the preserved role assignments into the new userOrgRoles table
+    if (existingUserOrgRoles.length > 0) {
+        try {
+            for (const row of existingUserOrgRoles) {
+                await db.execute(sql`
+                    INSERT INTO "userOrgRoles" ("userId", "orgId", "roleId")
+                    VALUES (${row.userId}, ${row.orgId}, ${row.roleId})
+                    ON CONFLICT DO NOTHING
+                `);
+            }
+
+            console.log(
+                `Migrated ${existingUserOrgRoles.length} role assignment(s) into userOrgRoles`
+            );
+        } catch (e) {
+            console.error(
+                "Error while migrating role assignments into userOrgRoles:",
+                e
+            );
+            throw e;
+        }
+    }
+
     console.log(`${version} migration complete`);
-}
+}
\ No newline at end of file
diff --git a/server/setup/scriptsSqlite/1.17.0.ts b/server/setup/scriptsSqlite/1.17.0.ts
index 07bd44aec..fe7d82de0 100644
--- a/server/setup/scriptsSqlite/1.17.0.ts
+++ b/server/setup/scriptsSqlite/1.17.0.ts
@@ -13,11 +13,79 @@ export default async function migration() {
     try {
         db.pragma("foreign_keys = OFF");
 
+        // Query existing roleId data from userOrgs before the transaction destroys it
+        const existingUserOrgRoles = db
+            .prepare(
+                `SELECT "userId", "orgId", "roleId" FROM 'userOrgs' WHERE "roleId" IS NOT NULL`
+            )
+            .all() as { userId: string; orgId: string; roleId: number }[];
+
+        console.log(
+            `Found ${existingUserOrgRoles.length} existing userOrgs role assignment(s) to migrate`
+        );
+
         db.transaction(() => {
+            db.prepare(
+                `
+                CREATE TABLE 'userOrgRoles' (
+                   	'userId' text NOT NULL,
+                   	'orgId' text NOT NULL,
+                   	'roleId' integer NOT NULL,
+                   	FOREIGN KEY ('userId') REFERENCES 'user'('id') ON UPDATE no action ON DELETE cascade,
+                   	FOREIGN KEY ('orgId') REFERENCES 'orgs'('orgId') ON UPDATE no action ON DELETE cascade,
+                   	FOREIGN KEY ('roleId') REFERENCES 'roles'('roleId') ON UPDATE no action ON DELETE cascade
+                );
+            `
+            ).run();
+
+            db.prepare(
+                `CREATE UNIQUE INDEX 'userOrgRoles_userId_orgId_roleId_unique' ON 'userOrgRoles' ('userId','orgId','roleId');`
+            ).run();
+
+            db.prepare(
+                `
+                CREATE TABLE '__new_userOrgs' (
+                   	'userId' text NOT NULL,
+                   	'orgId' text NOT NULL,
+                   	'isOwner' integer DEFAULT false NOT NULL,
+                   	'autoProvisioned' integer DEFAULT false,
+                   	'pamUsername' text,
+                   	FOREIGN KEY ('userId') REFERENCES 'user'('id') ON UPDATE no action ON DELETE cascade,
+                   	FOREIGN KEY ('orgId') REFERENCES 'orgs'('orgId') ON UPDATE no action ON DELETE cascade
+                );
+            `
+            ).run();
+
+            db.prepare(
+                `INSERT INTO '__new_userOrgs'("userId", "orgId", "isOwner", "autoProvisioned", "pamUsername") SELECT "userId", "orgId", "isOwner", "autoProvisioned", "pamUsername" FROM 'userOrgs';`
+            ).run();
+            db.prepare(`DROP TABLE 'userOrgs';`).run();
+            db.prepare(
+                `ALTER TABLE '__new_userOrgs' RENAME TO 'userOrgs';`
+            ).run();
         })();
 
         db.pragma("foreign_keys = ON");
 
+        // Re-insert the preserved role assignments into the new userOrgRoles table
+        if (existingUserOrgRoles.length > 0) {
+            const insertUserOrgRole = db.prepare(
+                `INSERT OR IGNORE INTO 'userOrgRoles' ("userId", "orgId", "roleId") VALUES (?, ?, ?)`
+            );
+
+            const insertAll = db.transaction(() => {
+                for (const row of existingUserOrgRoles) {
+                    insertUserOrgRole.run(row.userId, row.orgId, row.roleId);
+                }
+            });
+
+            insertAll();
+
+            console.log(
+                `Migrated ${existingUserOrgRoles.length} role assignment(s) into userOrgRoles`
+            );
+        }
+
         console.log(`Migrated database`);
     } catch (e) {
         console.log("Failed to migrate db:", e);
@@ -25,4 +93,4 @@ export default async function migration() {
     }
 
     console.log(`${version} migration complete`);
-}
+}
\ No newline at end of file

From bff2ba7cc2ad7706582abeb68eb90c74d53e5460 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Sun, 29 Mar 2026 11:34:07 -0700
Subject: [PATCH 152/314] add learn more link

---
 .../(private)/idp/[idpId]/general/page.tsx    |   3 +-
 .../settings/(private)/idp/create/page.tsx    |   3 +-
 src/app/admin/idp/[idpId]/general/page.tsx    |   6 +-
 src/app/admin/idp/create/page.tsx             | 749 +++++++++---------
 src/components/AutoProvisionConfigWidget.tsx  |   9 +-
 .../IdpAutoProvisionUsersDescription.tsx      |  29 +
 src/components/IdpCreateWizard.tsx            |   4 +-
 7 files changed, 420 insertions(+), 383 deletions(-)
 create mode 100644 src/components/IdpAutoProvisionUsersDescription.tsx

diff --git a/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx b/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx
index 37cf400a5..37334e342 100644
--- a/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx
@@ -45,6 +45,7 @@ import { useTranslations } from "next-intl";
 import { AxiosResponse } from "axios";
 import { ListRolesResponse } from "@server/routers/role";
 import AutoProvisionConfigWidget from "@app/components/AutoProvisionConfigWidget";
+import IdpAutoProvisionUsersDescription from "@app/components/IdpAutoProvisionUsersDescription";
 import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import {
@@ -493,7 +494,7 @@ export default function GeneralPage() {
                             {t("idpAutoProvisionUsers")}
                         </SettingsSectionTitle>
                         <SettingsSectionDescription>
-                            {t("idpAutoProvisionUsersDescription")}
+                            <IdpAutoProvisionUsersDescription />
                         </SettingsSectionDescription>
                     </SettingsSectionHeader>
                     <SettingsSectionBody>
diff --git a/src/app/[orgId]/settings/(private)/idp/create/page.tsx b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
index c0fc30a8f..10d86b976 100644
--- a/src/app/[orgId]/settings/(private)/idp/create/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
@@ -1,6 +1,7 @@
 "use client";
 
 import AutoProvisionConfigWidget from "@app/components/AutoProvisionConfigWidget";
+import IdpAutoProvisionUsersDescription from "@app/components/IdpAutoProvisionUsersDescription";
 import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
 import {
     SettingsContainer,
@@ -296,7 +297,7 @@ export default function Page() {
                             {t("idpAutoProvisionUsers")}
                         </SettingsSectionTitle>
                         <SettingsSectionDescription>
-                            {t("idpAutoProvisionUsersDescription")}
+                            <IdpAutoProvisionUsersDescription />
                         </SettingsSectionDescription>
                     </SettingsSectionHeader>
                     <SettingsSectionBody>
diff --git a/src/app/admin/idp/[idpId]/general/page.tsx b/src/app/admin/idp/[idpId]/general/page.tsx
index d02925976..c9506b027 100644
--- a/src/app/admin/idp/[idpId]/general/page.tsx
+++ b/src/app/admin/idp/[idpId]/general/page.tsx
@@ -31,6 +31,7 @@ import { formatAxiosError } from "@app/lib/api";
 import { createApiClient } from "@app/lib/api";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useState, useEffect } from "react";
+import IdpAutoProvisionUsersDescription from "@app/components/IdpAutoProvisionUsersDescription";
 import { SwitchInput } from "@app/components/SwitchInput";
 import {
     InfoSection,
@@ -349,7 +350,7 @@ export default function GeneralPage() {
                             {t("idpAutoProvisionUsers")}
                         </SettingsSectionTitle>
                         <SettingsSectionDescription>
-                            {t("idpAutoProvisionUsersDescription")}
+                            <IdpAutoProvisionUsersDescription />
                         </SettingsSectionDescription>
                     </SettingsSectionHeader>
                     <SettingsSectionBody>
@@ -375,9 +376,6 @@ export default function GeneralPage() {
                                     />
                                 </div>
                                 <div className="flex flex-col gap-2">
-                                    <span className="text-sm text-muted-foreground">
-                                        {t("idpAutoProvisionUsersDescription")}
-                                    </span>
                                     {form.watch("autoProvision") && (
                                         <FormDescription>
                                             {t.rich(
diff --git a/src/app/admin/idp/create/page.tsx b/src/app/admin/idp/create/page.tsx
index 5039d255c..82036c510 100644
--- a/src/app/admin/idp/create/page.tsx
+++ b/src/app/admin/idp/create/page.tsx
@@ -22,6 +22,7 @@ import {
     FormMessage
 } from "@app/components/ui/form";
 import HeaderTitle from "@app/components/SettingsSectionTitle";
+import IdpAutoProvisionUsersDescription from "@app/components/IdpAutoProvisionUsersDescription";
 import { SwitchInput } from "@app/components/SwitchInput";
 import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
 import { Button } from "@app/components/ui/button";
@@ -94,8 +95,7 @@ export default function Page() {
 
     const watchedType = form.watch("type");
     const templatesLocked =
-        !templatesPaid &&
-        (watchedType === "google" || watchedType === "azure");
+        !templatesPaid && (watchedType === "google" || watchedType === "azure");
 
     async function onSubmit(data: CreateIdpFormValues) {
         if (
@@ -223,7 +223,9 @@ export default function Page() {
                                         <div className="flex items-start mb-0">
                                             <SwitchInput
                                                 id="auto-provision-toggle"
-                                                label={t("idpAutoProvisionUsers")}
+                                                label={t(
+                                                    "idpAutoProvisionUsers"
+                                                )}
                                                 defaultChecked={form.getValues(
                                                     "autoProvision"
                                                 )}
@@ -235,11 +237,6 @@ export default function Page() {
                                                 }}
                                             />
                                         </div>
-                                        <span className="text-sm text-muted-foreground">
-                                            {t(
-                                                "idpAutoProvisionUsersDescription"
-                                            )}
-                                        </span>
                                     </form>
                                 </Form>
                             </SettingsSectionForm>
@@ -251,391 +248,409 @@ export default function Page() {
                     disabled={templatesLocked}
                     className="min-w-0 border-0 p-0 m-0 disabled:pointer-events-none disabled:opacity-60"
                 >
-                {watchedType === "google" && (
-                    <SettingsSection>
-                        <SettingsSectionHeader>
-                            <SettingsSectionTitle>
-                                {t("idpGoogleConfigurationTitle")}
-                            </SettingsSectionTitle>
-                            <SettingsSectionDescription>
-                                {t("idpGoogleConfigurationDescription")}
-                            </SettingsSectionDescription>
-                        </SettingsSectionHeader>
-                        <SettingsSectionBody>
-                            <SettingsSectionForm>
-                                <Form {...form}>
-                                    <form
-                                        className="space-y-4"
-                                        id="create-idp-form"
-                                        onSubmit={form.handleSubmit(onSubmit)}
-                                    >
-                                        <FormField
-                                            control={form.control}
-                                            name="clientId"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpClientId")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input {...field} />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpGoogleClientIdDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-
-                                        <FormField
-                                            control={form.control}
-                                            name="clientSecret"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpClientSecret")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input
-                                                            type="password"
-                                                            {...field}
-                                                        />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpGoogleClientSecretDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-                                    </form>
-                                </Form>
-                            </SettingsSectionForm>
-                        </SettingsSectionBody>
-                    </SettingsSection>
-                )}
-
-                {watchedType === "azure" && (
-                    <SettingsSection>
-                        <SettingsSectionHeader>
-                            <SettingsSectionTitle>
-                                {t("idpAzureConfigurationTitle")}
-                            </SettingsSectionTitle>
-                            <SettingsSectionDescription>
-                                {t("idpAzureConfigurationDescription")}
-                            </SettingsSectionDescription>
-                        </SettingsSectionHeader>
-                        <SettingsSectionBody>
-                            <SettingsSectionForm>
-                                <Form {...form}>
-                                    <form
-                                        className="space-y-4"
-                                        id="create-idp-form"
-                                        onSubmit={form.handleSubmit(onSubmit)}
-                                    >
-                                        <FormField
-                                            control={form.control}
-                                            name="tenantId"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpTenantIdLabel")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input {...field} />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpAzureTenantIdDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-
-                                        <FormField
-                                            control={form.control}
-                                            name="clientId"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpClientId")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input {...field} />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpAzureClientIdDescription2"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-
-                                        <FormField
-                                            control={form.control}
-                                            name="clientSecret"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpClientSecret")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input
-                                                            type="password"
-                                                            {...field}
-                                                        />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpAzureClientSecretDescription2"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-                                    </form>
-                                </Form>
-                            </SettingsSectionForm>
-                        </SettingsSectionBody>
-                    </SettingsSection>
-                )}
-
-                {watchedType === "oidc" && (
-                    <SettingsSectionGrid cols={2}>
+                    {watchedType === "google" && (
                         <SettingsSection>
                             <SettingsSectionHeader>
                                 <SettingsSectionTitle>
-                                    {t("idpOidcConfigure")}
+                                    {t("idpGoogleConfigurationTitle")}
                                 </SettingsSectionTitle>
                                 <SettingsSectionDescription>
-                                    {t("idpOidcConfigureDescription")}
+                                    {t("idpGoogleConfigurationDescription")}
                                 </SettingsSectionDescription>
                             </SettingsSectionHeader>
                             <SettingsSectionBody>
-                                <Form {...form}>
-                                    <form
-                                        className="space-y-4"
-                                        id="create-idp-form"
-                                        onSubmit={form.handleSubmit(onSubmit)}
-                                    >
-                                        <FormField
-                                            control={form.control}
-                                            name="clientId"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpClientId")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input {...field} />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpClientIdDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
+                                <SettingsSectionForm>
+                                    <Form {...form}>
+                                        <form
+                                            className="space-y-4"
+                                            id="create-idp-form"
+                                            onSubmit={form.handleSubmit(
+                                                onSubmit
                                             )}
-                                        />
+                                        >
+                                            <FormField
+                                                control={form.control}
+                                                name="clientId"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t("idpClientId")}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpGoogleClientIdDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
 
-                                        <FormField
-                                            control={form.control}
-                                            name="clientSecret"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpClientSecret")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input
-                                                            type="password"
-                                                            {...field}
-                                                        />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpClientSecretDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-
-                                        <FormField
-                                            control={form.control}
-                                            name="authUrl"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpAuthUrl")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input
-                                                            placeholder="https://your-idp.com/oauth2/authorize"
-                                                            {...field}
-                                                        />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpAuthUrlDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-
-                                        <FormField
-                                            control={form.control}
-                                            name="tokenUrl"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpTokenUrl")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input
-                                                            placeholder="https://your-idp.com/oauth2/token"
-                                                            {...field}
-                                                        />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpTokenUrlDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-                                    </form>
-                                </Form>
+                                            <FormField
+                                                control={form.control}
+                                                name="clientSecret"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpClientSecret"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input
+                                                                type="password"
+                                                                {...field}
+                                                            />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpGoogleClientSecretDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+                                        </form>
+                                    </Form>
+                                </SettingsSectionForm>
                             </SettingsSectionBody>
                         </SettingsSection>
+                    )}
 
+                    {watchedType === "azure" && (
                         <SettingsSection>
                             <SettingsSectionHeader>
                                 <SettingsSectionTitle>
-                                    {t("idpToken")}
+                                    {t("idpAzureConfigurationTitle")}
                                 </SettingsSectionTitle>
                                 <SettingsSectionDescription>
-                                    {t("idpTokenDescription")}
+                                    {t("idpAzureConfigurationDescription")}
                                 </SettingsSectionDescription>
                             </SettingsSectionHeader>
                             <SettingsSectionBody>
-                                <Form {...form}>
-                                    <form
-                                        className="space-y-4"
-                                        id="create-idp-form"
-                                        onSubmit={form.handleSubmit(onSubmit)}
-                                    >
-                                        <FormField
-                                            control={form.control}
-                                            name="identifierPath"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpJmespathLabel")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input {...field} />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpJmespathLabelDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
+                                <SettingsSectionForm>
+                                    <Form {...form}>
+                                        <form
+                                            className="space-y-4"
+                                            id="create-idp-form"
+                                            onSubmit={form.handleSubmit(
+                                                onSubmit
                                             )}
-                                        />
+                                        >
+                                            <FormField
+                                                control={form.control}
+                                                name="tenantId"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpTenantIdLabel"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpAzureTenantIdDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
 
-                                        <FormField
-                                            control={form.control}
-                                            name="emailPath"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t(
-                                                            "idpJmespathEmailPathOptional"
-                                                        )}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input {...field} />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpJmespathEmailPathOptionalDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
+                                            <FormField
+                                                control={form.control}
+                                                name="clientId"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t("idpClientId")}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpAzureClientIdDescription2"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
 
-                                        <FormField
-                                            control={form.control}
-                                            name="namePath"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t(
-                                                            "idpJmespathNamePathOptional"
-                                                        )}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input {...field} />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpJmespathNamePathOptionalDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-
-                                        <FormField
-                                            control={form.control}
-                                            name="scopes"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t(
-                                                            "idpOidcConfigureScopes"
-                                                        )}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input {...field} />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpOidcConfigureScopesDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-                                    </form>
-                                </Form>
+                                            <FormField
+                                                control={form.control}
+                                                name="clientSecret"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpClientSecret"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input
+                                                                type="password"
+                                                                {...field}
+                                                            />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpAzureClientSecretDescription2"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+                                        </form>
+                                    </Form>
+                                </SettingsSectionForm>
                             </SettingsSectionBody>
                         </SettingsSection>
-                    </SettingsSectionGrid>
-                )}
+                    )}
+
+                    {watchedType === "oidc" && (
+                        <SettingsSectionGrid cols={2}>
+                            <SettingsSection>
+                                <SettingsSectionHeader>
+                                    <SettingsSectionTitle>
+                                        {t("idpOidcConfigure")}
+                                    </SettingsSectionTitle>
+                                    <SettingsSectionDescription>
+                                        {t("idpOidcConfigureDescription")}
+                                    </SettingsSectionDescription>
+                                </SettingsSectionHeader>
+                                <SettingsSectionBody>
+                                    <Form {...form}>
+                                        <form
+                                            className="space-y-4"
+                                            id="create-idp-form"
+                                            onSubmit={form.handleSubmit(
+                                                onSubmit
+                                            )}
+                                        >
+                                            <FormField
+                                                control={form.control}
+                                                name="clientId"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t("idpClientId")}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpClientIdDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="clientSecret"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpClientSecret"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input
+                                                                type="password"
+                                                                {...field}
+                                                            />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpClientSecretDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="authUrl"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t("idpAuthUrl")}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input
+                                                                placeholder="https://your-idp.com/oauth2/authorize"
+                                                                {...field}
+                                                            />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpAuthUrlDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="tokenUrl"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t("idpTokenUrl")}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input
+                                                                placeholder="https://your-idp.com/oauth2/token"
+                                                                {...field}
+                                                            />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpTokenUrlDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+                                        </form>
+                                    </Form>
+                                </SettingsSectionBody>
+                            </SettingsSection>
+
+                            <SettingsSection>
+                                <SettingsSectionHeader>
+                                    <SettingsSectionTitle>
+                                        {t("idpToken")}
+                                    </SettingsSectionTitle>
+                                    <SettingsSectionDescription>
+                                        {t("idpTokenDescription")}
+                                    </SettingsSectionDescription>
+                                </SettingsSectionHeader>
+                                <SettingsSectionBody>
+                                    <Form {...form}>
+                                        <form
+                                            className="space-y-4"
+                                            id="create-idp-form"
+                                            onSubmit={form.handleSubmit(
+                                                onSubmit
+                                            )}
+                                        >
+                                            <FormField
+                                                control={form.control}
+                                                name="identifierPath"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpJmespathLabel"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpJmespathLabelDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="emailPath"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpJmespathEmailPathOptional"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpJmespathEmailPathOptionalDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="namePath"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpJmespathNamePathOptional"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpJmespathNamePathOptionalDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="scopes"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpOidcConfigureScopes"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpOidcConfigureScopesDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+                                        </form>
+                                    </Form>
+                                </SettingsSectionBody>
+                            </SettingsSection>
+                        </SettingsSectionGrid>
+                    )}
                 </fieldset>
             </SettingsContainer>
 
diff --git a/src/components/AutoProvisionConfigWidget.tsx b/src/components/AutoProvisionConfigWidget.tsx
index 59849989a..d4df3f50d 100644
--- a/src/components/AutoProvisionConfigWidget.tsx
+++ b/src/components/AutoProvisionConfigWidget.tsx
@@ -1,14 +1,12 @@
 "use client";
 
+import IdpAutoProvisionUsersDescription from "@app/components/IdpAutoProvisionUsersDescription";
 import { FormDescription } from "@app/components/ui/form";
 import { SwitchInput } from "@app/components/SwitchInput";
 import { useTranslations } from "next-intl";
 import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
-import {
-    MappingBuilderRule,
-    RoleMappingMode
-} from "@app/lib/idpRoleMapping";
+import { MappingBuilderRule, RoleMappingMode } from "@app/lib/idpRoleMapping";
 import RoleMappingConfigFields from "@app/components/RoleMappingConfigFields";
 
 type Role = {
@@ -60,9 +58,6 @@ export default function AutoProvisionConfigWidget({
                     onCheckedChange={onAutoProvisionChange}
                     disabled={!isPaidUser(tierMatrix.autoProvisioning)}
                 />
-                <FormDescription className="text-sm text-muted-foreground">
-                    {t("idpAutoProvisionUsersDescription")}
-                </FormDescription>
             </div>
 
             {autoProvision && (
diff --git a/src/components/IdpAutoProvisionUsersDescription.tsx b/src/components/IdpAutoProvisionUsersDescription.tsx
new file mode 100644
index 000000000..6839ff245
--- /dev/null
+++ b/src/components/IdpAutoProvisionUsersDescription.tsx
@@ -0,0 +1,29 @@
+"use client";
+
+import { useTranslations } from "next-intl";
+
+const AUTO_PROVISION_DOCS_URL =
+    "https://docs.pangolin.net/manage/identity-providers/auto-provisioning";
+
+type IdpAutoProvisionUsersDescriptionProps = {
+    className?: string;
+};
+
+export default function IdpAutoProvisionUsersDescription({
+    className
+}: IdpAutoProvisionUsersDescriptionProps) {
+    const t = useTranslations();
+    return (
+        <span className={className}>
+            {t("idpAutoProvisionUsersDescription")}{" "}
+            <a
+                href={AUTO_PROVISION_DOCS_URL}
+                target="_blank"
+                rel="noopener noreferrer"
+                className="text-primary hover:underline"
+            >
+                {t("learnMore")}
+            </a>
+        </span>
+    );
+}
diff --git a/src/components/IdpCreateWizard.tsx b/src/components/IdpCreateWizard.tsx
index 3fe7e174f..cddad3287 100644
--- a/src/components/IdpCreateWizard.tsx
+++ b/src/components/IdpCreateWizard.tsx
@@ -27,6 +27,7 @@ import { Checkbox } from "@app/components/ui/checkbox";
 import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
 import { InfoIcon, ExternalLink } from "lucide-react";
 import { StrategySelect } from "@app/components/StrategySelect";
+import IdpAutoProvisionUsersDescription from "@app/components/IdpAutoProvisionUsersDescription";
 import { SwitchInput } from "@app/components/SwitchInput";
 import { Badge } from "@app/components/ui/badge";
 import { useTranslations } from "next-intl";
@@ -163,9 +164,6 @@ export function IdpCreateWizard({
                                         disabled={loading}
                                     />
                                 </div>
-                                <span className="text-sm text-muted-foreground">
-                                    {t("idpAutoProvisionUsersDescription")}
-                                </span>
                             </form>
                         </Form>
                     </SettingsSectionForm>

From bdc45887f9b1229309009cc506aa6109be682d2e Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Sun, 29 Mar 2026 12:08:29 -0700
Subject: [PATCH 153/314] Add chainId to dedup messages (#2737)

* ChainId send through on sensitive messages
---
 server/routers/newt/handleGetConfigMessage.ts | 21 +++----------------
 .../newt/handleNewtPingRequestMessage.ts      |  5 +++--
 .../routers/newt/handleNewtRegisterMessage.ts |  5 +++--
 .../routers/olm/handleOlmRegisterMessage.ts   |  6 ++++--
 4 files changed, 13 insertions(+), 24 deletions(-)

diff --git a/server/routers/newt/handleGetConfigMessage.ts b/server/routers/newt/handleGetConfigMessage.ts
index d536e9828..6df0a8f82 100644
--- a/server/routers/newt/handleGetConfigMessage.ts
+++ b/server/routers/newt/handleGetConfigMessage.ts
@@ -8,13 +8,6 @@ import { sendToExitNode } from "#dynamic/lib/exitNodes";
 import { buildClientConfigurationForNewtClient } from "./buildConfiguration";
 import { canCompress } from "@server/lib/clientVersionChecks";
 
-const inputSchema = z.object({
-    publicKey: z.string(),
-    port: z.int().positive()
-});
-
-type Input = z.infer<typeof inputSchema>;
-
 export const handleGetConfigMessage: MessageHandler = async (context) => {
     const { message, client, sendToClient } = context;
     const newt = client as Newt;
@@ -33,16 +26,7 @@ export const handleGetConfigMessage: MessageHandler = async (context) => {
         return;
     }
 
-    const parsed = inputSchema.safeParse(message.data);
-    if (!parsed.success) {
-        logger.error(
-            "handleGetConfigMessage: Invalid input: " +
-                fromError(parsed.error).toString()
-        );
-        return;
-    }
-
-    const { publicKey, port } = message.data as Input;
+    const { publicKey, port, chainId } = message.data;
     const siteId = newt.siteId;
 
     // Get the current site data
@@ -133,7 +117,8 @@ export const handleGetConfigMessage: MessageHandler = async (context) => {
             data: {
                 ipAddress: site.address,
                 peers,
-                targets
+                targets,
+                chainId: chainId
             }
         },
         options: {
diff --git a/server/routers/newt/handleNewtPingRequestMessage.ts b/server/routers/newt/handleNewtPingRequestMessage.ts
index b75ddd5e4..8f6df4bec 100644
--- a/server/routers/newt/handleNewtPingRequestMessage.ts
+++ b/server/routers/newt/handleNewtPingRequestMessage.ts
@@ -33,7 +33,7 @@ export const handleNewtPingRequestMessage: MessageHandler = async (context) => {
         return;
     }
 
-    const { noCloud } = message.data;
+    const { noCloud, chainId } = message.data;
 
     const exitNodesList = await listExitNodes(
         site.orgId,
@@ -98,7 +98,8 @@ export const handleNewtPingRequestMessage: MessageHandler = async (context) => {
         message: {
             type: "newt/ping/exitNodes",
             data: {
-                exitNodes: filteredExitNodes
+                exitNodes: filteredExitNodes,
+                chainId: chainId
             }
         },
         broadcast: false, // Send to all clients
diff --git a/server/routers/newt/handleNewtRegisterMessage.ts b/server/routers/newt/handleNewtRegisterMessage.ts
index 90034cfbf..fce42caa3 100644
--- a/server/routers/newt/handleNewtRegisterMessage.ts
+++ b/server/routers/newt/handleNewtRegisterMessage.ts
@@ -43,7 +43,7 @@ export const handleNewtRegisterMessage: MessageHandler = async (context) => {
 
     const siteId = newt.siteId;
 
-    const { publicKey, pingResults, newtVersion, backwardsCompatible } =
+    const { publicKey, pingResults, newtVersion, backwardsCompatible, chainId } =
         message.data;
     if (!publicKey) {
         logger.warn("Public key not provided");
@@ -211,7 +211,8 @@ export const handleNewtRegisterMessage: MessageHandler = async (context) => {
                     udp: udpTargets,
                     tcp: tcpTargets
                 },
-                healthCheckTargets: validHealthCheckTargets
+                healthCheckTargets: validHealthCheckTargets,
+                chainId: chainId
             }
         },
         options: {
diff --git a/server/routers/olm/handleOlmRegisterMessage.ts b/server/routers/olm/handleOlmRegisterMessage.ts
index 5439245c4..26dbff1bd 100644
--- a/server/routers/olm/handleOlmRegisterMessage.ts
+++ b/server/routers/olm/handleOlmRegisterMessage.ts
@@ -41,7 +41,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
         orgId,
         userToken,
         fingerprint,
-        postures
+        postures,
+        chainId
     } = message.data;
 
     if (!olm.clientId) {
@@ -293,7 +294,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
             data: {
                 sites: siteConfigurations,
                 tunnelIP: client.subnet,
-                utilitySubnet: org.utilitySubnet
+                utilitySubnet: org.utilitySubnet,
+                chainId: chainId
             }
         },
         options: {

From 2828dee94c9fa6ed4f2df1867bc97a207558f037 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Sun, 29 Mar 2026 12:11:22 -0700
Subject: [PATCH 154/314] support multi role on create user and invites

---
 server/db/pg/schema/schema.ts                 |  20 +-
 server/db/sqlite/schema/schema.ts             |  20 +-
 server/lib/userOrg.ts                         |  19 +-
 server/routers/idp/validateOidcCallback.ts    |  14 +-
 server/routers/user/acceptInvite.ts           |  43 ++-
 server/routers/user/createOrgUser.ts          |  94 ++++--
 server/routers/user/inviteUser.ts             |  83 +++--
 server/routers/user/listInvitations.ts        |  64 +++-
 .../settings/access/invitations/page.tsx      |  12 +-
 .../users/[userId]/access-controls/page.tsx   | 107 ++-----
 .../settings/access/users/create/page.tsx     | 288 ++++++++----------
 src/components/InvitationsTable.tsx           |  14 +-
 src/components/OrgRolesTagField.tsx           | 117 +++++++
 src/components/RegenerateInvitationForm.tsx   |  18 +-
 src/components/UserRoleBadges.tsx             |  69 +++++
 src/components/UsersTable.tsx                 |  63 +---
 16 files changed, 629 insertions(+), 416 deletions(-)
 create mode 100644 src/components/OrgRolesTagField.tsx
 create mode 100644 src/components/UserRoleBadges.tsx

diff --git a/server/db/pg/schema/schema.ts b/server/db/pg/schema/schema.ts
index 0346495e3..2bd9624e7 100644
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -6,6 +6,7 @@ import {
     index,
     integer,
     pgTable,
+    primaryKey,
     real,
     serial,
     text,
@@ -467,12 +468,22 @@ export const userInvites = pgTable("userInvites", {
         .references(() => orgs.orgId, { onDelete: "cascade" }),
     email: varchar("email").notNull(),
     expiresAt: bigint("expiresAt", { mode: "number" }).notNull(),
-    tokenHash: varchar("token").notNull(),
-    roleId: integer("roleId")
-        .notNull()
-        .references(() => roles.roleId, { onDelete: "cascade" })
+    tokenHash: varchar("token").notNull()
 });
 
+export const userInviteRoles = pgTable(
+    "userInviteRoles",
+    {
+        inviteId: varchar("inviteId")
+            .notNull()
+            .references(() => userInvites.inviteId, { onDelete: "cascade" }),
+        roleId: integer("roleId")
+            .notNull()
+            .references(() => roles.roleId, { onDelete: "cascade" })
+    },
+    (t) => [primaryKey({ columns: [t.inviteId, t.roleId] })]
+);
+
 export const resourcePincode = pgTable("resourcePincode", {
     pincodeId: serial("pincodeId").primaryKey(),
     resourceId: integer("resourceId")
@@ -1048,6 +1059,7 @@ export type UserSite = InferSelectModel<typeof userSites>;
 export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
+export type UserInviteRole = InferSelectModel<typeof userInviteRoles>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
 export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
diff --git a/server/db/sqlite/schema/schema.ts b/server/db/sqlite/schema/schema.ts
index a4a0c6b8e..b43f3b4a6 100644
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -3,6 +3,7 @@ import { InferSelectModel } from "drizzle-orm";
 import {
     index,
     integer,
+    primaryKey,
     sqliteTable,
     text,
     unique
@@ -804,12 +805,22 @@ export const userInvites = sqliteTable("userInvites", {
         .references(() => orgs.orgId, { onDelete: "cascade" }),
     email: text("email").notNull(),
     expiresAt: integer("expiresAt").notNull(),
-    tokenHash: text("token").notNull(),
-    roleId: integer("roleId")
-        .notNull()
-        .references(() => roles.roleId, { onDelete: "cascade" })
+    tokenHash: text("token").notNull()
 });
 
+export const userInviteRoles = sqliteTable(
+    "userInviteRoles",
+    {
+        inviteId: text("inviteId")
+            .notNull()
+            .references(() => userInvites.inviteId, { onDelete: "cascade" }),
+        roleId: integer("roleId")
+            .notNull()
+            .references(() => roles.roleId, { onDelete: "cascade" })
+    },
+    (t) => [primaryKey({ columns: [t.inviteId, t.roleId] })]
+);
+
 export const resourcePincode = sqliteTable("resourcePincode", {
     pincodeId: integer("pincodeId").primaryKey({
         autoIncrement: true
@@ -1152,6 +1163,7 @@ export type UserSite = InferSelectModel<typeof userSites>;
 export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
+export type UserInviteRole = InferSelectModel<typeof userInviteRoles>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
 export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
diff --git a/server/lib/userOrg.ts b/server/lib/userOrg.ts
index fb0b88c2b..809266b73 100644
--- a/server/lib/userOrg.ts
+++ b/server/lib/userOrg.ts
@@ -19,15 +19,22 @@ import { FeatureId } from "@server/lib/billing";
 export async function assignUserToOrg(
     org: Org,
     values: typeof userOrgs.$inferInsert,
-    roleId: number,
+    roleIds: number[],
     trx: Transaction | typeof db = db
 ) {
+    const uniqueRoleIds = [...new Set(roleIds)];
+    if (uniqueRoleIds.length === 0) {
+        throw new Error("assignUserToOrg requires at least one roleId");
+    }
+
     const [userOrg] = await trx.insert(userOrgs).values(values).returning();
-    await trx.insert(userOrgRoles).values({
-        userId: userOrg.userId,
-        orgId: userOrg.orgId,
-        roleId
-    });
+    await trx.insert(userOrgRoles).values(
+        uniqueRoleIds.map((roleId) => ({
+            userId: userOrg.userId,
+            orgId: userOrg.orgId,
+            roleId
+        }))
+    );
 
     // calculate if the user is in any other of the orgs before we count it as an add to the billing org
     if (org.billingOrgId) {
diff --git a/server/routers/idp/validateOidcCallback.ts b/server/routers/idp/validateOidcCallback.ts
index 4de52f530..7c9e53cf2 100644
--- a/server/routers/idp/validateOidcCallback.ts
+++ b/server/routers/idp/validateOidcCallback.ts
@@ -623,9 +623,7 @@ export async function validateOidcCallback(
 
                 if (orgsToAdd.length > 0) {
                     for (const org of orgsToAdd) {
-                        const [initialRoleId, ...additionalRoleIds] =
-                            org.roleIds;
-                        if (!initialRoleId) {
+                        if (org.roleIds.length === 0) {
                             continue;
                         }
 
@@ -641,17 +639,9 @@ export async function validateOidcCallback(
                                     userId: userId!,
                                     autoProvisioned: true,
                                 },
-                                initialRoleId,
+                                org.roleIds,
                                 trx
                             );
-
-                            for (const roleId of additionalRoleIds) {
-                                await trx.insert(userOrgRoles).values({
-                                    userId: userId!,
-                                    orgId: org.orgId,
-                                    roleId
-                                });
-                            }
                         }
                     }
                 }
diff --git a/server/routers/user/acceptInvite.ts b/server/routers/user/acceptInvite.ts
index 30d3be7b9..88010e580 100644
--- a/server/routers/user/acceptInvite.ts
+++ b/server/routers/user/acceptInvite.ts
@@ -1,8 +1,8 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, orgs, UserOrg } from "@server/db";
-import { roles, userInvites, userOrgs, users } from "@server/db";
-import { eq, and, inArray, ne } from "drizzle-orm";
+import { db, orgs } from "@server/db";
+import { roles, userInviteRoles, userInvites, userOrgs, users } from "@server/db";
+import { eq, and, inArray } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -141,17 +141,34 @@ export async function acceptInvite(
             );
         }
 
-        let roleId: number;
-        // get the role to make sure it exists
-        const existingRole = await db
+        const inviteRoleRows = await db
+            .select({ roleId: userInviteRoles.roleId })
+            .from(userInviteRoles)
+            .where(eq(userInviteRoles.inviteId, inviteId));
+
+        const inviteRoleIds = [
+            ...new Set(inviteRoleRows.map((r) => r.roleId))
+        ];
+        if (inviteRoleIds.length === 0) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "This invitation has no roles. Please contact an admin."
+                )
+            );
+        }
+
+        const existingRoles = await db
             .select()
             .from(roles)
-            .where(eq(roles.roleId, existingInvite.roleId))
-            .limit(1);
-        if (existingRole.length) {
-            roleId = existingRole[0].roleId;
-        } else {
-            // TODO: use the default role on the org instead of failing
+            .where(
+                and(
+                    eq(roles.orgId, existingInvite.orgId),
+                    inArray(roles.roleId, inviteRoleIds)
+                )
+            );
+
+        if (existingRoles.length !== inviteRoleIds.length) {
             return next(
                 createHttpError(
                     HttpCode.BAD_REQUEST,
@@ -167,7 +184,7 @@ export async function acceptInvite(
                     userId: existingUser[0].userId,
                     orgId: existingInvite.orgId
                 },
-                existingInvite.roleId,
+                inviteRoleIds,
                 trx
             );
 
diff --git a/server/routers/user/createOrgUser.ts b/server/routers/user/createOrgUser.ts
index 237b7111e..ddc37d3a2 100644
--- a/server/routers/user/createOrgUser.ts
+++ b/server/routers/user/createOrgUser.ts
@@ -6,8 +6,8 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { db, orgs, UserOrg } from "@server/db";
-import { and, eq, inArray, ne } from "drizzle-orm";
+import { db, orgs } from "@server/db";
+import { and, eq, inArray } from "drizzle-orm";
 import { idp, idpOidcConfig, roles, userOrgs, users } from "@server/db";
 import { generateId } from "@server/auth/sessions/app";
 import { usageService } from "@server/lib/billing/usageService";
@@ -15,21 +15,43 @@ import { FeatureId } from "@server/lib/billing";
 import { build } from "@server/build";
 import { calculateUserClientsForOrgs } from "@server/lib/calculateUserClientsForOrgs";
 import { isSubscribed } from "#dynamic/lib/isSubscribed";
-import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
 import { assignUserToOrg } from "@server/lib/userOrg";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 
 const paramsSchema = z.strictObject({
     orgId: z.string().nonempty()
 });
 
-const bodySchema = z.strictObject({
-    email: z.string().email().toLowerCase().optional(),
-    username: z.string().nonempty().toLowerCase(),
-    name: z.string().optional(),
-    type: z.enum(["internal", "oidc"]).optional(),
-    idpId: z.number().optional(),
-    roleId: z.number()
-});
+const bodySchema = z
+    .strictObject({
+        email: z.string().email().toLowerCase().optional(),
+        username: z.string().nonempty().toLowerCase(),
+        name: z.string().optional(),
+        type: z.enum(["internal", "oidc"]).optional(),
+        idpId: z.number().optional(),
+        roleIds: z.array(z.number().int().positive()).min(1).optional(),
+        roleId: z.number().int().positive().optional()
+    })
+    .refine(
+        (d) =>
+            (d.roleIds != null && d.roleIds.length > 0) || d.roleId != null,
+        { message: "roleIds or roleId is required", path: ["roleIds"] }
+    )
+    .transform((data) => ({
+        email: data.email,
+        username: data.username,
+        name: data.name,
+        type: data.type,
+        idpId: data.idpId,
+        roleIds: [
+            ...new Set(
+                data.roleIds && data.roleIds.length > 0
+                    ? data.roleIds
+                    : [data.roleId!]
+            )
+        ]
+    }));
 
 export type CreateOrgUserResponse = {};
 
@@ -78,7 +100,8 @@ export async function createOrgUser(
         }
 
         const { orgId } = parsedParams.data;
-        const { username, email, name, type, idpId, roleId } = parsedBody.data;
+        const { username, email, name, type, idpId, roleIds: uniqueRoleIds } =
+            parsedBody.data;
 
         if (build == "saas") {
             const usage = await usageService.getUsage(orgId, FeatureId.USERS);
@@ -109,17 +132,6 @@ export async function createOrgUser(
             }
         }
 
-        const [role] = await db
-            .select()
-            .from(roles)
-            .where(eq(roles.roleId, roleId));
-
-        if (!role) {
-            return next(
-                createHttpError(HttpCode.BAD_REQUEST, "Role ID not found")
-            );
-        }
-
         if (type === "internal") {
             return next(
                 createHttpError(
@@ -152,6 +164,38 @@ export async function createOrgUser(
                 );
             }
 
+            const supportsMultiRole = await isLicensedOrSubscribed(
+                orgId,
+                tierMatrix[TierFeature.FullRbac]
+            );
+            if (!supportsMultiRole && uniqueRoleIds.length > 1) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Multiple roles per user require a subscription or license that includes full RBAC."
+                    )
+                );
+            }
+
+            const orgRoles = await db
+                .select({ roleId: roles.roleId })
+                .from(roles)
+                .where(
+                    and(
+                        eq(roles.orgId, orgId),
+                        inArray(roles.roleId, uniqueRoleIds)
+                    )
+                );
+
+            if (orgRoles.length !== uniqueRoleIds.length) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Invalid role ID or role does not belong to this organization"
+                    )
+                );
+            }
+
             const [org] = await db
                 .select()
                 .from(orgs)
@@ -228,7 +272,7 @@ export async function createOrgUser(
                             userId: existingUser.userId,
                             autoProvisioned: false,
                         },
-                        role.roleId,
+                        uniqueRoleIds,
                         trx
                     );
                 } else {
@@ -255,7 +299,7 @@ export async function createOrgUser(
                                 userId: newUser.userId,
                                 autoProvisioned: false,
                             },
-                            role.roleId,
+                            uniqueRoleIds,
                             trx
                         );
                 }
diff --git a/server/routers/user/inviteUser.ts b/server/routers/user/inviteUser.ts
index b0632da9e..7ac1849b9 100644
--- a/server/routers/user/inviteUser.ts
+++ b/server/routers/user/inviteUser.ts
@@ -1,8 +1,8 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { orgs, roles, userInvites, userOrgs, users } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { orgs, roles, userInviteRoles, userInvites, userOrgs, users } from "@server/db";
+import { and, eq, inArray } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -18,22 +18,44 @@ import { OpenAPITags, registry } from "@server/openApi";
 import { UserType } from "@server/types/UserTypes";
 import { usageService } from "@server/lib/billing/usageService";
 import { FeatureId } from "@server/lib/billing";
+import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
 import { build } from "@server/build";
 import cache from "#dynamic/lib/cache";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 
 const inviteUserParamsSchema = z.strictObject({
     orgId: z.string()
 });
 
-const inviteUserBodySchema = z.strictObject({
-    email: z.email().toLowerCase(),
-    roleId: z.number(),
-    validHours: z.number().gt(0).lte(168),
-    sendEmail: z.boolean().optional(),
-    regenerate: z.boolean().optional()
-});
+const inviteUserBodySchema = z
+    .strictObject({
+        email: z.email().toLowerCase(),
+        roleIds: z.array(z.number().int().positive()).min(1).optional(),
+        roleId: z.number().int().positive().optional(),
+        validHours: z.number().gt(0).lte(168),
+        sendEmail: z.boolean().optional(),
+        regenerate: z.boolean().optional()
+    })
+    .refine(
+        (d) =>
+            (d.roleIds != null && d.roleIds.length > 0) || d.roleId != null,
+        { message: "roleIds or roleId is required", path: ["roleIds"] }
+    )
+    .transform((data) => ({
+        email: data.email,
+        validHours: data.validHours,
+        sendEmail: data.sendEmail,
+        regenerate: data.regenerate,
+        roleIds: [
+            ...new Set(
+                data.roleIds && data.roleIds.length > 0
+                    ? data.roleIds
+                    : [data.roleId!]
+            )
+        ]
+    }));
 
-export type InviteUserBody = z.infer<typeof inviteUserBodySchema>;
+export type InviteUserBody = z.input<typeof inviteUserBodySchema>;
 
 export type InviteUserResponse = {
     inviteLink: string;
@@ -88,7 +110,7 @@ export async function inviteUser(
         const {
             email,
             validHours,
-            roleId,
+            roleIds: uniqueRoleIds,
             sendEmail: doEmail,
             regenerate
         } = parsedBody.data;
@@ -105,14 +127,30 @@ export async function inviteUser(
             );
         }
 
-        // Validate that the roleId belongs to the target organization
-        const [role] = await db
-            .select()
-            .from(roles)
-            .where(and(eq(roles.roleId, roleId), eq(roles.orgId, orgId)))
-            .limit(1);
+        const supportsMultiRole = await isLicensedOrSubscribed(
+            orgId,
+            tierMatrix[TierFeature.FullRbac]
+        );
+        if (!supportsMultiRole && uniqueRoleIds.length > 1) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Multiple roles per user require a subscription or license that includes full RBAC."
+                )
+            );
+        }
 
-        if (!role) {
+        const orgRoles = await db
+            .select({ roleId: roles.roleId })
+            .from(roles)
+            .where(
+                and(
+                    eq(roles.orgId, orgId),
+                    inArray(roles.roleId, uniqueRoleIds)
+                )
+            );
+
+        if (orgRoles.length !== uniqueRoleIds.length) {
             return next(
                 createHttpError(
                     HttpCode.BAD_REQUEST,
@@ -191,7 +229,8 @@ export async function inviteUser(
         }
 
         if (existingInvite.length) {
-            const attempts = (await cache.get<number>(email)) || 0;
+            const attempts =
+                (await cache.get<number>("regenerateInvite:" + email)) || 0;
             if (attempts >= 3) {
                 return next(
                     createHttpError(
@@ -273,9 +312,11 @@ export async function inviteUser(
                 orgId,
                 email,
                 expiresAt,
-                tokenHash,
-                roleId
+                tokenHash
             });
+            await trx.insert(userInviteRoles).values(
+                uniqueRoleIds.map((roleId) => ({ inviteId, roleId }))
+            );
         });
 
         const inviteLink = `${config.getRawConfig().app.dashboard_url}/invite?token=${inviteId}-${token}&email=${encodeURIComponent(email)}`;
diff --git a/server/routers/user/listInvitations.ts b/server/routers/user/listInvitations.ts
index 2733c8395..1f4bcc02c 100644
--- a/server/routers/user/listInvitations.ts
+++ b/server/routers/user/listInvitations.ts
@@ -1,11 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { userInvites, roles } from "@server/db";
+import { userInvites, userInviteRoles, roles } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
-import { sql } from "drizzle-orm";
+import { sql, eq, and, inArray } from "drizzle-orm";
 import logger from "@server/logger";
 import { fromZodError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
@@ -29,24 +29,66 @@ const listInvitationsQuerySchema = z.strictObject({
         .pipe(z.int().nonnegative())
 });
 
-async function queryInvitations(orgId: string, limit: number, offset: number) {
-    return await db
+export type InvitationListRow = {
+    inviteId: string;
+    email: string;
+    expiresAt: number;
+    roles: { roleId: number; roleName: string | null }[];
+};
+
+async function queryInvitations(
+    orgId: string,
+    limit: number,
+    offset: number
+): Promise<InvitationListRow[]> {
+    const inviteRows = await db
         .select({
             inviteId: userInvites.inviteId,
             email: userInvites.email,
-            expiresAt: userInvites.expiresAt,
-            roleId: userInvites.roleId,
-            roleName: roles.name
+            expiresAt: userInvites.expiresAt
         })
         .from(userInvites)
-        .leftJoin(roles, sql`${userInvites.roleId} = ${roles.roleId}`)
-        .where(sql`${userInvites.orgId} = ${orgId}`)
+        .where(eq(userInvites.orgId, orgId))
         .limit(limit)
         .offset(offset);
+
+    if (inviteRows.length === 0) {
+        return [];
+    }
+
+    const inviteIds = inviteRows.map((r) => r.inviteId);
+    const roleRows = await db
+        .select({
+            inviteId: userInviteRoles.inviteId,
+            roleId: userInviteRoles.roleId,
+            roleName: roles.name
+        })
+        .from(userInviteRoles)
+        .innerJoin(roles, eq(userInviteRoles.roleId, roles.roleId))
+        .where(
+            and(eq(roles.orgId, orgId), inArray(userInviteRoles.inviteId, inviteIds))
+        );
+
+    const rolesByInvite = new Map<
+        string,
+        { roleId: number; roleName: string | null }[]
+    >();
+    for (const row of roleRows) {
+        const list = rolesByInvite.get(row.inviteId) ?? [];
+        list.push({ roleId: row.roleId, roleName: row.roleName });
+        rolesByInvite.set(row.inviteId, list);
+    }
+
+    return inviteRows.map((inv) => ({
+        inviteId: inv.inviteId,
+        email: inv.email,
+        expiresAt: inv.expiresAt,
+        roles: rolesByInvite.get(inv.inviteId) ?? []
+    }));
 }
 
 export type ListInvitationsResponse = {
-    invitations: NonNullable<Awaited<ReturnType<typeof queryInvitations>>>;
+    invitations: InvitationListRow[];
     pagination: { total: number; limit: number; offset: number };
 };
 
@@ -95,7 +137,7 @@ export async function listInvitations(
         const [{ count }] = await db
             .select({ count: sql<number>`count(*)` })
             .from(userInvites)
-            .where(sql`${userInvites.orgId} = ${orgId}`);
+            .where(eq(userInvites.orgId, orgId));
 
         return response<ListInvitationsResponse>(res, {
             data: {
diff --git a/src/app/[orgId]/settings/access/invitations/page.tsx b/src/app/[orgId]/settings/access/invitations/page.tsx
index b6ee14484..00cb0ffc8 100644
--- a/src/app/[orgId]/settings/access/invitations/page.tsx
+++ b/src/app/[orgId]/settings/access/invitations/page.tsx
@@ -29,9 +29,8 @@ export default async function InvitationsPage(props: InvitationsPageProps) {
     let invitations: {
         inviteId: string;
         email: string;
-        expiresAt: string;
-        roleId: number;
-        roleName?: string;
+        expiresAt: number;
+        roles: { roleId: number; roleName: string | null }[];
     }[] = [];
     let hasInvitations = false;
 
@@ -66,12 +65,15 @@ export default async function InvitationsPage(props: InvitationsPageProps) {
     }
 
     const invitationRows: InvitationRow[] = invitations.map((invite) => {
+        const names = invite.roles
+            .map((r) => r.roleName || t("accessRoleUnknown"))
+            .filter(Boolean);
         return {
             id: invite.inviteId,
             email: invite.email,
             expiresAt: new Date(Number(invite.expiresAt)).toISOString(),
-            role: invite.roleName || t("accessRoleUnknown"),
-            roleId: invite.roleId
+            roleLabels: names,
+            roleIds: invite.roles.map((r) => r.roleId)
         };
     });
 
diff --git a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
index 16ae0b3a5..9ab9e93fa 100644
--- a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
+++ b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
@@ -3,18 +3,17 @@
 import {
     Form,
     FormControl,
-    FormDescription,
     FormField,
     FormItem,
     FormLabel,
     FormMessage
 } from "@app/components/ui/form";
 import { Checkbox } from "@app/components/ui/checkbox";
-import { Tag, TagInput } from "@app/components/tags/tag-input";
+import OrgRolesTagField from "@app/components/OrgRolesTagField";
 import { toast } from "@app/hooks/useToast";
 import { zodResolver } from "@hookform/resolvers/zod";
 import { AxiosResponse } from "axios";
-import { useEffect, useMemo, useState } from "react";
+import { useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
 import { z } from "zod";
 import { ListRolesResponse } from "@server/routers/role";
@@ -67,8 +66,7 @@ export default function AccessControlsPage() {
     );
 
     const t = useTranslations();
-    const { isPaidUser, hasSaasSubscription, hasEnterpriseLicense } =
-        usePaidStatus();
+    const { isPaidUser } = usePaidStatus();
     const isPaid = isPaidUser(tierMatrix.fullRbac);
     const supportsMultipleRolesPerUser = isPaid;
     const showMultiRolePaywallMessage =
@@ -131,40 +129,10 @@ export default function AccessControlsPage() {
         text: role.name
     }));
 
-    function setRoleTags(updater: Tag[] | ((prev: Tag[]) => Tag[])) {
-        const prev = form.getValues("roles");
-        const nextValue =
-            typeof updater === "function" ? updater(prev) : updater;
-        const next = supportsMultipleRolesPerUser
-            ? nextValue
-            : nextValue.length > 1
-              ? [nextValue[nextValue.length - 1]]
-              : nextValue;
-
-        // In single-role mode, selecting the currently selected role can transiently
-        // emit an empty tag list from TagInput; keep the prior selection.
-        if (
-            !supportsMultipleRolesPerUser &&
-            next.length === 0 &&
-            prev.length > 0
-        ) {
-            form.setValue("roles", [prev[prev.length - 1]], {
-                shouldDirty: true
-            });
-            return;
-        }
-
-        if (next.length === 0) {
-            toast({
-                variant: "destructive",
-                title: t("accessRoleErrorAdd"),
-                description: t("accessRoleSelectPlease")
-            });
-            return;
-        }
-
-        form.setValue("roles", next, { shouldDirty: true });
-    }
+    const paywallMessage =
+        build === "saas"
+            ? t("singleRolePerUserPlanNotice")
+            : t("singleRolePerUserEditionNotice");
 
     async function onSubmit(values: z.infer<typeof accessControlsFormSchema>) {
         if (values.roles.length === 0) {
@@ -255,53 +223,22 @@ export default function AccessControlsPage() {
                                         </div>
                                     )}
 
-                                <FormField
-                                    control={form.control}
+                                <OrgRolesTagField
+                                    form={form}
                                     name="roles"
-                                    render={({ field }) => (
-                                        <FormItem className="flex flex-col items-start">
-                                            <FormLabel>{t("roles")}</FormLabel>
-                                            <FormControl>
-                                                <TagInput
-                                                    {...field}
-                                                    activeTagIndex={
-                                                        activeRoleTagIndex
-                                                    }
-                                                    setActiveTagIndex={
-                                                        setActiveRoleTagIndex
-                                                    }
-                                                    placeholder={t(
-                                                        "accessRoleSelect2"
-                                                    )}
-                                                    size="sm"
-                                                    tags={field.value}
-                                                    setTags={setRoleTags}
-                                                    enableAutocomplete={true}
-                                                    autocompleteOptions={
-                                                        allRoleOptions
-                                                    }
-                                                    allowDuplicates={false}
-                                                    restrictTagsToAutocompleteOptions={
-                                                        true
-                                                    }
-                                                    sortTags={true}
-                                                    disabled={loading}
-                                                />
-                                            </FormControl>
-                                            {showMultiRolePaywallMessage && (
-                                                <FormDescription>
-                                                    {build === "saas"
-                                                        ? t(
-                                                              "singleRolePerUserPlanNotice"
-                                                          )
-                                                        : t(
-                                                              "singleRolePerUserEditionNotice"
-                                                          )}
-                                                </FormDescription>
-                                            )}
-                                            <FormMessage />
-                                        </FormItem>
-                                    )}
+                                    label={t("roles")}
+                                    placeholder={t("accessRoleSelect2")}
+                                    allRoleOptions={allRoleOptions}
+                                    supportsMultipleRolesPerUser={
+                                        supportsMultipleRolesPerUser
+                                    }
+                                    showMultiRolePaywallMessage={
+                                        showMultiRolePaywallMessage
+                                    }
+                                    paywallMessage={paywallMessage}
+                                    loading={loading}
+                                    activeTagIndex={activeRoleTagIndex}
+                                    setActiveTagIndex={setActiveRoleTagIndex}
                                 />
 
                                 {user.idpAutoProvision && (
diff --git a/src/app/[orgId]/settings/access/users/create/page.tsx b/src/app/[orgId]/settings/access/users/create/page.tsx
index 08737f5e2..0263d2b72 100644
--- a/src/app/[orgId]/settings/access/users/create/page.tsx
+++ b/src/app/[orgId]/settings/access/users/create/page.tsx
@@ -32,7 +32,7 @@ import {
 } from "@app/components/ui/select";
 import { toast } from "@app/hooks/useToast";
 import { zodResolver } from "@hookform/resolvers/zod";
-import { InviteUserBody, InviteUserResponse } from "@server/routers/user";
+import { InviteUserResponse } from "@server/routers/user";
 import { AxiosResponse } from "axios";
 import { useEffect } from "react";
 import { useForm } from "react-hook-form";
@@ -49,6 +49,7 @@ import { build } from "@server/build";
 import Image from "next/image";
 import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import OrgRolesTagField from "@app/components/OrgRolesTagField";
 
 type UserType = "internal" | "oidc";
 
@@ -76,7 +77,14 @@ export default function Page() {
     const api = createApiClient({ env });
     const t = useTranslations();
 
-    const { hasSaasSubscription } = usePaidStatus();
+    const { hasSaasSubscription, isPaidUser } = usePaidStatus();
+    const isPaid = isPaidUser(tierMatrix.fullRbac);
+    const supportsMultipleRolesPerUser = isPaid;
+    const showMultiRolePaywallMessage =
+        !env.flags.disableEnterpriseFeatures &&
+        ((build === "saas" && !isPaid) ||
+            (build === "enterprise" && !isPaid) ||
+            (build === "oss" && !isPaid));
 
     const [selectedOption, setSelectedOption] = useState<string | null>(
         "internal"
@@ -89,19 +97,34 @@ export default function Page() {
     const [sendEmail, setSendEmail] = useState(env.email.emailEnabled);
     const [userOptions, setUserOptions] = useState<UserOption[]>([]);
     const [dataLoaded, setDataLoaded] = useState(false);
+    const [activeInviteRoleTagIndex, setActiveInviteRoleTagIndex] = useState<
+        number | null
+    >(null);
+    const [activeOidcRoleTagIndex, setActiveOidcRoleTagIndex] = useState<
+        number | null
+    >(null);
+
+    const roleTagsFieldSchema = z
+        .array(
+            z.object({
+                id: z.string(),
+                text: z.string()
+            })
+        )
+        .min(1, { message: t("accessRoleSelectPlease") });
 
     const internalFormSchema = z.object({
         email: z.email({ message: t("emailInvalid") }),
         validForHours: z
             .string()
             .min(1, { message: t("inviteValidityDuration") }),
-        roleId: z.string().min(1, { message: t("accessRoleSelectPlease") })
+        roles: roleTagsFieldSchema
     });
 
     const googleAzureFormSchema = z.object({
         email: z.email({ message: t("emailInvalid") }),
         name: z.string().optional(),
-        roleId: z.string().min(1, { message: t("accessRoleSelectPlease") })
+        roles: roleTagsFieldSchema
     });
 
     const genericOidcFormSchema = z.object({
@@ -111,7 +134,7 @@ export default function Page() {
             .optional()
             .or(z.literal("")),
         name: z.string().optional(),
-        roleId: z.string().min(1, { message: t("accessRoleSelectPlease") })
+        roles: roleTagsFieldSchema
     });
 
     const formatIdpType = (type: string) => {
@@ -166,12 +189,22 @@ export default function Page() {
         { hours: 168, name: t("day", { count: 7 }) }
     ];
 
+    const allRoleOptions = roles.map((role) => ({
+        id: role.roleId.toString(),
+        text: role.name
+    }));
+
+    const invitePaywallMessage =
+        build === "saas"
+            ? t("singleRolePerUserPlanNotice")
+            : t("singleRolePerUserEditionNotice");
+
     const internalForm = useForm({
         resolver: zodResolver(internalFormSchema),
         defaultValues: {
             email: "",
             validForHours: "72",
-            roleId: ""
+            roles: [] as { id: string; text: string }[]
         }
     });
 
@@ -180,7 +213,7 @@ export default function Page() {
         defaultValues: {
             email: "",
             name: "",
-            roleId: ""
+            roles: [] as { id: string; text: string }[]
         }
     });
 
@@ -190,7 +223,7 @@ export default function Page() {
             username: "",
             email: "",
             name: "",
-            roleId: ""
+            roles: [] as { id: string; text: string }[]
         }
     });
 
@@ -305,16 +338,17 @@ export default function Page() {
     ) {
         setLoading(true);
 
-        const res = await api
-            .post<AxiosResponse<InviteUserResponse>>(
-                `/org/${orgId}/create-invite`,
-                {
-                    email: values.email,
-                    roleId: parseInt(values.roleId),
-                    validHours: parseInt(values.validForHours),
-                    sendEmail: sendEmail
-                } as InviteUserBody
-            )
+        const roleIds = values.roles.map((r) => parseInt(r.id, 10));
+
+        const res = await api.post<AxiosResponse<InviteUserResponse>>(
+            `/org/${orgId}/create-invite`,
+            {
+                email: values.email,
+                roleIds,
+                validHours: parseInt(values.validForHours),
+                sendEmail
+            }
+        )
             .catch((e) => {
                 if (e.response?.status === 409) {
                     toast({
@@ -358,6 +392,8 @@ export default function Page() {
 
         setLoading(true);
 
+        const roleIds = values.roles.map((r) => parseInt(r.id, 10));
+
         const res = await api
             .put(`/org/${orgId}/user`, {
                 username: values.email, // Use email as username for Google/Azure
@@ -365,7 +401,7 @@ export default function Page() {
                 name: values.name,
                 type: "oidc",
                 idpId: selectedUserOption.idpId,
-                roleId: parseInt(values.roleId)
+                roleIds
             })
             .catch((e) => {
                 toast({
@@ -400,6 +436,8 @@ export default function Page() {
 
         setLoading(true);
 
+        const roleIds = values.roles.map((r) => parseInt(r.id, 10));
+
         const res = await api
             .put(`/org/${orgId}/user`, {
                 username: values.username,
@@ -407,7 +445,7 @@ export default function Page() {
                 name: values.name,
                 type: "oidc",
                 idpId: selectedUserOption.idpId,
-                roleId: parseInt(values.roleId)
+                roleIds
             })
             .catch((e) => {
                 toast({
@@ -575,52 +613,32 @@ export default function Page() {
                                                         )}
                                                     />
 
-                                                    <FormField
-                                                        control={
-                                                            internalForm.control
-                                                        }
-                                                        name="roleId"
-                                                        render={({ field }) => (
-                                                            <FormItem>
-                                                                <FormLabel>
-                                                                    {t("role")}
-                                                                </FormLabel>
-                                                                <Select
-                                                                    onValueChange={
-                                                                        field.onChange
-                                                                    }
-                                                                >
-                                                                    <FormControl>
-                                                                        <SelectTrigger className="w-full">
-                                                                            <SelectValue
-                                                                                placeholder={t(
-                                                                                    "accessRoleSelect"
-                                                                                )}
-                                                                            />
-                                                                        </SelectTrigger>
-                                                                    </FormControl>
-                                                                    <SelectContent>
-                                                                        {roles.map(
-                                                                            (
-                                                                                role
-                                                                            ) => (
-                                                                                <SelectItem
-                                                                                    key={
-                                                                                        role.roleId
-                                                                                    }
-                                                                                    value={role.roleId.toString()}
-                                                                                >
-                                                                                    {
-                                                                                        role.name
-                                                                                    }
-                                                                                </SelectItem>
-                                                                            )
-                                                                        )}
-                                                                    </SelectContent>
-                                                                </Select>
-                                                                <FormMessage />
-                                                            </FormItem>
+                                                    <OrgRolesTagField
+                                                        form={internalForm}
+                                                        name="roles"
+                                                        label={t("roles")}
+                                                        placeholder={t(
+                                                            "accessRoleSelect2"
                                                         )}
+                                                        allRoleOptions={
+                                                            allRoleOptions
+                                                        }
+                                                        supportsMultipleRolesPerUser={
+                                                            supportsMultipleRolesPerUser
+                                                        }
+                                                        showMultiRolePaywallMessage={
+                                                            showMultiRolePaywallMessage
+                                                        }
+                                                        paywallMessage={
+                                                            invitePaywallMessage
+                                                        }
+                                                        loading={loading}
+                                                        activeTagIndex={
+                                                            activeInviteRoleTagIndex
+                                                        }
+                                                        setActiveTagIndex={
+                                                            setActiveInviteRoleTagIndex
+                                                        }
                                                     />
 
                                                     {env.email.emailEnabled && (
@@ -764,52 +782,32 @@ export default function Page() {
                                                         )}
                                                     />
 
-                                                    <FormField
-                                                        control={
-                                                            googleAzureForm.control
-                                                        }
-                                                        name="roleId"
-                                                        render={({ field }) => (
-                                                            <FormItem>
-                                                                <FormLabel>
-                                                                    {t("role")}
-                                                                </FormLabel>
-                                                                <Select
-                                                                    onValueChange={
-                                                                        field.onChange
-                                                                    }
-                                                                >
-                                                                    <FormControl>
-                                                                        <SelectTrigger className="w-full">
-                                                                            <SelectValue
-                                                                                placeholder={t(
-                                                                                    "accessRoleSelect"
-                                                                                )}
-                                                                            />
-                                                                        </SelectTrigger>
-                                                                    </FormControl>
-                                                                    <SelectContent>
-                                                                        {roles.map(
-                                                                            (
-                                                                                role
-                                                                            ) => (
-                                                                                <SelectItem
-                                                                                    key={
-                                                                                        role.roleId
-                                                                                    }
-                                                                                    value={role.roleId.toString()}
-                                                                                >
-                                                                                    {
-                                                                                        role.name
-                                                                                    }
-                                                                                </SelectItem>
-                                                                            )
-                                                                        )}
-                                                                    </SelectContent>
-                                                                </Select>
-                                                                <FormMessage />
-                                                            </FormItem>
+                                                    <OrgRolesTagField
+                                                        form={googleAzureForm}
+                                                        name="roles"
+                                                        label={t("roles")}
+                                                        placeholder={t(
+                                                            "accessRoleSelect2"
                                                         )}
+                                                        allRoleOptions={
+                                                            allRoleOptions
+                                                        }
+                                                        supportsMultipleRolesPerUser={
+                                                            supportsMultipleRolesPerUser
+                                                        }
+                                                        showMultiRolePaywallMessage={
+                                                            showMultiRolePaywallMessage
+                                                        }
+                                                        paywallMessage={
+                                                            invitePaywallMessage
+                                                        }
+                                                        loading={loading}
+                                                        activeTagIndex={
+                                                            activeOidcRoleTagIndex
+                                                        }
+                                                        setActiveTagIndex={
+                                                            setActiveOidcRoleTagIndex
+                                                        }
                                                     />
                                                 </form>
                                             </Form>
@@ -909,52 +907,32 @@ export default function Page() {
                                                         )}
                                                     />
 
-                                                    <FormField
-                                                        control={
-                                                            genericOidcForm.control
-                                                        }
-                                                        name="roleId"
-                                                        render={({ field }) => (
-                                                            <FormItem>
-                                                                <FormLabel>
-                                                                    {t("role")}
-                                                                </FormLabel>
-                                                                <Select
-                                                                    onValueChange={
-                                                                        field.onChange
-                                                                    }
-                                                                >
-                                                                    <FormControl>
-                                                                        <SelectTrigger className="w-full">
-                                                                            <SelectValue
-                                                                                placeholder={t(
-                                                                                    "accessRoleSelect"
-                                                                                )}
-                                                                            />
-                                                                        </SelectTrigger>
-                                                                    </FormControl>
-                                                                    <SelectContent>
-                                                                        {roles.map(
-                                                                            (
-                                                                                role
-                                                                            ) => (
-                                                                                <SelectItem
-                                                                                    key={
-                                                                                        role.roleId
-                                                                                    }
-                                                                                    value={role.roleId.toString()}
-                                                                                >
-                                                                                    {
-                                                                                        role.name
-                                                                                    }
-                                                                                </SelectItem>
-                                                                            )
-                                                                        )}
-                                                                    </SelectContent>
-                                                                </Select>
-                                                                <FormMessage />
-                                                            </FormItem>
+                                                    <OrgRolesTagField
+                                                        form={genericOidcForm}
+                                                        name="roles"
+                                                        label={t("roles")}
+                                                        placeholder={t(
+                                                            "accessRoleSelect2"
                                                         )}
+                                                        allRoleOptions={
+                                                            allRoleOptions
+                                                        }
+                                                        supportsMultipleRolesPerUser={
+                                                            supportsMultipleRolesPerUser
+                                                        }
+                                                        showMultiRolePaywallMessage={
+                                                            showMultiRolePaywallMessage
+                                                        }
+                                                        paywallMessage={
+                                                            invitePaywallMessage
+                                                        }
+                                                        loading={loading}
+                                                        activeTagIndex={
+                                                            activeOidcRoleTagIndex
+                                                        }
+                                                        setActiveTagIndex={
+                                                            setActiveOidcRoleTagIndex
+                                                        }
                                                     />
                                                 </form>
                                             </Form>
diff --git a/src/components/InvitationsTable.tsx b/src/components/InvitationsTable.tsx
index 0d2d3e9b6..4fec9e5fc 100644
--- a/src/components/InvitationsTable.tsx
+++ b/src/components/InvitationsTable.tsx
@@ -1,6 +1,5 @@
 "use client";
 
-import { ColumnDef } from "@tanstack/react-table";
 import { ExtendedColumnDef } from "@app/components/ui/data-table";
 import {
     DropdownMenu,
@@ -21,13 +20,14 @@ import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useTranslations } from "next-intl";
 import moment from "moment";
 import { useRouter } from "next/navigation";
+import UserRoleBadges from "@app/components/UserRoleBadges";
 
 export type InvitationRow = {
     id: string;
     email: string;
     expiresAt: string;
-    role: string;
-    roleId: number;
+    roleLabels: string[];
+    roleIds: number[];
 };
 
 type InvitationsTableProps = {
@@ -90,9 +90,13 @@ export default function InvitationsTable({
             }
         },
         {
-            accessorKey: "role",
+            id: "roles",
+            accessorFn: (row) => row.roleLabels.join(", "),
             friendlyName: t("role"),
-            header: () => <span className="p-3">{t("role")}</span>
+            header: () => <span className="p-3">{t("role")}</span>,
+            cell: ({ row }) => (
+                <UserRoleBadges roleLabels={row.original.roleLabels} />
+            )
         },
         {
             id: "dots",
diff --git a/src/components/OrgRolesTagField.tsx b/src/components/OrgRolesTagField.tsx
new file mode 100644
index 000000000..dcd679663
--- /dev/null
+++ b/src/components/OrgRolesTagField.tsx
@@ -0,0 +1,117 @@
+"use client";
+
+import {
+    FormControl,
+    FormDescription,
+    FormField,
+    FormItem,
+    FormLabel,
+    FormMessage
+} from "@app/components/ui/form";
+import { Tag, TagInput } from "@app/components/tags/tag-input";
+import { toast } from "@app/hooks/useToast";
+import { useTranslations } from "next-intl";
+import type { Dispatch, SetStateAction } from "react";
+import type { FieldValues, Path, UseFormReturn } from "react-hook-form";
+
+export type RoleTag = {
+    id: string;
+    text: string;
+};
+
+type OrgRolesTagFieldProps<TFieldValues extends FieldValues> = {
+    form: Pick<UseFormReturn<TFieldValues>, "control" | "getValues" | "setValue">;
+    /** Field in the form that holds Tag[] (role tags). Default: `"roles"`. */
+    name?: Path<TFieldValues>;
+    label: string;
+    placeholder: string;
+    allRoleOptions: Tag[];
+    supportsMultipleRolesPerUser: boolean;
+    showMultiRolePaywallMessage: boolean;
+    paywallMessage: string;
+    loading?: boolean;
+    activeTagIndex: number | null;
+    setActiveTagIndex: Dispatch<SetStateAction<number | null>>;
+};
+
+export default function OrgRolesTagField<TFieldValues extends FieldValues>({
+    form,
+    name = "roles" as Path<TFieldValues>,
+    label,
+    placeholder,
+    allRoleOptions,
+    supportsMultipleRolesPerUser,
+    showMultiRolePaywallMessage,
+    paywallMessage,
+    loading = false,
+    activeTagIndex,
+    setActiveTagIndex
+}: OrgRolesTagFieldProps<TFieldValues>) {
+    const t = useTranslations();
+
+    function setRoleTags(updater: Tag[] | ((prev: Tag[]) => Tag[])) {
+        const prev = form.getValues(name) as Tag[];
+        const nextValue =
+            typeof updater === "function" ? updater(prev) : updater;
+        const next = supportsMultipleRolesPerUser
+            ? nextValue
+            : nextValue.length > 1
+              ? [nextValue[nextValue.length - 1]]
+              : nextValue;
+
+        if (
+            !supportsMultipleRolesPerUser &&
+            next.length === 0 &&
+            prev.length > 0
+        ) {
+            form.setValue(name, [prev[prev.length - 1]] as never, {
+                shouldDirty: true
+            });
+            return;
+        }
+
+        if (next.length === 0) {
+            toast({
+                variant: "destructive",
+                title: t("accessRoleErrorAdd"),
+                description: t("accessRoleSelectPlease")
+            });
+            return;
+        }
+
+        form.setValue(name, next as never, { shouldDirty: true });
+    }
+
+    return (
+        <FormField
+            control={form.control}
+            name={name}
+            render={({ field }) => (
+                <FormItem className="flex flex-col items-start">
+                    <FormLabel>{label}</FormLabel>
+                    <FormControl>
+                        <TagInput
+                            {...field}
+                            activeTagIndex={activeTagIndex}
+                            setActiveTagIndex={setActiveTagIndex}
+                            placeholder={placeholder}
+                            size="sm"
+                            tags={field.value}
+                            setTags={setRoleTags}
+                            enableAutocomplete={true}
+                            autocompleteOptions={allRoleOptions}
+                            allowDuplicates={false}
+                            restrictTagsToAutocompleteOptions={true}
+                            sortTags={true}
+                            disabled={loading}
+                        />
+                    </FormControl>
+                    {showMultiRolePaywallMessage && (
+                        <FormDescription>{paywallMessage}</FormDescription>
+                    )}
+                    <FormMessage />
+                </FormItem>
+            )}
+        />
+    );
+}
diff --git a/src/components/RegenerateInvitationForm.tsx b/src/components/RegenerateInvitationForm.tsx
index 5d067e7d8..ce261d02e 100644
--- a/src/components/RegenerateInvitationForm.tsx
+++ b/src/components/RegenerateInvitationForm.tsx
@@ -32,15 +32,15 @@ type RegenerateInvitationFormProps = {
     invitation: {
         id: string;
         email: string;
-        roleId: number;
-        role: string;
+        roleIds: number[];
+        roleLabels: string[];
     } | null;
     onRegenerate: (updatedInvitation: {
         id: string;
         email: string;
         expiresAt: string;
-        role: string;
-        roleId: number;
+        roleLabels: string[];
+        roleIds: number[];
     }) => void;
 };
 
@@ -94,7 +94,7 @@ export default function RegenerateInvitationForm({
         try {
             const res = await api.post(`/org/${org.org.orgId}/create-invite`, {
                 email: invitation.email,
-                roleId: invitation.roleId,
+                roleIds: invitation.roleIds,
                 validHours,
                 sendEmail,
                 regenerate: true
@@ -127,9 +127,11 @@ export default function RegenerateInvitationForm({
                 onRegenerate({
                     id: invitation.id,
                     email: invitation.email,
-                    expiresAt: res.data.data.expiresAt,
-                    role: invitation.role,
-                    roleId: invitation.roleId
+                    expiresAt: new Date(
+                        res.data.data.expiresAt
+                    ).toISOString(),
+                    roleLabels: invitation.roleLabels,
+                    roleIds: invitation.roleIds
                 });
             }
         } catch (error: any) {
diff --git a/src/components/UserRoleBadges.tsx b/src/components/UserRoleBadges.tsx
new file mode 100644
index 000000000..4888aa107
--- /dev/null
+++ b/src/components/UserRoleBadges.tsx
@@ -0,0 +1,69 @@
+"use client";
+
+import { useState } from "react";
+import { Badge, badgeVariants } from "@app/components/ui/badge";
+import {
+    Popover,
+    PopoverContent,
+    PopoverTrigger
+} from "@app/components/ui/popover";
+import { cn } from "@app/lib/cn";
+
+const MAX_ROLE_BADGES = 3;
+
+export default function UserRoleBadges({
+    roleLabels
+}: {
+    roleLabels: string[];
+}) {
+    const visible = roleLabels.slice(0, MAX_ROLE_BADGES);
+    const overflow = roleLabels.slice(MAX_ROLE_BADGES);
+
+    return (
+        <div className="flex flex-wrap items-center gap-1">
+            {visible.map((label, i) => (
+                <Badge key={`${label}-${i}`} variant="secondary">
+                    {label}
+                </Badge>
+            ))}
+            {overflow.length > 0 && (
+                <OverflowRolesPopover labels={overflow} />
+            )}
+        </div>
+    );
+}
+
+function OverflowRolesPopover({ labels }: { labels: string[] }) {
+    const [open, setOpen] = useState(false);
+
+    return (
+        <Popover open={open} onOpenChange={setOpen}>
+            <PopoverTrigger asChild>
+                <button
+                    type="button"
+                    className={cn(
+                        badgeVariants({ variant: "secondary" }),
+                        "border-dashed"
+                    )}
+                    onMouseEnter={() => setOpen(true)}
+                    onMouseLeave={() => setOpen(false)}
+                >
+                    +{labels.length}
+                </button>
+            </PopoverTrigger>
+            <PopoverContent
+                align="start"
+                side="top"
+                className="w-auto max-w-xs p-2"
+                onMouseEnter={() => setOpen(true)}
+                onMouseLeave={() => setOpen(false)}
+            >
+                <ul className="space-y-1 text-sm">
+                    {labels.map((label, i) => (
+                        <li key={`${label}-${i}`}>{label}</li>
+                    ))}
+                </ul>
+            </PopoverContent>
+        </Popover>
+    );
+}
diff --git a/src/components/UsersTable.tsx b/src/components/UsersTable.tsx
index be1d6a345..3e2d4e578 100644
--- a/src/components/UsersTable.tsx
+++ b/src/components/UsersTable.tsx
@@ -12,13 +12,6 @@ import { Button } from "@app/components/ui/button";
 import { ArrowRight, ArrowUpDown, Crown, MoreHorizontal } from "lucide-react";
 import { UsersDataTable } from "@app/components/UsersDataTable";
 import { useState, useEffect } from "react";
-import {
-    Popover,
-    PopoverContent,
-    PopoverTrigger
-} from "@app/components/ui/popover";
-import { Badge, badgeVariants } from "@app/components/ui/badge";
-import { cn } from "@app/lib/cn";
 import ConfirmDeleteDialog from "@app/components/ConfirmDeleteDialog";
 import { useOrgContext } from "@app/hooks/useOrgContext";
 import { toast } from "@app/hooks/useToast";
@@ -31,6 +24,7 @@ import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useUserContext } from "@app/hooks/useUserContext";
 import { useTranslations } from "next-intl";
 import IdpTypeBadge from "./IdpTypeBadge";
+import UserRoleBadges from "./UserRoleBadges";
 
 export type UserRow = {
     id: string;
@@ -47,61 +41,6 @@ export type UserRow = {
     isOwner: boolean;
 };
 
-const MAX_ROLE_BADGES = 3;
-
-function UserRoleBadges({ roleLabels }: { roleLabels: string[] }) {
-    const visible = roleLabels.slice(0, MAX_ROLE_BADGES);
-    const overflow = roleLabels.slice(MAX_ROLE_BADGES);
-
-    return (
-        <div className="flex flex-wrap items-center gap-1">
-            {visible.map((label, i) => (
-                <Badge key={`${label}-${i}`} variant="secondary">
-                    {label}
-                </Badge>
-            ))}
-            {overflow.length > 0 && (
-                <OverflowRolesPopover labels={overflow} />
-            )}
-        </div>
-    );
-}
-
-function OverflowRolesPopover({ labels }: { labels: string[] }) {
-    const [open, setOpen] = useState(false);
-
-    return (
-        <Popover open={open} onOpenChange={setOpen}>
-            <PopoverTrigger asChild>
-                <button
-                    type="button"
-                    className={cn(
-                        badgeVariants({ variant: "secondary" }),
-                        "border-dashed"
-                    )}
-                    onMouseEnter={() => setOpen(true)}
-                    onMouseLeave={() => setOpen(false)}
-                >
-                    +{labels.length}
-                </button>
-            </PopoverTrigger>
-            <PopoverContent
-                align="start"
-                side="top"
-                className="w-auto max-w-xs p-2"
-                onMouseEnter={() => setOpen(true)}
-                onMouseLeave={() => setOpen(false)}
-            >
-                <ul className="space-y-1 text-sm">
-                    {labels.map((label, i) => (
-                        <li key={`${label}-${i}`}>{label}</li>
-                    ))}
-                </ul>
-            </PopoverContent>
-        </Popover>
-    );
-}
-
 type UsersTableProps = {
     users: UserRow[];
 };

From 77cef554bef6f0aa6097530ee2ffbee2b5c98ed7 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sun, 29 Mar 2026 14:20:47 -0700
Subject: [PATCH 155/314] Provisioning room basics done

---
 messages/en-US.json                           |   5 +
 server/db/pg/schema/schema.ts                 |   3 +-
 server/db/sqlite/schema/schema.ts             |   3 +-
 server/routers/newt/registerNewt.ts           |   3 +-
 server/routers/site/createSite.ts             |   9 +-
 server/routers/site/listSites.ts              |  17 +-
 server/routers/site/updateSite.ts             |   3 +-
 .../settings/provisioning/keys/page.tsx       |  56 +++
 .../[orgId]/settings/provisioning/layout.tsx  |  38 ++
 .../[orgId]/settings/provisioning/page.tsx    |  56 +--
 .../settings/provisioning/pending/page.tsx    |  82 ++++
 src/app/[orgId]/settings/sites/page.tsx       |   1 +
 src/components/PendingSitesTable.tsx          | 440 ++++++++++++++++++
 13 files changed, 654 insertions(+), 62 deletions(-)
 create mode 100644 src/app/[orgId]/settings/provisioning/keys/page.tsx
 create mode 100644 src/app/[orgId]/settings/provisioning/layout.tsx
 create mode 100644 src/app/[orgId]/settings/provisioning/pending/page.tsx
 create mode 100644 src/components/PendingSitesTable.tsx

diff --git a/messages/en-US.json b/messages/en-US.json
index 7a3fde1d4..ad64cb5e2 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -331,6 +331,11 @@
     "provisioningKeysTitle": "Provisioning Key",
     "provisioningKeysManage": "Manage Provisioning Keys",
     "provisioningKeysDescription": "Provisioning keys are used to authenticate automated site provisioning for your organization.",
+    "provisioningManage": "Provisioning",
+    "provisioningDescription": "Manage provisioning keys and review pending sites awaiting approval.",
+    "pendingSites": "Pending Sites",
+    "siteApproveSuccess": "Site approved successfully",
+    "siteApproveError": "Error approving site",
     "provisioningKeys": "Provisioning Keys",
     "searchProvisioningKeys": "Search provisioning keys...",
     "provisioningKeysAdd": "Generate Provisioning Key",
diff --git a/server/db/pg/schema/schema.ts b/server/db/pg/schema/schema.ts
index bb05ca358..a64aad2ef 100644
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -100,7 +100,8 @@ export const sites = pgTable("sites", {
     publicKey: varchar("publicKey"),
     lastHolePunch: bigint("lastHolePunch", { mode: "number" }),
     listenPort: integer("listenPort"),
-    dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true)
+    dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true),
+    status: varchar("status").$type<"pending" | "accepted">()
 });
 
 export const resources = pgTable("resources", {
diff --git a/server/db/sqlite/schema/schema.ts b/server/db/sqlite/schema/schema.ts
index 5d7c01377..52969d183 100644
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -110,7 +110,8 @@ export const sites = sqliteTable("sites", {
     listenPort: integer("listenPort"),
     dockerSocketEnabled: integer("dockerSocketEnabled", { mode: "boolean" })
         .notNull()
-        .default(true)
+        .default(true),
+    status: text("status").$type<"pending" | "accepted">()
 });
 
 export const resources = sqliteTable("resources", {
diff --git a/server/routers/newt/registerNewt.ts b/server/routers/newt/registerNewt.ts
index 427ac173f..4923fb88e 100644
--- a/server/routers/newt/registerNewt.ts
+++ b/server/routers/newt/registerNewt.ts
@@ -196,7 +196,8 @@ export async function registerNewt(
                     name: niceId,
                     niceId,
                     type: "newt",
-                    dockerSocketEnabled: true
+                    dockerSocketEnabled: true,
+                    status: "pending"
                 })
                 .returning();
 
diff --git a/server/routers/site/createSite.ts b/server/routers/site/createSite.ts
index 4edebb080..bf62e93cd 100644
--- a/server/routers/site/createSite.ts
+++ b/server/routers/site/createSite.ts
@@ -298,7 +298,8 @@ export async function createSite(
                         niceId,
                         address: updatedAddress || null,
                         type,
-                        dockerSocketEnabled: true
+                        dockerSocketEnabled: true,
+                        status: "accepted"
                     })
                     .returning();
             } else if (type == "wireguard") {
@@ -355,7 +356,8 @@ export async function createSite(
                         niceId,
                         subnet,
                         type,
-                        pubKey: pubKey || null
+                        pubKey: pubKey || null,
+                        status: "accepted"
                     })
                     .returning();
             } else if (type == "local") {
@@ -370,7 +372,8 @@ export async function createSite(
                         type,
                         dockerSocketEnabled: false,
                         online: true,
-                        subnet: "0.0.0.0/32"
+                        subnet: "0.0.0.0/32",
+                        status: "accepted"
                     })
                     .returning();
             } else {
diff --git a/server/routers/site/listSites.ts b/server/routers/site/listSites.ts
index a244c650c..1d7e99042 100644
--- a/server/routers/site/listSites.ts
+++ b/server/routers/site/listSites.ts
@@ -135,6 +135,15 @@ const listSitesSchema = z.object({
         .openapi({
             type: "boolean",
             description: "Filter by online status"
+        }),
+    status: z
+        .enum(["pending", "accepted"])
+        .optional()
+        .catch(undefined)
+        .openapi({
+            type: "string",
+            enum: ["pending", "accepted"],
+            description: "Filter by site status"
         })
 });
 
@@ -156,7 +165,8 @@ function querySitesBase() {
             exitNodeId: sites.exitNodeId,
             exitNodeName: exitNodes.name,
             exitNodeEndpoint: exitNodes.endpoint,
-            remoteExitNodeId: remoteExitNodes.remoteExitNodeId
+            remoteExitNodeId: remoteExitNodes.remoteExitNodeId,
+            status: sites.status
         })
         .from(sites)
         .leftJoin(orgs, eq(sites.orgId, orgs.orgId))
@@ -245,7 +255,7 @@ export async function listSites(
                 .where(eq(sites.orgId, orgId));
         }
 
-        const { pageSize, page, query, sort_by, order, online } =
+        const { pageSize, page, query, sort_by, order, online, status } =
             parsedQuery.data;
 
         const accessibleSiteIds = accessibleSites.map((site) => site.siteId);
@@ -273,6 +283,9 @@ export async function listSites(
         if (typeof online !== "undefined") {
             conditions.push(eq(sites.online, online));
         }
+        if (typeof status !== "undefined") {
+            conditions.push(eq(sites.status, status));
+        }
 
         const baseQuery = querySitesBase().where(and(...conditions));
 
diff --git a/server/routers/site/updateSite.ts b/server/routers/site/updateSite.ts
index ca0f76783..244adf7b8 100644
--- a/server/routers/site/updateSite.ts
+++ b/server/routers/site/updateSite.ts
@@ -19,7 +19,8 @@ const updateSiteBodySchema = z
     .strictObject({
         name: z.string().min(1).max(255).optional(),
         niceId: z.string().min(1).max(255).optional(),
-        dockerSocketEnabled: z.boolean().optional()
+        dockerSocketEnabled: z.boolean().optional(),
+        status: z.enum(["pending", "accepted"]).optional(),
         // remoteSubnets: z.string().optional()
         // subdomain: z
         //     .string()
diff --git a/src/app/[orgId]/settings/provisioning/keys/page.tsx b/src/app/[orgId]/settings/provisioning/keys/page.tsx
new file mode 100644
index 000000000..1cfbf5b05
--- /dev/null
+++ b/src/app/[orgId]/settings/provisioning/keys/page.tsx
@@ -0,0 +1,56 @@
+import { internal } from "@app/lib/api";
+import { authCookieHeader } from "@app/lib/api/cookies";
+import { AxiosResponse } from "axios";
+import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
+import SiteProvisioningKeysTable, {
+    SiteProvisioningKeyRow
+} from "../../../../../components/SiteProvisioningKeysTable";
+import { ListSiteProvisioningKeysResponse } from "@server/routers/siteProvisioning/types";
+import { getTranslations } from "next-intl/server";
+import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
+
+type ProvisioningKeysPageProps = {
+    params: Promise<{ orgId: string }>;
+};
+
+export const dynamic = "force-dynamic";
+
+export default async function ProvisioningKeysPage(
+    props: ProvisioningKeysPageProps
+) {
+    const params = await props.params;
+    const t = await getTranslations();
+
+    let siteProvisioningKeys: ListSiteProvisioningKeysResponse["siteProvisioningKeys"] =
+        [];
+    try {
+        const res = await internal.get<
+            AxiosResponse<ListSiteProvisioningKeysResponse>
+        >(
+            `/org/${params.orgId}/site-provisioning-keys`,
+            await authCookieHeader()
+        );
+        siteProvisioningKeys = res.data.data.siteProvisioningKeys;
+    } catch (e) {}
+
+    const rows: SiteProvisioningKeyRow[] = siteProvisioningKeys.map((k) => ({
+        name: k.name,
+        id: k.siteProvisioningKeyId,
+        key: `${k.siteProvisioningKeyId}••••••••••••••••••••${k.lastChars}`,
+        createdAt: k.createdAt,
+        lastUsed: k.lastUsed,
+        maxBatchSize: k.maxBatchSize,
+        numUsed: k.numUsed,
+        validUntil: k.validUntil
+    }));
+
+    return (
+        <>
+            <PaidFeaturesAlert
+                tiers={tierMatrix[TierFeature.SiteProvisioningKeys]}
+            />
+
+            <SiteProvisioningKeysTable keys={rows} orgId={params.orgId} />
+        </>
+    );
+}
\ No newline at end of file
diff --git a/src/app/[orgId]/settings/provisioning/layout.tsx b/src/app/[orgId]/settings/provisioning/layout.tsx
new file mode 100644
index 000000000..bd2da7812
--- /dev/null
+++ b/src/app/[orgId]/settings/provisioning/layout.tsx
@@ -0,0 +1,38 @@
+import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
+import { HorizontalTabs } from "@app/components/HorizontalTabs";
+import { getTranslations } from "next-intl/server";
+
+interface ProvisioningLayoutProps {
+    children: React.ReactNode;
+    params: Promise<{ orgId: string }>;
+}
+
+export default async function ProvisioningLayout({
+    children,
+    params
+}: ProvisioningLayoutProps) {
+    const { orgId } = await params;
+    const t = await getTranslations();
+
+    const navItems = [
+        {
+            title: t("provisioningKeys"),
+            href: `/${orgId}/settings/provisioning/keys`
+        },
+        {
+            title: t("pendingSites"),
+            href: `/${orgId}/settings/provisioning/pending`
+        }
+    ];
+
+    return (
+        <>
+            <SettingsSectionTitle
+                title={t("provisioningManage")}
+                description={t("provisioningDescription")}
+            />
+
+            <HorizontalTabs items={navItems}>{children}</HorizontalTabs>
+        </>
+    );
+}
\ No newline at end of file
diff --git a/src/app/[orgId]/settings/provisioning/page.tsx b/src/app/[orgId]/settings/provisioning/page.tsx
index e8b53104f..51db66c2d 100644
--- a/src/app/[orgId]/settings/provisioning/page.tsx
+++ b/src/app/[orgId]/settings/provisioning/page.tsx
@@ -1,60 +1,10 @@
-import { internal } from "@app/lib/api";
-import { authCookieHeader } from "@app/lib/api/cookies";
-import { AxiosResponse } from "axios";
-import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
-import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
-import SiteProvisioningKeysTable, {
-    SiteProvisioningKeyRow
-} from "../../../../components/SiteProvisioningKeysTable";
-import { ListSiteProvisioningKeysResponse } from "@server/routers/siteProvisioning/types";
-import { getTranslations } from "next-intl/server";
-import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
+import { redirect } from "next/navigation";
 
 type ProvisioningPageProps = {
     params: Promise<{ orgId: string }>;
 };
 
-export const dynamic = "force-dynamic";
-
 export default async function ProvisioningPage(props: ProvisioningPageProps) {
     const params = await props.params;
-    const t = await getTranslations();
-
-    let siteProvisioningKeys: ListSiteProvisioningKeysResponse["siteProvisioningKeys"] =
-        [];
-    try {
-        const res = await internal.get<
-            AxiosResponse<ListSiteProvisioningKeysResponse>
-        >(
-            `/org/${params.orgId}/site-provisioning-keys`,
-            await authCookieHeader()
-        );
-        siteProvisioningKeys = res.data.data.siteProvisioningKeys;
-    } catch (e) {}
-
-    const rows: SiteProvisioningKeyRow[] = siteProvisioningKeys.map((k) => ({
-        name: k.name,
-        id: k.siteProvisioningKeyId,
-        key: `${k.siteProvisioningKeyId}••••••••••••••••••••${k.lastChars}`,
-        createdAt: k.createdAt,
-        lastUsed: k.lastUsed,
-        maxBatchSize: k.maxBatchSize,
-        numUsed: k.numUsed,
-        validUntil: k.validUntil
-    }));
-
-    return (
-        <>
-            <SettingsSectionTitle
-                title={t("provisioningKeysManage")}
-                description={t("provisioningKeysDescription")}
-            />
-
-            <PaidFeaturesAlert
-                tiers={tierMatrix[TierFeature.SiteProvisioningKeys]}
-            />
-
-            <SiteProvisioningKeysTable keys={rows} orgId={params.orgId} />
-        </>
-    );
-}
+    redirect(`/${params.orgId}/settings/provisioning/keys`);
+}
\ No newline at end of file
diff --git a/src/app/[orgId]/settings/provisioning/pending/page.tsx b/src/app/[orgId]/settings/provisioning/pending/page.tsx
new file mode 100644
index 000000000..78178cb14
--- /dev/null
+++ b/src/app/[orgId]/settings/provisioning/pending/page.tsx
@@ -0,0 +1,82 @@
+import { internal } from "@app/lib/api";
+import { authCookieHeader } from "@app/lib/api/cookies";
+import { ListSitesResponse } from "@server/routers/site";
+import { AxiosResponse } from "axios";
+import { SiteRow } from "@app/components/SitesTable";
+import PendingSitesTable from "@app/components/PendingSitesTable";
+import { getTranslations } from "next-intl/server";
+
+type PendingSitesPageProps = {
+    params: Promise<{ orgId: string }>;
+    searchParams: Promise<Record<string, string>>;
+};
+
+export const dynamic = "force-dynamic";
+
+export default async function PendingSitesPage(props: PendingSitesPageProps) {
+    const params = await props.params;
+
+    const incomingSearchParams = new URLSearchParams(await props.searchParams);
+    incomingSearchParams.set("status", "pending");
+
+    let sites: ListSitesResponse["sites"] = [];
+    let pagination: ListSitesResponse["pagination"] = {
+        total: 0,
+        page: 1,
+        pageSize: 20
+    };
+
+    try {
+        const res = await internal.get<AxiosResponse<ListSitesResponse>>(
+            `/org/${params.orgId}/sites?${incomingSearchParams.toString()}`,
+            await authCookieHeader()
+        );
+        const responseData = res.data.data;
+        sites = responseData.sites;
+        pagination = responseData.pagination;
+    } catch (e) {}
+
+    const t = await getTranslations();
+
+    function formatSize(mb: number, type: string): string {
+        if (type === "local") {
+            return "-";
+        }
+        if (mb >= 1024 * 1024) {
+            return t("terabytes", { count: (mb / (1024 * 1024)).toFixed(2) });
+        } else if (mb >= 1024) {
+            return t("gigabytes", { count: (mb / 1024).toFixed(2) });
+        } else {
+            return t("megabytes", { count: mb.toFixed(2) });
+        }
+    }
+
+    const siteRows: SiteRow[] = sites.map((site) => ({
+        name: site.name,
+        id: site.siteId,
+        nice: site.niceId.toString(),
+        address: site.address?.split("/")[0],
+        mbIn: formatSize(site.megabytesIn || 0, site.type),
+        mbOut: formatSize(site.megabytesOut || 0, site.type),
+        orgId: params.orgId,
+        type: site.type as any,
+        online: site.online,
+        newtVersion: site.newtVersion || undefined,
+        newtUpdateAvailable: site.newtUpdateAvailable || false,
+        exitNodeName: site.exitNodeName || undefined,
+        exitNodeEndpoint: site.exitNodeEndpoint || undefined,
+        remoteExitNodeId: (site as any).remoteExitNodeId || undefined
+    }));
+
+    return (
+        <PendingSitesTable
+            sites={siteRows}
+            orgId={params.orgId}
+            rowCount={pagination.total}
+            pagination={{
+                pageIndex: pagination.page - 1,
+                pageSize: pagination.pageSize
+            }}
+        />
+    );
+}
\ No newline at end of file
diff --git a/src/app/[orgId]/settings/sites/page.tsx b/src/app/[orgId]/settings/sites/page.tsx
index 161c757f6..5839ba2be 100644
--- a/src/app/[orgId]/settings/sites/page.tsx
+++ b/src/app/[orgId]/settings/sites/page.tsx
@@ -18,6 +18,7 @@ export default async function SitesPage(props: SitesPageProps) {
     const params = await props.params;
 
     const searchParams = new URLSearchParams(await props.searchParams);
+    searchParams.set("status", "accepted");
 
     let sites: ListSitesResponse["sites"] = [];
     let pagination: ListSitesResponse["pagination"] = {
diff --git a/src/components/PendingSitesTable.tsx b/src/components/PendingSitesTable.tsx
new file mode 100644
index 000000000..f9126a091
--- /dev/null
+++ b/src/components/PendingSitesTable.tsx
@@ -0,0 +1,440 @@
+"use client";
+
+import { Badge } from "@app/components/ui/badge";
+import { Button } from "@app/components/ui/button";
+import { InfoPopup } from "@app/components/ui/info-popup";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { useNavigationContext } from "@app/hooks/useNavigationContext";
+import { getNextSortOrder, getSortDirection } from "@app/lib/sortColumn";
+import { toast } from "@app/hooks/useToast";
+import { createApiClient, formatAxiosError } from "@app/lib/api";
+import { build } from "@server/build";
+import { type PaginationState } from "@tanstack/react-table";
+import {
+    ArrowDown01Icon,
+    ArrowUp10Icon,
+    ArrowUpRight,
+    Check,
+    ChevronsUpDownIcon
+} from "lucide-react";
+import { useTranslations } from "next-intl";
+import Link from "next/link";
+import { usePathname, useRouter } from "next/navigation";
+import { useState, useTransition } from "react";
+import { useDebouncedCallback } from "use-debounce";
+import z from "zod";
+import { ColumnFilterButton } from "./ColumnFilterButton";
+import {
+    ControlledDataTable,
+    type ExtendedColumnDef
+} from "./ui/controlled-data-table";
+import { SiteRow } from "./SitesTable";
+
+type PendingSitesTableProps = {
+    sites: SiteRow[];
+    pagination: PaginationState;
+    orgId: string;
+    rowCount: number;
+};
+
+export default function PendingSitesTable({
+    sites,
+    orgId,
+    pagination,
+    rowCount
+}: PendingSitesTableProps) {
+    const router = useRouter();
+    const pathname = usePathname();
+    const {
+        navigate: filter,
+        isNavigating: isFiltering,
+        searchParams
+    } = useNavigationContext();
+
+    const [isRefreshing, startTransition] = useTransition();
+    const [approvingIds, setApprovingIds] = useState<Set<number>>(new Set());
+
+    const api = createApiClient(useEnvContext());
+    const t = useTranslations();
+
+    const booleanSearchFilterSchema = z
+        .enum(["true", "false"])
+        .optional()
+        .catch(undefined);
+
+    function handleFilterChange(
+        column: string,
+        value: string | undefined | null
+    ) {
+        const sp = new URLSearchParams(searchParams);
+        sp.delete(column);
+        sp.delete("page");
+
+        if (value) {
+            sp.set(column, value);
+        }
+        startTransition(() => router.push(`${pathname}?${sp.toString()}`));
+    }
+
+    function refreshData() {
+        startTransition(async () => {
+            try {
+                router.refresh();
+            } catch (error) {
+                toast({
+                    title: t("error"),
+                    description: t("refreshError"),
+                    variant: "destructive"
+                });
+            }
+        });
+    }
+
+    async function approveSite(siteId: number) {
+        setApprovingIds((prev) => new Set(prev).add(siteId));
+        try {
+            await api.post(`/site/${siteId}`, { status: "accepted" });
+            toast({
+                title: t("success"),
+                description: t("siteApproveSuccess"),
+                variant: "default"
+            });
+            router.refresh();
+        } catch (e) {
+            toast({
+                variant: "destructive",
+                title: t("siteApproveError"),
+                description: formatAxiosError(e, t("siteApproveError"))
+            });
+        } finally {
+            setApprovingIds((prev) => {
+                const next = new Set(prev);
+                next.delete(siteId);
+                return next;
+            });
+        }
+    }
+
+    const columns: ExtendedColumnDef<SiteRow>[] = [
+        {
+            accessorKey: "name",
+            enableHiding: false,
+            header: () => {
+                const nameOrder = getSortDirection("name", searchParams);
+                const Icon =
+                    nameOrder === "asc"
+                        ? ArrowDown01Icon
+                        : nameOrder === "desc"
+                          ? ArrowUp10Icon
+                          : ChevronsUpDownIcon;
+
+                return (
+                    <Button
+                        variant="ghost"
+                        className="p-3"
+                        onClick={() => toggleSort("name")}
+                    >
+                        {t("name")}
+                        <Icon className="ml-2 h-4 w-4" />
+                    </Button>
+                );
+            }
+        },
+        {
+            id: "niceId",
+            accessorKey: "nice",
+            friendlyName: t("identifier"),
+            enableHiding: true,
+            header: () => {
+                return <span className="p-3">{t("identifier")}</span>;
+            },
+            cell: ({ row }) => {
+                return <span>{row.original.nice || "-"}</span>;
+            }
+        },
+        {
+            accessorKey: "online",
+            friendlyName: t("online"),
+            header: () => {
+                return (
+                    <ColumnFilterButton
+                        options={[
+                            { value: "true", label: t("online") },
+                            { value: "false", label: t("offline") }
+                        ]}
+                        selectedValue={booleanSearchFilterSchema.parse(
+                            searchParams.get("online")
+                        )}
+                        onValueChange={(value) =>
+                            handleFilterChange("online", value)
+                        }
+                        searchPlaceholder={t("searchPlaceholder")}
+                        emptyMessage={t("emptySearchOptions")}
+                        label={t("online")}
+                        className="p-3"
+                    />
+                );
+            },
+            cell: ({ row }) => {
+                const originalRow = row.original;
+                if (
+                    originalRow.type == "newt" ||
+                    originalRow.type == "wireguard"
+                ) {
+                    if (originalRow.online) {
+                        return (
+                            <span className="text-green-500 flex items-center space-x-2">
+                                <div className="w-2 h-2 bg-green-500 rounded-full"></div>
+                                <span>{t("online")}</span>
+                            </span>
+                        );
+                    } else {
+                        return (
+                            <span className="text-neutral-500 flex items-center space-x-2">
+                                <div className="w-2 h-2 bg-gray-500 rounded-full"></div>
+                                <span>{t("offline")}</span>
+                            </span>
+                        );
+                    }
+                } else {
+                    return <span>-</span>;
+                }
+            }
+        },
+        {
+            accessorKey: "mbIn",
+            friendlyName: t("dataIn"),
+            header: () => {
+                const dataInOrder = getSortDirection(
+                    "megabytesIn",
+                    searchParams
+                );
+                const Icon =
+                    dataInOrder === "asc"
+                        ? ArrowDown01Icon
+                        : dataInOrder === "desc"
+                          ? ArrowUp10Icon
+                          : ChevronsUpDownIcon;
+                return (
+                    <Button
+                        variant="ghost"
+                        onClick={() => toggleSort("megabytesIn")}
+                    >
+                        {t("dataIn")}
+                        <Icon className="ml-2 h-4 w-4" />
+                    </Button>
+                );
+            }
+        },
+        {
+            accessorKey: "mbOut",
+            friendlyName: t("dataOut"),
+            header: () => {
+                const dataOutOrder = getSortDirection(
+                    "megabytesOut",
+                    searchParams
+                );
+                const Icon =
+                    dataOutOrder === "asc"
+                        ? ArrowDown01Icon
+                        : dataOutOrder === "desc"
+                          ? ArrowUp10Icon
+                          : ChevronsUpDownIcon;
+                return (
+                    <Button
+                        variant="ghost"
+                        onClick={() => toggleSort("megabytesOut")}
+                    >
+                        {t("dataOut")}
+                        <Icon className="ml-2 h-4 w-4" />
+                    </Button>
+                );
+            }
+        },
+        {
+            accessorKey: "type",
+            friendlyName: t("type"),
+            header: () => {
+                return <span className="p-3">{t("type")}</span>;
+            },
+            cell: ({ row }) => {
+                const originalRow = row.original;
+
+                if (originalRow.type === "newt") {
+                    return (
+                        <div className="flex items-center space-x-1">
+                            <Badge variant="secondary">
+                                <div className="flex items-center space-x-1">
+                                    <span>Newt</span>
+                                    {originalRow.newtVersion && (
+                                        <span>v{originalRow.newtVersion}</span>
+                                    )}
+                                </div>
+                            </Badge>
+                            {originalRow.newtUpdateAvailable && (
+                                <InfoPopup
+                                    info={t("newtUpdateAvailableInfo")}
+                                />
+                            )}
+                        </div>
+                    );
+                }
+
+                if (originalRow.type === "wireguard") {
+                    return (
+                        <div className="flex items-center space-x-2">
+                            <Badge variant="secondary">WireGuard</Badge>
+                        </div>
+                    );
+                }
+
+                if (originalRow.type === "local") {
+                    return (
+                        <div className="flex items-center space-x-2">
+                            <Badge variant="secondary">Local</Badge>
+                        </div>
+                    );
+                }
+            }
+        },
+        {
+            accessorKey: "exitNode",
+            friendlyName: t("exitNode"),
+            header: () => {
+                return <span className="p-3">{t("exitNode")}</span>;
+            },
+            cell: ({ row }) => {
+                const originalRow = row.original;
+                if (!originalRow.exitNodeName) {
+                    return "-";
+                }
+
+                const isCloudNode =
+                    build == "saas" &&
+                    originalRow.exitNodeName &&
+                    [
+                        "mercury",
+                        "venus",
+                        "earth",
+                        "mars",
+                        "jupiter",
+                        "saturn",
+                        "uranus",
+                        "neptune"
+                    ].includes(originalRow.exitNodeName.toLowerCase());
+
+                if (isCloudNode) {
+                    const capitalizedName =
+                        originalRow.exitNodeName.charAt(0).toUpperCase() +
+                        originalRow.exitNodeName.slice(1).toLowerCase();
+                    return (
+                        <Badge variant="secondary">
+                            Pangolin {capitalizedName}
+                        </Badge>
+                    );
+                }
+
+                if (originalRow.remoteExitNodeId) {
+                    return (
+                        <Link
+                            href={`/${originalRow.orgId}/settings/remote-exit-nodes/${originalRow.remoteExitNodeId}`}
+                        >
+                            <Button variant="outline">
+                                {originalRow.exitNodeName}
+                                <ArrowUpRight className="ml-2 h-4 w-4" />
+                            </Button>
+                        </Link>
+                    );
+                }
+
+                return <span>{originalRow.exitNodeName}</span>;
+            }
+        },
+        {
+            accessorKey: "address",
+            header: () => {
+                return <span className="p-3">{t("address")}</span>;
+            },
+            cell: ({ row }: { row: any }) => {
+                const originalRow = row.original;
+                return originalRow.address ? (
+                    <div className="flex items-center space-x-2">
+                        <span>{originalRow.address}</span>
+                    </div>
+                ) : (
+                    "-"
+                );
+            }
+        },
+        {
+            id: "actions",
+            enableHiding: false,
+            header: () => <span className="p-3"></span>,
+            cell: ({ row }) => {
+                const siteRow = row.original;
+                const isApproving = approvingIds.has(siteRow.id);
+                return (
+                    <div className="flex items-center gap-2 justify-end">
+                        <Button
+                            variant="outline"
+                            disabled={isApproving}
+                            onClick={() => approveSite(siteRow.id)}
+                        >
+                            <Check className="mr-2 w-4 h-4" />
+                            {t("approve")}
+                        </Button>
+                    </div>
+                );
+            }
+        }
+    ];
+
+    function toggleSort(column: string) {
+        const newSearch = getNextSortOrder(column, searchParams);
+
+        filter({
+            searchParams: newSearch
+        });
+    }
+
+    const handlePaginationChange = (newPage: PaginationState) => {
+        searchParams.set("page", (newPage.pageIndex + 1).toString());
+        searchParams.set("pageSize", newPage.pageSize.toString());
+        filter({
+            searchParams
+        });
+    };
+
+    const handleSearchChange = useDebouncedCallback((query: string) => {
+        searchParams.set("query", query);
+        searchParams.delete("page");
+        filter({
+            searchParams
+        });
+    }, 300);
+
+    return (
+        <ControlledDataTable
+            columns={columns}
+            rows={sites}
+            tableId="pending-sites-table"
+            searchPlaceholder={t("searchSitesProgress")}
+            pagination={pagination}
+            onPaginationChange={handlePaginationChange}
+            searchQuery={searchParams.get("query")?.toString()}
+            onSearch={handleSearchChange}
+            onRefresh={refreshData}
+            isRefreshing={isRefreshing || isFiltering}
+            rowCount={rowCount}
+            columnVisibility={{
+                niceId: false,
+                nice: false,
+                exitNode: false,
+                address: false
+            }}
+            enableColumnVisibility
+            stickyLeftColumn="name"
+            stickyRightColumn="actions"
+        />
+    );
+}
\ No newline at end of file

From fcf92d4e2c910efbe24ed650222f218eba6c18d6 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sun, 29 Mar 2026 16:28:51 -0700
Subject: [PATCH 156/314] Add basic provisioning room v1 and update keys

---
 messages/en-US.json                           |  8 ++
 server/db/pg/schema/privateSchema.ts          |  3 +-
 server/db/pg/schema/schema.ts                 |  2 +-
 server/db/sqlite/schema/privateSchema.ts      |  5 +-
 server/db/sqlite/schema/schema.ts             |  2 +-
 .../createSiteProvisioningKey.ts              | 11 ++-
 .../listSiteProvisioningKeys.ts               |  3 +-
 .../updateSiteProvisioningKey.ts              | 15 ++-
 server/routers/newt/registerNewt.ts           |  5 +-
 server/routers/site/createSite.ts             |  6 +-
 server/routers/site/listSites.ts              |  4 +-
 server/routers/site/updateSite.ts             |  2 +-
 server/routers/siteProvisioning/types.ts      |  3 +
 .../settings/provisioning/keys/page.tsx       | 29 +++++-
 .../settings/provisioning/pending/page.tsx    | 48 ++++++++--
 src/app/[orgId]/settings/sites/page.tsx       |  2 +-
 .../CreateSiteProvisioningKeyCredenza.tsx     | 93 ++++++++++++-------
 .../EditSiteProvisioningKeyCredenza.tsx       | 45 ++++++++-
 src/components/PendingSitesTable.tsx          |  4 +-
 19 files changed, 219 insertions(+), 71 deletions(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index ad64cb5e2..b53c61ebe 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -365,9 +365,17 @@
     "provisioningKeysNeverUsed": "Never",
     "provisioningKeysEdit": "Edit Provisioning Key",
     "provisioningKeysEditDescription": "Update the max batch size and expiration time for this key.",
+    "provisioningKeysApproveNewSites": "Approve new sites",
+    "provisioningKeysApproveNewSitesDescription": "Automatically approve sites that register with this key.",
     "provisioningKeysUpdateError": "Error updating provisioning key",
     "provisioningKeysUpdated": "Provisioning key updated",
     "provisioningKeysUpdatedDescription": "Your changes have been saved.",
+    "provisioningKeysBannerTitle": "Site Provisioning Keys",
+    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup — no need to set up separate credentials for each site.",
+    "provisioningKeysBannerButtonText": "Learn More",
+    "pendingSitesBannerTitle": "Pending Sites",
+    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review. Approve each site before it becomes active and gains access to your resources.",
+    "pendingSitesBannerButtonText": "Learn More",
     "apiKeysSettings": "{apiKeyName} Settings",
     "userTitle": "Manage All Users",
     "userDescription": "View and manage all users in the system",
diff --git a/server/db/pg/schema/privateSchema.ts b/server/db/pg/schema/privateSchema.ts
index bb1e866c4..c83d420a2 100644
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -391,7 +391,8 @@ export const siteProvisioningKeys = pgTable("siteProvisioningKeys", {
     lastUsed: varchar("lastUsed", { length: 255 }),
     maxBatchSize: integer("maxBatchSize"), // null = no limit
     numUsed: integer("numUsed").notNull().default(0),
-    validUntil: varchar("validUntil", { length: 255 })
+    validUntil: varchar("validUntil", { length: 255 }),
+    approveNewSites: boolean("approveNewSites").notNull().default(true)
 });
 
 export const siteProvisioningKeyOrg = pgTable(
diff --git a/server/db/pg/schema/schema.ts b/server/db/pg/schema/schema.ts
index a64aad2ef..29e25bbdd 100644
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -101,7 +101,7 @@ export const sites = pgTable("sites", {
     lastHolePunch: bigint("lastHolePunch", { mode: "number" }),
     listenPort: integer("listenPort"),
     dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true),
-    status: varchar("status").$type<"pending" | "accepted">()
+    status: varchar("status").$type<"pending" | "approved">()
 });
 
 export const resources = pgTable("resources", {
diff --git a/server/db/sqlite/schema/privateSchema.ts b/server/db/sqlite/schema/privateSchema.ts
index 5913497b3..287c53884 100644
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -375,7 +375,10 @@ export const siteProvisioningKeys = sqliteTable("siteProvisioningKeys", {
     lastUsed: text("lastUsed"),
     maxBatchSize: integer("maxBatchSize"), // null = no limit
     numUsed: integer("numUsed").notNull().default(0),
-    validUntil: text("validUntil")
+    validUntil: text("validUntil"),
+    approveNewSites: integer("approveNewSites", { mode: "boolean" })
+        .notNull()
+        .default(true)
 });
 
 export const siteProvisioningKeyOrg = sqliteTable(
diff --git a/server/db/sqlite/schema/schema.ts b/server/db/sqlite/schema/schema.ts
index 52969d183..880fab3fd 100644
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -111,7 +111,7 @@ export const sites = sqliteTable("sites", {
     dockerSocketEnabled: integer("dockerSocketEnabled", { mode: "boolean" })
         .notNull()
         .default(true),
-    status: text("status").$type<"pending" | "accepted">()
+    status: text("status").$type<"pending" | "approved">()
 });
 
 export const resources = sqliteTable("resources", {
diff --git a/server/private/routers/siteProvisioning/createSiteProvisioningKey.ts b/server/private/routers/siteProvisioning/createSiteProvisioningKey.ts
index abed27550..e521eaa22 100644
--- a/server/private/routers/siteProvisioning/createSiteProvisioningKey.ts
+++ b/server/private/routers/siteProvisioning/createSiteProvisioningKey.ts
@@ -38,7 +38,8 @@ const bodySchema = z
             z.null(),
             z.coerce.number().int().positive().max(1_000_000)
         ]),
-        validUntil: z.string().max(255).optional()
+        validUntil: z.string().max(255).optional(),
+        approveNewSites: z.boolean().optional().default(true)
     })
     .superRefine((data, ctx) => {
         const v = data.validUntil;
@@ -82,7 +83,7 @@ export async function createSiteProvisioningKey(
     }
 
     const { orgId } = parsedParams.data;
-    const { name, maxBatchSize } = parsedBody.data;
+    const { name, maxBatchSize, approveNewSites } = parsedBody.data;
     const vuRaw = parsedBody.data.validUntil;
     const validUntil =
         vuRaw == null || vuRaw.trim() === ""
@@ -106,7 +107,8 @@ export async function createSiteProvisioningKey(
             lastUsed: null,
             maxBatchSize,
             numUsed: 0,
-            validUntil
+            validUntil,
+            approveNewSites
         });
 
         await trx.insert(siteProvisioningKeyOrg).values({
@@ -127,7 +129,8 @@ export async function createSiteProvisioningKey(
                 lastUsed: null,
                 maxBatchSize,
                 numUsed: 0,
-                validUntil
+                validUntil,
+                approveNewSites
             },
             success: true,
             error: false,
diff --git a/server/private/routers/siteProvisioning/listSiteProvisioningKeys.ts b/server/private/routers/siteProvisioning/listSiteProvisioningKeys.ts
index 5f7531a2c..dd51179d3 100644
--- a/server/private/routers/siteProvisioning/listSiteProvisioningKeys.ts
+++ b/server/private/routers/siteProvisioning/listSiteProvisioningKeys.ts
@@ -57,7 +57,8 @@ function querySiteProvisioningKeys(orgId: string) {
             lastUsed: siteProvisioningKeys.lastUsed,
             maxBatchSize: siteProvisioningKeys.maxBatchSize,
             numUsed: siteProvisioningKeys.numUsed,
-            validUntil: siteProvisioningKeys.validUntil
+            validUntil: siteProvisioningKeys.validUntil,
+            approveNewSites: siteProvisioningKeys.approveNewSites
         })
         .from(siteProvisioningKeyOrg)
         .innerJoin(
diff --git a/server/private/routers/siteProvisioning/updateSiteProvisioningKey.ts b/server/private/routers/siteProvisioning/updateSiteProvisioningKey.ts
index 526d8bfb8..2f4dafbdf 100644
--- a/server/private/routers/siteProvisioning/updateSiteProvisioningKey.ts
+++ b/server/private/routers/siteProvisioning/updateSiteProvisioningKey.ts
@@ -39,16 +39,18 @@ const bodySchema = z
                 z.coerce.number().int().positive().max(1_000_000)
             ])
             .optional(),
-        validUntil: z.string().max(255).optional()
+        validUntil: z.string().max(255).optional(),
+        approveNewSites: z.boolean().optional()
     })
     .superRefine((data, ctx) => {
         if (
             data.maxBatchSize === undefined &&
-            data.validUntil === undefined
+            data.validUntil === undefined &&
+            data.approveNewSites === undefined
         ) {
             ctx.addIssue({
                 code: "custom",
-                message: "Provide maxBatchSize and/or validUntil",
+                message: "Provide maxBatchSize and/or validUntil and/or approveNewSites",
                 path: ["maxBatchSize"]
             });
         }
@@ -129,6 +131,7 @@ export async function updateSiteProvisioningKey(
         const setValues: {
             maxBatchSize?: number | null;
             validUntil?: string | null;
+            approveNewSites?: boolean;
         } = {};
         if (body.maxBatchSize !== undefined) {
             setValues.maxBatchSize = body.maxBatchSize;
@@ -139,6 +142,9 @@ export async function updateSiteProvisioningKey(
                     ? null
                     : new Date(Date.parse(body.validUntil)).toISOString();
         }
+        if (body.approveNewSites !== undefined) {
+            setValues.approveNewSites = body.approveNewSites;
+        }
 
         await db
             .update(siteProvisioningKeys)
@@ -160,7 +166,8 @@ export async function updateSiteProvisioningKey(
                 lastUsed: siteProvisioningKeys.lastUsed,
                 maxBatchSize: siteProvisioningKeys.maxBatchSize,
                 numUsed: siteProvisioningKeys.numUsed,
-                validUntil: siteProvisioningKeys.validUntil
+                validUntil: siteProvisioningKeys.validUntil,
+                approveNewSites: siteProvisioningKeys.approveNewSites
             })
             .from(siteProvisioningKeys)
             .where(
diff --git a/server/routers/newt/registerNewt.ts b/server/routers/newt/registerNewt.ts
index 4923fb88e..6ad7c30a8 100644
--- a/server/routers/newt/registerNewt.ts
+++ b/server/routers/newt/registerNewt.ts
@@ -82,7 +82,8 @@ export async function registerNewt(
                 orgId: siteProvisioningKeyOrg.orgId,
                 maxBatchSize: siteProvisioningKeys.maxBatchSize,
                 numUsed: siteProvisioningKeys.numUsed,
-                validUntil: siteProvisioningKeys.validUntil
+                validUntil: siteProvisioningKeys.validUntil,
+                approveNewSites: siteProvisioningKeys.approveNewSites,
             })
             .from(siteProvisioningKeys)
             .innerJoin(
@@ -197,7 +198,7 @@ export async function registerNewt(
                     niceId,
                     type: "newt",
                     dockerSocketEnabled: true,
-                    status: "pending"
+                    status: keyRecord.approveNewSites ? "approved" : "pending",
                 })
                 .returning();
 
diff --git a/server/routers/site/createSite.ts b/server/routers/site/createSite.ts
index bf62e93cd..d397b2784 100644
--- a/server/routers/site/createSite.ts
+++ b/server/routers/site/createSite.ts
@@ -299,7 +299,7 @@ export async function createSite(
                         address: updatedAddress || null,
                         type,
                         dockerSocketEnabled: true,
-                        status: "accepted"
+                        status: "approved"
                     })
                     .returning();
             } else if (type == "wireguard") {
@@ -357,7 +357,7 @@ export async function createSite(
                         subnet,
                         type,
                         pubKey: pubKey || null,
-                        status: "accepted"
+                        status: "approved"
                     })
                     .returning();
             } else if (type == "local") {
@@ -373,7 +373,7 @@ export async function createSite(
                         dockerSocketEnabled: false,
                         online: true,
                         subnet: "0.0.0.0/32",
-                        status: "accepted"
+                        status: "approved"
                     })
                     .returning();
             } else {
diff --git a/server/routers/site/listSites.ts b/server/routers/site/listSites.ts
index 1d7e99042..6f085d74d 100644
--- a/server/routers/site/listSites.ts
+++ b/server/routers/site/listSites.ts
@@ -137,12 +137,12 @@ const listSitesSchema = z.object({
             description: "Filter by online status"
         }),
     status: z
-        .enum(["pending", "accepted"])
+        .enum(["pending", "approved"])
         .optional()
         .catch(undefined)
         .openapi({
             type: "string",
-            enum: ["pending", "accepted"],
+            enum: ["pending", "approved"],
             description: "Filter by site status"
         })
 });
diff --git a/server/routers/site/updateSite.ts b/server/routers/site/updateSite.ts
index 244adf7b8..34d1341d7 100644
--- a/server/routers/site/updateSite.ts
+++ b/server/routers/site/updateSite.ts
@@ -20,7 +20,7 @@ const updateSiteBodySchema = z
         name: z.string().min(1).max(255).optional(),
         niceId: z.string().min(1).max(255).optional(),
         dockerSocketEnabled: z.boolean().optional(),
-        status: z.enum(["pending", "accepted"]).optional(),
+        status: z.enum(["pending", "approved"]).optional(),
         // remoteSubnets: z.string().optional()
         // subdomain: z
         //     .string()
diff --git a/server/routers/siteProvisioning/types.ts b/server/routers/siteProvisioning/types.ts
index d06c1fe26..785d9dfff 100644
--- a/server/routers/siteProvisioning/types.ts
+++ b/server/routers/siteProvisioning/types.ts
@@ -8,6 +8,7 @@ export type SiteProvisioningKeyListItem = {
     maxBatchSize: number | null;
     numUsed: number;
     validUntil: string | null;
+    approveNewSites: boolean;
 };
 
 export type ListSiteProvisioningKeysResponse = {
@@ -26,6 +27,7 @@ export type CreateSiteProvisioningKeyResponse = {
     maxBatchSize: number | null;
     numUsed: number;
     validUntil: string | null;
+    approveNewSites: boolean;
 };
 
 export type UpdateSiteProvisioningKeyResponse = {
@@ -38,4 +40,5 @@ export type UpdateSiteProvisioningKeyResponse = {
     maxBatchSize: number | null;
     numUsed: number;
     validUntil: string | null;
+    approveNewSites: boolean;
 };
diff --git a/src/app/[orgId]/settings/provisioning/keys/page.tsx b/src/app/[orgId]/settings/provisioning/keys/page.tsx
index 1cfbf5b05..021bb97b7 100644
--- a/src/app/[orgId]/settings/provisioning/keys/page.tsx
+++ b/src/app/[orgId]/settings/provisioning/keys/page.tsx
@@ -8,6 +8,10 @@ import SiteProvisioningKeysTable, {
 import { ListSiteProvisioningKeysResponse } from "@server/routers/siteProvisioning/types";
 import { getTranslations } from "next-intl/server";
 import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
+import DismissableBanner from "@app/components/DismissableBanner";
+import Link from "next/link";
+import { Button } from "@app/components/ui/button";
+import { ArrowRight, Plug } from "lucide-react";
 
 type ProvisioningKeysPageProps = {
     params: Promise<{ orgId: string }>;
@@ -46,6 +50,29 @@ export default async function ProvisioningKeysPage(
 
     return (
         <>
+            <DismissableBanner
+                storageKey="sites-banner-dismissed"
+                version={1}
+                title={t("provisioningKeysBannerTitle")}
+                titleIcon={<Plug className="w-5 h-5 text-primary" />}
+                description={t("provisioningKeysBannerDescription")}
+            >
+                <Link
+                    href="https://docs.pangolin.net/manage/sites/install-site"
+                    target="_blank"
+                    rel="noopener noreferrer"
+                >
+                    <Button
+                        variant="outline"
+                        size="sm"
+                        className="gap-2 hover:bg-primary/10 hover:border-primary/50 transition-colors"
+                    >
+                        {t("provisioningKeysBannerButtonText")}
+                        <ArrowRight className="w-4 h-4" />
+                    </Button>
+                </Link>
+            </DismissableBanner>
+
             <PaidFeaturesAlert
                 tiers={tierMatrix[TierFeature.SiteProvisioningKeys]}
             />
@@ -53,4 +80,4 @@ export default async function ProvisioningKeysPage(
             <SiteProvisioningKeysTable keys={rows} orgId={params.orgId} />
         </>
     );
-}
\ No newline at end of file
+}
diff --git a/src/app/[orgId]/settings/provisioning/pending/page.tsx b/src/app/[orgId]/settings/provisioning/pending/page.tsx
index 78178cb14..637f828b8 100644
--- a/src/app/[orgId]/settings/provisioning/pending/page.tsx
+++ b/src/app/[orgId]/settings/provisioning/pending/page.tsx
@@ -5,6 +5,10 @@ import { AxiosResponse } from "axios";
 import { SiteRow } from "@app/components/SitesTable";
 import PendingSitesTable from "@app/components/PendingSitesTable";
 import { getTranslations } from "next-intl/server";
+import DismissableBanner from "@app/components/DismissableBanner";
+import Link from "next/link";
+import { Button } from "@app/components/ui/button";
+import { ArrowRight, Plug } from "lucide-react";
 
 type PendingSitesPageProps = {
     params: Promise<{ orgId: string }>;
@@ -69,14 +73,38 @@ export default async function PendingSitesPage(props: PendingSitesPageProps) {
     }));
 
     return (
-        <PendingSitesTable
-            sites={siteRows}
-            orgId={params.orgId}
-            rowCount={pagination.total}
-            pagination={{
-                pageIndex: pagination.page - 1,
-                pageSize: pagination.pageSize
-            }}
-        />
+        <>
+            <DismissableBanner
+                storageKey="sites-banner-dismissed"
+                version={1}
+                title={t("pendingSitesBannerTitle")}
+                titleIcon={<Plug className="w-5 h-5 text-primary" />}
+                description={t("pendingSitesBannerDescription")}
+            >
+                <Link
+                    href="https://docs.pangolin.net/manage/sites/install-site"
+                    target="_blank"
+                    rel="noopener noreferrer"
+                >
+                    <Button
+                        variant="outline"
+                        size="sm"
+                        className="gap-2 hover:bg-primary/10 hover:border-primary/50 transition-colors"
+                    >
+                        {t("pendingSitesBannerButtonText")}
+                        <ArrowRight className="w-4 h-4" />
+                    </Button>
+                </Link>
+            </DismissableBanner>
+            <PendingSitesTable
+                sites={siteRows}
+                orgId={params.orgId}
+                rowCount={pagination.total}
+                pagination={{
+                    pageIndex: pagination.page - 1,
+                    pageSize: pagination.pageSize
+                }}
+            />
+        </>
     );
-}
\ No newline at end of file
+}
diff --git a/src/app/[orgId]/settings/sites/page.tsx b/src/app/[orgId]/settings/sites/page.tsx
index 5839ba2be..38083325b 100644
--- a/src/app/[orgId]/settings/sites/page.tsx
+++ b/src/app/[orgId]/settings/sites/page.tsx
@@ -18,7 +18,7 @@ export default async function SitesPage(props: SitesPageProps) {
     const params = await props.params;
 
     const searchParams = new URLSearchParams(await props.searchParams);
-    searchParams.set("status", "accepted");
+    searchParams.set("status", "approved");
 
     let sites: ListSitesResponse["sites"] = [];
     let pagination: ListSitesResponse["pagination"] = {
diff --git a/src/components/CreateSiteProvisioningKeyCredenza.tsx b/src/components/CreateSiteProvisioningKeyCredenza.tsx
index 3a1c7c372..f6b80a964 100644
--- a/src/components/CreateSiteProvisioningKeyCredenza.tsx
+++ b/src/components/CreateSiteProvisioningKeyCredenza.tsx
@@ -79,7 +79,8 @@ export default function CreateSiteProvisioningKeyCredenza({
                 .max(1_000_000, {
                     message: t("provisioningKeysMaxBatchSizeInvalid")
                 }),
-            validUntil: z.string().optional()
+            validUntil: z.string().optional(),
+            approveNewSites: z.boolean()
         })
         .superRefine((data, ctx) => {
             const v = data.validUntil;
@@ -103,7 +104,8 @@ export default function CreateSiteProvisioningKeyCredenza({
             name: "",
             unlimitedBatchSize: false,
             maxBatchSize: 100,
-            validUntil: ""
+            validUntil: "",
+            approveNewSites: true
         }
     });
 
@@ -114,7 +116,8 @@ export default function CreateSiteProvisioningKeyCredenza({
                 name: "",
                 unlimitedBatchSize: false,
                 maxBatchSize: 100,
-                validUntil: ""
+                validUntil: "",
+                approveNewSites: true
             });
         }
     }, [open, form]);
@@ -123,18 +126,21 @@ export default function CreateSiteProvisioningKeyCredenza({
         setLoading(true);
         try {
             const res = await api
-                .put<
-                    AxiosResponse<CreateSiteProvisioningKeyResponse>
-                >(`/org/${orgId}/site-provisioning-key`, {
-                    name: data.name,
-                    maxBatchSize: data.unlimitedBatchSize
-                        ? null
-                        : data.maxBatchSize,
-                    validUntil:
-                        data.validUntil == null || data.validUntil.trim() === ""
-                            ? undefined
-                            : data.validUntil
-                })
+                .put<AxiosResponse<CreateSiteProvisioningKeyResponse>>(
+                    `/org/${orgId}/site-provisioning-key`,
+                    {
+                        name: data.name,
+                        maxBatchSize: data.unlimitedBatchSize
+                            ? null
+                            : data.maxBatchSize,
+                        validUntil:
+                            data.validUntil == null ||
+                            data.validUntil.trim() === ""
+                                ? undefined
+                                : data.validUntil,
+                        approveNewSites: data.approveNewSites
+                    }
+                )
                 .catch((e) => {
                     toast({
                         variant: "destructive",
@@ -152,9 +158,7 @@ export default function CreateSiteProvisioningKeyCredenza({
         }
     }
 
-    const credential =
-        created &&
-        created.siteProvisioningKey;
+    const credential = created && created.siteProvisioningKey;
 
     const unlimitedBatchSize = form.watch("unlimitedBatchSize");
 
@@ -213,15 +217,12 @@ export default function CreateSiteProvisioningKeyCredenza({
                                                     min={1}
                                                     max={1_000_000}
                                                     autoComplete="off"
-                                                    disabled={
-                                                        unlimitedBatchSize
-                                                    }
+                                                    disabled={unlimitedBatchSize}
                                                     name={field.name}
                                                     ref={field.ref}
                                                     onBlur={field.onBlur}
                                                     onChange={(e) => {
-                                                        const v =
-                                                            e.target.value;
+                                                        const v = e.target.value;
                                                         field.onChange(
                                                             v === ""
                                                                 ? 100
@@ -269,9 +270,7 @@ export default function CreateSiteProvisioningKeyCredenza({
                                         const dateTimeValue: DateTimeValue =
                                             (() => {
                                                 if (!field.value) return {};
-                                                const d = new Date(
-                                                    field.value
-                                                );
+                                                const d = new Date(field.value);
                                                 if (isNaN(d.getTime()))
                                                     return {};
                                                 const hours = d
@@ -313,11 +312,7 @@ export default function CreateSiteProvisioningKeyCredenza({
                                                                 value.date
                                                             );
                                                             if (value.time) {
-                                                                const [
-                                                                    h,
-                                                                    m,
-                                                                    s
-                                                                ] =
+                                                                const [h, m, s] =
                                                                     value.time.split(
                                                                         ":"
                                                                     );
@@ -352,6 +347,40 @@ export default function CreateSiteProvisioningKeyCredenza({
                                         );
                                     }}
                                 />
+                                <FormField
+                                    control={form.control}
+                                    name="approveNewSites"
+                                    render={({ field }) => (
+                                        <FormItem className="flex flex-row items-start gap-3 space-y-0">
+                                            <FormControl>
+                                                <Checkbox
+                                                    id="provisioning-approve-new-sites"
+                                                    checked={field.value}
+                                                    onCheckedChange={(c) =>
+                                                        field.onChange(
+                                                            c === true
+                                                        )
+                                                    }
+                                                />
+                                            </FormControl>
+                                            <div className="flex flex-col gap-1">
+                                                <FormLabel
+                                                    htmlFor="provisioning-approve-new-sites"
+                                                    className="cursor-pointer font-normal !mt-0"
+                                                >
+                                                    {t(
+                                                        "provisioningKeysApproveNewSites"
+                                                    )}
+                                                </FormLabel>
+                                                <FormDescription>
+                                                    {t(
+                                                        "provisioningKeysApproveNewSitesDescription"
+                                                    )}
+                                                </FormDescription>
+                                            </div>
+                                        </FormItem>
+                                    )}
+                                />
                             </form>
                         </Form>
                     )}
@@ -395,4 +424,4 @@ export default function CreateSiteProvisioningKeyCredenza({
             </CredenzaContent>
         </Credenza>
     );
-}
+}
\ No newline at end of file
diff --git a/src/components/EditSiteProvisioningKeyCredenza.tsx b/src/components/EditSiteProvisioningKeyCredenza.tsx
index 138190edc..e0e9cdde0 100644
--- a/src/components/EditSiteProvisioningKeyCredenza.tsx
+++ b/src/components/EditSiteProvisioningKeyCredenza.tsx
@@ -45,6 +45,7 @@ export type EditableSiteProvisioningKey = {
     name: string;
     maxBatchSize: number | null;
     validUntil: string | null;
+    approveNewSites: boolean;
 };
 
 type EditSiteProvisioningKeyCredenzaProps = {
@@ -76,7 +77,8 @@ export default function EditSiteProvisioningKeyCredenza({
                 .max(1_000_000, {
                     message: t("provisioningKeysMaxBatchSizeInvalid")
                 }),
-            validUntil: z.string().optional()
+            validUntil: z.string().optional(),
+            approveNewSites: z.boolean()
         })
         .superRefine((data, ctx) => {
             const v = data.validUntil;
@@ -100,7 +102,8 @@ export default function EditSiteProvisioningKeyCredenza({
             name: "",
             unlimitedBatchSize: false,
             maxBatchSize: 100,
-            validUntil: ""
+            validUntil: "",
+            approveNewSites: true
         }
     });
 
@@ -112,7 +115,8 @@ export default function EditSiteProvisioningKeyCredenza({
             name: provisioningKey.name,
             unlimitedBatchSize: provisioningKey.maxBatchSize == null,
             maxBatchSize: provisioningKey.maxBatchSize ?? 100,
-            validUntil: provisioningKey.validUntil ?? ""
+            validUntil: provisioningKey.validUntil ?? "",
+            approveNewSites: provisioningKey.approveNewSites
         });
     }, [open, provisioningKey, form]);
 
@@ -135,7 +139,8 @@ export default function EditSiteProvisioningKeyCredenza({
                             data.validUntil == null ||
                             data.validUntil.trim() === ""
                                 ? ""
-                                : data.validUntil
+                                : data.validUntil,
+                        approveNewSites: data.approveNewSites
                     }
                 )
                 .catch((e) => {
@@ -255,6 +260,38 @@ export default function EditSiteProvisioningKeyCredenza({
                                     </FormItem>
                                 )}
                             />
+                            <FormField
+                                control={form.control}
+                                name="approveNewSites"
+                                render={({ field }) => (
+                                    <FormItem className="flex flex-row items-start gap-3 space-y-0">
+                                        <FormControl>
+                                            <Checkbox
+                                                id="provisioning-edit-approve-new-sites"
+                                                checked={field.value}
+                                                onCheckedChange={(c) =>
+                                                    field.onChange(c === true)
+                                                }
+                                            />
+                                        </FormControl>
+                                        <div className="flex flex-col gap-1">
+                                            <FormLabel
+                                                htmlFor="provisioning-edit-approve-new-sites"
+                                                className="cursor-pointer font-normal !mt-0"
+                                            >
+                                                {t(
+                                                    "provisioningKeysApproveNewSites"
+                                                )}
+                                            </FormLabel>
+                                            <FormDescription>
+                                                {t(
+                                                    "provisioningKeysApproveNewSitesDescription"
+                                                )}
+                                            </FormDescription>
+                                        </div>
+                                    </FormItem>
+                                )}
+                            />
                             <FormField
                                 control={form.control}
                                 name="validUntil"
diff --git a/src/components/PendingSitesTable.tsx b/src/components/PendingSitesTable.tsx
index f9126a091..ae22c1bc1 100644
--- a/src/components/PendingSitesTable.tsx
+++ b/src/components/PendingSitesTable.tsx
@@ -93,7 +93,7 @@ export default function PendingSitesTable({
     async function approveSite(siteId: number) {
         setApprovingIds((prev) => new Set(prev).add(siteId));
         try {
-            await api.post(`/site/${siteId}`, { status: "accepted" });
+            await api.post(`/site/${siteId}`, { status: "approved" });
             toast({
                 title: t("success"),
                 description: t("siteApproveSuccess"),
@@ -437,4 +437,4 @@ export default function PendingSitesTable({
             stickyRightColumn="actions"
         />
     );
-}
\ No newline at end of file
+}

From 11a6f1f47fd6c8fad3f33b3292349fdc13245c16 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 30 Mar 2026 01:34:28 +0000
Subject: [PATCH 157/314] Bump sigstore/cosign-installer from 4.1.0 to 4.1.1

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 4.1.0 to 4.1.1.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/ba7bc0a3fef59531c69a25acd34668d6d3fe6f22...cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/cicd.yml    | 2 +-
 .github/workflows/mirror.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index fff21995d..d4cde4ac4 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -415,7 +415,7 @@ jobs:
 
             - name: Install cosign
               # cosign is used to sign and verify container images (key and keyless)
-              uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
+              uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
 
             - name: Dual-sign and verify (GHCR & Docker Hub)
               # Sign each image by digest using keyless (OIDC) and key-based signing,
diff --git a/.github/workflows/mirror.yaml b/.github/workflows/mirror.yaml
index d6dfdb8fb..f60922d21 100644
--- a/.github/workflows/mirror.yaml
+++ b/.github/workflows/mirror.yaml
@@ -23,7 +23,7 @@ jobs:
           skopeo --version
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
 
       - name: Input check
         run: |

From c20dfdabfb5b1be7e409d9da21d2d8d88af9e22a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 30 Mar 2026 01:35:59 +0000
Subject: [PATCH 158/314] Bump the dev-patch-updates group across 1 directory
 with 3 updates

Bumps the dev-patch-updates group with 3 updates in the / directory: [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss), [esbuild](https://github.com/evanw/esbuild) and [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss).


Updates `@tailwindcss/postcss` from 4.2.1 to 4.2.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.2/packages/@tailwindcss-postcss)

Updates `esbuild` from 0.27.3 to 0.27.4
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](https://github.com/evanw/esbuild/compare/v0.27.3...v0.27.4)

Updates `tailwindcss` from 4.2.1 to 4.2.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.2/packages/tailwindcss)

---
updated-dependencies:
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-patch-updates
- dependency-name: esbuild
  dependency-version: 0.27.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-patch-updates
- dependency-name: tailwindcss
  dependency-version: 4.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-patch-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 package-lock.json | 456 +++++++++++++++++++++++-----------------------
 package.json      |   8 +-
 2 files changed, 232 insertions(+), 232 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 7b63f1691..68bf7acf0 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -111,7 +111,7 @@
                 "@dotenvx/dotenvx": "1.54.1",
                 "@esbuild-plugins/tsconfig-paths": "0.1.2",
                 "@react-email/preview-server": "5.2.10",
-                "@tailwindcss/postcss": "4.2.1",
+                "@tailwindcss/postcss": "4.2.2",
                 "@tanstack/react-query-devtools": "5.91.3",
                 "@types/better-sqlite3": "7.6.13",
                 "@types/cookie-parser": "1.4.10",
@@ -137,14 +137,14 @@
                 "@types/yargs": "17.0.35",
                 "babel-plugin-react-compiler": "1.0.0",
                 "drizzle-kit": "0.31.10",
-                "esbuild": "0.27.3",
+                "esbuild": "0.27.4",
                 "esbuild-node-externals": "1.20.1",
                 "eslint": "10.0.3",
                 "eslint-config-next": "16.1.7",
                 "postcss": "8.5.8",
                 "prettier": "3.8.1",
                 "react-email": "5.2.10",
-                "tailwindcss": "4.2.1",
+                "tailwindcss": "4.2.2",
                 "tsc-alias": "1.8.16",
                 "tsx": "4.21.0",
                 "typescript": "5.9.3",
@@ -1577,9 +1577,9 @@
             }
         },
         "node_modules/@esbuild/aix-ppc64": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.3.tgz",
-            "integrity": "sha512-9fJMTNFTWZMh5qwrBItuziu834eOCUcEqymSH7pY+zoMVEZg3gcPuBNxH1EvfVYe9h0x/Ptw8KBzv7qxb7l8dg==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.4.tgz",
+            "integrity": "sha512-cQPwL2mp2nSmHHJlCyoXgHGhbEPMrEEU5xhkcy3Hs/O7nGZqEpZ2sUtLaL9MORLtDfRvVl2/3PAuEkYZH0Ty8Q==",
             "cpu": [
                 "ppc64"
             ],
@@ -1594,9 +1594,9 @@
             }
         },
         "node_modules/@esbuild/android-arm": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.3.tgz",
-            "integrity": "sha512-i5D1hPY7GIQmXlXhs2w8AWHhenb00+GxjxRncS2ZM7YNVGNfaMxgzSGuO8o8SJzRc/oZwU2bcScvVERk03QhzA==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.4.tgz",
+            "integrity": "sha512-X9bUgvxiC8CHAGKYufLIHGXPJWnr0OCdR0anD2e21vdvgCI8lIfqFbnoeOz7lBjdrAGUhqLZLcQo6MLhTO2DKQ==",
             "cpu": [
                 "arm"
             ],
@@ -1611,9 +1611,9 @@
             }
         },
         "node_modules/@esbuild/android-arm64": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.3.tgz",
-            "integrity": "sha512-YdghPYUmj/FX2SYKJ0OZxf+iaKgMsKHVPF1MAq/P8WirnSpCStzKJFjOjzsW0QQ7oIAiccHdcqjbHmJxRb/dmg==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.4.tgz",
+            "integrity": "sha512-gdLscB7v75wRfu7QSm/zg6Rx29VLdy9eTr2t44sfTW7CxwAtQghZ4ZnqHk3/ogz7xao0QAgrkradbBzcqFPasw==",
             "cpu": [
                 "arm64"
             ],
@@ -1628,9 +1628,9 @@
             }
         },
         "node_modules/@esbuild/android-x64": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.3.tgz",
-            "integrity": "sha512-IN/0BNTkHtk8lkOM8JWAYFg4ORxBkZQf9zXiEOfERX/CzxW3Vg1ewAhU7QSWQpVIzTW+b8Xy+lGzdYXV6UZObQ==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.4.tgz",
+            "integrity": "sha512-PzPFnBNVF292sfpfhiyiXCGSn9HZg5BcAz+ivBuSsl6Rk4ga1oEXAamhOXRFyMcjwr2DVtm40G65N3GLeH1Lvw==",
             "cpu": [
                 "x64"
             ],
@@ -1645,9 +1645,9 @@
             }
         },
         "node_modules/@esbuild/darwin-arm64": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.3.tgz",
-            "integrity": "sha512-Re491k7ByTVRy0t3EKWajdLIr0gz2kKKfzafkth4Q8A5n1xTHrkqZgLLjFEHVD+AXdUGgQMq+Godfq45mGpCKg==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.4.tgz",
+            "integrity": "sha512-b7xaGIwdJlht8ZFCvMkpDN6uiSmnxxK56N2GDTMYPr2/gzvfdQN8rTfBsvVKmIVY/X7EM+/hJKEIbbHs9oA4tQ==",
             "cpu": [
                 "arm64"
             ],
@@ -1662,9 +1662,9 @@
             }
         },
         "node_modules/@esbuild/darwin-x64": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.3.tgz",
-            "integrity": "sha512-vHk/hA7/1AckjGzRqi6wbo+jaShzRowYip6rt6q7VYEDX4LEy1pZfDpdxCBnGtl+A5zq8iXDcyuxwtv3hNtHFg==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.4.tgz",
+            "integrity": "sha512-sR+OiKLwd15nmCdqpXMnuJ9W2kpy0KigzqScqHI3Hqwr7IXxBp3Yva+yJwoqh7rE8V77tdoheRYataNKL4QrPw==",
             "cpu": [
                 "x64"
             ],
@@ -1679,9 +1679,9 @@
             }
         },
         "node_modules/@esbuild/freebsd-arm64": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.3.tgz",
-            "integrity": "sha512-ipTYM2fjt3kQAYOvo6vcxJx3nBYAzPjgTCk7QEgZG8AUO3ydUhvelmhrbOheMnGOlaSFUoHXB6un+A7q4ygY9w==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.4.tgz",
+            "integrity": "sha512-jnfpKe+p79tCnm4GVav68A7tUFeKQwQyLgESwEAUzyxk/TJr4QdGog9sqWNcUbr/bZt/O/HXouspuQDd9JxFSw==",
             "cpu": [
                 "arm64"
             ],
@@ -1696,9 +1696,9 @@
             }
         },
         "node_modules/@esbuild/freebsd-x64": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.3.tgz",
-            "integrity": "sha512-dDk0X87T7mI6U3K9VjWtHOXqwAMJBNN2r7bejDsc+j03SEjtD9HrOl8gVFByeM0aJksoUuUVU9TBaZa2rgj0oA==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.4.tgz",
+            "integrity": "sha512-2kb4ceA/CpfUrIcTUl1wrP/9ad9Atrp5J94Lq69w7UwOMolPIGrfLSvAKJp0RTvkPPyn6CIWrNy13kyLikZRZQ==",
             "cpu": [
                 "x64"
             ],
@@ -1713,9 +1713,9 @@
             }
         },
         "node_modules/@esbuild/linux-arm": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.3.tgz",
-            "integrity": "sha512-s6nPv2QkSupJwLYyfS+gwdirm0ukyTFNl3KTgZEAiJDd+iHZcbTPPcWCcRYH+WlNbwChgH2QkE9NSlNrMT8Gfw==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.4.tgz",
+            "integrity": "sha512-aBYgcIxX/wd5n2ys0yESGeYMGF+pv6g0DhZr3G1ZG4jMfruU9Tl1i2Z+Wnj9/KjGz1lTLCcorqE2viePZqj4Eg==",
             "cpu": [
                 "arm"
             ],
@@ -1730,9 +1730,9 @@
             }
         },
         "node_modules/@esbuild/linux-arm64": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.3.tgz",
-            "integrity": "sha512-sZOuFz/xWnZ4KH3YfFrKCf1WyPZHakVzTiqji3WDc0BCl2kBwiJLCXpzLzUBLgmp4veFZdvN5ChW4Eq/8Fc2Fg==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.4.tgz",
+            "integrity": "sha512-7nQOttdzVGth1iz57kxg9uCz57dxQLHWxopL6mYuYthohPKEK0vU0C3O21CcBK6KDlkYVcnDXY099HcCDXd9dA==",
             "cpu": [
                 "arm64"
             ],
@@ -1747,9 +1747,9 @@
             }
         },
         "node_modules/@esbuild/linux-ia32": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.3.tgz",
-            "integrity": "sha512-yGlQYjdxtLdh0a3jHjuwOrxQjOZYD/C9PfdbgJJF3TIZWnm/tMd/RcNiLngiu4iwcBAOezdnSLAwQDPqTmtTYg==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.4.tgz",
+            "integrity": "sha512-oPtixtAIzgvzYcKBQM/qZ3R+9TEUd1aNJQu0HhGyqtx6oS7qTpvjheIWBbes4+qu1bNlo2V4cbkISr8q6gRBFA==",
             "cpu": [
                 "ia32"
             ],
@@ -1764,9 +1764,9 @@
             }
         },
         "node_modules/@esbuild/linux-loong64": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.3.tgz",
-            "integrity": "sha512-WO60Sn8ly3gtzhyjATDgieJNet/KqsDlX5nRC5Y3oTFcS1l0KWba+SEa9Ja1GfDqSF1z6hif/SkpQJbL63cgOA==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.4.tgz",
+            "integrity": "sha512-8mL/vh8qeCoRcFH2nM8wm5uJP+ZcVYGGayMavi8GmRJjuI3g1v6Z7Ni0JJKAJW+m0EtUuARb6Lmp4hMjzCBWzA==",
             "cpu": [
                 "loong64"
             ],
@@ -1781,9 +1781,9 @@
             }
         },
         "node_modules/@esbuild/linux-mips64el": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.3.tgz",
-            "integrity": "sha512-APsymYA6sGcZ4pD6k+UxbDjOFSvPWyZhjaiPyl/f79xKxwTnrn5QUnXR5prvetuaSMsb4jgeHewIDCIWljrSxw==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.4.tgz",
+            "integrity": "sha512-1RdrWFFiiLIW7LQq9Q2NES+HiD4NyT8Itj9AUeCl0IVCA459WnPhREKgwrpaIfTOe+/2rdntisegiPWn/r/aAw==",
             "cpu": [
                 "mips64el"
             ],
@@ -1798,9 +1798,9 @@
             }
         },
         "node_modules/@esbuild/linux-ppc64": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.3.tgz",
-            "integrity": "sha512-eizBnTeBefojtDb9nSh4vvVQ3V9Qf9Df01PfawPcRzJH4gFSgrObw+LveUyDoKU3kxi5+9RJTCWlj4FjYXVPEA==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.4.tgz",
+            "integrity": "sha512-tLCwNG47l3sd9lpfyx9LAGEGItCUeRCWeAx6x2Jmbav65nAwoPXfewtAdtbtit/pJFLUWOhpv0FpS6GQAmPrHA==",
             "cpu": [
                 "ppc64"
             ],
@@ -1815,9 +1815,9 @@
             }
         },
         "node_modules/@esbuild/linux-riscv64": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.3.tgz",
-            "integrity": "sha512-3Emwh0r5wmfm3ssTWRQSyVhbOHvqegUDRd0WhmXKX2mkHJe1SFCMJhagUleMq+Uci34wLSipf8Lagt4LlpRFWQ==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.4.tgz",
+            "integrity": "sha512-BnASypppbUWyqjd1KIpU4AUBiIhVr6YlHx/cnPgqEkNoVOhHg+YiSVxM1RLfiy4t9cAulbRGTNCKOcqHrEQLIw==",
             "cpu": [
                 "riscv64"
             ],
@@ -1832,9 +1832,9 @@
             }
         },
         "node_modules/@esbuild/linux-s390x": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.3.tgz",
-            "integrity": "sha512-pBHUx9LzXWBc7MFIEEL0yD/ZVtNgLytvx60gES28GcWMqil8ElCYR4kvbV2BDqsHOvVDRrOxGySBM9Fcv744hw==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.4.tgz",
+            "integrity": "sha512-+eUqgb/Z7vxVLezG8bVB9SfBie89gMueS+I0xYh2tJdw3vqA/0ImZJ2ROeWwVJN59ihBeZ7Tu92dF/5dy5FttA==",
             "cpu": [
                 "s390x"
             ],
@@ -1849,9 +1849,9 @@
             }
         },
         "node_modules/@esbuild/linux-x64": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.3.tgz",
-            "integrity": "sha512-Czi8yzXUWIQYAtL/2y6vogER8pvcsOsk5cpwL4Gk5nJqH5UZiVByIY8Eorm5R13gq+DQKYg0+JyQoytLQas4dA==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.4.tgz",
+            "integrity": "sha512-S5qOXrKV8BQEzJPVxAwnryi2+Iq5pB40gTEIT69BQONqR7JH1EPIcQ/Uiv9mCnn05jff9umq/5nqzxlqTOg9NA==",
             "cpu": [
                 "x64"
             ],
@@ -1866,9 +1866,9 @@
             }
         },
         "node_modules/@esbuild/netbsd-arm64": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.3.tgz",
-            "integrity": "sha512-sDpk0RgmTCR/5HguIZa9n9u+HVKf40fbEUt+iTzSnCaGvY9kFP0YKBWZtJaraonFnqef5SlJ8/TiPAxzyS+UoA==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.4.tgz",
+            "integrity": "sha512-xHT8X4sb0GS8qTqiwzHqpY00C95DPAq7nAwX35Ie/s+LO9830hrMd3oX0ZMKLvy7vsonee73x0lmcdOVXFzd6Q==",
             "cpu": [
                 "arm64"
             ],
@@ -1883,9 +1883,9 @@
             }
         },
         "node_modules/@esbuild/netbsd-x64": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.3.tgz",
-            "integrity": "sha512-P14lFKJl/DdaE00LItAukUdZO5iqNH7+PjoBm+fLQjtxfcfFE20Xf5CrLsmZdq5LFFZzb5JMZ9grUwvtVYzjiA==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.4.tgz",
+            "integrity": "sha512-RugOvOdXfdyi5Tyv40kgQnI0byv66BFgAqjdgtAKqHoZTbTF2QqfQrFwa7cHEORJf6X2ht+l9ABLMP0dnKYsgg==",
             "cpu": [
                 "x64"
             ],
@@ -1900,9 +1900,9 @@
             }
         },
         "node_modules/@esbuild/openbsd-arm64": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.3.tgz",
-            "integrity": "sha512-AIcMP77AvirGbRl/UZFTq5hjXK+2wC7qFRGoHSDrZ5v5b8DK/GYpXW3CPRL53NkvDqb9D+alBiC/dV0Fb7eJcw==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.4.tgz",
+            "integrity": "sha512-2MyL3IAaTX+1/qP0O1SwskwcwCoOI4kV2IBX1xYnDDqthmq5ArrW94qSIKCAuRraMgPOmG0RDTA74mzYNQA9ow==",
             "cpu": [
                 "arm64"
             ],
@@ -1917,9 +1917,9 @@
             }
         },
         "node_modules/@esbuild/openbsd-x64": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.3.tgz",
-            "integrity": "sha512-DnW2sRrBzA+YnE70LKqnM3P+z8vehfJWHXECbwBmH/CU51z6FiqTQTHFenPlHmo3a8UgpLyH3PT+87OViOh1AQ==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.4.tgz",
+            "integrity": "sha512-u8fg/jQ5aQDfsnIV6+KwLOf1CmJnfu1ShpwqdwC0uA7ZPwFws55Ngc12vBdeUdnuWoQYx/SOQLGDcdlfXhYmXQ==",
             "cpu": [
                 "x64"
             ],
@@ -1934,9 +1934,9 @@
             }
         },
         "node_modules/@esbuild/openharmony-arm64": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.3.tgz",
-            "integrity": "sha512-NinAEgr/etERPTsZJ7aEZQvvg/A6IsZG/LgZy+81wON2huV7SrK3e63dU0XhyZP4RKGyTm7aOgmQk0bGp0fy2g==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.4.tgz",
+            "integrity": "sha512-JkTZrl6VbyO8lDQO3yv26nNr2RM2yZzNrNHEsj9bm6dOwwu9OYN28CjzZkH57bh4w0I2F7IodpQvUAEd1mbWXg==",
             "cpu": [
                 "arm64"
             ],
@@ -1951,9 +1951,9 @@
             }
         },
         "node_modules/@esbuild/sunos-x64": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.3.tgz",
-            "integrity": "sha512-PanZ+nEz+eWoBJ8/f8HKxTTD172SKwdXebZ0ndd953gt1HRBbhMsaNqjTyYLGLPdoWHy4zLU7bDVJztF5f3BHA==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.4.tgz",
+            "integrity": "sha512-/gOzgaewZJfeJTlsWhvUEmUG4tWEY2Spp5M20INYRg2ZKl9QPO3QEEgPeRtLjEWSW8FilRNacPOg8R1uaYkA6g==",
             "cpu": [
                 "x64"
             ],
@@ -1968,9 +1968,9 @@
             }
         },
         "node_modules/@esbuild/win32-arm64": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.3.tgz",
-            "integrity": "sha512-B2t59lWWYrbRDw/tjiWOuzSsFh1Y/E95ofKz7rIVYSQkUYBjfSgf6oeYPNWHToFRr2zx52JKApIcAS/D5TUBnA==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.4.tgz",
+            "integrity": "sha512-Z9SExBg2y32smoDQdf1HRwHRt6vAHLXcxD2uGgO/v2jK7Y718Ix4ndsbNMU/+1Qiem9OiOdaqitioZwxivhXYg==",
             "cpu": [
                 "arm64"
             ],
@@ -1985,9 +1985,9 @@
             }
         },
         "node_modules/@esbuild/win32-ia32": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.3.tgz",
-            "integrity": "sha512-QLKSFeXNS8+tHW7tZpMtjlNb7HKau0QDpwm49u0vUp9y1WOF+PEzkU84y9GqYaAVW8aH8f3GcBck26jh54cX4Q==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.4.tgz",
+            "integrity": "sha512-DAyGLS0Jz5G5iixEbMHi5KdiApqHBWMGzTtMiJ72ZOLhbu/bzxgAe8Ue8CTS3n3HbIUHQz/L51yMdGMeoxXNJw==",
             "cpu": [
                 "ia32"
             ],
@@ -2002,9 +2002,9 @@
             }
         },
         "node_modules/@esbuild/win32-x64": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.3.tgz",
-            "integrity": "sha512-4uJGhsxuptu3OcpVAzli+/gWusVGwZZHTlS63hh++ehExkVT8SgiEf7/uC/PclrPPkLhZqGgCTjd0VWLo6xMqA==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.4.tgz",
+            "integrity": "sha512-+knoa0BDoeXgkNvvV1vvbZX4+hizelrkwmGJBdT17t8FNPwG2lKemmuMZlmaNQ3ws3DKKCxpb4zRZEIp3UxFCg==",
             "cpu": [
                 "x64"
             ],
@@ -8049,49 +8049,49 @@
             }
         },
         "node_modules/@tailwindcss/node": {
-            "version": "4.2.1",
-            "resolved": "https://registry.npmjs.org/@tailwindcss/node/-/node-4.2.1.tgz",
-            "integrity": "sha512-jlx6sLk4EOwO6hHe1oCGm1Q4AN/s0rSrTTPBGPM0/RQ6Uylwq17FuU8IeJJKEjtc6K6O07zsvP+gDO6MMWo7pg==",
+            "version": "4.2.2",
+            "resolved": "https://registry.npmjs.org/@tailwindcss/node/-/node-4.2.2.tgz",
+            "integrity": "sha512-pXS+wJ2gZpVXqFaUEjojq7jzMpTGf8rU6ipJz5ovJV6PUGmlJ+jvIwGrzdHdQ80Sg+wmQxUFuoW1UAAwHNEdFA==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
                 "@jridgewell/remapping": "^2.3.5",
                 "enhanced-resolve": "^5.19.0",
                 "jiti": "^2.6.1",
-                "lightningcss": "1.31.1",
+                "lightningcss": "1.32.0",
                 "magic-string": "^0.30.21",
                 "source-map-js": "^1.2.1",
-                "tailwindcss": "4.2.1"
+                "tailwindcss": "4.2.2"
             }
         },
         "node_modules/@tailwindcss/oxide": {
-            "version": "4.2.1",
-            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide/-/oxide-4.2.1.tgz",
-            "integrity": "sha512-yv9jeEFWnjKCI6/T3Oq50yQEOqmpmpfzG1hcZsAOaXFQPfzWprWrlHSdGPEF3WQTi8zu8ohC9Mh9J470nT5pUw==",
+            "version": "4.2.2",
+            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide/-/oxide-4.2.2.tgz",
+            "integrity": "sha512-qEUA07+E5kehxYp9BVMpq9E8vnJuBHfJEC0vPC5e7iL/hw7HR61aDKoVoKzrG+QKp56vhNZe4qwkRmMC0zDLvg==",
             "dev": true,
             "license": "MIT",
             "engines": {
                 "node": ">= 20"
             },
             "optionalDependencies": {
-                "@tailwindcss/oxide-android-arm64": "4.2.1",
-                "@tailwindcss/oxide-darwin-arm64": "4.2.1",
-                "@tailwindcss/oxide-darwin-x64": "4.2.1",
-                "@tailwindcss/oxide-freebsd-x64": "4.2.1",
-                "@tailwindcss/oxide-linux-arm-gnueabihf": "4.2.1",
-                "@tailwindcss/oxide-linux-arm64-gnu": "4.2.1",
-                "@tailwindcss/oxide-linux-arm64-musl": "4.2.1",
-                "@tailwindcss/oxide-linux-x64-gnu": "4.2.1",
-                "@tailwindcss/oxide-linux-x64-musl": "4.2.1",
-                "@tailwindcss/oxide-wasm32-wasi": "4.2.1",
-                "@tailwindcss/oxide-win32-arm64-msvc": "4.2.1",
-                "@tailwindcss/oxide-win32-x64-msvc": "4.2.1"
+                "@tailwindcss/oxide-android-arm64": "4.2.2",
+                "@tailwindcss/oxide-darwin-arm64": "4.2.2",
+                "@tailwindcss/oxide-darwin-x64": "4.2.2",
+                "@tailwindcss/oxide-freebsd-x64": "4.2.2",
+                "@tailwindcss/oxide-linux-arm-gnueabihf": "4.2.2",
+                "@tailwindcss/oxide-linux-arm64-gnu": "4.2.2",
+                "@tailwindcss/oxide-linux-arm64-musl": "4.2.2",
+                "@tailwindcss/oxide-linux-x64-gnu": "4.2.2",
+                "@tailwindcss/oxide-linux-x64-musl": "4.2.2",
+                "@tailwindcss/oxide-wasm32-wasi": "4.2.2",
+                "@tailwindcss/oxide-win32-arm64-msvc": "4.2.2",
+                "@tailwindcss/oxide-win32-x64-msvc": "4.2.2"
             }
         },
         "node_modules/@tailwindcss/oxide-android-arm64": {
-            "version": "4.2.1",
-            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-android-arm64/-/oxide-android-arm64-4.2.1.tgz",
-            "integrity": "sha512-eZ7G1Zm5EC8OOKaesIKuw77jw++QJ2lL9N+dDpdQiAB/c/B2wDh0QPFHbkBVrXnwNugvrbJFk1gK2SsVjwWReg==",
+            "version": "4.2.2",
+            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-android-arm64/-/oxide-android-arm64-4.2.2.tgz",
+            "integrity": "sha512-dXGR1n+P3B6748jZO/SvHZq7qBOqqzQ+yFrXpoOWWALWndF9MoSKAT3Q0fYgAzYzGhxNYOoysRvYlpixRBBoDg==",
             "cpu": [
                 "arm64"
             ],
@@ -8106,9 +8106,9 @@
             }
         },
         "node_modules/@tailwindcss/oxide-darwin-arm64": {
-            "version": "4.2.1",
-            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-arm64/-/oxide-darwin-arm64-4.2.1.tgz",
-            "integrity": "sha512-q/LHkOstoJ7pI1J0q6djesLzRvQSIfEto148ppAd+BVQK0JYjQIFSK3JgYZJa+Yzi0DDa52ZsQx2rqytBnf8Hw==",
+            "version": "4.2.2",
+            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-arm64/-/oxide-darwin-arm64-4.2.2.tgz",
+            "integrity": "sha512-iq9Qjr6knfMpZHj55/37ouZeykwbDqF21gPFtfnhCCKGDcPI/21FKC9XdMO/XyBM7qKORx6UIhGgg6jLl7BZlg==",
             "cpu": [
                 "arm64"
             ],
@@ -8123,9 +8123,9 @@
             }
         },
         "node_modules/@tailwindcss/oxide-darwin-x64": {
-            "version": "4.2.1",
-            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-x64/-/oxide-darwin-x64-4.2.1.tgz",
-            "integrity": "sha512-/f/ozlaXGY6QLbpvd/kFTro2l18f7dHKpB+ieXz+Cijl4Mt9AI2rTrpq7V+t04nK+j9XBQHnSMdeQRhbGyt6fw==",
+            "version": "4.2.2",
+            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-x64/-/oxide-darwin-x64-4.2.2.tgz",
+            "integrity": "sha512-BlR+2c3nzc8f2G639LpL89YY4bdcIdUmiOOkv2GQv4/4M0vJlpXEa0JXNHhCHU7VWOKWT/CjqHdTP8aUuDJkuw==",
             "cpu": [
                 "x64"
             ],
@@ -8140,9 +8140,9 @@
             }
         },
         "node_modules/@tailwindcss/oxide-freebsd-x64": {
-            "version": "4.2.1",
-            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-freebsd-x64/-/oxide-freebsd-x64-4.2.1.tgz",
-            "integrity": "sha512-5e/AkgYJT/cpbkys/OU2Ei2jdETCLlifwm7ogMC7/hksI2fC3iiq6OcXwjibcIjPung0kRtR3TxEITkqgn0TcA==",
+            "version": "4.2.2",
+            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-freebsd-x64/-/oxide-freebsd-x64-4.2.2.tgz",
+            "integrity": "sha512-YUqUgrGMSu2CDO82hzlQ5qSb5xmx3RUrke/QgnoEx7KvmRJHQuZHZmZTLSuuHwFf0DJPybFMXMYf+WJdxHy/nQ==",
             "cpu": [
                 "x64"
             ],
@@ -8157,9 +8157,9 @@
             }
         },
         "node_modules/@tailwindcss/oxide-linux-arm-gnueabihf": {
-            "version": "4.2.1",
-            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm-gnueabihf/-/oxide-linux-arm-gnueabihf-4.2.1.tgz",
-            "integrity": "sha512-Uny1EcVTTmerCKt/1ZuKTkb0x8ZaiuYucg2/kImO5A5Y/kBz41/+j0gxUZl+hTF3xkWpDmHX+TaWhOtba2Fyuw==",
+            "version": "4.2.2",
+            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm-gnueabihf/-/oxide-linux-arm-gnueabihf-4.2.2.tgz",
+            "integrity": "sha512-FPdhvsW6g06T9BWT0qTwiVZYE2WIFo2dY5aCSpjG/S/u1tby+wXoslXS0kl3/KXnULlLr1E3NPRRw0g7t2kgaQ==",
             "cpu": [
                 "arm"
             ],
@@ -8174,9 +8174,9 @@
             }
         },
         "node_modules/@tailwindcss/oxide-linux-arm64-gnu": {
-            "version": "4.2.1",
-            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-gnu/-/oxide-linux-arm64-gnu-4.2.1.tgz",
-            "integrity": "sha512-CTrwomI+c7n6aSSQlsPL0roRiNMDQ/YzMD9EjcR+H4f0I1SQ8QqIuPnsVp7QgMkC1Qi8rtkekLkOFjo7OlEFRQ==",
+            "version": "4.2.2",
+            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-gnu/-/oxide-linux-arm64-gnu-4.2.2.tgz",
+            "integrity": "sha512-4og1V+ftEPXGttOO7eCmW7VICmzzJWgMx+QXAJRAhjrSjumCwWqMfkDrNu1LXEQzNAwz28NCUpucgQPrR4S2yw==",
             "cpu": [
                 "arm64"
             ],
@@ -8191,9 +8191,9 @@
             }
         },
         "node_modules/@tailwindcss/oxide-linux-arm64-musl": {
-            "version": "4.2.1",
-            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-musl/-/oxide-linux-arm64-musl-4.2.1.tgz",
-            "integrity": "sha512-WZA0CHRL/SP1TRbA5mp9htsppSEkWuQ4KsSUumYQnyl8ZdT39ntwqmz4IUHGN6p4XdSlYfJwM4rRzZLShHsGAQ==",
+            "version": "4.2.2",
+            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-musl/-/oxide-linux-arm64-musl-4.2.2.tgz",
+            "integrity": "sha512-oCfG/mS+/+XRlwNjnsNLVwnMWYH7tn/kYPsNPh+JSOMlnt93mYNCKHYzylRhI51X+TbR+ufNhhKKzm6QkqX8ag==",
             "cpu": [
                 "arm64"
             ],
@@ -8208,9 +8208,9 @@
             }
         },
         "node_modules/@tailwindcss/oxide-linux-x64-gnu": {
-            "version": "4.2.1",
-            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-gnu/-/oxide-linux-x64-gnu-4.2.1.tgz",
-            "integrity": "sha512-qMFzxI2YlBOLW5PhblzuSWlWfwLHaneBE0xHzLrBgNtqN6mWfs+qYbhryGSXQjFYB1Dzf5w+LN5qbUTPhW7Y5g==",
+            "version": "4.2.2",
+            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-gnu/-/oxide-linux-x64-gnu-4.2.2.tgz",
+            "integrity": "sha512-rTAGAkDgqbXHNp/xW0iugLVmX62wOp2PoE39BTCGKjv3Iocf6AFbRP/wZT/kuCxC9QBh9Pu8XPkv/zCZB2mcMg==",
             "cpu": [
                 "x64"
             ],
@@ -8225,9 +8225,9 @@
             }
         },
         "node_modules/@tailwindcss/oxide-linux-x64-musl": {
-            "version": "4.2.1",
-            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-musl/-/oxide-linux-x64-musl-4.2.1.tgz",
-            "integrity": "sha512-5r1X2FKnCMUPlXTWRYpHdPYUY6a1Ar/t7P24OuiEdEOmms5lyqjDRvVY1yy9Rmioh+AunQ0rWiOTPE8F9A3v5g==",
+            "version": "4.2.2",
+            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-musl/-/oxide-linux-x64-musl-4.2.2.tgz",
+            "integrity": "sha512-XW3t3qwbIwiSyRCggeO2zxe3KWaEbM0/kW9e8+0XpBgyKU4ATYzcVSMKteZJ1iukJ3HgHBjbg9P5YPRCVUxlnQ==",
             "cpu": [
                 "x64"
             ],
@@ -8242,9 +8242,9 @@
             }
         },
         "node_modules/@tailwindcss/oxide-wasm32-wasi": {
-            "version": "4.2.1",
-            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-wasm32-wasi/-/oxide-wasm32-wasi-4.2.1.tgz",
-            "integrity": "sha512-MGFB5cVPvshR85MTJkEvqDUnuNoysrsRxd6vnk1Lf2tbiqNlXpHYZqkqOQalydienEWOHHFyyuTSYRsLfxFJ2Q==",
+            "version": "4.2.2",
+            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-wasm32-wasi/-/oxide-wasm32-wasi-4.2.2.tgz",
+            "integrity": "sha512-eKSztKsmEsn1O5lJ4ZAfyn41NfG7vzCg496YiGtMDV86jz1q/irhms5O0VrY6ZwTUkFy/EKG3RfWgxSI3VbZ8Q==",
             "bundleDependencies": [
                 "@napi-rs/wasm-runtime",
                 "@emnapi/core",
@@ -8336,9 +8336,9 @@
             "optional": true
         },
         "node_modules/@tailwindcss/oxide-win32-arm64-msvc": {
-            "version": "4.2.1",
-            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-arm64-msvc/-/oxide-win32-arm64-msvc-4.2.1.tgz",
-            "integrity": "sha512-YlUEHRHBGnCMh4Nj4GnqQyBtsshUPdiNroZj8VPkvTZSoHsilRCwXcVKnG9kyi0ZFAS/3u+qKHBdDc81SADTRA==",
+            "version": "4.2.2",
+            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-arm64-msvc/-/oxide-win32-arm64-msvc-4.2.2.tgz",
+            "integrity": "sha512-qPmaQM4iKu5mxpsrWZMOZRgZv1tOZpUm+zdhhQP0VhJfyGGO3aUKdbh3gDZc/dPLQwW4eSqWGrrcWNBZWUWaXQ==",
             "cpu": [
                 "arm64"
             ],
@@ -8353,9 +8353,9 @@
             }
         },
         "node_modules/@tailwindcss/oxide-win32-x64-msvc": {
-            "version": "4.2.1",
-            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-x64-msvc/-/oxide-win32-x64-msvc-4.2.1.tgz",
-            "integrity": "sha512-rbO34G5sMWWyrN/idLeVxAZgAKWrn5LiR3/I90Q9MkA67s6T1oB0xtTe+0heoBvHSpbU9Mk7i6uwJnpo4u21XQ==",
+            "version": "4.2.2",
+            "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-x64-msvc/-/oxide-win32-x64-msvc-4.2.2.tgz",
+            "integrity": "sha512-1T/37VvI7WyH66b+vqHj/cLwnCxt7Qt3WFu5Q8hk65aOvlwAhs7rAp1VkulBJw/N4tMirXjVnylTR72uI0HGcA==",
             "cpu": [
                 "x64"
             ],
@@ -8370,17 +8370,17 @@
             }
         },
         "node_modules/@tailwindcss/postcss": {
-            "version": "4.2.1",
-            "resolved": "https://registry.npmjs.org/@tailwindcss/postcss/-/postcss-4.2.1.tgz",
-            "integrity": "sha512-OEwGIBnXnj7zJeonOh6ZG9woofIjGrd2BORfvE5p9USYKDCZoQmfqLcfNiRWoJlRWLdNPn2IgVZuWAOM4iTYMw==",
+            "version": "4.2.2",
+            "resolved": "https://registry.npmjs.org/@tailwindcss/postcss/-/postcss-4.2.2.tgz",
+            "integrity": "sha512-n4goKQbW8RVXIbNKRB/45LzyUqN451deQK0nzIeauVEqjlI49slUlgKYJM2QyUzap/PcpnS7kzSUmPb1sCRvYQ==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
                 "@alloc/quick-lru": "^5.2.0",
-                "@tailwindcss/node": "4.2.1",
-                "@tailwindcss/oxide": "4.2.1",
+                "@tailwindcss/node": "4.2.2",
+                "@tailwindcss/oxide": "4.2.2",
                 "postcss": "^8.5.6",
-                "tailwindcss": "4.2.1"
+                "tailwindcss": "4.2.2"
             }
         },
         "node_modules/@tanstack/query-core": {
@@ -12070,9 +12070,9 @@
             }
         },
         "node_modules/enhanced-resolve": {
-            "version": "5.20.0",
-            "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.20.0.tgz",
-            "integrity": "sha512-/ce7+jQ1PQ6rVXwe+jKEg5hW5ciicHwIQUagZkp6IufBoY3YDgdTTY1azVs0qoRgVmvsNB+rbjLJxDAeHHtwsQ==",
+            "version": "5.20.1",
+            "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.20.1.tgz",
+            "integrity": "sha512-Qohcme7V1inbAfvjItgw0EaxVX5q2rdVEZHRBrEQdRZTssLDGsL8Lwrznl8oQ/6kuTJONLaDcGjkNP247XEhcA==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
@@ -12283,9 +12283,9 @@
             }
         },
         "node_modules/esbuild": {
-            "version": "0.27.3",
-            "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.3.tgz",
-            "integrity": "sha512-8VwMnyGCONIs6cWue2IdpHxHnAjzxnw2Zr7MkVxB2vjmQ2ivqGFb4LEG3SMnv0Gb2F/G/2yA8zUaiL1gywDCCg==",
+            "version": "0.27.4",
+            "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.4.tgz",
+            "integrity": "sha512-Rq4vbHnYkK5fws5NF7MYTU68FPRE1ajX7heQ/8QXXWqNgqqJ/GkmmyxIzUnf2Sr/bakf8l54716CcMGHYhMrrQ==",
             "dev": true,
             "hasInstallScript": true,
             "license": "MIT",
@@ -12296,32 +12296,32 @@
                 "node": ">=18"
             },
             "optionalDependencies": {
-                "@esbuild/aix-ppc64": "0.27.3",
-                "@esbuild/android-arm": "0.27.3",
-                "@esbuild/android-arm64": "0.27.3",
-                "@esbuild/android-x64": "0.27.3",
-                "@esbuild/darwin-arm64": "0.27.3",
-                "@esbuild/darwin-x64": "0.27.3",
-                "@esbuild/freebsd-arm64": "0.27.3",
-                "@esbuild/freebsd-x64": "0.27.3",
-                "@esbuild/linux-arm": "0.27.3",
-                "@esbuild/linux-arm64": "0.27.3",
-                "@esbuild/linux-ia32": "0.27.3",
-                "@esbuild/linux-loong64": "0.27.3",
-                "@esbuild/linux-mips64el": "0.27.3",
-                "@esbuild/linux-ppc64": "0.27.3",
-                "@esbuild/linux-riscv64": "0.27.3",
-                "@esbuild/linux-s390x": "0.27.3",
-                "@esbuild/linux-x64": "0.27.3",
-                "@esbuild/netbsd-arm64": "0.27.3",
-                "@esbuild/netbsd-x64": "0.27.3",
-                "@esbuild/openbsd-arm64": "0.27.3",
-                "@esbuild/openbsd-x64": "0.27.3",
-                "@esbuild/openharmony-arm64": "0.27.3",
-                "@esbuild/sunos-x64": "0.27.3",
-                "@esbuild/win32-arm64": "0.27.3",
-                "@esbuild/win32-ia32": "0.27.3",
-                "@esbuild/win32-x64": "0.27.3"
+                "@esbuild/aix-ppc64": "0.27.4",
+                "@esbuild/android-arm": "0.27.4",
+                "@esbuild/android-arm64": "0.27.4",
+                "@esbuild/android-x64": "0.27.4",
+                "@esbuild/darwin-arm64": "0.27.4",
+                "@esbuild/darwin-x64": "0.27.4",
+                "@esbuild/freebsd-arm64": "0.27.4",
+                "@esbuild/freebsd-x64": "0.27.4",
+                "@esbuild/linux-arm": "0.27.4",
+                "@esbuild/linux-arm64": "0.27.4",
+                "@esbuild/linux-ia32": "0.27.4",
+                "@esbuild/linux-loong64": "0.27.4",
+                "@esbuild/linux-mips64el": "0.27.4",
+                "@esbuild/linux-ppc64": "0.27.4",
+                "@esbuild/linux-riscv64": "0.27.4",
+                "@esbuild/linux-s390x": "0.27.4",
+                "@esbuild/linux-x64": "0.27.4",
+                "@esbuild/netbsd-arm64": "0.27.4",
+                "@esbuild/netbsd-x64": "0.27.4",
+                "@esbuild/openbsd-arm64": "0.27.4",
+                "@esbuild/openbsd-x64": "0.27.4",
+                "@esbuild/openharmony-arm64": "0.27.4",
+                "@esbuild/sunos-x64": "0.27.4",
+                "@esbuild/win32-arm64": "0.27.4",
+                "@esbuild/win32-ia32": "0.27.4",
+                "@esbuild/win32-x64": "0.27.4"
             }
         },
         "node_modules/esbuild-node-externals": {
@@ -14673,9 +14673,9 @@
             }
         },
         "node_modules/lightningcss": {
-            "version": "1.31.1",
-            "resolved": "https://registry.npmjs.org/lightningcss/-/lightningcss-1.31.1.tgz",
-            "integrity": "sha512-l51N2r93WmGUye3WuFoN5k10zyvrVs0qfKBhyC5ogUQ6Ew6JUSswh78mbSO+IU3nTWsyOArqPCcShdQSadghBQ==",
+            "version": "1.32.0",
+            "resolved": "https://registry.npmjs.org/lightningcss/-/lightningcss-1.32.0.tgz",
+            "integrity": "sha512-NXYBzinNrblfraPGyrbPoD19C1h9lfI/1mzgWYvXUTe414Gz/X1FD2XBZSZM7rRTrMA8JL3OtAaGifrIKhQ5yQ==",
             "dev": true,
             "license": "MPL-2.0",
             "dependencies": {
@@ -14689,23 +14689,23 @@
                 "url": "https://opencollective.com/parcel"
             },
             "optionalDependencies": {
-                "lightningcss-android-arm64": "1.31.1",
-                "lightningcss-darwin-arm64": "1.31.1",
-                "lightningcss-darwin-x64": "1.31.1",
-                "lightningcss-freebsd-x64": "1.31.1",
-                "lightningcss-linux-arm-gnueabihf": "1.31.1",
-                "lightningcss-linux-arm64-gnu": "1.31.1",
-                "lightningcss-linux-arm64-musl": "1.31.1",
-                "lightningcss-linux-x64-gnu": "1.31.1",
-                "lightningcss-linux-x64-musl": "1.31.1",
-                "lightningcss-win32-arm64-msvc": "1.31.1",
-                "lightningcss-win32-x64-msvc": "1.31.1"
+                "lightningcss-android-arm64": "1.32.0",
+                "lightningcss-darwin-arm64": "1.32.0",
+                "lightningcss-darwin-x64": "1.32.0",
+                "lightningcss-freebsd-x64": "1.32.0",
+                "lightningcss-linux-arm-gnueabihf": "1.32.0",
+                "lightningcss-linux-arm64-gnu": "1.32.0",
+                "lightningcss-linux-arm64-musl": "1.32.0",
+                "lightningcss-linux-x64-gnu": "1.32.0",
+                "lightningcss-linux-x64-musl": "1.32.0",
+                "lightningcss-win32-arm64-msvc": "1.32.0",
+                "lightningcss-win32-x64-msvc": "1.32.0"
             }
         },
         "node_modules/lightningcss-android-arm64": {
-            "version": "1.31.1",
-            "resolved": "https://registry.npmjs.org/lightningcss-android-arm64/-/lightningcss-android-arm64-1.31.1.tgz",
-            "integrity": "sha512-HXJF3x8w9nQ4jbXRiNppBCqeZPIAfUo8zE/kOEGbW5NZvGc/K7nMxbhIr+YlFlHW5mpbg/YFPdbnCh1wAXCKFg==",
+            "version": "1.32.0",
+            "resolved": "https://registry.npmjs.org/lightningcss-android-arm64/-/lightningcss-android-arm64-1.32.0.tgz",
+            "integrity": "sha512-YK7/ClTt4kAK0vo6w3X+Pnm0D2cf2vPHbhOXdoNti1Ga0al1P4TBZhwjATvjNwLEBCnKvjJc2jQgHXH0NEwlAg==",
             "cpu": [
                 "arm64"
             ],
@@ -14724,9 +14724,9 @@
             }
         },
         "node_modules/lightningcss-darwin-arm64": {
-            "version": "1.31.1",
-            "resolved": "https://registry.npmjs.org/lightningcss-darwin-arm64/-/lightningcss-darwin-arm64-1.31.1.tgz",
-            "integrity": "sha512-02uTEqf3vIfNMq3h/z2cJfcOXnQ0GRwQrkmPafhueLb2h7mqEidiCzkE4gBMEH65abHRiQvhdcQ+aP0D0g67sg==",
+            "version": "1.32.0",
+            "resolved": "https://registry.npmjs.org/lightningcss-darwin-arm64/-/lightningcss-darwin-arm64-1.32.0.tgz",
+            "integrity": "sha512-RzeG9Ju5bag2Bv1/lwlVJvBE3q6TtXskdZLLCyfg5pt+HLz9BqlICO7LZM7VHNTTn/5PRhHFBSjk5lc4cmscPQ==",
             "cpu": [
                 "arm64"
             ],
@@ -14745,9 +14745,9 @@
             }
         },
         "node_modules/lightningcss-darwin-x64": {
-            "version": "1.31.1",
-            "resolved": "https://registry.npmjs.org/lightningcss-darwin-x64/-/lightningcss-darwin-x64-1.31.1.tgz",
-            "integrity": "sha512-1ObhyoCY+tGxtsz1lSx5NXCj3nirk0Y0kB/g8B8DT+sSx4G9djitg9ejFnjb3gJNWo7qXH4DIy2SUHvpoFwfTA==",
+            "version": "1.32.0",
+            "resolved": "https://registry.npmjs.org/lightningcss-darwin-x64/-/lightningcss-darwin-x64-1.32.0.tgz",
+            "integrity": "sha512-U+QsBp2m/s2wqpUYT/6wnlagdZbtZdndSmut/NJqlCcMLTWp5muCrID+K5UJ6jqD2BFshejCYXniPDbNh73V8w==",
             "cpu": [
                 "x64"
             ],
@@ -14766,9 +14766,9 @@
             }
         },
         "node_modules/lightningcss-freebsd-x64": {
-            "version": "1.31.1",
-            "resolved": "https://registry.npmjs.org/lightningcss-freebsd-x64/-/lightningcss-freebsd-x64-1.31.1.tgz",
-            "integrity": "sha512-1RINmQKAItO6ISxYgPwszQE1BrsVU5aB45ho6O42mu96UiZBxEXsuQ7cJW4zs4CEodPUioj/QrXW1r9pLUM74A==",
+            "version": "1.32.0",
+            "resolved": "https://registry.npmjs.org/lightningcss-freebsd-x64/-/lightningcss-freebsd-x64-1.32.0.tgz",
+            "integrity": "sha512-JCTigedEksZk3tHTTthnMdVfGf61Fky8Ji2E4YjUTEQX14xiy/lTzXnu1vwiZe3bYe0q+SpsSH/CTeDXK6WHig==",
             "cpu": [
                 "x64"
             ],
@@ -14787,9 +14787,9 @@
             }
         },
         "node_modules/lightningcss-linux-arm-gnueabihf": {
-            "version": "1.31.1",
-            "resolved": "https://registry.npmjs.org/lightningcss-linux-arm-gnueabihf/-/lightningcss-linux-arm-gnueabihf-1.31.1.tgz",
-            "integrity": "sha512-OOCm2//MZJ87CdDK62rZIu+aw9gBv4azMJuA8/KB74wmfS3lnC4yoPHm0uXZ/dvNNHmnZnB8XLAZzObeG0nS1g==",
+            "version": "1.32.0",
+            "resolved": "https://registry.npmjs.org/lightningcss-linux-arm-gnueabihf/-/lightningcss-linux-arm-gnueabihf-1.32.0.tgz",
+            "integrity": "sha512-x6rnnpRa2GL0zQOkt6rts3YDPzduLpWvwAF6EMhXFVZXD4tPrBkEFqzGowzCsIWsPjqSK+tyNEODUBXeeVHSkw==",
             "cpu": [
                 "arm"
             ],
@@ -14808,9 +14808,9 @@
             }
         },
         "node_modules/lightningcss-linux-arm64-gnu": {
-            "version": "1.31.1",
-            "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-gnu/-/lightningcss-linux-arm64-gnu-1.31.1.tgz",
-            "integrity": "sha512-WKyLWztD71rTnou4xAD5kQT+982wvca7E6QoLpoawZ1gP9JM0GJj4Tp5jMUh9B3AitHbRZ2/H3W5xQmdEOUlLg==",
+            "version": "1.32.0",
+            "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-gnu/-/lightningcss-linux-arm64-gnu-1.32.0.tgz",
+            "integrity": "sha512-0nnMyoyOLRJXfbMOilaSRcLH3Jw5z9HDNGfT/gwCPgaDjnx0i8w7vBzFLFR1f6CMLKF8gVbebmkUN3fa/kQJpQ==",
             "cpu": [
                 "arm64"
             ],
@@ -14829,9 +14829,9 @@
             }
         },
         "node_modules/lightningcss-linux-arm64-musl": {
-            "version": "1.31.1",
-            "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-musl/-/lightningcss-linux-arm64-musl-1.31.1.tgz",
-            "integrity": "sha512-mVZ7Pg2zIbe3XlNbZJdjs86YViQFoJSpc41CbVmKBPiGmC4YrfeOyz65ms2qpAobVd7WQsbW4PdsSJEMymyIMg==",
+            "version": "1.32.0",
+            "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-musl/-/lightningcss-linux-arm64-musl-1.32.0.tgz",
+            "integrity": "sha512-UpQkoenr4UJEzgVIYpI80lDFvRmPVg6oqboNHfoH4CQIfNA+HOrZ7Mo7KZP02dC6LjghPQJeBsvXhJod/wnIBg==",
             "cpu": [
                 "arm64"
             ],
@@ -14850,9 +14850,9 @@
             }
         },
         "node_modules/lightningcss-linux-x64-gnu": {
-            "version": "1.31.1",
-            "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-gnu/-/lightningcss-linux-x64-gnu-1.31.1.tgz",
-            "integrity": "sha512-xGlFWRMl+0KvUhgySdIaReQdB4FNudfUTARn7q0hh/V67PVGCs3ADFjw+6++kG1RNd0zdGRlEKa+T13/tQjPMA==",
+            "version": "1.32.0",
+            "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-gnu/-/lightningcss-linux-x64-gnu-1.32.0.tgz",
+            "integrity": "sha512-V7Qr52IhZmdKPVr+Vtw8o+WLsQJYCTd8loIfpDaMRWGUZfBOYEJeyJIkqGIDMZPwPx24pUMfwSxxI8phr/MbOA==",
             "cpu": [
                 "x64"
             ],
@@ -14871,9 +14871,9 @@
             }
         },
         "node_modules/lightningcss-linux-x64-musl": {
-            "version": "1.31.1",
-            "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-musl/-/lightningcss-linux-x64-musl-1.31.1.tgz",
-            "integrity": "sha512-eowF8PrKHw9LpoZii5tdZwnBcYDxRw2rRCyvAXLi34iyeYfqCQNA9rmUM0ce62NlPhCvof1+9ivRaTY6pSKDaA==",
+            "version": "1.32.0",
+            "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-musl/-/lightningcss-linux-x64-musl-1.32.0.tgz",
+            "integrity": "sha512-bYcLp+Vb0awsiXg/80uCRezCYHNg1/l3mt0gzHnWV9XP1W5sKa5/TCdGWaR/zBM2PeF/HbsQv/j2URNOiVuxWg==",
             "cpu": [
                 "x64"
             ],
@@ -14892,9 +14892,9 @@
             }
         },
         "node_modules/lightningcss-win32-arm64-msvc": {
-            "version": "1.31.1",
-            "resolved": "https://registry.npmjs.org/lightningcss-win32-arm64-msvc/-/lightningcss-win32-arm64-msvc-1.31.1.tgz",
-            "integrity": "sha512-aJReEbSEQzx1uBlQizAOBSjcmr9dCdL3XuC/6HLXAxmtErsj2ICo5yYggg1qOODQMtnjNQv2UHb9NpOuFtYe4w==",
+            "version": "1.32.0",
+            "resolved": "https://registry.npmjs.org/lightningcss-win32-arm64-msvc/-/lightningcss-win32-arm64-msvc-1.32.0.tgz",
+            "integrity": "sha512-8SbC8BR40pS6baCM8sbtYDSwEVQd4JlFTOlaD3gWGHfThTcABnNDBda6eTZeqbofalIJhFx0qKzgHJmcPTnGdw==",
             "cpu": [
                 "arm64"
             ],
@@ -14913,9 +14913,9 @@
             }
         },
         "node_modules/lightningcss-win32-x64-msvc": {
-            "version": "1.31.1",
-            "resolved": "https://registry.npmjs.org/lightningcss-win32-x64-msvc/-/lightningcss-win32-x64-msvc-1.31.1.tgz",
-            "integrity": "sha512-I9aiFrbd7oYHwlnQDqr1Roz+fTz61oDDJX7n9tYF9FJymH1cIN1DtKw3iYt6b8WZgEjoNwVSncwF4wx/ZedMhw==",
+            "version": "1.32.0",
+            "resolved": "https://registry.npmjs.org/lightningcss-win32-x64-msvc/-/lightningcss-win32-x64-msvc-1.32.0.tgz",
+            "integrity": "sha512-Amq9B/SoZYdDi1kFrojnoqPLxYhQ4Wo5XiL8EVJrVsB8ARoC1PWW6VGtT0WKCemjy8aC+louJnjS7U18x3b06Q==",
             "cpu": [
                 "x64"
             ],
@@ -18662,15 +18662,15 @@
             }
         },
         "node_modules/tailwindcss": {
-            "version": "4.2.1",
-            "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.2.1.tgz",
-            "integrity": "sha512-/tBrSQ36vCleJkAOsy9kbNTgaxvGbyOamC30PRePTQe/o1MFwEKHQk4Cn7BNGaPtjp+PuUrByJehM1hgxfq4sw==",
+            "version": "4.2.2",
+            "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.2.2.tgz",
+            "integrity": "sha512-KWBIxs1Xb6NoLdMVqhbhgwZf2PGBpPEiwOqgI4pFIYbNTfBXiKYyWoTsXgBQ9WFg/OlhnvHaY+AEpW7wSmFo2Q==",
             "license": "MIT"
         },
         "node_modules/tapable": {
-            "version": "2.3.0",
-            "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.0.tgz",
-            "integrity": "sha512-g9ljZiwki/LfxmQADO3dEY1CbpmXT5Hm2fJ+QaGKwSXUylMybePR7/67YW7jOrrvjEgL1Fmz5kzyAjWVWLlucg==",
+            "version": "2.3.2",
+            "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.2.tgz",
+            "integrity": "sha512-1MOpMXuhGzGL5TTCZFItxCc0AARf1EZFQkGqMm7ERKj8+Hgr5oLvJOVFcC+lRmR8hCe2S3jC4T5D7Vg/d7/fhA==",
             "dev": true,
             "license": "MIT",
             "engines": {
diff --git a/package.json b/package.json
index 05ae3b49f..3d835f524 100644
--- a/package.json
+++ b/package.json
@@ -134,7 +134,7 @@
         "@dotenvx/dotenvx": "1.54.1",
         "@esbuild-plugins/tsconfig-paths": "0.1.2",
         "@react-email/preview-server": "5.2.10",
-        "@tailwindcss/postcss": "4.2.1",
+        "@tailwindcss/postcss": "4.2.2",
         "@tanstack/react-query-devtools": "5.91.3",
         "@types/better-sqlite3": "7.6.13",
         "@types/cookie-parser": "1.4.10",
@@ -160,21 +160,21 @@
         "@types/yargs": "17.0.35",
         "babel-plugin-react-compiler": "1.0.0",
         "drizzle-kit": "0.31.10",
-        "esbuild": "0.27.3",
+        "esbuild": "0.27.4",
         "esbuild-node-externals": "1.20.1",
         "eslint": "10.0.3",
         "eslint-config-next": "16.1.7",
         "postcss": "8.5.8",
         "prettier": "3.8.1",
         "react-email": "5.2.10",
-        "tailwindcss": "4.2.1",
+        "tailwindcss": "4.2.2",
         "tsc-alias": "1.8.16",
         "tsx": "4.21.0",
         "typescript": "5.9.3",
         "typescript-eslint": "8.56.1"
     },
     "overrides": {
-        "esbuild": "0.27.3",
+        "esbuild": "0.27.4",
         "dompurify": "3.3.2"
     }
 }

From 1e9544af0773307ed1fceae9730648cf86290270 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sun, 29 Mar 2026 20:29:31 -0700
Subject: [PATCH 159/314] Customize table a little more

---
 src/components/PendingSitesTable.tsx | 129 ++++++++++++++++-----------
 1 file changed, 77 insertions(+), 52 deletions(-)

diff --git a/src/components/PendingSitesTable.tsx b/src/components/PendingSitesTable.tsx
index ae22c1bc1..2d1ac8769 100644
--- a/src/components/PendingSitesTable.tsx
+++ b/src/components/PendingSitesTable.tsx
@@ -2,6 +2,12 @@
 
 import { Badge } from "@app/components/ui/badge";
 import { Button } from "@app/components/ui/button";
+import {
+    DropdownMenu,
+    DropdownMenuContent,
+    DropdownMenuItem,
+    DropdownMenuTrigger
+} from "@app/components/ui/dropdown-menu";
 import { InfoPopup } from "@app/components/ui/info-popup";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useNavigationContext } from "@app/hooks/useNavigationContext";
@@ -15,7 +21,8 @@ import {
     ArrowUp10Icon,
     ArrowUpRight,
     Check,
-    ChevronsUpDownIcon
+    ChevronsUpDownIcon,
+    MoreHorizontal
 } from "lucide-react";
 import { useTranslations } from "next-intl";
 import Link from "next/link";
@@ -93,7 +100,7 @@ export default function PendingSitesTable({
     async function approveSite(siteId: number) {
         setApprovingIds((prev) => new Set(prev).add(siteId));
         try {
-            await api.post(`/site/${siteId}`, { status: "approved" });
+            await api.post(`/site/${siteId}`, { status: "accepted" });
             toast({
                 title: t("success"),
                 description: t("siteApproveSuccess"),
@@ -201,56 +208,56 @@ export default function PendingSitesTable({
                 }
             }
         },
-        {
-            accessorKey: "mbIn",
-            friendlyName: t("dataIn"),
-            header: () => {
-                const dataInOrder = getSortDirection(
-                    "megabytesIn",
-                    searchParams
-                );
-                const Icon =
-                    dataInOrder === "asc"
-                        ? ArrowDown01Icon
-                        : dataInOrder === "desc"
-                          ? ArrowUp10Icon
-                          : ChevronsUpDownIcon;
-                return (
-                    <Button
-                        variant="ghost"
-                        onClick={() => toggleSort("megabytesIn")}
-                    >
-                        {t("dataIn")}
-                        <Icon className="ml-2 h-4 w-4" />
-                    </Button>
-                );
-            }
-        },
-        {
-            accessorKey: "mbOut",
-            friendlyName: t("dataOut"),
-            header: () => {
-                const dataOutOrder = getSortDirection(
-                    "megabytesOut",
-                    searchParams
-                );
-                const Icon =
-                    dataOutOrder === "asc"
-                        ? ArrowDown01Icon
-                        : dataOutOrder === "desc"
-                          ? ArrowUp10Icon
-                          : ChevronsUpDownIcon;
-                return (
-                    <Button
-                        variant="ghost"
-                        onClick={() => toggleSort("megabytesOut")}
-                    >
-                        {t("dataOut")}
-                        <Icon className="ml-2 h-4 w-4" />
-                    </Button>
-                );
-            }
-        },
+        // {
+        //     accessorKey: "mbIn",
+        //     friendlyName: t("dataIn"),
+        //     header: () => {
+        //         const dataInOrder = getSortDirection(
+        //             "megabytesIn",
+        //             searchParams
+        //         );
+        //         const Icon =
+        //             dataInOrder === "asc"
+        //                 ? ArrowDown01Icon
+        //                 : dataInOrder === "desc"
+        //                   ? ArrowUp10Icon
+        //                   : ChevronsUpDownIcon;
+        //         return (
+        //             <Button
+        //                 variant="ghost"
+        //                 onClick={() => toggleSort("megabytesIn")}
+        //             >
+        //                 {t("dataIn")}
+        //                 <Icon className="ml-2 h-4 w-4" />
+        //             </Button>
+        //         );
+        //     }
+        // },
+        // {
+        //     accessorKey: "mbOut",
+        //     friendlyName: t("dataOut"),
+        //     header: () => {
+        //         const dataOutOrder = getSortDirection(
+        //             "megabytesOut",
+        //             searchParams
+        //         );
+        //         const Icon =
+        //             dataOutOrder === "asc"
+        //                 ? ArrowDown01Icon
+        //                 : dataOutOrder === "desc"
+        //                   ? ArrowUp10Icon
+        //                   : ChevronsUpDownIcon;
+        //         return (
+        //             <Button
+        //                 variant="ghost"
+        //                 onClick={() => toggleSort("megabytesOut")}
+        //             >
+        //                 {t("dataOut")}
+        //                 <Icon className="ml-2 h-4 w-4" />
+        //             </Button>
+        //         );
+        //     }
+        // },
         {
             accessorKey: "type",
             friendlyName: t("type"),
@@ -375,6 +382,24 @@ export default function PendingSitesTable({
                 const isApproving = approvingIds.has(siteRow.id);
                 return (
                     <div className="flex items-center gap-2 justify-end">
+                        <DropdownMenu>
+                            <DropdownMenuTrigger asChild>
+                                <Button variant="ghost" className="h-8 w-8 p-0">
+                                    <span className="sr-only">Open menu</span>
+                                    <MoreHorizontal className="h-4 w-4" />
+                                </Button>
+                            </DropdownMenuTrigger>
+                            <DropdownMenuContent align="end">
+                                <Link
+                                    className="block w-full"
+                                    href={`/${siteRow.orgId}/settings/sites/${siteRow.nice}`}
+                                >
+                                    <DropdownMenuItem>
+                                        {t("viewSettings")}
+                                    </DropdownMenuItem>
+                                </Link>
+                            </DropdownMenuContent>
+                        </DropdownMenu>
                         <Button
                             variant="outline"
                             disabled={isApproving}

From c995c5a6748c7181930067097aec24094a95a324 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 11:02:09 -0700
Subject: [PATCH 160/314] Dont batch set on sqlite

---
 server/routers/gerbil/receiveBandwidth.ts | 44 ++++++++++++++++++-----
 1 file changed, 35 insertions(+), 9 deletions(-)

diff --git a/server/routers/gerbil/receiveBandwidth.ts b/server/routers/gerbil/receiveBandwidth.ts
index 042c844aa..787b7b702 100644
--- a/server/routers/gerbil/receiveBandwidth.ts
+++ b/server/routers/gerbil/receiveBandwidth.ts
@@ -96,6 +96,14 @@ async function dbQueryRows<T extends Record<string, unknown>>(
     return (await anyDb.all(query)) as T[];
 }
 
+/**
+ * Returns true when the active database driver is SQLite (better-sqlite3).
+ * Used to select the appropriate bulk-update strategy.
+ */
+function isSQLite(): boolean {
+    return typeof (db as any).execute !== "function";
+}
+
 /**
  * Flush all accumulated site bandwidth data to the database.
  *
@@ -141,19 +149,37 @@ export async function flushSiteBandwidthToDb(): Promise<void> {
         const chunk = sortedEntries.slice(i, i + BATCH_CHUNK_SIZE);
         const chunkEnd = i + chunk.length - 1;
 
-        // Build a parameterised VALUES list: (pubKey, bytesIn, bytesOut), ...
-        // Both PostgreSQL and SQLite (≥ 3.33.0, which better-sqlite3 bundles)
-        // support UPDATE … FROM (VALUES …), letting us update the whole chunk
-        // in a single query instead of N individual round-trips.
-        const valuesList = chunk.map(([publicKey, { bytesIn, bytesOut }]) =>
-            sql`(${publicKey}, ${bytesIn}, ${bytesOut})`
-        );
-        const valuesClause = sql.join(valuesList, sql`, `);
-
         let rows: { orgId: string; pubKey: string }[] = [];
 
         try {
             rows = await withDeadlockRetry(async () => {
+                if (isSQLite()) {
+                    // SQLite: one UPDATE per row — no need for batch efficiency here.
+                    const results: { orgId: string; pubKey: string }[] = [];
+                    for (const [publicKey, { bytesIn, bytesOut }] of chunk) {
+                        const result = await dbQueryRows<{
+                            orgId: string;
+                            pubKey: string;
+                        }>(sql`
+                            UPDATE sites
+                            SET
+                                "bytesOut"            = COALESCE("bytesOut", 0) + ${bytesIn},
+                                "bytesIn"             = COALESCE("bytesIn", 0)  + ${bytesOut},
+                                "lastBandwidthUpdate" = ${currentTime}
+                            WHERE "pubKey" = ${publicKey}
+                            RETURNING "orgId", "pubKey"
+                        `);
+                        results.push(...result);
+                    }
+                    return results;
+                }
+
+                // PostgreSQL: batch UPDATE … FROM (VALUES …) — single round-trip per chunk.
+                const valuesList = chunk.map(
+                    ([publicKey, { bytesIn, bytesOut }]) =>
+                        sql`(${publicKey}, ${bytesIn}, ${bytesOut})`
+                );
+                const valuesClause = sql.join(valuesList, sql`, `);
                 return dbQueryRows<{ orgId: string; pubKey: string }>(sql`
                     UPDATE sites
                     SET

From caacd1e6778433eaeff5de113c82872f57fb0455 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 11:11:18 -0700
Subject: [PATCH 161/314] Remove rewrite if match is removed

---
 server/routers/target/updateTarget.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/server/routers/target/updateTarget.ts b/server/routers/target/updateTarget.ts
index dd31f5f1b..1f9eff716 100644
--- a/server/routers/target/updateTarget.ts
+++ b/server/routers/target/updateTarget.ts
@@ -188,6 +188,8 @@ export async function updateTarget(
             );
         }
 
+        const pathMatchTypeRemoved = parsedBody.data.pathMatchType === null;
+
         const [updatedTarget] = await db
             .update(targets)
             .set({
@@ -200,8 +202,8 @@ export async function updateTarget(
                 path: parsedBody.data.path,
                 pathMatchType: parsedBody.data.pathMatchType,
                 priority: parsedBody.data.priority,
-                rewritePath: parsedBody.data.rewritePath,
-                rewritePathType: parsedBody.data.rewritePathType
+                rewritePath: pathMatchTypeRemoved ? null : parsedBody.data.rewritePath,
+                rewritePathType: pathMatchTypeRemoved ? null : parsedBody.data.rewritePathType
             })
             .where(eq(targets.targetId, targetId))
             .returning();

From e0c96e722429831b7593eb997d03440852822b11 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 11:31:46 -0700
Subject: [PATCH 162/314] Configure connection log retention time

---
 messages/en-US.json                           |   2 +
 server/db/pg/schema/privateSchema.ts          |   1 +
 server/db/sqlite/schema/privateSchema.ts      |   1 +
 server/private/lib/logAccessAudit.ts          |   2 +
 .../routers/billing/featureLifecycle.ts       |  25 ++++
 server/private/routers/ssh/signSshKey.ts      |   2 +-
 server/routers/org/updateOrg.ts               |  20 ++-
 .../settings/general/security/page.tsx        | 115 +++++++++++++++++-
 8 files changed, 162 insertions(+), 6 deletions(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index 7a3fde1d4..11c87f798 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -2398,6 +2398,8 @@
     "logRetentionAccessDescription": "How long to retain access logs",
     "logRetentionActionLabel": "Action Log Retention",
     "logRetentionActionDescription": "How long to retain action logs",
+    "logRetentionConnectionLabel": "Connection Log Retention",
+    "logRetentionConnectionDescription": "How long to retain connection logs",
     "logRetentionDisabled": "Disabled",
     "logRetention3Days": "3 days",
     "logRetention7Days": "7 days",
diff --git a/server/db/pg/schema/privateSchema.ts b/server/db/pg/schema/privateSchema.ts
index bb1e866c4..1f0de4e7d 100644
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -291,6 +291,7 @@ export const accessAuditLog = pgTable(
         actor: varchar("actor", { length: 255 }),
         actorId: varchar("actorId", { length: 255 }),
         resourceId: integer("resourceId"),
+        siteResourceId: integer("siteResourceId"),
         ip: varchar("ip", { length: 45 }),
         type: varchar("type", { length: 100 }).notNull(),
         action: boolean("action").notNull(),
diff --git a/server/db/sqlite/schema/privateSchema.ts b/server/db/sqlite/schema/privateSchema.ts
index 5913497b3..d651c1a38 100644
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -279,6 +279,7 @@ export const accessAuditLog = sqliteTable(
         actor: text("actor"),
         actorId: text("actorId"),
         resourceId: integer("resourceId"),
+        siteResourceId: integer("siteResourceId"),
         ip: text("ip"),
         location: text("location"),
         type: text("type").notNull(),
diff --git a/server/private/lib/logAccessAudit.ts b/server/private/lib/logAccessAudit.ts
index 91db548f7..e56490795 100644
--- a/server/private/lib/logAccessAudit.ts
+++ b/server/private/lib/logAccessAudit.ts
@@ -74,6 +74,7 @@ export async function logAccessAudit(data: {
     type: string;
     orgId: string;
     resourceId?: number;
+    siteResourceId?: number;
     user?: { username: string; userId: string };
     apiKey?: { name: string | null; apiKeyId: string };
     metadata?: any;
@@ -134,6 +135,7 @@ export async function logAccessAudit(data: {
             type: data.type,
             metadata,
             resourceId: data.resourceId,
+            siteResourceId: data.siteResourceId,
             userAgent: data.userAgent,
             ip: clientIp,
             location: countryCode
diff --git a/server/private/routers/billing/featureLifecycle.ts b/server/private/routers/billing/featureLifecycle.ts
index f6f2d513a..d86e23cf0 100644
--- a/server/private/routers/billing/featureLifecycle.ts
+++ b/server/private/routers/billing/featureLifecycle.ts
@@ -120,6 +120,18 @@ async function capRetentionDays(
         );
     }
 
+    // Cap action log retention if it exceeds the limit
+    if (
+        org.settingsLogRetentionDaysConnection !== null &&
+        org.settingsLogRetentionDaysConnection > maxRetentionDays
+    ) {
+        updates.settingsLogRetentionDaysConnection = maxRetentionDays;
+        needsUpdate = true;
+        logger.info(
+            `Capping connection log retention from ${org.settingsLogRetentionDaysConnection} to ${maxRetentionDays} days for org ${orgId}`
+        );
+    }
+
     // Apply updates if needed
     if (needsUpdate) {
         await db.update(orgs).set(updates).where(eq(orgs.orgId, orgId));
@@ -262,6 +274,10 @@ async function disableFeature(
                 await disableActionLogs(orgId);
                 break;
 
+            case TierFeature.ConnectionLogs:
+                await disableConnectionLogs(orgId);
+                break;
+
             case TierFeature.RotateCredentials:
                 await disableRotateCredentials(orgId);
                 break;
@@ -458,6 +474,15 @@ async function disableActionLogs(orgId: string): Promise<void> {
     logger.info(`Disabled action logs for org ${orgId}`);
 }
 
+async function disableConnectionLogs(orgId: string): Promise<void> {
+    await db
+        .update(orgs)
+        .set({ settingsLogRetentionDaysConnection: 0 })
+        .where(eq(orgs.orgId, orgId));
+
+    logger.info(`Disabled connection logs for org ${orgId}`);
+}
+
 async function disableRotateCredentials(orgId: string): Promise<void> {}
 
 async function disableMaintencePage(orgId: string): Promise<void> {
diff --git a/server/private/routers/ssh/signSshKey.ts b/server/private/routers/ssh/signSshKey.ts
index e8de55c54..b02d2b23c 100644
--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -488,7 +488,7 @@ export async function signSshKey(
             action: true,
             type: "ssh",
             orgId: orgId,
-            resourceId: resource.siteResourceId,
+            siteResourceId: resource.siteResourceId,
             user: req.user
                 ? { username: req.user.username ?? "", userId: req.user.userId }
                 : undefined,
diff --git a/server/routers/org/updateOrg.ts b/server/routers/org/updateOrg.ts
index 5049ac1fa..4eca9a9a6 100644
--- a/server/routers/org/updateOrg.ts
+++ b/server/routers/org/updateOrg.ts
@@ -34,6 +34,10 @@ const updateOrgBodySchema = z
             .min(build === "saas" ? 0 : -1)
             .optional(),
         settingsLogRetentionDaysAction: z
+            .number()
+            .min(build === "saas" ? 0 : -1)
+            .optional(),
+        settingsLogRetentionDaysConnection: z
             .number()
             .min(build === "saas" ? 0 : -1)
             .optional()
@@ -164,6 +168,17 @@ export async function updateOrg(
                         )
                     );
                 }
+                if (
+                    parsedBody.data.settingsLogRetentionDaysConnection !== undefined &&
+                    parsedBody.data.settingsLogRetentionDaysConnection > maxRetentionDays
+                ) {
+                    return next(
+                        createHttpError(
+                            HttpCode.FORBIDDEN,
+                            `You are not allowed to set log retention days greater than ${maxRetentionDays} with your current subscription`
+                        )
+                    );
+                }
             }
         }
 
@@ -179,7 +194,9 @@ export async function updateOrg(
                 settingsLogRetentionDaysAccess:
                     parsedBody.data.settingsLogRetentionDaysAccess,
                 settingsLogRetentionDaysAction:
-                    parsedBody.data.settingsLogRetentionDaysAction
+                    parsedBody.data.settingsLogRetentionDaysAction,
+                settingsLogRetentionDaysConnection:
+                    parsedBody.data.settingsLogRetentionDaysConnection
             })
             .where(eq(orgs.orgId, orgId))
             .returning();
@@ -197,6 +214,7 @@ export async function updateOrg(
         await cache.del(`org_${orgId}_retentionDays`);
         await cache.del(`org_${orgId}_actionDays`);
         await cache.del(`org_${orgId}_accessDays`);
+        await cache.del(`org_${orgId}_connectionDays`);
 
         return response(res, {
             data: updatedOrg[0],
diff --git a/src/app/[orgId]/settings/general/security/page.tsx b/src/app/[orgId]/settings/general/security/page.tsx
index 2c51e9ecb..e7d0d85c8 100644
--- a/src/app/[orgId]/settings/general/security/page.tsx
+++ b/src/app/[orgId]/settings/general/security/page.tsx
@@ -79,7 +79,8 @@ const SecurityFormSchema = z.object({
     passwordExpiryDays: z.number().nullable().optional(),
     settingsLogRetentionDaysRequest: z.number(),
     settingsLogRetentionDaysAccess: z.number(),
-    settingsLogRetentionDaysAction: z.number()
+    settingsLogRetentionDaysAction: z.number(),
+    settingsLogRetentionDaysConnection: z.number()
 });
 
 const LOG_RETENTION_OPTIONS = [
@@ -120,7 +121,8 @@ function LogRetentionSectionForm({ org }: SectionFormProps) {
             SecurityFormSchema.pick({
                 settingsLogRetentionDaysRequest: true,
                 settingsLogRetentionDaysAccess: true,
-                settingsLogRetentionDaysAction: true
+                settingsLogRetentionDaysAction: true,
+                settingsLogRetentionDaysConnection: true
             })
         ),
         defaultValues: {
@@ -129,7 +131,9 @@ function LogRetentionSectionForm({ org }: SectionFormProps) {
             settingsLogRetentionDaysAccess:
                 org.settingsLogRetentionDaysAccess ?? 15,
             settingsLogRetentionDaysAction:
-                org.settingsLogRetentionDaysAction ?? 15
+                org.settingsLogRetentionDaysAction ?? 15,
+            settingsLogRetentionDaysConnection:
+                org.settingsLogRetentionDaysConnection ?? 15
         },
         mode: "onChange"
     });
@@ -155,7 +159,9 @@ function LogRetentionSectionForm({ org }: SectionFormProps) {
                 settingsLogRetentionDaysAccess:
                     data.settingsLogRetentionDaysAccess,
                 settingsLogRetentionDaysAction:
-                    data.settingsLogRetentionDaysAction
+                    data.settingsLogRetentionDaysAction,
+                settingsLogRetentionDaysConnection:
+                    data.settingsLogRetentionDaysConnection
             } as any;
 
             // Update organization
@@ -473,6 +479,107 @@ function LogRetentionSectionForm({ org }: SectionFormProps) {
                                             );
                                         }}
                                     />
+                                    <FormField
+                                        control={form.control}
+                                        name="settingsLogRetentionDaysConnection"
+                                        render={({ field }) => {
+                                            const isDisabled = !isPaidUser(
+                                                tierMatrix.connectionLogs
+                                            );
+
+                                            return (
+                                                <FormItem>
+                                                    <FormLabel>
+                                                        {t(
+                                                            "logRetentionConnectionLabel"
+                                                        )}
+                                                    </FormLabel>
+                                                    <FormControl>
+                                                        <Select
+                                                            value={field.value.toString()}
+                                                            onValueChange={(
+                                                                value
+                                                            ) => {
+                                                                if (
+                                                                    !isDisabled
+                                                                ) {
+                                                                    field.onChange(
+                                                                        parseInt(
+                                                                            value,
+                                                                            10
+                                                                        )
+                                                                    );
+                                                                }
+                                                            }}
+                                                            disabled={
+                                                                isDisabled
+                                                            }
+                                                        >
+                                                            <SelectTrigger>
+                                                                <SelectValue
+                                                                    placeholder={t(
+                                                                        "selectLogRetention"
+                                                                    )}
+                                                                />
+                                                            </SelectTrigger>
+                                                            <SelectContent>
+                                                                {LOG_RETENTION_OPTIONS.filter(
+                                                                    (option) => {
+                                                                        if (build != "saas") {
+                                                                            return true;
+                                                                        }
+
+                                                                        let maxDays: number;
+
+                                                                        if (!subscriptionTier) {
+                                                                            // No tier
+                                                                            maxDays = 3;
+                                                                        } else if (subscriptionTier == "enterprise") {
+                                                                            // Enterprise - no limit
+                                                                            return true;
+                                                                        } else if (subscriptionTier == "tier3") {
+                                                                            maxDays = 90;
+                                                                        } else if (subscriptionTier == "tier2") {
+                                                                            maxDays = 30;
+                                                                        } else if (subscriptionTier == "tier1") {
+                                                                            maxDays = 7;
+                                                                        } else {
+                                                                            // Default to most restrictive
+                                                                            maxDays = 3;
+                                                                        }
+
+                                                                        // Filter out options that exceed the max
+                                                                        // Special values: -1 (forever) and 9001 (end of year) should be filtered
+                                                                        if (option.value < 0 || option.value > maxDays) {
+                                                                            return false;
+                                                                        }
+
+                                                                        return true;
+                                                                    }
+                                                                ).map(
+                                                                    (
+                                                                        option
+                                                                    ) => (
+                                                                        <SelectItem
+                                                                            key={
+                                                                                option.value
+                                                                            }
+                                                                            value={option.value.toString()}
+                                                                        >
+                                                                            {t(
+                                                                                option.label
+                                                                            )}
+                                                                        </SelectItem>
+                                                                    )
+                                                                )}
+                                                            </SelectContent>
+                                                        </Select>
+                                                    </FormControl>
+                                                    <FormMessage />
+                                                </FormItem>
+                                            );
+                                        }}
+                                    />
                                 </>
                             )}
                         </form>

From 04943fb4a6dc7c4a8a83d082f3ed1fba221833e2 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 11:58:48 -0700
Subject: [PATCH 163/314] Fix access log

---
 .../routers/auditLogs/queryAccessAuditLog.ts  | 124 ++++++++++++++----
 src/app/[orgId]/settings/logs/access/page.tsx |   6 +-
 2 files changed, 102 insertions(+), 28 deletions(-)

diff --git a/server/private/routers/auditLogs/queryAccessAuditLog.ts b/server/private/routers/auditLogs/queryAccessAuditLog.ts
index f0f45a826..f9951c1ab 100644
--- a/server/private/routers/auditLogs/queryAccessAuditLog.ts
+++ b/server/private/routers/auditLogs/queryAccessAuditLog.ts
@@ -11,11 +11,11 @@
  * This file is not licensed under the AGPLv3.
  */
 
-import { accessAuditLog, logsDb, resources, db, primaryDb } from "@server/db";
+import { accessAuditLog, logsDb, resources, siteResources, db, primaryDb } from "@server/db";
 import { registry } from "@server/openApi";
 import { NextFunction } from "express";
 import { Request, Response } from "express";
-import { eq, gt, lt, and, count, desc, inArray } from "drizzle-orm";
+import { eq, gt, lt, and, count, desc, inArray, isNull } from "drizzle-orm";
 import { OpenAPITags } from "@server/openApi";
 import { z } from "zod";
 import createHttpError from "http-errors";
@@ -122,6 +122,7 @@ export function queryAccess(data: Q) {
             actorType: accessAuditLog.actorType,
             actorId: accessAuditLog.actorId,
             resourceId: accessAuditLog.resourceId,
+            siteResourceId: accessAuditLog.siteResourceId,
             ip: accessAuditLog.ip,
             location: accessAuditLog.location,
             userAgent: accessAuditLog.userAgent,
@@ -136,37 +137,73 @@ export function queryAccess(data: Q) {
 }
 
 async function enrichWithResourceDetails(logs: Awaited<ReturnType<typeof queryAccess>>) {
-    // If logs database is the same as main database, we can do a join
-    // Otherwise, we need to fetch resource details separately
     const resourceIds = logs
         .map(log => log.resourceId)
         .filter((id): id is number => id !== null && id !== undefined);
 
-    if (resourceIds.length === 0) {
+    const siteResourceIds = logs
+        .filter(log => log.resourceId == null && log.siteResourceId != null)
+        .map(log => log.siteResourceId)
+        .filter((id): id is number => id !== null && id !== undefined);
+
+    if (resourceIds.length === 0 && siteResourceIds.length === 0) {
         return logs.map(log => ({ ...log, resourceName: null, resourceNiceId: null }));
     }
 
-    // Fetch resource details from main database
-    const resourceDetails = await primaryDb
-        .select({
-            resourceId: resources.resourceId,
-            name: resources.name,
-            niceId: resources.niceId
-        })
-        .from(resources)
-        .where(inArray(resources.resourceId, resourceIds));
+    const resourceMap = new Map<number, { name: string | null; niceId: string | null }>();
 
-    // Create a map for quick lookup
-    const resourceMap = new Map(
-        resourceDetails.map(r => [r.resourceId, { name: r.name, niceId: r.niceId }])
-    );
+    if (resourceIds.length > 0) {
+        const resourceDetails = await primaryDb
+            .select({
+                resourceId: resources.resourceId,
+                name: resources.name,
+                niceId: resources.niceId
+            })
+            .from(resources)
+            .where(inArray(resources.resourceId, resourceIds));
+
+        for (const r of resourceDetails) {
+            resourceMap.set(r.resourceId, { name: r.name, niceId: r.niceId });
+        }
+    }
+
+    const siteResourceMap = new Map<number, { name: string | null; niceId: string | null }>();
+
+    if (siteResourceIds.length > 0) {
+        const siteResourceDetails = await primaryDb
+            .select({
+                siteResourceId: siteResources.siteResourceId,
+                name: siteResources.name,
+                niceId: siteResources.niceId
+            })
+            .from(siteResources)
+            .where(inArray(siteResources.siteResourceId, siteResourceIds));
+
+        for (const r of siteResourceDetails) {
+            siteResourceMap.set(r.siteResourceId, { name: r.name, niceId: r.niceId });
+        }
+    }
 
     // Enrich logs with resource details
-    return logs.map(log => ({
-        ...log,
-        resourceName: log.resourceId ? resourceMap.get(log.resourceId)?.name ?? null : null,
-        resourceNiceId: log.resourceId ? resourceMap.get(log.resourceId)?.niceId ?? null : null
-    }));
+    return logs.map(log => {
+        if (log.resourceId != null) {
+            const details = resourceMap.get(log.resourceId);
+            return {
+                ...log,
+                resourceName: details?.name ?? null,
+                resourceNiceId: details?.niceId ?? null
+            };
+        } else if (log.siteResourceId != null) {
+            const details = siteResourceMap.get(log.siteResourceId);
+            return {
+                ...log,
+                resourceId: log.siteResourceId,
+                resourceName: details?.name ?? null,
+                resourceNiceId: details?.niceId ?? null
+            };
+        }
+        return { ...log, resourceName: null, resourceNiceId: null };
+    });
 }
 
 export function countAccessQuery(data: Q) {
@@ -212,11 +249,23 @@ async function queryUniqueFilterAttributes(
         .from(accessAuditLog)
         .where(baseConditions);
 
+    // Get unique siteResources (only for logs where resourceId is null)
+    const uniqueSiteResources = await logsDb
+        .selectDistinct({
+            id: accessAuditLog.siteResourceId
+        })
+        .from(accessAuditLog)
+        .where(and(baseConditions, isNull(accessAuditLog.resourceId)));
+
     // Fetch resource names from main database for the unique resource IDs
     const resourceIds = uniqueResources
         .map(row => row.id)
         .filter((id): id is number => id !== null);
 
+    const siteResourceIds = uniqueSiteResources
+        .map(row => row.id)
+        .filter((id): id is number => id !== null);
+
     let resourcesWithNames: Array<{ id: number; name: string | null }> = [];
 
     if (resourceIds.length > 0) {
@@ -228,10 +277,31 @@ async function queryUniqueFilterAttributes(
             .from(resources)
             .where(inArray(resources.resourceId, resourceIds));
 
-        resourcesWithNames = resourceDetails.map(r => ({
-            id: r.resourceId,
-            name: r.name
-        }));
+        resourcesWithNames = [
+            ...resourcesWithNames,
+            ...resourceDetails.map(r => ({
+                id: r.resourceId,
+                name: r.name
+            }))
+        ];
+    }
+
+    if (siteResourceIds.length > 0) {
+        const siteResourceDetails = await primaryDb
+            .select({
+                siteResourceId: siteResources.siteResourceId,
+                name: siteResources.name
+            })
+            .from(siteResources)
+            .where(inArray(siteResources.siteResourceId, siteResourceIds));
+
+        resourcesWithNames = [
+            ...resourcesWithNames,
+            ...siteResourceDetails.map(r => ({
+                id: r.siteResourceId,
+                name: r.name
+            }))
+        ];
     }
 
     return {
diff --git a/src/app/[orgId]/settings/logs/access/page.tsx b/src/app/[orgId]/settings/logs/access/page.tsx
index dbb7b6708..a0f1b5386 100644
--- a/src/app/[orgId]/settings/logs/access/page.tsx
+++ b/src/app/[orgId]/settings/logs/access/page.tsx
@@ -465,7 +465,11 @@ export default function GeneralPage() {
             cell: ({ row }) => {
                 return (
                     <Link
-                        href={`/${row.original.orgId}/settings/resources/proxy/${row.original.resourceNiceId}`}
+                        href={
+                            row.original.type === "ssh"
+                                ? `/${row.original.orgId}/settings/resources/client?query=${row.original.resourceNiceId}`
+                                : `/${row.original.orgId}/settings/resources/proxy/${row.original.resourceNiceId}`
+                        }
                     >
                         <Button
                             variant="outline"

From 7d1085b43f408f1701b2c101ab41c8848cc61cba Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 30 Mar 2026 20:36:35 +0000
Subject: [PATCH 164/314] Bump fast-xml-parser and @aws-sdk/xml-builder

Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) and [@aws-sdk/xml-builder](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/packages-internal/xml-builder). These dependencies needed to be updated together.

Updates `fast-xml-parser` from 5.5.6 to 5.5.8
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.6...v5.5.8)

Updates `@aws-sdk/xml-builder` from 3.972.12 to 3.972.16
- [Release notes](https://github.com/aws/aws-sdk-js-v3/releases)
- [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/packages-internal/xml-builder/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-js-v3/commits/HEAD/packages-internal/xml-builder)

---
updated-dependencies:
- dependency-name: fast-xml-parser
  dependency-version: 5.5.8
  dependency-type: indirect
- dependency-name: "@aws-sdk/xml-builder"
  dependency-version: 3.972.16
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 package-lock.json | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 5a90a4884..aedce2897 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1005,13 +1005,13 @@
             }
         },
         "node_modules/@aws-sdk/xml-builder": {
-            "version": "3.972.12",
-            "resolved": "https://registry.npmjs.org/@aws-sdk/xml-builder/-/xml-builder-3.972.12.tgz",
-            "integrity": "sha512-xjyucfn+F+kMf25c+LIUnvX3oyLSlj9T0Vncs5WMQI6G36JdnSwC8g0qf8RajfmSClXr660EpTz7FFKluZ4BqQ==",
+            "version": "3.972.16",
+            "resolved": "https://registry.npmjs.org/@aws-sdk/xml-builder/-/xml-builder-3.972.16.tgz",
+            "integrity": "sha512-iu2pyvaqmeatIJLURLqx9D+4jKAdTH20ntzB6BFwjyN7V960r4jK32mx0Zf7YbtOYAbmbtQfDNuL60ONinyw7A==",
             "license": "Apache-2.0",
             "dependencies": {
                 "@smithy/types": "^4.13.1",
-                "fast-xml-parser": "5.5.6",
+                "fast-xml-parser": "5.5.8",
                 "tslib": "^2.6.2"
             },
             "engines": {
@@ -13083,9 +13083,9 @@
             }
         },
         "node_modules/fast-xml-parser": {
-            "version": "5.5.6",
-            "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.5.6.tgz",
-            "integrity": "sha512-3+fdZyBRVg29n4rXP0joHthhcHdPUHaIC16cuyyd1iLsuaO6Vea36MPrxgAzbZna8lhvZeRL8Bc9GP56/J9xEw==",
+            "version": "5.5.8",
+            "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.5.8.tgz",
+            "integrity": "sha512-Z7Fh2nVQSb2d+poDViM063ix2ZGt9jmY1nWhPfHBOK2Hgnb/OW3P4Et3P/81SEej0J7QbWtJqxO05h8QYfK7LQ==",
             "funding": [
                 {
                     "type": "github",
@@ -13095,8 +13095,8 @@
             "license": "MIT",
             "dependencies": {
                 "fast-xml-builder": "^1.1.4",
-                "path-expression-matcher": "^1.1.3",
-                "strnum": "^2.1.2"
+                "path-expression-matcher": "^1.2.0",
+                "strnum": "^2.2.0"
             },
             "bin": {
                 "fxparser": "src/cli/cli.js"
@@ -16282,9 +16282,9 @@
             }
         },
         "node_modules/path-expression-matcher": {
-            "version": "1.1.3",
-            "resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.1.3.tgz",
-            "integrity": "sha512-qdVgY8KXmVdJZRSS1JdEPOKPdTiEK/pi0RkcT2sw1RhXxohdujUlJFPuS1TSkevZ9vzd3ZlL7ULl1MHGTApKzQ==",
+            "version": "1.2.0",
+            "resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.2.0.tgz",
+            "integrity": "sha512-DwmPWeFn+tq7TiyJ2CxezCAirXjFxvaiD03npak3cRjlP9+OjTmSy1EpIrEbh+l6JgUundniloMLDQ/6VTdhLQ==",
             "funding": [
                 {
                     "type": "github",
@@ -18522,9 +18522,9 @@
             }
         },
         "node_modules/strnum": {
-            "version": "2.2.0",
-            "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.0.tgz",
-            "integrity": "sha512-Y7Bj8XyJxnPAORMZj/xltsfo55uOiyHcU2tnAVzHUnSJR/KsEX+9RoDeXEnsXtl/CX4fAcrt64gZ13aGaWPeBg==",
+            "version": "2.2.2",
+            "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.2.tgz",
+            "integrity": "sha512-DnR90I+jtXNSTXWdwrEy9FakW7UX+qUZg28gj5fk2vxxl7uS/3bpI4fjFYVmdK9etptYBPNkpahuQnEwhwECqA==",
             "funding": [
                 {
                     "type": "github",

From b913466671d746cf679d93cc25407c8368746d59 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 30 Mar 2026 20:37:38 +0000
Subject: [PATCH 165/314] Bump next from 15.5.12 to 15.5.14

Bumps [next](https://github.com/vercel/next.js) from 15.5.12 to 15.5.14.
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/compare/v15.5.12...v15.5.14)

---
updated-dependencies:
- dependency-name: next
  dependency-version: 15.5.14
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 package-lock.json | 90 ++++++++++++++++++++++++++---------------------
 package.json      |  2 +-
 2 files changed, 51 insertions(+), 41 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index b8d3ef513..a576b04ff 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -69,7 +69,7 @@
                 "lucide-react": "0.577.0",
                 "maxmind": "5.0.5",
                 "moment": "2.30.1",
-                "next": "15.5.12",
+                "next": "15.5.14",
                 "next-intl": "4.8.3",
                 "next-themes": "0.4.6",
                 "nextjs-toploader": "3.9.17",
@@ -2862,9 +2862,10 @@
             }
         },
         "node_modules/@next/env": {
-            "version": "15.5.12",
-            "resolved": "https://registry.npmjs.org/@next/env/-/env-15.5.12.tgz",
-            "integrity": "sha512-pUvdJN1on574wQHjaBfNGDt9Mz5utDSZFsIIQkMzPgNS8ZvT4H2mwOrOIClwsQOb6EGx5M76/CZr6G8i6pSpLg=="
+            "version": "15.5.14",
+            "resolved": "https://registry.npmjs.org/@next/env/-/env-15.5.14.tgz",
+            "integrity": "sha512-aXeirLYuASxEgi4X4WhfXsShCFxWDfNn/8ZeC5YXAS2BB4A8FJi1kwwGL6nvMVboE7fZCzmJPNdMvVHc8JpaiA==",
+            "license": "MIT"
         },
         "node_modules/@next/eslint-plugin-next": {
             "version": "16.1.7",
@@ -2877,12 +2878,13 @@
             }
         },
         "node_modules/@next/swc-darwin-arm64": {
-            "version": "15.5.12",
-            "resolved": "https://registry.npmjs.org/@next/swc-darwin-arm64/-/swc-darwin-arm64-15.5.12.tgz",
-            "integrity": "sha512-RnRjBtH8S8eXCpUNkQ+543DUc7ys8y15VxmFU9HRqlo9BG3CcBUiwNtF8SNoi2xvGCVJq1vl2yYq+3oISBS0Zg==",
+            "version": "15.5.14",
+            "resolved": "https://registry.npmjs.org/@next/swc-darwin-arm64/-/swc-darwin-arm64-15.5.14.tgz",
+            "integrity": "sha512-Y9K6SPzobnZvrRDPO2s0grgzC+Egf0CqfbdvYmQVaztV890zicw8Z8+4Vqw8oPck8r1TjUHxVh8299Cg4TrxXg==",
             "cpu": [
                 "arm64"
             ],
+            "license": "MIT",
             "optional": true,
             "os": [
                 "darwin"
@@ -2892,12 +2894,13 @@
             }
         },
         "node_modules/@next/swc-darwin-x64": {
-            "version": "15.5.12",
-            "resolved": "https://registry.npmjs.org/@next/swc-darwin-x64/-/swc-darwin-x64-15.5.12.tgz",
-            "integrity": "sha512-nqa9/7iQlboF1EFtNhWxQA0rQstmYRSBGxSM6g3GxvxHxcoeqVXfGNr9stJOme674m2V7r4E3+jEhhGvSQhJRA==",
+            "version": "15.5.14",
+            "resolved": "https://registry.npmjs.org/@next/swc-darwin-x64/-/swc-darwin-x64-15.5.14.tgz",
+            "integrity": "sha512-aNnkSMjSFRTOmkd7qoNI2/rETQm/vKD6c/Ac9BZGa9CtoOzy3c2njgz7LvebQJ8iPxdeTuGnAjagyis8a9ifBw==",
             "cpu": [
                 "x64"
             ],
+            "license": "MIT",
             "optional": true,
             "os": [
                 "darwin"
@@ -2907,12 +2910,13 @@
             }
         },
         "node_modules/@next/swc-linux-arm64-gnu": {
-            "version": "15.5.12",
-            "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-gnu/-/swc-linux-arm64-gnu-15.5.12.tgz",
-            "integrity": "sha512-dCzAjqhDHwmoB2M4eYfVKqXs99QdQxNQVpftvP1eGVppamXh/OkDAwV737Zr0KPXEqRUMN4uCjh6mjO+XtF3Mw==",
+            "version": "15.5.14",
+            "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-gnu/-/swc-linux-arm64-gnu-15.5.14.tgz",
+            "integrity": "sha512-tjlpia+yStPRS//6sdmlVwuO1Rioern4u2onafa5n+h2hCS9MAvMXqpVbSrjgiEOoCs0nJy7oPOmWgtRRNSM5Q==",
             "cpu": [
                 "arm64"
             ],
+            "license": "MIT",
             "optional": true,
             "os": [
                 "linux"
@@ -2922,12 +2926,13 @@
             }
         },
         "node_modules/@next/swc-linux-arm64-musl": {
-            "version": "15.5.12",
-            "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-musl/-/swc-linux-arm64-musl-15.5.12.tgz",
-            "integrity": "sha512-+fpGWvQiITgf7PUtbWY1H7qUSnBZsPPLyyq03QuAKpVoTy/QUx1JptEDTQMVvQhvizCEuNLEeghrQUyXQOekuw==",
+            "version": "15.5.14",
+            "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-musl/-/swc-linux-arm64-musl-15.5.14.tgz",
+            "integrity": "sha512-8B8cngBaLadl5lbDRdxGCP1Lef8ipD6KlxS3v0ElDAGil6lafrAM3B258p1KJOglInCVFUjk751IXMr2ixeQOQ==",
             "cpu": [
                 "arm64"
             ],
+            "license": "MIT",
             "optional": true,
             "os": [
                 "linux"
@@ -2937,12 +2942,13 @@
             }
         },
         "node_modules/@next/swc-linux-x64-gnu": {
-            "version": "15.5.12",
-            "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-gnu/-/swc-linux-x64-gnu-15.5.12.tgz",
-            "integrity": "sha512-jSLvgdRRL/hrFAPqEjJf1fFguC719kmcptjNVDJl26BnJIpjL3KH5h6mzR4mAweociLQaqvt4UyzfbFjgAdDcw==",
+            "version": "15.5.14",
+            "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-gnu/-/swc-linux-x64-gnu-15.5.14.tgz",
+            "integrity": "sha512-bAS6tIAg8u4Gn3Nz7fCPpSoKAexEt2d5vn1mzokcqdqyov6ZJ6gu6GdF9l8ORFrBuRHgv3go/RfzYz5BkZ6YSQ==",
             "cpu": [
                 "x64"
             ],
+            "license": "MIT",
             "optional": true,
             "os": [
                 "linux"
@@ -2952,12 +2958,13 @@
             }
         },
         "node_modules/@next/swc-linux-x64-musl": {
-            "version": "15.5.12",
-            "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-musl/-/swc-linux-x64-musl-15.5.12.tgz",
-            "integrity": "sha512-/uaF0WfmYqQgLfPmN6BvULwxY0dufI2mlN2JbOKqqceZh1G4hjREyi7pg03zjfyS6eqNemHAZPSoP84x17vo6w==",
+            "version": "15.5.14",
+            "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-musl/-/swc-linux-x64-musl-15.5.14.tgz",
+            "integrity": "sha512-mMxv/FcrT7Gfaq4tsR22l17oKWXZmH/lVqcvjX0kfp5I0lKodHYLICKPoX1KRnnE+ci6oIUdriUhuA3rBCDiSw==",
             "cpu": [
                 "x64"
             ],
+            "license": "MIT",
             "optional": true,
             "os": [
                 "linux"
@@ -2967,12 +2974,13 @@
             }
         },
         "node_modules/@next/swc-win32-arm64-msvc": {
-            "version": "15.5.12",
-            "resolved": "https://registry.npmjs.org/@next/swc-win32-arm64-msvc/-/swc-win32-arm64-msvc-15.5.12.tgz",
-            "integrity": "sha512-xhsL1OvQSfGmlL5RbOmU+FV120urrgFpYLq+6U8C6KIym32gZT6XF/SDE92jKzzlPWskkbjOKCpqk5m4i8PEfg==",
+            "version": "15.5.14",
+            "resolved": "https://registry.npmjs.org/@next/swc-win32-arm64-msvc/-/swc-win32-arm64-msvc-15.5.14.tgz",
+            "integrity": "sha512-OTmiBlYThppnvnsqx0rBqjDRemlmIeZ8/o4zI7veaXoeO1PVHoyj2lfTfXTiiGjCyRDhA10y4h6ZvZvBiynr2g==",
             "cpu": [
                 "arm64"
             ],
+            "license": "MIT",
             "optional": true,
             "os": [
                 "win32"
@@ -2982,12 +2990,13 @@
             }
         },
         "node_modules/@next/swc-win32-x64-msvc": {
-            "version": "15.5.12",
-            "resolved": "https://registry.npmjs.org/@next/swc-win32-x64-msvc/-/swc-win32-x64-msvc-15.5.12.tgz",
-            "integrity": "sha512-Z1Dh6lhFkxvBDH1FoW6OU/L6prYwPSlwjLiZkExIAh8fbP6iI/M7iGTQAJPYJ9YFlWobCZ1PHbchFhFYb2ADkw==",
+            "version": "15.5.14",
+            "resolved": "https://registry.npmjs.org/@next/swc-win32-x64-msvc/-/swc-win32-x64-msvc-15.5.14.tgz",
+            "integrity": "sha512-+W7eFf3RS7m4G6tppVTOSyP9Y6FsJXfOuKzav1qKniiFm3KFByQfPEcouHdjlZmysl4zJGuGLQ/M9XyVeyeNEg==",
             "cpu": [
                 "x64"
             ],
+            "license": "MIT",
             "optional": true,
             "os": [
                 "win32"
@@ -15416,11 +15425,12 @@
             }
         },
         "node_modules/next": {
-            "version": "15.5.12",
-            "resolved": "https://registry.npmjs.org/next/-/next-15.5.12.tgz",
-            "integrity": "sha512-Fi/wQ4Etlrn60rz78bebG1i1SR20QxvV8tVp6iJspjLUSHcZoeUXCt+vmWoEcza85ElZzExK/jJ/F6SvtGktjA==",
+            "version": "15.5.14",
+            "resolved": "https://registry.npmjs.org/next/-/next-15.5.14.tgz",
+            "integrity": "sha512-M6S+4JyRjmKic2Ssm7jHUPkE6YUJ6lv4507jprsSZLulubz0ihO2E+S4zmQK3JZ2ov81JrugukKU4Tz0ivgqqQ==",
+            "license": "MIT",
             "dependencies": {
-                "@next/env": "15.5.12",
+                "@next/env": "15.5.14",
                 "@swc/helpers": "0.5.15",
                 "caniuse-lite": "^1.0.30001579",
                 "postcss": "8.4.31",
@@ -15433,14 +15443,14 @@
                 "node": "^18.18.0 || ^19.8.0 || >= 20.0.0"
             },
             "optionalDependencies": {
-                "@next/swc-darwin-arm64": "15.5.12",
-                "@next/swc-darwin-x64": "15.5.12",
-                "@next/swc-linux-arm64-gnu": "15.5.12",
-                "@next/swc-linux-arm64-musl": "15.5.12",
-                "@next/swc-linux-x64-gnu": "15.5.12",
-                "@next/swc-linux-x64-musl": "15.5.12",
-                "@next/swc-win32-arm64-msvc": "15.5.12",
-                "@next/swc-win32-x64-msvc": "15.5.12",
+                "@next/swc-darwin-arm64": "15.5.14",
+                "@next/swc-darwin-x64": "15.5.14",
+                "@next/swc-linux-arm64-gnu": "15.5.14",
+                "@next/swc-linux-arm64-musl": "15.5.14",
+                "@next/swc-linux-x64-gnu": "15.5.14",
+                "@next/swc-linux-x64-musl": "15.5.14",
+                "@next/swc-win32-arm64-msvc": "15.5.14",
+                "@next/swc-win32-x64-msvc": "15.5.14",
                 "sharp": "^0.34.3"
             },
             "peerDependencies": {
diff --git a/package.json b/package.json
index dd48b69ee..66c61c0e6 100644
--- a/package.json
+++ b/package.json
@@ -92,7 +92,7 @@
         "lucide-react": "0.577.0",
         "maxmind": "5.0.5",
         "moment": "2.30.1",
-        "next": "15.5.12",
+        "next": "15.5.14",
         "next-intl": "4.8.3",
         "next-themes": "0.4.6",
         "nextjs-toploader": "3.9.17",

From dbafffe73de6a86ea3dc8aa71222f658e1fab903 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 14:06:56 -0700
Subject: [PATCH 166/314] Update crowdsec and add comment

---
 install/config/crowdsec/traefik_config.yml | 12 +++++++++---
 install/config/docker-compose.yml          |  2 +-
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/install/config/crowdsec/traefik_config.yml b/install/config/crowdsec/traefik_config.yml
index 198693ef8..b3e4f0839 100644
--- a/install/config/crowdsec/traefik_config.yml
+++ b/install/config/crowdsec/traefik_config.yml
@@ -81,11 +81,17 @@ entryPoints:
     transport:
       respondingTimeouts:
         readTimeout: "30m"
+    http3:
+      advertisedPort: 443
     http:
       tls:
         certResolver: "letsencrypt"
-      middlewares: 
-        - crowdsec@file
+      encodedCharacters:
+        allowEncodedSlash: true
+        allowEncodedQuestionMark: true
 
 serversTransport:
-  insecureSkipVerify: true
\ No newline at end of file
+  insecureSkipVerify: true
+
+ping:
+  entryPoint: "web"
diff --git a/install/config/docker-compose.yml b/install/config/docker-compose.yml
index fd8fdd9a3..505089bed 100644
--- a/install/config/docker-compose.yml
+++ b/install/config/docker-compose.yml
@@ -38,7 +38,7 @@ services:
       - 51820:51820/udp
       - 21820:21820/udp
       - 443:443
-      - 443:443/udp
+      - 443:443/udp # For http3 QUIC if desired
       - 80:80
 {{end}}
   traefik:

From 073b89b355b3003ef8d93cd7f987962517110ce2 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 14:18:10 -0700
Subject: [PATCH 167/314] make path the default

---
 .../[orgId]/settings/resources/proxy/[niceId]/rules/page.tsx    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/app/[orgId]/settings/resources/proxy/[niceId]/rules/page.tsx b/src/app/[orgId]/settings/resources/proxy/[niceId]/rules/page.tsx
index 2b6a16870..a3a7e0197 100644
--- a/src/app/[orgId]/settings/resources/proxy/[niceId]/rules/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/[niceId]/rules/page.tsx
@@ -150,7 +150,7 @@ export default function ResourceRules(props: {
         resolver: zodResolver(addRuleSchema),
         defaultValues: {
             action: "ACCEPT",
-            match: "IP",
+            match: "PATH",
             value: ""
         }
     });

From cb6c47678b3b41dc89034af5353d5366d712ab5c Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 14:43:49 -0700
Subject: [PATCH 168/314] Add regions to blueprints

---
 server/lib/blueprints/proxyResources.ts |  5 +++++
 server/lib/blueprints/types.ts          | 16 +++++++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/server/lib/blueprints/proxyResources.ts b/server/lib/blueprints/proxyResources.ts
index 2696b68c8..e16da2ea5 100644
--- a/server/lib/blueprints/proxyResources.ts
+++ b/server/lib/blueprints/proxyResources.ts
@@ -31,6 +31,7 @@ import { pickPort } from "@server/routers/target/helpers";
 import { resourcePassword } from "@server/db";
 import { hashPassword } from "@server/auth/password";
 import { isValidCIDR, isValidIP, isValidUrlGlobPattern } from "../validators";
+import { isValidRegionId } from "@server/db/regions";
 import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import { tierMatrix } from "../billing/tierMatrix";
 
@@ -863,6 +864,10 @@ function validateRule(rule: any) {
         if (!isValidUrlGlobPattern(rule.value)) {
             throw new Error(`Invalid URL glob pattern: ${rule.value}`);
         }
+    } else if (rule.match === "region") {
+        if (!isValidRegionId(rule.value)) {
+            throw new Error(`Invalid region ID provided: ${rule.value}`);
+        }
     }
 }
 
diff --git a/server/lib/blueprints/types.ts b/server/lib/blueprints/types.ts
index 2239e4f9a..6ebc509b8 100644
--- a/server/lib/blueprints/types.ts
+++ b/server/lib/blueprints/types.ts
@@ -1,6 +1,7 @@
 import { z } from "zod";
 import { portRangeStringSchema } from "@server/lib/ip";
 import { MaintenanceSchema } from "#dynamic/lib/blueprints/MaintenanceSchema";
+import { isValidRegionId } from "@server/db/regions";
 
 export const SiteSchema = z.object({
     name: z.string().min(1).max(100),
@@ -77,7 +78,7 @@ export const AuthSchema = z.object({
 export const RuleSchema = z
     .object({
         action: z.enum(["allow", "deny", "pass"]),
-        match: z.enum(["cidr", "path", "ip", "country", "asn"]),
+        match: z.enum(["cidr", "path", "ip", "country", "asn", "region"]),
         value: z.string(),
         priority: z.int().optional()
     })
@@ -137,6 +138,19 @@ export const RuleSchema = z
             message:
                 "Value must be 'AS<number>' format or 'ALL' when match is 'asn'"
         }
+    )
+    .refine(
+        (rule) => {
+            if (rule.match === "region") {
+                return isValidRegionId(rule.value);
+            }
+            return true;
+        },
+        {
+            path: ["value"],
+            message:
+                "Value must be a valid UN M.49 region or subregion ID when match is 'region'"
+        }
     );
 
 export const HeaderSchema = z.object({

From b01d2666290f36b9dc992b4c2c001c26fa58eda0 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 16:38:19 -0700
Subject: [PATCH 169/314] Migration 1.17 first pass

---
 server/setup/scriptsPg/1.17.0.ts     | 138 ++++++++++++++++++++++++++-
 server/setup/scriptsSqlite/1.17.0.ts | 119 ++++++++++++++++++++++-
 2 files changed, 251 insertions(+), 6 deletions(-)

diff --git a/server/setup/scriptsPg/1.17.0.ts b/server/setup/scriptsPg/1.17.0.ts
index 81c42e1a9..d953b24fb 100644
--- a/server/setup/scriptsPg/1.17.0.ts
+++ b/server/setup/scriptsPg/1.17.0.ts
@@ -23,6 +23,66 @@ export default async function migration() {
     try {
         await db.execute(sql`BEGIN`);
 
+        await db.execute(sql`
+            CREATE TABLE "bannedEmails" (
+               	"email" varchar(255) PRIMARY KEY NOT NULL
+            );
+        `);
+
+        await db.execute(sql`
+            CREATE TABLE "bannedIps" (
+               	"ip" varchar(255) PRIMARY KEY NOT NULL
+            );
+        `);
+
+        await db.execute(sql`
+            CREATE TABLE "connectionAuditLog" (
+               	"id" serial PRIMARY KEY NOT NULL,
+               	"sessionId" text NOT NULL,
+               	"siteResourceId" integer,
+               	"orgId" text,
+               	"siteId" integer,
+               	"clientId" integer,
+               	"userId" text,
+               	"sourceAddr" text NOT NULL,
+               	"destAddr" text NOT NULL,
+               	"protocol" text NOT NULL,
+               	"startedAt" integer NOT NULL,
+               	"endedAt" integer,
+               	"bytesTx" integer,
+               	"bytesRx" integer
+            );
+        `);
+
+        await db.execute(sql`
+            CREATE TABLE "siteProvisioningKeyOrg" (
+               	"siteProvisioningKeyId" varchar(255) NOT NULL,
+               	"orgId" varchar(255) NOT NULL,
+               	CONSTRAINT "siteProvisioningKeyOrg_siteProvisioningKeyId_orgId_pk" PRIMARY KEY("siteProvisioningKeyId","orgId")
+            );
+        `);
+        await db.execute(sql`
+            CREATE TABLE "siteProvisioningKeys" (
+               	"siteProvisioningKeyId" varchar(255) PRIMARY KEY NOT NULL,
+               	"name" varchar(255) NOT NULL,
+               	"siteProvisioningKeyHash" text NOT NULL,
+               	"lastChars" varchar(4) NOT NULL,
+               	"dateCreated" varchar(255) NOT NULL,
+               	"lastUsed" varchar(255),
+               	"maxBatchSize" integer,
+               	"numUsed" integer DEFAULT 0 NOT NULL,
+               	"validUntil" varchar(255)
+            );
+        `);
+
+        await db.execute(sql`
+            CREATE TABLE "userInviteRoles" (
+               	"inviteId" varchar NOT NULL,
+               	"roleId" integer NOT NULL,
+               	CONSTRAINT "userInviteRoles_inviteId_roleId_pk" PRIMARY KEY("inviteId","roleId")
+            );
+        `);
+
         await db.execute(sql`
             CREATE TABLE "userOrgRoles" (
                	"userId" varchar NOT NULL,
@@ -31,12 +91,80 @@ export default async function migration() {
                	CONSTRAINT "userOrgRoles_userId_orgId_roleId_unique" UNIQUE("userId","orgId","roleId")
             );
         `);
-        await db.execute(sql`ALTER TABLE "userOrgs" DROP CONSTRAINT "userOrgs_roleId_roles_roleId_fk";`);
-        await db.execute(sql`ALTER TABLE "userOrgRoles" ADD CONSTRAINT "userOrgRoles_userId_user_id_fk" FOREIGN KEY ("userId") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;`);
-        await db.execute(sql`ALTER TABLE "userOrgRoles" ADD CONSTRAINT "userOrgRoles_orgId_orgs_orgId_fk" FOREIGN KEY ("orgId") REFERENCES "public"."orgs"("orgId") ON DELETE cascade ON UPDATE no action;`);
-        await db.execute(sql`ALTER TABLE "userOrgRoles" ADD CONSTRAINT "userOrgRoles_roleId_roles_roleId_fk" FOREIGN KEY ("roleId") REFERENCES "public"."roles"("roleId") ON DELETE cascade ON UPDATE no action;`);
+        await db.execute(
+            sql`ALTER TABLE "userOrgs" DROP CONSTRAINT "userOrgs_roleId_roles_roleId_fk";`
+        );
+        await db.execute(
+            sql`ALTER TABLE "userOrgRoles" ADD CONSTRAINT "userOrgRoles_userId_user_id_fk" FOREIGN KEY ("userId") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "userOrgRoles" ADD CONSTRAINT "userOrgRoles_orgId_orgs_orgId_fk" FOREIGN KEY ("orgId") REFERENCES "public"."orgs"("orgId") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "userOrgRoles" ADD CONSTRAINT "userOrgRoles_roleId_roles_roleId_fk" FOREIGN KEY ("roleId") REFERENCES "public"."roles"("roleId") ON DELETE cascade ON UPDATE no action;`
+        );
         await db.execute(sql`ALTER TABLE "userOrgs" DROP COLUMN "roleId";`);
 
+        await db.execute(
+            sql`ALTER TABLE "userInvites" DROP CONSTRAINT "userInvites_roleId_roles_roleId_fk";`
+        );
+        await db.execute(
+            sql`ALTER TABLE "accessAuditLog" ADD COLUMN "siteResourceId" integer;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "clientSitesAssociationsCache" ADD COLUMN "isJitMode" boolean DEFAULT false NOT NULL;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "domains" ADD COLUMN "errorMessage" text;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "orgs" ADD COLUMN "settingsLogRetentionDaysConnection" integer DEFAULT 0 NOT NULL;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "sites" ADD COLUMN "lastPing" integer;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "user" ADD COLUMN "marketingEmailConsent" boolean DEFAULT false;`
+        );
+        await db.execute(sql`ALTER TABLE "user" ADD COLUMN "locale" varchar;`);
+        await db.execute(
+            sql`ALTER TABLE "connectionAuditLog" ADD CONSTRAINT "connectionAuditLog_siteResourceId_siteResources_siteResourceId_fk" FOREIGN KEY ("siteResourceId") REFERENCES "public"."siteResources"("siteResourceId") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "connectionAuditLog" ADD CONSTRAINT "connectionAuditLog_orgId_orgs_orgId_fk" FOREIGN KEY ("orgId") REFERENCES "public"."orgs"("orgId") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "connectionAuditLog" ADD CONSTRAINT "connectionAuditLog_siteId_sites_siteId_fk" FOREIGN KEY ("siteId") REFERENCES "public"."sites"("siteId") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "connectionAuditLog" ADD CONSTRAINT "connectionAuditLog_clientId_clients_clientId_fk" FOREIGN KEY ("clientId") REFERENCES "public"."clients"("clientId") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "connectionAuditLog" ADD CONSTRAINT "connectionAuditLog_userId_user_id_fk" FOREIGN KEY ("userId") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "siteProvisioningKeyOrg" ADD CONSTRAINT "siteProvisioningKeyOrg_siteProvisioningKeyId_siteProvisioningKeys_siteProvisioningKeyId_fk" FOREIGN KEY ("siteProvisioningKeyId") REFERENCES "public"."siteProvisioningKeys"("siteProvisioningKeyId") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "siteProvisioningKeyOrg" ADD CONSTRAINT "siteProvisioningKeyOrg_orgId_orgs_orgId_fk" FOREIGN KEY ("orgId") REFERENCES "public"."orgs"("orgId") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "userInviteRoles" ADD CONSTRAINT "userInviteRoles_inviteId_userInvites_inviteId_fk" FOREIGN KEY ("inviteId") REFERENCES "public"."userInvites"("inviteId") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "userInviteRoles" ADD CONSTRAINT "userInviteRoles_roleId_roles_roleId_fk" FOREIGN KEY ("roleId") REFERENCES "public"."roles"("roleId") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`CREATE INDEX "idx_accessAuditLog_startedAt" ON "connectionAuditLog" USING btree ("startedAt");`
+        );
+        await db.execute(
+            sql`CREATE INDEX "idx_accessAuditLog_org_startedAt" ON "connectionAuditLog" USING btree ("orgId","startedAt");`
+        );
+        await db.execute(
+            sql`CREATE INDEX "idx_accessAuditLog_siteResourceId" ON "connectionAuditLog" USING btree ("siteResourceId");`
+        );
+        await db.execute(sql`ALTER TABLE "userInvites" DROP COLUMN "roleId";`);
+
         await db.execute(sql`COMMIT`);
         console.log("Migrated database");
     } catch (e) {
@@ -70,4 +198,4 @@ export default async function migration() {
     }
 
     console.log(`${version} migration complete`);
-}
\ No newline at end of file
+}
diff --git a/server/setup/scriptsSqlite/1.17.0.ts b/server/setup/scriptsSqlite/1.17.0.ts
index fe7d82de0..866eb8fe5 100644
--- a/server/setup/scriptsSqlite/1.17.0.ts
+++ b/server/setup/scriptsSqlite/1.17.0.ts
@@ -25,6 +25,77 @@ export default async function migration() {
         );
 
         db.transaction(() => {
+            db.prepare(
+                `
+                CREATE TABLE 'bannedEmails' (
+                   	'email' text PRIMARY KEY NOT NULL
+                );
+            `
+            ).run();
+            db.prepare(
+                `
+                CREATE TABLE 'bannedIps' (
+                   	'ip' text PRIMARY KEY NOT NULL
+                );
+            `
+            ).run();
+            db.prepare(
+                `
+                CREATE TABLE 'connectionAuditLog' (
+                   	'id' integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+                   	'sessionId' text NOT NULL,
+                   	'siteResourceId' integer,
+                   	'orgId' text,
+                   	'siteId' integer,
+                   	'clientId' integer,
+                   	'userId' text,
+                   	'sourceAddr' text NOT NULL,
+                   	'destAddr' text NOT NULL,
+                   	'protocol' text NOT NULL,
+                   	'startedAt' integer NOT NULL,
+                   	'endedAt' integer,
+                   	'bytesTx' integer,
+                   	'bytesRx' integer,
+                   	FOREIGN KEY ('siteResourceId') REFERENCES 'siteResources'('siteResourceId') ON UPDATE no action ON DELETE cascade,
+                   	FOREIGN KEY ('orgId') REFERENCES 'orgs'('orgId') ON UPDATE no action ON DELETE cascade,
+                   	FOREIGN KEY ('siteId') REFERENCES 'sites'('siteId') ON UPDATE no action ON DELETE cascade,
+                   	FOREIGN KEY ('clientId') REFERENCES 'clients'('clientId') ON UPDATE no action ON DELETE cascade,
+                   	FOREIGN KEY ('userId') REFERENCES 'user'('id') ON UPDATE no action ON DELETE cascade
+                );
+            `
+            ).run();
+
+            db.prepare(`CREATE INDEX 'idx_accessAuditLog_startedAt' ON 'connectionAuditLog' ('startedAt');`).run();
+            db.prepare(`CREATE INDEX 'idx_accessAuditLog_org_startedAt' ON 'connectionAuditLog' ('orgId','startedAt');`).run();
+            db.prepare(`CREATE INDEX 'idx_accessAuditLog_siteResourceId' ON 'connectionAuditLog' ('siteResourceId');`).run();
+
+            db.prepare(
+                `
+                CREATE TABLE 'siteProvisioningKeyOrg' (
+                   	'siteProvisioningKeyId' text NOT NULL,
+                   	'orgId' text NOT NULL,
+                   	PRIMARY KEY('siteProvisioningKeyId', 'orgId'),
+                   	FOREIGN KEY ('siteProvisioningKeyId') REFERENCES 'siteProvisioningKeys'('siteProvisioningKeyId') ON UPDATE no action ON DELETE cascade,
+                   	FOREIGN KEY ('orgId') REFERENCES 'orgs'('orgId') ON UPDATE no action ON DELETE cascade
+                );
+            `
+            ).run();
+            db.prepare(
+                `
+                CREATE TABLE 'siteProvisioningKeys' (
+                   	'siteProvisioningKeyId' text PRIMARY KEY NOT NULL,
+                   	'name' text NOT NULL,
+                   	'siteProvisioningKeyHash' text NOT NULL,
+                   	'lastChars' text NOT NULL,
+                   	'dateCreated' text NOT NULL,
+                   	'lastUsed' text,
+                   	'maxBatchSize' integer,
+                   	'numUsed' integer DEFAULT 0 NOT NULL,
+                   	'validUntil' text
+                );
+            `
+            ).run();
+
             db.prepare(
                 `
                 CREATE TABLE 'userOrgRoles' (
@@ -63,6 +134,52 @@ export default async function migration() {
             db.prepare(
                 `ALTER TABLE '__new_userOrgs' RENAME TO 'userOrgs';`
             ).run();
+            db.prepare(
+                `
+                CREATE TABLE 'userInviteRoles' (
+                   	'inviteId' text NOT NULL,
+                   	'roleId' integer NOT NULL,
+                   	PRIMARY KEY('inviteId', 'roleId'),
+                   	FOREIGN KEY ('inviteId') REFERENCES 'userInvites'('inviteId') ON UPDATE no action ON DELETE cascade,
+                   	FOREIGN KEY ('roleId') REFERENCES 'roles'('roleId') ON UPDATE no action ON DELETE cascade
+                );
+            `
+            ).run();
+            db.prepare(
+                `
+                CREATE TABLE '__new_userInvites' (
+                   	'inviteId' text PRIMARY KEY NOT NULL,
+                   	'orgId' text NOT NULL,
+                   	'email' text NOT NULL,
+                   	'expiresAt' integer NOT NULL,
+                   	'token' text NOT NULL,
+                   	FOREIGN KEY ('orgId') REFERENCES 'orgs'('orgId') ON UPDATE no action ON DELETE cascade
+                );
+            `
+            ).run();
+            db.prepare(
+                `INSERT INTO '__new_userInvites'("inviteId", "orgId", "email", "expiresAt", "token") SELECT "inviteId", "orgId", "email", "expiresAt", "token" FROM 'userInvites';`
+            ).run();
+            db.prepare(`DROP TABLE 'userInvites';`).run();
+            db.prepare(
+                `ALTER TABLE '__new_userInvites' RENAME TO 'userInvites';`
+            ).run();
+
+            db.prepare(
+                `ALTER TABLE 'accessAuditLog' ADD 'siteResourceId' integer;`
+            ).run();
+            db.prepare(
+                `ALTER TABLE 'clientSitesAssociationsCache' ADD 'isJitMode' integer DEFAULT false NOT NULL;`
+            ).run();
+            db.prepare(`ALTER TABLE 'domains' ADD 'errorMessage' text;`).run();
+            db.prepare(
+                `ALTER TABLE 'orgs' ADD 'settingsLogRetentionDaysConnection' integer DEFAULT 0 NOT NULL;`
+            ).run();
+            db.prepare(`ALTER TABLE 'sites' ADD 'lastPing' integer;`).run();
+            db.prepare(
+                `ALTER TABLE 'user' ADD 'marketingEmailConsent' integer DEFAULT false;`
+            ).run();
+            db.prepare(`ALTER TABLE 'user' ADD 'locale' text;`).run();
         })();
 
         db.pragma("foreign_keys = ON");
@@ -93,4 +210,4 @@ export default async function migration() {
     }
 
     console.log(`${version} migration complete`);
-}
\ No newline at end of file
+}

From 6484e8e3027a901f883636d870ecd7638ccc5f90 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sun, 29 Mar 2026 22:02:19 -0700
Subject: [PATCH 170/314] Make work for demo

---
 server/lib/consts.ts                                  | 2 +-
 server/middlewares/verifySiteProvisioningKeyAccess.ts | 8 ++++++--
 server/private/cleanup.ts                             | 2 +-
 server/private/routers/ws/messageHandlers.ts          | 2 +-
 src/app/[orgId]/settings/provisioning/keys/page.tsx   | 3 ++-
 src/components/PendingSitesTable.tsx                  | 2 +-
 src/components/SiteProvisioningKeysTable.tsx          | 1 +
 7 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/server/lib/consts.ts b/server/lib/consts.ts
index d53bd70bb..8ad4f48e9 100644
--- a/server/lib/consts.ts
+++ b/server/lib/consts.ts
@@ -2,7 +2,7 @@ import path from "path";
 import { fileURLToPath } from "url";
 
 // This is a placeholder value replaced by the build process
-export const APP_VERSION = "1.16.0";
+export const APP_VERSION = "1.17.0";
 
 export const __FILENAME = fileURLToPath(import.meta.url);
 export const __DIRNAME = path.dirname(__FILENAME);
diff --git a/server/middlewares/verifySiteProvisioningKeyAccess.ts b/server/middlewares/verifySiteProvisioningKeyAccess.ts
index e0d446de6..bdf12c821 100644
--- a/server/middlewares/verifySiteProvisioningKeyAccess.ts
+++ b/server/middlewares/verifySiteProvisioningKeyAccess.ts
@@ -4,6 +4,7 @@ import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifySiteProvisioningKeyAccess(
     req: Request,
@@ -116,8 +117,11 @@ export async function verifySiteProvisioningKeyAccess(
             }
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            row.siteProvisioningKeyOrg.orgId
+        );
+        req.userOrgId = row.siteProvisioningKeyOrg.orgId;
 
         return next();
     } catch (error) {
diff --git a/server/private/cleanup.ts b/server/private/cleanup.ts
index 17d823491..f8032eb3b 100644
--- a/server/private/cleanup.ts
+++ b/server/private/cleanup.ts
@@ -14,7 +14,7 @@
 import { rateLimitService } from "#private/lib/rateLimit";
 import { cleanup as wsCleanup } from "#private/routers/ws";
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
-import { flushConnectionLogToDb } from "#dynamic/routers/newt";
+import { flushConnectionLogToDb } from "#private/routers/newt";
 import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
 import { stopPingAccumulator } from "@server/routers/newt/pingAccumulator";
 
diff --git a/server/private/routers/ws/messageHandlers.ts b/server/private/routers/ws/messageHandlers.ts
index a3c9c5bdb..5021cb966 100644
--- a/server/private/routers/ws/messageHandlers.ts
+++ b/server/private/routers/ws/messageHandlers.ts
@@ -18,7 +18,7 @@ import {
 } from "#private/routers/remoteExitNode";
 import { MessageHandler } from "@server/routers/ws";
 import { build } from "@server/build";
-import { handleConnectionLogMessage } from "#dynamic/routers/newt";
+import { handleConnectionLogMessage } from "#private/routers/newt";
 
 export const messageHandlers: Record<string, MessageHandler> = {
     "remoteExitNode/register": handleRemoteExitNodeRegisterMessage,
diff --git a/src/app/[orgId]/settings/provisioning/keys/page.tsx b/src/app/[orgId]/settings/provisioning/keys/page.tsx
index 021bb97b7..9637b03b3 100644
--- a/src/app/[orgId]/settings/provisioning/keys/page.tsx
+++ b/src/app/[orgId]/settings/provisioning/keys/page.tsx
@@ -45,7 +45,8 @@ export default async function ProvisioningKeysPage(
         lastUsed: k.lastUsed,
         maxBatchSize: k.maxBatchSize,
         numUsed: k.numUsed,
-        validUntil: k.validUntil
+        validUntil: k.validUntil,
+        approveNewSites: k.approveNewSites
     }));
 
     return (
diff --git a/src/components/PendingSitesTable.tsx b/src/components/PendingSitesTable.tsx
index 2d1ac8769..64417da7b 100644
--- a/src/components/PendingSitesTable.tsx
+++ b/src/components/PendingSitesTable.tsx
@@ -100,7 +100,7 @@ export default function PendingSitesTable({
     async function approveSite(siteId: number) {
         setApprovingIds((prev) => new Set(prev).add(siteId));
         try {
-            await api.post(`/site/${siteId}`, { status: "accepted" });
+            await api.post(`/site/${siteId}`, { status: "approved" });
             toast({
                 title: t("success"),
                 description: t("siteApproveSuccess"),
diff --git a/src/components/SiteProvisioningKeysTable.tsx b/src/components/SiteProvisioningKeysTable.tsx
index df7fd241c..fafbe725e 100644
--- a/src/components/SiteProvisioningKeysTable.tsx
+++ b/src/components/SiteProvisioningKeysTable.tsx
@@ -36,6 +36,7 @@ export type SiteProvisioningKeyRow = {
     maxBatchSize: number | null;
     numUsed: number;
     validUntil: string | null;
+    approveNewSites: boolean;
 };
 
 type SiteProvisioningKeysTableProps = {

From a651e507598940303fbd375a824135c343abe944 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 16:59:05 -0700
Subject: [PATCH 171/314] Fix merge from main

---
 server/routers/newt/handleGetConfigMessage.ts | 24 -------------------
 1 file changed, 24 deletions(-)

diff --git a/server/routers/newt/handleGetConfigMessage.ts b/server/routers/newt/handleGetConfigMessage.ts
index 23d95b61e..fced51818 100644
--- a/server/routers/newt/handleGetConfigMessage.ts
+++ b/server/routers/newt/handleGetConfigMessage.ts
@@ -9,17 +9,6 @@ import { buildClientConfigurationForNewtClient } from "./buildConfiguration";
 import { convertTargetsIfNessicary } from "../client/targets";
 import { canCompress } from "@server/lib/clientVersionChecks";
 
-<<<<<<< HEAD
-const inputSchema = z.object({
-    publicKey: z.string(),
-    port: z.int().positive(),
-    chainId: z.string()
-});
-
-type Input = z.infer<typeof inputSchema>;
-
-=======
->>>>>>> main
 export const handleGetConfigMessage: MessageHandler = async (context) => {
     const { message, client, sendToClient } = context;
     const newt = client as Newt;
@@ -38,20 +27,7 @@ export const handleGetConfigMessage: MessageHandler = async (context) => {
         return;
     }
 
-<<<<<<< HEAD
-    const parsed = inputSchema.safeParse(message.data);
-    if (!parsed.success) {
-        logger.error(
-            "handleGetConfigMessage: Invalid input: " +
-                fromError(parsed.error).toString()
-        );
-        return;
-    }
-
-    const { publicKey, port, chainId } = message.data as Input;
-=======
     const { publicKey, port, chainId } = message.data;
->>>>>>> main
     const siteId = newt.siteId;
 
     // Get the current site data

From 673b8b7af5b03b51fbd0f90ff106eba88bd246c2 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 17:03:12 -0700
Subject: [PATCH 172/314] Add userInviteRoles migration

---
 server/setup/scriptsPg/1.17.0.ts     | 36 ++++++++++++++++++++++++++++
 server/setup/scriptsSqlite/1.17.0.ts | 30 +++++++++++++++++++++++
 2 files changed, 66 insertions(+)

diff --git a/server/setup/scriptsPg/1.17.0.ts b/server/setup/scriptsPg/1.17.0.ts
index d953b24fb..c0489956f 100644
--- a/server/setup/scriptsPg/1.17.0.ts
+++ b/server/setup/scriptsPg/1.17.0.ts
@@ -20,6 +20,19 @@ export default async function migration() {
         `Found ${existingUserOrgRoles.length} existing userOrgs role assignment(s) to migrate`
     );
 
+    // Query existing roleId data from userInvites before the transaction destroys it
+    const existingInviteRolesQuery = await db.execute(
+        sql`SELECT "inviteId", "roleId" FROM "userInvites" WHERE "roleId" IS NOT NULL`
+    );
+    const existingUserInviteRoles = existingInviteRolesQuery.rows as {
+        inviteId: string;
+        roleId: number;
+    }[];
+
+    console.log(
+        `Found ${existingUserInviteRoles.length} existing userInvites role assignment(s) to migrate`
+    );
+
     try {
         await db.execute(sql`BEGIN`);
 
@@ -174,6 +187,29 @@ export default async function migration() {
         throw e;
     }
 
+    // Re-insert the preserved invite role assignments into the new userInviteRoles table
+    if (existingUserInviteRoles.length > 0) {
+        try {
+            for (const row of existingUserInviteRoles) {
+                await db.execute(sql`
+                    INSERT INTO "userInviteRoles" ("inviteId", "roleId")
+                    VALUES (${row.inviteId}, ${row.roleId})
+                    ON CONFLICT DO NOTHING
+                `);
+            }
+
+            console.log(
+                `Migrated ${existingUserInviteRoles.length} role assignment(s) into userInviteRoles`
+            );
+        } catch (e) {
+            console.error(
+                "Error while migrating role assignments into userInviteRoles:",
+                e
+            );
+            throw e;
+        }
+    }
+
     // Re-insert the preserved role assignments into the new userOrgRoles table
     if (existingUserOrgRoles.length > 0) {
         try {
diff --git a/server/setup/scriptsSqlite/1.17.0.ts b/server/setup/scriptsSqlite/1.17.0.ts
index 866eb8fe5..10cc0973d 100644
--- a/server/setup/scriptsSqlite/1.17.0.ts
+++ b/server/setup/scriptsSqlite/1.17.0.ts
@@ -24,6 +24,17 @@ export default async function migration() {
             `Found ${existingUserOrgRoles.length} existing userOrgs role assignment(s) to migrate`
         );
 
+        // Query existing roleId data from userInvites before the transaction destroys it
+        const existingUserInviteRoles = db
+            .prepare(
+                `SELECT "inviteId", "roleId" FROM 'userInvites' WHERE "roleId" IS NOT NULL`
+            )
+            .all() as { inviteId: string; roleId: number }[];
+
+        console.log(
+            `Found ${existingUserInviteRoles.length} existing userInvites role assignment(s) to migrate`
+        );
+
         db.transaction(() => {
             db.prepare(
                 `
@@ -184,6 +195,25 @@ export default async function migration() {
 
         db.pragma("foreign_keys = ON");
 
+        // Re-insert the preserved invite role assignments into the new userInviteRoles table
+        if (existingUserInviteRoles.length > 0) {
+            const insertUserInviteRole = db.prepare(
+                `INSERT OR IGNORE INTO 'userInviteRoles' ("inviteId", "roleId") VALUES (?, ?)`
+            );
+
+            const insertAll = db.transaction(() => {
+                for (const row of existingUserInviteRoles) {
+                    insertUserInviteRole.run(row.inviteId, row.roleId);
+                }
+            });
+
+            insertAll();
+
+            console.log(
+                `Migrated ${existingUserInviteRoles.length} role assignment(s) into userInviteRoles`
+            );
+        }
+
         // Re-insert the preserved role assignments into the new userOrgRoles table
         if (existingUserOrgRoles.length > 0) {
             const insertUserOrgRole = db.prepare(

From b8d7d5c910b903c69976fca9ab6e9779ae843288 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 17:18:38 -0700
Subject: [PATCH 173/314] Add name to provisioning

---
 server/routers/newt/registerNewt.ts | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/server/routers/newt/registerNewt.ts b/server/routers/newt/registerNewt.ts
index 6ad7c30a8..954acca92 100644
--- a/server/routers/newt/registerNewt.ts
+++ b/server/routers/newt/registerNewt.ts
@@ -30,7 +30,8 @@ import { INSPECT_MAX_BYTES } from "buffer";
 import { v } from "@faker-js/faker/dist/airline-Dz1uGqgJ";
 
 const bodySchema = z.object({
-    provisioningKey: z.string().nonempty()
+    provisioningKey: z.string().nonempty(),
+    name: z.string().optional()
 });
 
 export type RegisterNewtBody = z.infer<typeof bodySchema>;
@@ -56,7 +57,7 @@ export async function registerNewt(
             );
         }
 
-        const { provisioningKey } = parsedBody.data;
+        const { provisioningKey, name } = parsedBody.data;
 
         // Keys are in the format "siteProvisioningKeyId.secret"
         const dotIndex = provisioningKey.indexOf(".");
@@ -194,7 +195,7 @@ export async function registerNewt(
                 .insert(sites)
                 .values({
                     orgId,
-                    name: niceId,
+                    name: name || niceId,
                     niceId,
                     type: "newt",
                     dockerSocketEnabled: true,

From 3ed72dd96b58eb5ada726d2864b3041b7c4bdd11 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 18:16:22 -0700
Subject: [PATCH 174/314] Add missing colums to migrations

---
 server/setup/scriptsPg/1.17.0.ts     | 2 ++
 server/setup/scriptsSqlite/1.17.0.ts | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/server/setup/scriptsPg/1.17.0.ts b/server/setup/scriptsPg/1.17.0.ts
index c0489956f..09d09261c 100644
--- a/server/setup/scriptsPg/1.17.0.ts
+++ b/server/setup/scriptsPg/1.17.0.ts
@@ -177,6 +177,8 @@ export default async function migration() {
             sql`CREATE INDEX "idx_accessAuditLog_siteResourceId" ON "connectionAuditLog" USING btree ("siteResourceId");`
         );
         await db.execute(sql`ALTER TABLE "userInvites" DROP COLUMN "roleId";`);
+        await db.execute(sql`ALTER TABLE "siteProvisioningKeys" ADD COLUMN "approveNewSites" boolean DEFAULT true NOT NULL;`);
+        await db.execute(sql`ALTER TABLE "sites" ADD COLUMN "status" varchar;`);
 
         await db.execute(sql`COMMIT`);
         console.log("Migrated database");
diff --git a/server/setup/scriptsSqlite/1.17.0.ts b/server/setup/scriptsSqlite/1.17.0.ts
index 10cc0973d..b6515510f 100644
--- a/server/setup/scriptsSqlite/1.17.0.ts
+++ b/server/setup/scriptsSqlite/1.17.0.ts
@@ -191,6 +191,8 @@ export default async function migration() {
                 `ALTER TABLE 'user' ADD 'marketingEmailConsent' integer DEFAULT false;`
             ).run();
             db.prepare(`ALTER TABLE 'user' ADD 'locale' text;`).run();
+            db.prepare(`ALTER TABLE 'siteProvisioningKeys' ADD COLUMN 'approveNewSites' integer DEFAULT 1 NOT NULL;`).run();
+            db.prepare(`ALTER TABLE 'sites' ADD COLUMN 'status' text;`).run();
         })();
 
         db.pragma("foreign_keys = ON");

From 5e0e4f145214ae8dc1c53cff38c61817f2d45af9 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 20:16:35 -0700
Subject: [PATCH 175/314] Update book a demo

---
 messages/en-US.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index 768796c12..6a137e2ba 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -2463,8 +2463,8 @@
     "sourceAddress": "Source Address",
     "destinationAddress": "Destination Address",
     "duration": "Duration",
-    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a free demo or POC trial to learn more</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a free demo or POC trial to learn more</bookADemoLink>.",
     "certResolver": "Certificate Resolver",
     "certResolverDescription": "Select the certificate resolver to use for this resource.",
     "selectCertResolver": "Select Certificate Resolver",

From ca0dd09964fad0884aa6ceb24dac43fcac9b2400 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 20:35:00 -0700
Subject: [PATCH 176/314] Add crud

---
 server/auth/actions.ts                        |   6 +-
 server/db/pg/schema/privateSchema.ts          |  31 ++++
 server/db/sqlite/schema/privateSchema.ts      |  40 ++++-
 .../createEventStreamingDestination.ts        | 124 +++++++++++++++
 .../deleteEventStreamingDestination.ts        | 103 +++++++++++++
 .../eventStreamingDestination/index.ts        |  17 +++
 .../listEventStreamingDestinations.ts         | 144 ++++++++++++++++++
 .../updateEventStreamingDestination.ts        | 141 +++++++++++++++++
 server/private/routers/external.ts            |  38 +++++
 9 files changed, 642 insertions(+), 2 deletions(-)
 create mode 100644 server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
 create mode 100644 server/private/routers/eventStreamingDestination/deleteEventStreamingDestination.ts
 create mode 100644 server/private/routers/eventStreamingDestination/index.ts
 create mode 100644 server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts
 create mode 100644 server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts

diff --git a/server/auth/actions.ts b/server/auth/actions.ts
index fc5daa4f8..213dab9d3 100644
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -140,7 +140,11 @@ export enum ActionsEnum {
     exportLogs = "exportLogs",
     listApprovals = "listApprovals",
     updateApprovals = "updateApprovals",
-    signSshKey = "signSshKey"
+    signSshKey = "signSshKey",
+    createEventStreamingDestination = "createEventStreamingDestination",
+    updateEventStreamingDestination = "updateEventStreamingDestination",
+    deleteEventStreamingDestination = "deleteEventStreamingDestination",
+    listEventStreamingDestinations = "listEventStreamingDestinations"
 }
 
 export async function checkUserActionPermission(
diff --git a/server/db/pg/schema/privateSchema.ts b/server/db/pg/schema/privateSchema.ts
index 9d5955d51..1b031636f 100644
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -417,6 +417,25 @@ export const siteProvisioningKeyOrg = pgTable(
     ]
 );
 
+export const eventStreamingDestinations = pgTable(
+    "eventStreamingDestinations",
+    {
+        destinationId: serial("destinationId").primaryKey(),
+        orgId: varchar("orgId", { length: 255 })
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        sendConnectionLogs: boolean("sendConnectionLogs").notNull().default(false),
+        sendRequestLogs: boolean("sendRequestLogs").notNull().default(false),
+        sendActionLogs: boolean("sendActionLogs").notNull().default(false),
+        sendAccessLogs: boolean("sendAccessLogs").notNull().default(false),
+        type: varchar("type", { length: 50 }).notNull(), // e.g. "http", "kafka", etc.
+        config: text("config").notNull(), // JSON string with the configuration for the destination
+        enabled: boolean("enabled").notNull().default(true),
+        createdAt: bigint("createdAt", { mode: "number" }).notNull(),
+        updatedAt: bigint("updatedAt", { mode: "number" }).notNull()
+    }
+);
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -439,3 +458,15 @@ export type LoginPageBranding = InferSelectModel<typeof loginPageBranding>;
 export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
 export type AccessAuditLog = InferSelectModel<typeof accessAuditLog>;
 export type ConnectionAuditLog = InferSelectModel<typeof connectionAuditLog>;
+export type SessionTransferToken = InferSelectModel<
+    typeof sessionTransferToken
+>;
+export type BannedEmail = InferSelectModel<typeof bannedEmails>;
+export type BannedIp = InferSelectModel<typeof bannedIps>;
+export type SiteProvisioningKey = InferSelectModel<typeof siteProvisioningKeys>;
+export type SiteProvisioningKeyOrg = InferSelectModel<
+    typeof siteProvisioningKeyOrg
+>;
+export type EventStreamingDestination = InferSelectModel<
+    typeof eventStreamingDestinations
+>;
diff --git a/server/db/sqlite/schema/privateSchema.ts b/server/db/sqlite/schema/privateSchema.ts
index 809c0c45d..9bb994266 100644
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -7,7 +7,16 @@ import {
     sqliteTable,
     text
 } from "drizzle-orm/sqlite-core";
-import { clients, domains, exitNodes, orgs, sessions, siteResources, sites, users } from "./schema";
+import {
+    clients,
+    domains,
+    exitNodes,
+    orgs,
+    sessions,
+    siteResources,
+    sites,
+    users
+} from "./schema";
 
 export const certificates = sqliteTable("certificates", {
     certId: integer("certId").primaryKey({ autoIncrement: true }),
@@ -401,6 +410,29 @@ export const siteProvisioningKeyOrg = sqliteTable(
     ]
 );
 
+export const eventStreamingDestinations = sqliteTable(
+    "eventStreamingDestinations",
+    {
+        destinationId: integer("destinationId").primaryKey({
+            autoIncrement: true
+        }),
+        orgId: text("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        sendConnectionLogs: integer("sendConnectionLogs", { mode: "boolean" }).notNull().default(false),
+        sendRequestLogs: integer("sendRequestLogs", { mode: "boolean" }).notNull().default(false),
+        sendActionLogs: integer("sendActionLogs", { mode: "boolean" }).notNull().default(false),
+        sendAccessLogs: integer("sendAccessLogs", { mode: "boolean" }).notNull().default(false),
+        type: text("type").notNull(), // e.g. "http", "kafka", etc.
+        config: text("config").notNull(), // JSON string with the configuration for the destination
+        enabled: integer("enabled", { mode: "boolean" })
+            .notNull()
+            .default(true),
+        createdAt: integer("createdAt").notNull(),
+        updatedAt: integer("updatedAt").notNull()
+    }
+);
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -423,3 +455,9 @@ export type LoginPageBranding = InferSelectModel<typeof loginPageBranding>;
 export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
 export type AccessAuditLog = InferSelectModel<typeof accessAuditLog>;
 export type ConnectionAuditLog = InferSelectModel<typeof connectionAuditLog>;
+export type BannedEmail = InferSelectModel<typeof bannedEmails>;
+export type BannedIp = InferSelectModel<typeof bannedIps>;
+export type SiteProvisioningKey = InferSelectModel<typeof siteProvisioningKeys>;
+export type EventStreamingDestination = InferSelectModel<
+    typeof eventStreamingDestinations
+>;
diff --git a/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts b/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
new file mode 100644
index 000000000..1c9de788a
--- /dev/null
+++ b/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
@@ -0,0 +1,124 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { eventStreamingDestinations } from "@server/db";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty()
+});
+
+const bodySchema = z.strictObject({
+    type: z.string().nonempty(),
+    config: z.string().nonempty(),
+    enabled: z.boolean().optional().default(true),
+    sendConnectionLogs: z.boolean().optional().default(false),
+    sendRequestLogs: z.boolean().optional().default(false),
+    sendActionLogs: z.boolean().optional().default(false),
+    sendAccessLogs: z.boolean().optional().default(false)
+});
+
+export type CreateEventStreamingDestinationResponse = {
+    destinationId: number;
+};
+
+registry.registerPath({
+    method: "put",
+    path: "/org/{orgId}/event-streaming-destination",
+    description: "Create an event streaming destination for a specific organization.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: bodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
+
+export async function createEventStreamingDestination(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId } = parsedParams.data;
+
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { type, config, enabled } = parsedBody.data;
+
+        const now = Date.now();
+
+        const [destination] = await db
+            .insert(eventStreamingDestinations)
+            .values({
+                orgId,
+                type,
+                config,
+                enabled,
+                createdAt: now,
+                updatedAt: now,
+                sendAccessLogs: parsedBody.data.sendAccessLogs,
+                sendActionLogs: parsedBody.data.sendActionLogs,
+                sendConnectionLogs: parsedBody.data.sendConnectionLogs,
+                sendRequestLogs: parsedBody.data.sendRequestLogs
+            })
+            .returning();
+
+        return response<CreateEventStreamingDestinationResponse>(res, {
+            data: {
+                destinationId: destination.destinationId
+            },
+            success: true,
+            error: false,
+            message: "Event streaming destination created successfully",
+            status: HttpCode.CREATED
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
diff --git a/server/private/routers/eventStreamingDestination/deleteEventStreamingDestination.ts b/server/private/routers/eventStreamingDestination/deleteEventStreamingDestination.ts
new file mode 100644
index 000000000..d93bc4405
--- /dev/null
+++ b/server/private/routers/eventStreamingDestination/deleteEventStreamingDestination.ts
@@ -0,0 +1,103 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { eventStreamingDestinations } from "@server/db";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { and, eq } from "drizzle-orm";
+
+const paramsSchema = z
+    .object({
+        orgId: z.string().nonempty(),
+        destinationId: z.coerce.number<number>()
+    })
+    .strict();
+
+registry.registerPath({
+    method: "delete",
+    path: "/org/{orgId}/event-streaming-destination/{destinationId}",
+    description: "Delete an event streaming destination for a specific organization.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema
+    },
+    responses: {}
+});
+
+export async function deleteEventStreamingDestination(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, destinationId } = parsedParams.data;
+
+        const [existing] = await db
+            .select()
+            .from(eventStreamingDestinations)
+            .where(
+                and(
+                    eq(eventStreamingDestinations.destinationId, destinationId),
+                    eq(eventStreamingDestinations.orgId, orgId)
+                )
+            );
+
+        if (!existing) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "Event streaming destination not found"
+                )
+            );
+        }
+
+        await db
+            .delete(eventStreamingDestinations)
+            .where(
+                and(
+                    eq(eventStreamingDestinations.destinationId, destinationId),
+                    eq(eventStreamingDestinations.orgId, orgId)
+                )
+            );
+
+        return response<null>(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Event streaming destination deleted successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
\ No newline at end of file
diff --git a/server/private/routers/eventStreamingDestination/index.ts b/server/private/routers/eventStreamingDestination/index.ts
new file mode 100644
index 000000000..595e9595b
--- /dev/null
+++ b/server/private/routers/eventStreamingDestination/index.ts
@@ -0,0 +1,17 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+export * from "./createEventStreamingDestination";
+export * from "./updateEventStreamingDestination";
+export * from "./deleteEventStreamingDestination";
+export * from "./listEventStreamingDestinations";
\ No newline at end of file
diff --git a/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts b/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts
new file mode 100644
index 000000000..b3f5ff149
--- /dev/null
+++ b/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts
@@ -0,0 +1,144 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { eventStreamingDestinations } from "@server/db";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { eq, sql } from "drizzle-orm";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty()
+});
+
+const querySchema = z.strictObject({
+    limit: z
+        .string()
+        .optional()
+        .default("1000")
+        .transform(Number)
+        .pipe(z.int().nonnegative()),
+    offset: z
+        .string()
+        .optional()
+        .default("0")
+        .transform(Number)
+        .pipe(z.int().nonnegative())
+});
+
+export type ListEventStreamingDestinationsResponse = {
+    destinations: {
+        destinationId: number;
+        orgId: string;
+        type: string;
+        config: string;
+        enabled: boolean;
+        createdAt: number;
+        updatedAt: number;
+        sendConnectionLogs: boolean;
+        sendRequestLogs: boolean;
+        sendActionLogs: boolean;
+        sendAccessLogs: boolean;
+    }[];
+    pagination: {
+        total: number;
+        limit: number;
+        offset: number;
+    };
+};
+
+async function query(orgId: string, limit: number, offset: number) {
+    const res = await db
+        .select()
+        .from(eventStreamingDestinations)
+        .where(eq(eventStreamingDestinations.orgId, orgId))
+        .orderBy(sql`${eventStreamingDestinations.createdAt} DESC`)
+        .limit(limit)
+        .offset(offset);
+    return res;
+}
+
+registry.registerPath({
+    method: "get",
+    path: "/org/{orgId}/event-streaming-destination",
+    description: "List all event streaming destinations for a specific organization.",
+    tags: [OpenAPITags.Org],
+    request: {
+        query: querySchema,
+        params: paramsSchema
+    },
+    responses: {}
+});
+
+export async function listEventStreamingDestinations(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+        const { orgId } = parsedParams.data;
+
+        const parsedQuery = querySchema.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedQuery.error).toString()
+                )
+            );
+        }
+        const { limit, offset } = parsedQuery.data;
+
+        const list = await query(orgId, limit, offset);
+
+        const [{ count }] = await db
+            .select({ count: sql<number>`count(*)` })
+            .from(eventStreamingDestinations)
+            .where(eq(eventStreamingDestinations.orgId, orgId));
+
+        return response<ListEventStreamingDestinationsResponse>(res, {
+            data: {
+                destinations: list,
+                pagination: {
+                    total: count,
+                    limit,
+                    offset
+                }
+            },
+            success: true,
+            error: false,
+            message: "Event streaming destinations retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
diff --git a/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts b/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
new file mode 100644
index 000000000..1ad8f0081
--- /dev/null
+++ b/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
@@ -0,0 +1,141 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { eventStreamingDestinations } from "@server/db";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { and, eq } from "drizzle-orm";
+import { parse } from "zod/v4/core";
+
+const paramsSchema = z
+    .object({
+        orgId: z.string().nonempty(),
+        destinationId: z.coerce.number<number>()
+    })
+    .strict();
+
+const bodySchema = z.strictObject({
+    type: z.string().optional(),
+    config: z.string().optional(),
+    enabled: z.boolean().optional(),
+    sendConnectionLogs: z.boolean().optional().default(false),
+    sendRequestLogs: z.boolean().optional().default(false),
+    sendActionLogs: z.boolean().optional().default(false),
+    sendAccessLogs: z.boolean().optional().default(false)
+});
+
+export type UpdateEventStreamingDestinationResponse = {
+    destinationId: number;
+};
+
+registry.registerPath({
+    method: "post",
+    path: "/org/{orgId}/event-streaming-destination/{destinationId}",
+    description: "Update an event streaming destination for a specific organization.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: bodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
+
+export async function updateEventStreamingDestination(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, destinationId } = parsedParams.data;
+
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const [existing] = await db
+            .select()
+            .from(eventStreamingDestinations)
+            .where(
+                and(
+                    eq(eventStreamingDestinations.destinationId, destinationId),
+                    eq(eventStreamingDestinations.orgId, orgId)
+                )
+            );
+
+        if (!existing) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "Event streaming destination not found"
+                )
+            );
+        }
+
+        const updateData = parsedBody.data;
+
+        await db
+            .update(eventStreamingDestinations)
+            .set(updateData)
+            .where(
+                and(
+                    eq(eventStreamingDestinations.destinationId, destinationId),
+                    eq(eventStreamingDestinations.orgId, orgId)
+                )
+            );
+
+
+        return response<UpdateEventStreamingDestinationResponse>(res, {
+            data: {
+                destinationId
+            },
+            success: true,
+            error: false,
+            message: "Event streaming destination updated successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
diff --git a/server/private/routers/external.ts b/server/private/routers/external.ts
index 412895a41..41a4919a0 100644
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -28,6 +28,7 @@ import * as approval from "#private/routers/approvals";
 import * as ssh from "#private/routers/ssh";
 import * as user from "#private/routers/user";
 import * as siteProvisioning from "#private/routers/siteProvisioning";
+import * as eventStreamingDestination from "#private/routers/eventStreamingDestination";
 
 import {
     verifyOrgAccess,
@@ -615,3 +616,40 @@ authenticated.patch(
     logActionAudit(ActionsEnum.updateSiteProvisioningKey),
     siteProvisioning.updateSiteProvisioningKey
 );
+
+authenticated.put(
+    "/org/:orgId/event-streaming-destination",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.createEventStreamingDestination),
+    logActionAudit(ActionsEnum.createEventStreamingDestination),
+    eventStreamingDestination.createEventStreamingDestination
+);
+
+authenticated.post(
+    "/org/:orgId/event-streaming-destination/:destinationId",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.updateEventStreamingDestination),
+    logActionAudit(ActionsEnum.updateEventStreamingDestination),
+    eventStreamingDestination.updateEventStreamingDestination
+);
+
+authenticated.delete(
+    "/org/:orgId/event-streaming-destination/:destinationId",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.deleteEventStreamingDestination),
+    logActionAudit(ActionsEnum.deleteEventStreamingDestination),
+    eventStreamingDestination.deleteEventStreamingDestination
+);
+
+authenticated.get(
+    "/org/:orgId/event-streaming-destinations",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.listEventStreamingDestinations),
+    eventStreamingDestination.listEventStreamingDestinations
+);

From 5150a2c3862a32bac29d229cff33c869495f165e Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 21:00:05 -0700
Subject: [PATCH 177/314] Basic ui done

---
 messages/en-US.json                           |   1 +
 server/lib/billing/tierMatrix.ts              |   6 +-
 server/private/routers/external.ts            |   1 -
 .../[orgId]/settings/logs/streaming/page.tsx  | 861 ++++++++++++++++++
 src/app/navigation.tsx                        |   6 +
 5 files changed, 872 insertions(+), 3 deletions(-)
 create mode 100644 src/app/[orgId]/settings/logs/streaming/page.tsx

diff --git a/messages/en-US.json b/messages/en-US.json
index 6a137e2ba..e8c7cb47d 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -2460,6 +2460,7 @@
     "connectionLogs": "Connection Logs",
     "connectionLogsDescription": "View connection logs for tunnels in this organization",
     "sidebarLogsConnection": "Connection Logs",
+    "sidebarLogsStreaming": "Streaming",
     "sourceAddress": "Source Address",
     "destinationAddress": "Destination Address",
     "duration": "Duration",
diff --git a/server/lib/billing/tierMatrix.ts b/server/lib/billing/tierMatrix.ts
index 2aa38e1ef..c76dcd95b 100644
--- a/server/lib/billing/tierMatrix.ts
+++ b/server/lib/billing/tierMatrix.ts
@@ -18,7 +18,8 @@ export enum TierFeature {
     AutoProvisioning = "autoProvisioning", // handle downgrade by disabling auto provisioning
     SshPam = "sshPam",
     FullRbac = "fullRbac",
-    SiteProvisioningKeys = "siteProvisioningKeys" // handle downgrade by revoking keys if needed
+    SiteProvisioningKeys = "siteProvisioningKeys", // handle downgrade by revoking keys if needed
+    SIEM = "siem" // handle downgrade by disabling SIEM integrations
 }
 
 export const tierMatrix: Record<TierFeature, Tier[]> = {
@@ -54,5 +55,6 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
     [TierFeature.AutoProvisioning]: ["tier1", "tier3", "enterprise"],
     [TierFeature.SshPam]: ["tier1", "tier3", "enterprise"],
     [TierFeature.FullRbac]: ["tier1", "tier2", "tier3", "enterprise"],
-    [TierFeature.SiteProvisioningKeys]: ["enterprise"]
+    [TierFeature.SiteProvisioningKeys]: ["tier3", "enterprise"],
+    [TierFeature.SIEM]: ["enterprise"]
 };
diff --git a/server/private/routers/external.ts b/server/private/routers/external.ts
index 41a4919a0..4410a44c8 100644
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -648,7 +648,6 @@ authenticated.delete(
 
 authenticated.get(
     "/org/:orgId/event-streaming-destinations",
-    verifyValidLicense,
     verifyOrgAccess,
     verifyUserHasAction(ActionsEnum.listEventStreamingDestinations),
     eventStreamingDestination.listEventStreamingDestinations
diff --git a/src/app/[orgId]/settings/logs/streaming/page.tsx b/src/app/[orgId]/settings/logs/streaming/page.tsx
new file mode 100644
index 000000000..265001e8e
--- /dev/null
+++ b/src/app/[orgId]/settings/logs/streaming/page.tsx
@@ -0,0 +1,861 @@
+"use client";
+
+import { useState, useEffect, useCallback } from "react";
+import { useParams } from "next/navigation";
+import { createApiClient, formatAxiosError } from "@app/lib/api";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { toast } from "@app/hooks/useToast";
+import { usePaidStatus } from "@app/hooks/usePaidStatus";
+import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
+import { tierMatrix, TierFeature } from "@server/lib/billing/tierMatrix";
+import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
+import {
+    Credenza,
+    CredenzaBody,
+    CredenzaClose,
+    CredenzaContent,
+    CredenzaDescription,
+    CredenzaFooter,
+    CredenzaHeader,
+    CredenzaTitle
+} from "@app/components/Credenza";
+import { Button } from "@app/components/ui/button";
+import { Input } from "@app/components/ui/input";
+import { Label } from "@app/components/ui/label";
+import { Switch } from "@app/components/ui/switch";
+import {
+    Tabs,
+    TabsContent,
+    TabsList,
+    TabsTrigger
+} from "@app/components/ui/tabs";
+import { RadioGroup, RadioGroupItem } from "@app/components/ui/radio-group";
+import { Textarea } from "@app/components/ui/textarea";
+import { Globe, Plus, Pencil, Trash2, X } from "lucide-react";
+import { AxiosResponse } from "axios";
+import { build } from "@server/build";
+
+// ── Types ──────────────────────────────────────────────────────────────────────
+
+type AuthType = "none" | "bearer" | "basic" | "custom";
+
+interface HttpConfig {
+    name: string;
+    url: string;
+    authType: AuthType;
+    bearerToken?: string;
+    basicCredentials?: string;
+    customHeaderName?: string;
+    customHeaderValue?: string;
+    headers: Array<{ key: string; value: string }>;
+    useBodyTemplate: boolean;
+    bodyTemplate?: string;
+}
+
+interface Destination {
+    destinationId: number;
+    orgId: string;
+    type: string;
+    config: string;
+    enabled: boolean;
+    createdAt: number;
+    updatedAt: number;
+}
+
+interface ListDestinationsResponse {
+    destinations: Destination[];
+    pagination: {
+        total: number;
+        limit: number;
+        offset: number;
+    };
+}
+
+// ── Helpers ────────────────────────────────────────────────────────────────────
+
+const defaultConfig = (): HttpConfig => ({
+    name: "",
+    url: "",
+    authType: "none",
+    bearerToken: "",
+    basicCredentials: "",
+    customHeaderName: "",
+    customHeaderValue: "",
+    headers: [],
+    useBodyTemplate: false,
+    bodyTemplate: ""
+});
+
+function parseConfig(raw: string): HttpConfig {
+    try {
+        return { ...defaultConfig(), ...JSON.parse(raw) };
+    } catch {
+        return defaultConfig();
+    }
+}
+
+// ── Headers editor ─────────────────────────────────────────────────────────────
+
+interface HeadersEditorProps {
+    headers: Array<{ key: string; value: string }>;
+    onChange: (headers: Array<{ key: string; value: string }>) => void;
+}
+
+function HeadersEditor({ headers, onChange }: HeadersEditorProps) {
+    const addRow = () => onChange([...headers, { key: "", value: "" }]);
+
+    const removeRow = (i: number) =>
+        onChange(headers.filter((_, idx) => idx !== i));
+
+    const updateRow = (
+        i: number,
+        field: "key" | "value",
+        val: string
+    ) => {
+        const next = [...headers];
+        next[i] = { ...next[i], [field]: val };
+        onChange(next);
+    };
+
+    return (
+        <div className="space-y-3">
+            {headers.length === 0 && (
+                <p className="text-xs text-muted-foreground">
+                    No custom headers configured. Click "Add Header" to add one.
+                </p>
+            )}
+            {headers.map((h, i) => (
+                <div key={i} className="flex gap-2 items-center">
+                    <Input
+                        value={h.key}
+                        onChange={(e) => updateRow(i, "key", e.target.value)}
+                        placeholder="Header name"
+                        className="flex-1"
+                    />
+                    <Input
+                        value={h.value}
+                        onChange={(e) => updateRow(i, "value", e.target.value)}
+                        placeholder="Value"
+                        className="flex-1"
+                    />
+                    <Button
+                        type="button"
+                        variant="ghost"
+                        size="icon"
+                        onClick={() => removeRow(i)}
+                        className="shrink-0 h-9 w-9"
+                    >
+                        <X className="h-4 w-4" />
+                    </Button>
+                </div>
+            ))}
+            <Button
+                type="button"
+                variant="outline"
+                size="sm"
+                onClick={addRow}
+                className="gap-1.5"
+            >
+                <Plus className="h-3.5 w-3.5" />
+                Add Header
+            </Button>
+        </div>
+    );
+}
+
+// ── Destination card ───────────────────────────────────────────────────────────
+
+interface DestinationCardProps {
+    destination: Destination;
+    onToggle: (id: number, enabled: boolean) => void;
+    onEdit: (destination: Destination) => void;
+    isToggling: boolean;
+    disabled?: boolean;
+}
+
+function DestinationCard({
+    destination,
+    onToggle,
+    onEdit,
+    isToggling,
+    disabled = false
+}: DestinationCardProps) {
+    const cfg = parseConfig(destination.config);
+
+    return (
+        <div className="relative flex flex-col rounded-lg border bg-card text-card-foreground p-5 gap-3">
+            {/* Top row: icon + name/type + toggle */}
+            <div className="flex items-start justify-between gap-3">
+                <div className="flex items-center gap-3 min-w-0">
+                    <div className="shrink-0 flex items-center justify-center w-9 h-9 rounded-md bg-muted">
+                        <Globe className="h-5 w-5 text-muted-foreground" />
+                    </div>
+                    <div className="min-w-0">
+                        <p className="font-semibold text-sm leading-tight truncate">
+                            {cfg.name || "Unnamed destination"}
+                        </p>
+                        <p className="text-xs text-muted-foreground truncate mt-0.5">
+                            HTTP
+                        </p>
+                    </div>
+                </div>
+                <Switch
+                    checked={destination.enabled}
+                    onCheckedChange={(v) =>
+                        onToggle(destination.destinationId, v)
+                    }
+                    disabled={isToggling || disabled}
+                    className="shrink-0 mt-0.5"
+                />
+            </div>
+
+            {/* URL preview */}
+            <p className="text-xs text-muted-foreground truncate">
+                {cfg.url || (
+                    <span className="italic">No URL configured</span>
+                )}
+            </p>
+
+            {/* Footer: edit button */}
+            <div className="flex justify-end pt-1 border-t border-border mt-auto">
+                <Button
+                    variant="ghost"
+                    size="sm"
+                    onClick={() => onEdit(destination)}
+                    disabled={disabled}
+                    className="h-7 gap-1.5 text-xs mt-2"
+                >
+                    <Pencil className="h-3 w-3" />
+                    Edit
+                </Button>
+            </div>
+        </div>
+    );
+}
+
+// ── Add destination card ───────────────────────────────────────────────────────
+
+function AddDestinationCard({
+    onClick,
+    disabled = false
+}: {
+    onClick: () => void;
+    disabled?: boolean;
+}) {
+    return (
+        <button
+            type="button"
+            onClick={disabled ? undefined : onClick}
+            disabled={disabled}
+            className={`flex flex-col items-center justify-center rounded-lg border-2 border-dashed border-border bg-transparent transition-colors p-5 min-h-35 w-full ${
+                disabled
+                    ? "opacity-50 cursor-not-allowed text-muted-foreground"
+                    : "text-muted-foreground hover:border-primary hover:text-primary hover:bg-primary/5 cursor-pointer"
+            }`}
+        >
+            <div className="flex flex-col items-center gap-2">
+                <div className="flex items-center justify-center w-9 h-9 rounded-md border-2 border-dashed border-current">
+                    <Plus className="h-4 w-4" />
+                </div>
+                <span className="text-sm font-medium">Add Destination</span>
+            </div>
+        </button>
+    );
+}
+
+// ── Destination modal ──────────────────────────────────────────────────────────
+
+interface DestinationModalProps {
+    open: boolean;
+    onOpenChange: (open: boolean) => void;
+    editing: Destination | null;
+    orgId: string;
+    onSaved: () => void;
+    onDeleted: () => void;
+}
+
+function DestinationModal({
+    open,
+    onOpenChange,
+    editing,
+    orgId,
+    onSaved,
+    onDeleted
+}: DestinationModalProps) {
+    const api = createApiClient(useEnvContext());
+
+    const [saving, setSaving] = useState(false);
+    const [deleting, setDeleting] = useState(false);
+    const [confirmDelete, setConfirmDelete] = useState(false);
+    const [cfg, setCfg] = useState<HttpConfig>(defaultConfig());
+
+    useEffect(() => {
+        if (open) {
+            setCfg(editing ? parseConfig(editing.config) : defaultConfig());
+            setConfirmDelete(false);
+        }
+    }, [open, editing]);
+
+    const update = (patch: Partial<HttpConfig>) =>
+        setCfg((prev) => ({ ...prev, ...patch }));
+
+    const isValid =
+        cfg.name.trim() !== "" && cfg.url.trim() !== "";
+
+    async function handleSave() {
+        if (!isValid) return;
+        setSaving(true);
+        try {
+            const payload = {
+                type: "http",
+                config: JSON.stringify(cfg)
+            };
+            if (editing) {
+                await api.post(
+                    `/org/${orgId}/event-streaming-destination/${editing.destinationId}`,
+                    payload
+                );
+                toast({ title: "Destination updated successfully" });
+            } else {
+                await api.put(
+                    `/org/${orgId}/event-streaming-destination`,
+                    payload
+                );
+                toast({ title: "Destination created successfully" });
+            }
+            onSaved();
+            onOpenChange(false);
+        } catch (e) {
+            toast({
+                variant: "destructive",
+                title: editing
+                    ? "Failed to update destination"
+                    : "Failed to create destination",
+                description: formatAxiosError(
+                    e,
+                    "An unexpected error occurred."
+                )
+            });
+        } finally {
+            setSaving(false);
+        }
+    }
+
+    async function handleDelete() {
+        if (!editing) return;
+        if (!confirmDelete) {
+            setConfirmDelete(true);
+            return;
+        }
+        setDeleting(true);
+        try {
+            await api.delete(
+                `/org/${orgId}/event-streaming-destination/${editing.destinationId}`
+            );
+            toast({ title: "Destination deleted successfully" });
+            onDeleted();
+            onOpenChange(false);
+        } catch (e) {
+            toast({
+                variant: "destructive",
+                title: "Failed to delete destination",
+                description: formatAxiosError(
+                    e,
+                    "An unexpected error occurred."
+                )
+            });
+        } finally {
+            setDeleting(false);
+        }
+    }
+
+    return (
+        <Credenza open={open} onOpenChange={onOpenChange}>
+            <CredenzaContent className="sm:max-w-2xl">
+                <CredenzaHeader>
+                    <CredenzaTitle>
+                        {editing ? "Edit Destination" : "Add Destination"}
+                    </CredenzaTitle>
+                    <CredenzaDescription>
+                        {editing
+                            ? "Update the configuration for this HTTP event streaming destination."
+                            : "Configure a new HTTP endpoint to receive your organization's events."}
+                    </CredenzaDescription>
+                </CredenzaHeader>
+
+                <CredenzaBody>
+                    <Tabs defaultValue="settings">
+                        <TabsList>
+                            <TabsTrigger value="settings">Settings</TabsTrigger>
+                            <TabsTrigger value="headers">Headers</TabsTrigger>
+                            <TabsTrigger value="body">Body Template</TabsTrigger>
+                        </TabsList>
+
+                        {/* ── Settings ─────────────────────────────────── */}
+                        <TabsContent value="settings" className="space-y-5">
+                            <div className="space-y-1.5">
+                                <Label htmlFor="dest-name">Name</Label>
+                                <Input
+                                    id="dest-name"
+                                    placeholder="My HTTP destination"
+                                    value={cfg.name}
+                                    onChange={(e) =>
+                                        update({ name: e.target.value })
+                                    }
+                                />
+                            </div>
+
+                            <div className="space-y-1.5">
+                                <Label htmlFor="dest-url">Destination URL</Label>
+                                <Input
+                                    id="dest-url"
+                                    placeholder="https://example.com/webhook"
+                                    value={cfg.url}
+                                    onChange={(e) =>
+                                        update({ url: e.target.value })
+                                    }
+                                />
+                            </div>
+
+                            <div className="space-y-2">
+                                <Label>Authentication</Label>
+                                <RadioGroup
+                                    value={cfg.authType}
+                                    onValueChange={(v) =>
+                                        update({ authType: v as AuthType })
+                                    }
+                                    className="gap-2"
+                                >
+                                    {/* None */}
+                                    <div className="flex items-start gap-3 rounded-md border p-3 transition-colors data-[state=checked]:border-primary">
+                                        <RadioGroupItem
+                                            value="none"
+                                            id="auth-none"
+                                            className="mt-0.5"
+                                        />
+                                        <div>
+                                            <Label
+                                                htmlFor="auth-none"
+                                                className="cursor-pointer font-medium"
+                                            >
+                                                No Authentication
+                                            </Label>
+                                            <p className="text-xs text-muted-foreground mt-0.5">
+                                                Sends requests without an{" "}
+                                                <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                                    Authorization
+                                                </code>{" "}
+                                                header.
+                                            </p>
+                                        </div>
+                                    </div>
+
+                                    {/* Bearer */}
+                                    <div className="flex items-start gap-3 rounded-md border p-3">
+                                        <RadioGroupItem
+                                            value="bearer"
+                                            id="auth-bearer"
+                                            className="mt-0.5"
+                                        />
+                                        <div className="flex-1 space-y-3">
+                                            <div>
+                                                <Label
+                                                    htmlFor="auth-bearer"
+                                                    className="cursor-pointer font-medium"
+                                                >
+                                                    Bearer Token
+                                                </Label>
+                                                <p className="text-xs text-muted-foreground mt-0.5">
+                                                    Adds an{" "}
+                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                                        Authorization: Bearer &lt;token&gt;
+                                                    </code>{" "}
+                                                    header to each request.
+                                                </p>
+                                            </div>
+                                            {cfg.authType === "bearer" && (
+                                                <Input
+                                                    placeholder="Your API key or token"
+                                                    value={cfg.bearerToken ?? ""}
+                                                    onChange={(e) =>
+                                                        update({
+                                                            bearerToken:
+                                                                e.target.value
+                                                        })
+                                                    }
+                                                />
+                                            )}
+                                        </div>
+                                    </div>
+
+                                    {/* Basic */}
+                                    <div className="flex items-start gap-3 rounded-md border p-3">
+                                        <RadioGroupItem
+                                            value="basic"
+                                            id="auth-basic"
+                                            className="mt-0.5"
+                                        />
+                                        <div className="flex-1 space-y-3">
+                                            <div>
+                                                <Label
+                                                    htmlFor="auth-basic"
+                                                    className="cursor-pointer font-medium"
+                                                >
+                                                    Basic Auth
+                                                </Label>
+                                                <p className="text-xs text-muted-foreground mt-0.5">
+                                                    Adds an{" "}
+                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                                        Authorization: Basic &lt;credentials&gt;
+                                                    </code>{" "}
+                                                    header. Provide credentials as{" "}
+                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                                        username:password
+                                                    </code>
+                                                    .
+                                                </p>
+                                            </div>
+                                            {cfg.authType === "basic" && (
+                                                <Input
+                                                    placeholder="username:password"
+                                                    value={
+                                                        cfg.basicCredentials ?? ""
+                                                    }
+                                                    onChange={(e) =>
+                                                        update({
+                                                            basicCredentials:
+                                                                e.target.value
+                                                        })
+                                                    }
+                                                />
+                                            )}
+                                        </div>
+                                    </div>
+
+                                    {/* Custom */}
+                                    <div className="flex items-start gap-3 rounded-md border p-3">
+                                        <RadioGroupItem
+                                            value="custom"
+                                            id="auth-custom"
+                                            className="mt-0.5"
+                                        />
+                                        <div className="flex-1 space-y-3">
+                                            <div>
+                                                <Label
+                                                    htmlFor="auth-custom"
+                                                    className="cursor-pointer font-medium"
+                                                >
+                                                    Custom Header
+                                                </Label>
+                                                <p className="text-xs text-muted-foreground mt-0.5">
+                                                    Specify a custom HTTP header name and value for
+                                                    authentication (e.g.{" "}
+                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                                        X-API-Key
+                                                    </code>
+                                                    ).
+                                                </p>
+                                            </div>
+                                            {cfg.authType === "custom" && (
+                                                <div className="flex gap-2">
+                                                    <Input
+                                                        placeholder="Header name (e.g. X-API-Key)"
+                                                        value={
+                                                            cfg.customHeaderName ??
+                                                            ""
+                                                        }
+                                                        onChange={(e) =>
+                                                            update({
+                                                                customHeaderName:
+                                                                    e.target.value
+                                                            })
+                                                        }
+                                                        className="flex-1"
+                                                    />
+                                                    <Input
+                                                        placeholder="Header value"
+                                                        value={
+                                                            cfg.customHeaderValue ??
+                                                            ""
+                                                        }
+                                                        onChange={(e) =>
+                                                            update({
+                                                                customHeaderValue:
+                                                                    e.target.value
+                                                            })
+                                                        }
+                                                        className="flex-1"
+                                                    />
+                                                </div>
+                                            )}
+                                        </div>
+                                    </div>
+                                </RadioGroup>
+                            </div>
+                        </TabsContent>
+
+                        {/* ── Headers ───────────────────────────────────── */}
+                        <TabsContent value="headers" className="space-y-4">
+                            <div>
+                                <p className="text-sm font-medium mb-1">
+                                    Custom HTTP Headers
+                                </p>
+                                <p className="text-xs text-muted-foreground mb-4">
+                                    Add custom HTTP headers to every outgoing request.
+                                    Useful for passing static tokens, setting a custom{" "}
+                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                        Content-Type
+                                    </code>
+                                    , or other API requirements. By default, the{" "}
+                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                        Content-Type
+                                    </code>{" "}
+                                    is{" "}
+                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                        application/json
+                                    </code>
+                                    .
+                                </p>
+                                <HeadersEditor
+                                    headers={cfg.headers}
+                                    onChange={(headers) => update({ headers })}
+                                />
+                            </div>
+                        </TabsContent>
+
+                        {/* ── Body Template ─────────────────────────────── */}
+                        <TabsContent value="body" className="space-y-4">
+                            <div>
+                                <p className="text-sm font-medium mb-1">
+                                    Custom Body Template
+                                </p>
+                                <p className="text-xs text-muted-foreground mb-4">
+                                    Control the structure of the JSON payload sent to your
+                                    endpoint. If disabled, a default JSON object is sent for
+                                    each event.
+                                </p>
+                            </div>
+
+                            <div className="flex items-center gap-3 rounded-md border p-3">
+                                <Switch
+                                    id="use-body-template"
+                                    checked={cfg.useBodyTemplate}
+                                    onCheckedChange={(v) =>
+                                        update({ useBodyTemplate: v })
+                                    }
+                                />
+                                <Label
+                                    htmlFor="use-body-template"
+                                    className="cursor-pointer"
+                                >
+                                    Enable custom body template
+                                </Label>
+                            </div>
+
+                            {cfg.useBodyTemplate && (
+                                <div className="space-y-1.5">
+                                    <Label htmlFor="body-template">
+                                        Body Template (JSON)
+                                    </Label>
+                                    <Textarea
+                                        id="body-template"
+                                        placeholder={
+                                            '{\n  "event": "{{event}}",\n  "timestamp": "{{timestamp}}",\n  "data": {{data}}\n}'
+                                        }
+                                        value={cfg.bodyTemplate ?? ""}
+                                        onChange={(e) =>
+                                            update({
+                                                bodyTemplate: e.target.value
+                                            })
+                                        }
+                                        className="font-mono text-xs min-h-45 resize-y"
+                                    />
+                                    <p className="text-xs text-muted-foreground">
+                                        Use template variables to reference event fields in
+                                        your payload.
+                                    </p>
+                                </div>
+                            )}
+                        </TabsContent>
+                    </Tabs>
+                </CredenzaBody>
+
+                <CredenzaFooter>
+                    {editing && (
+                        <Button
+                            type="button"
+                            variant="destructive"
+                            onClick={handleDelete}
+                            loading={deleting}
+                            disabled={saving}
+                            className="mr-auto"
+                        >
+                            <Trash2 className="h-4 w-4 mr-1.5" />
+                            {confirmDelete ? "Confirm Delete" : "Delete"}
+                        </Button>
+                    )}
+                    <CredenzaClose asChild>
+                        <Button
+                            type="button"
+                            variant="outline"
+                            disabled={saving || deleting}
+                        >
+                            Cancel
+                        </Button>
+                    </CredenzaClose>
+                    <Button
+                        type="button"
+                        onClick={handleSave}
+                        loading={saving}
+                        disabled={!isValid || deleting}
+                    >
+                        {editing ? "Save Changes" : "Create Destination"}
+                    </Button>
+                </CredenzaFooter>
+            </CredenzaContent>
+        </Credenza>
+    );
+}
+
+// ── Main page ──────────────────────────────────────────────────────────────────
+
+export default function StreamingDestinationsPage() {
+    const { orgId } = useParams() as { orgId: string };
+    const api = createApiClient(useEnvContext());
+    const { isPaidUser } = usePaidStatus();
+    const isEnterprise = isPaidUser(tierMatrix[TierFeature.SIEM]);
+
+    const [destinations, setDestinations] = useState<Destination[]>([]);
+    const [loading, setLoading] = useState(true);
+    const [modalOpen, setModalOpen] = useState(false);
+    const [editingDestination, setEditingDestination] =
+        useState<Destination | null>(null);
+    const [togglingIds, setTogglingIds] = useState<Set<number>>(new Set());
+
+    const loadDestinations = useCallback(async () => {
+        if (build == "oss") {
+            setDestinations([]);
+            setLoading(false);
+            return;
+        }
+        try {
+            const res = await api.get<AxiosResponse<ListDestinationsResponse>>(
+                `/org/${orgId}/event-streaming-destinations`
+            );
+            setDestinations(res.data.data.destinations ?? []);
+        } catch (e) {
+            toast({
+                variant: "destructive",
+                title: "Failed to load destinations",
+                description: formatAxiosError(
+                    e,
+                    "An unexpected error occurred."
+                )
+            });
+        } finally {
+            setLoading(false);
+        }
+    }, [orgId]);
+
+    useEffect(() => {
+        loadDestinations();
+    }, [loadDestinations]);
+
+    const handleToggle = async (destinationId: number, enabled: boolean) => {
+        // Optimistic update
+        setDestinations((prev) =>
+            prev.map((d) =>
+                d.destinationId === destinationId ? { ...d, enabled } : d
+            )
+        );
+        setTogglingIds((prev) => new Set(prev).add(destinationId));
+
+        try {
+            await api.post(
+                `/org/${orgId}/event-streaming-destination/${destinationId}`,
+                { enabled }
+            );
+        } catch (e) {
+            // Revert on failure
+            setDestinations((prev) =>
+                prev.map((d) =>
+                    d.destinationId === destinationId
+                        ? { ...d, enabled: !enabled }
+                        : d
+                )
+            );
+            toast({
+                variant: "destructive",
+                title: "Failed to update destination",
+                description: formatAxiosError(
+                    e,
+                    "An unexpected error occurred."
+                )
+            });
+        } finally {
+            setTogglingIds((prev) => {
+                const next = new Set(prev);
+                next.delete(destinationId);
+                return next;
+            });
+        }
+    };
+
+    const openCreate = () => {
+        setEditingDestination(null);
+        setModalOpen(true);
+    };
+
+    const openEdit = (destination: Destination) => {
+        setEditingDestination(destination);
+        setModalOpen(true);
+    };
+
+    return (
+        <>
+            <SettingsSectionTitle
+                title="Event Streaming"
+                description="Stream events from your organization to external destinations in real time."
+            />
+
+            <PaidFeaturesAlert tiers={tierMatrix[TierFeature.SIEM]} />
+
+            {loading ? (
+                <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
+                    {Array.from({ length: 3 }).map((_, i) => (
+                        <div
+                            key={i}
+                            className="rounded-lg border bg-card p-5 min-h-36 animate-pulse"
+                        />
+                    ))}
+                </div>
+            ) : (
+                <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
+                    {destinations.map((dest) => (
+                        <DestinationCard
+                            key={dest.destinationId}
+                            destination={dest}
+                            onToggle={handleToggle}
+                            onEdit={openEdit}
+                            isToggling={togglingIds.has(dest.destinationId)}
+                            disabled={!isEnterprise}
+                        />
+                    ))}
+                    <AddDestinationCard
+                        onClick={openCreate}
+                        disabled={!isEnterprise}
+                    />
+                </div>
+            )}
+
+            <DestinationModal
+                open={modalOpen}
+                onOpenChange={setModalOpen}
+                editing={editingDestination}
+                orgId={orgId}
+                onSaved={loadDestinations}
+                onDeleted={loadDestinations}
+            />
+        </>
+    );
+}
diff --git a/src/app/navigation.tsx b/src/app/navigation.tsx
index 66e6cdad0..ac7a4a10f 100644
--- a/src/app/navigation.tsx
+++ b/src/app/navigation.tsx
@@ -23,6 +23,7 @@ import {
     Settings,
     SquareMousePointer,
     TicketCheck,
+    Unplug,
     User,
     UserCog,
     Users,
@@ -196,6 +197,11 @@ export const orgNavSections = (
                                   title: "sidebarLogsConnection",
                                   href: "/{orgId}/settings/logs/connection",
                                   icon: <Cable className="size-4 flex-none" />
+                              },
+                              {
+                                  title: "sidebarLogsStreaming",
+                                  href: "/{orgId}/settings/logs/streaming",
+                                  icon: <Unplug className="size-4 flex-none" />
                               }
                           ]
                         : [])

From 45c613dec46108192b3ea2320e985d4497e02ac9 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 21:09:14 -0700
Subject: [PATCH 178/314] Tweaking the ui

---
 .../[orgId]/settings/logs/streaming/page.tsx  | 85 +++++++++++--------
 1 file changed, 50 insertions(+), 35 deletions(-)

diff --git a/src/app/[orgId]/settings/logs/streaming/page.tsx b/src/app/[orgId]/settings/logs/streaming/page.tsx
index 265001e8e..c732274b4 100644
--- a/src/app/[orgId]/settings/logs/streaming/page.tsx
+++ b/src/app/[orgId]/settings/logs/streaming/page.tsx
@@ -7,6 +7,7 @@ import { useEnvContext } from "@app/hooks/useEnvContext";
 import { toast } from "@app/hooks/useToast";
 import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
+import ConfirmDeleteDialog from "@app/components/ConfirmDeleteDialog";
 import { tierMatrix, TierFeature } from "@server/lib/billing/tierMatrix";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
 import {
@@ -23,15 +24,10 @@ import { Button } from "@app/components/ui/button";
 import { Input } from "@app/components/ui/input";
 import { Label } from "@app/components/ui/label";
 import { Switch } from "@app/components/ui/switch";
-import {
-    Tabs,
-    TabsContent,
-    TabsList,
-    TabsTrigger
-} from "@app/components/ui/tabs";
+import { HorizontalTabs } from "@app/components/HorizontalTabs";
 import { RadioGroup, RadioGroupItem } from "@app/components/ui/radio-group";
 import { Textarea } from "@app/components/ui/textarea";
-import { Globe, Plus, Pencil, Trash2, X } from "lucide-react";
+import { Globe, Plus, Trash2, X } from "lucide-react";
 import { AxiosResponse } from "axios";
 import { build } from "@server/build";
 
@@ -217,15 +213,14 @@ function DestinationCard({
             </p>
 
             {/* Footer: edit button */}
-            <div className="flex justify-end pt-1 border-t border-border mt-auto">
+            <div className="mt-auto pt-3">
                 <Button
-                    variant="ghost"
+                    variant="secondary"
                     size="sm"
                     onClick={() => onEdit(destination)}
                     disabled={disabled}
-                    className="h-7 gap-1.5 text-xs mt-2"
+                    className="w-full"
                 >
-                    <Pencil className="h-3 w-3" />
                     Edit
                 </Button>
             </div>
@@ -286,13 +281,15 @@ function DestinationModal({
 
     const [saving, setSaving] = useState(false);
     const [deleting, setDeleting] = useState(false);
-    const [confirmDelete, setConfirmDelete] = useState(false);
+    const [deleteDialogOpen, setDeleteDialogOpen] = useState(false);
     const [cfg, setCfg] = useState<HttpConfig>(defaultConfig());
 
     useEffect(() => {
         if (open) {
             setCfg(editing ? parseConfig(editing.config) : defaultConfig());
-            setConfirmDelete(false);
+        }
+        if (!open) {
+            setDeleteDialogOpen(false);
         }
     }, [open, editing]);
 
@@ -343,10 +340,6 @@ function DestinationModal({
 
     async function handleDelete() {
         if (!editing) return;
-        if (!confirmDelete) {
-            setConfirmDelete(true);
-            return;
-        }
         setDeleting(true);
         try {
             await api.delete(
@@ -370,6 +363,7 @@ function DestinationModal({
     }
 
     return (
+        <>
         <Credenza open={open} onOpenChange={onOpenChange}>
             <CredenzaContent className="sm:max-w-2xl">
                 <CredenzaHeader>
@@ -384,15 +378,16 @@ function DestinationModal({
                 </CredenzaHeader>
 
                 <CredenzaBody>
-                    <Tabs defaultValue="settings">
-                        <TabsList>
-                            <TabsTrigger value="settings">Settings</TabsTrigger>
-                            <TabsTrigger value="headers">Headers</TabsTrigger>
-                            <TabsTrigger value="body">Body Template</TabsTrigger>
-                        </TabsList>
-
+                    <HorizontalTabs
+                        clientSide
+                        items={[
+                            { title: "Settings", href: "" },
+                            { title: "Headers", href: "" },
+                            { title: "Body Template", href: "" }
+                        ]}
+                    >
                         {/* ── Settings ─────────────────────────────────── */}
-                        <TabsContent value="settings" className="space-y-5">
+                        <div className="space-y-5">
                             <div className="space-y-1.5">
                                 <Label htmlFor="dest-name">Name</Label>
                                 <Input
@@ -592,10 +587,10 @@ function DestinationModal({
                                     </div>
                                 </RadioGroup>
                             </div>
-                        </TabsContent>
+                        </div>
 
                         {/* ── Headers ───────────────────────────────────── */}
-                        <TabsContent value="headers" className="space-y-4">
+                        <div className="space-y-4">
                             <div>
                                 <p className="text-sm font-medium mb-1">
                                     Custom HTTP Headers
@@ -621,10 +616,10 @@ function DestinationModal({
                                     onChange={(headers) => update({ headers })}
                                 />
                             </div>
-                        </TabsContent>
+                        </div>
 
                         {/* ── Body Template ─────────────────────────────── */}
-                        <TabsContent value="body" className="space-y-4">
+                        <div className="space-y-4">
                             <div>
                                 <p className="text-sm font-medium mb-1">
                                     Custom Body Template
@@ -676,8 +671,8 @@ function DestinationModal({
                                     </p>
                                 </div>
                             )}
-                        </TabsContent>
-                    </Tabs>
+                        </div>
+                    </HorizontalTabs>
                 </CredenzaBody>
 
                 <CredenzaFooter>
@@ -685,13 +680,12 @@ function DestinationModal({
                         <Button
                             type="button"
                             variant="destructive"
-                            onClick={handleDelete}
-                            loading={deleting}
-                            disabled={saving}
+                            onClick={() => setDeleteDialogOpen(true)}
+                            disabled={saving || deleting}
                             className="mr-auto"
                         >
                             <Trash2 className="h-4 w-4 mr-1.5" />
-                            {confirmDelete ? "Confirm Delete" : "Delete"}
+                            Delete
                         </Button>
                     )}
                     <CredenzaClose asChild>
@@ -714,6 +708,27 @@ function DestinationModal({
                 </CredenzaFooter>
             </CredenzaContent>
         </Credenza>
+
+        {editing && (
+            <ConfirmDeleteDialog
+                open={deleteDialogOpen}
+                setOpen={setDeleteDialogOpen}
+                string={parseConfig(editing.config).name || "delete"}
+                title="Delete Destination"
+                dialog={
+                    <p className="text-sm text-muted-foreground">
+                        Are you sure you want to delete the destination{" "}
+                        <span className="font-semibold text-foreground">
+                            {parseConfig(editing.config).name || "this destination"}
+                        </span>
+                        ? All configuration will be permanently removed.
+                    </p>
+                }
+                buttonText="Delete Destination"
+                onConfirm={handleDelete}
+            />
+        )}
+        </>
     );
 }
 

From a73879ec7a55c6f164f661e361255e37227e005f Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 21:35:37 -0700
Subject: [PATCH 179/314] Fix formatting

---
 .../updateEventStreamingDestination.ts        |  24 +-
 .../[orgId]/settings/logs/streaming/page.tsx  | 233 +++++++++++++++---
 2 files changed, 212 insertions(+), 45 deletions(-)

diff --git a/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts b/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
index 1ad8f0081..3d3321824 100644
--- a/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
+++ b/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
@@ -22,7 +22,7 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { and, eq } from "drizzle-orm";
-import { parse } from "zod/v4/core";
+
 
 const paramsSchema = z
     .object({
@@ -35,10 +35,10 @@ const bodySchema = z.strictObject({
     type: z.string().optional(),
     config: z.string().optional(),
     enabled: z.boolean().optional(),
-    sendConnectionLogs: z.boolean().optional().default(false),
-    sendRequestLogs: z.boolean().optional().default(false),
-    sendActionLogs: z.boolean().optional().default(false),
-    sendAccessLogs: z.boolean().optional().default(false)
+    sendConnectionLogs: z.boolean().optional(),
+    sendRequestLogs: z.boolean().optional(),
+    sendActionLogs: z.boolean().optional(),
+    sendAccessLogs: z.boolean().optional()
 });
 
 export type UpdateEventStreamingDestinationResponse = {
@@ -110,7 +110,19 @@ export async function updateEventStreamingDestination(
             );
         }
 
-        const updateData = parsedBody.data;
+        const { type, config, enabled, sendAccessLogs, sendActionLogs, sendConnectionLogs, sendRequestLogs } = parsedBody.data;
+
+        const updateData: Record<string, unknown> = {
+            updatedAt: Date.now()
+        };
+
+        if (type !== undefined) updateData.type = type;
+        if (config !== undefined) updateData.config = config;
+        if (enabled !== undefined) updateData.enabled = enabled;
+        if (sendAccessLogs !== undefined) updateData.sendAccessLogs = sendAccessLogs;
+        if (sendActionLogs !== undefined) updateData.sendActionLogs = sendActionLogs;
+        if (sendConnectionLogs !== undefined) updateData.sendConnectionLogs = sendConnectionLogs;
+        if (sendRequestLogs !== undefined) updateData.sendRequestLogs = sendRequestLogs;
 
         await db
             .update(eventStreamingDestinations)
diff --git a/src/app/[orgId]/settings/logs/streaming/page.tsx b/src/app/[orgId]/settings/logs/streaming/page.tsx
index c732274b4..a89c961b4 100644
--- a/src/app/[orgId]/settings/logs/streaming/page.tsx
+++ b/src/app/[orgId]/settings/logs/streaming/page.tsx
@@ -27,7 +27,8 @@ import { Switch } from "@app/components/ui/switch";
 import { HorizontalTabs } from "@app/components/HorizontalTabs";
 import { RadioGroup, RadioGroupItem } from "@app/components/ui/radio-group";
 import { Textarea } from "@app/components/ui/textarea";
-import { Globe, Plus, Trash2, X } from "lucide-react";
+import { Checkbox } from "@app/components/ui/checkbox";
+import { Globe, Plus, X } from "lucide-react";
 import { AxiosResponse } from "axios";
 import { build } from "@server/build";
 
@@ -54,6 +55,10 @@ interface Destination {
     type: string;
     config: string;
     enabled: boolean;
+    sendAccessLogs: boolean;
+    sendActionLogs: boolean;
+    sendConnectionLogs: boolean;
+    sendRequestLogs: boolean;
     createdAt: number;
     updatedAt: number;
 }
@@ -215,7 +220,7 @@ function DestinationCard({
             {/* Footer: edit button */}
             <div className="mt-auto pt-3">
                 <Button
-                    variant="secondary"
+                    variant="outline"
                     size="sm"
                     onClick={() => onEdit(destination)}
                     disabled={disabled}
@@ -283,10 +288,18 @@ function DestinationModal({
     const [deleting, setDeleting] = useState(false);
     const [deleteDialogOpen, setDeleteDialogOpen] = useState(false);
     const [cfg, setCfg] = useState<HttpConfig>(defaultConfig());
+    const [sendAccessLogs, setSendAccessLogs] = useState(false);
+    const [sendActionLogs, setSendActionLogs] = useState(false);
+    const [sendConnectionLogs, setSendConnectionLogs] = useState(false);
+    const [sendRequestLogs, setSendRequestLogs] = useState(false);
 
     useEffect(() => {
         if (open) {
             setCfg(editing ? parseConfig(editing.config) : defaultConfig());
+            setSendAccessLogs(editing?.sendAccessLogs ?? false);
+            setSendActionLogs(editing?.sendActionLogs ?? false);
+            setSendConnectionLogs(editing?.sendConnectionLogs ?? false);
+            setSendRequestLogs(editing?.sendRequestLogs ?? false);
         }
         if (!open) {
             setDeleteDialogOpen(false);
@@ -296,8 +309,27 @@ function DestinationModal({
     const update = (patch: Partial<HttpConfig>) =>
         setCfg((prev) => ({ ...prev, ...patch }));
 
+    const urlError: string | null = (() => {
+        const raw = cfg.url.trim();
+        if (!raw) return null;
+        try {
+            const parsed = new URL(raw);
+            if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+                return "URL must use http or https";
+            }
+            if (build === "saas" && parsed.protocol !== "https:") {
+                return "HTTPS is required on cloud deployments";
+            }
+            return null;
+        } catch {
+            return "Enter a valid URL (e.g. https://example.com/webhook)";
+        }
+    })();
+
     const isValid =
-        cfg.name.trim() !== "" && cfg.url.trim() !== "";
+        cfg.name.trim() !== "" &&
+        cfg.url.trim() !== "" &&
+        urlError === null;
 
     async function handleSave() {
         if (!isValid) return;
@@ -305,7 +337,11 @@ function DestinationModal({
         try {
             const payload = {
                 type: "http",
-                config: JSON.stringify(cfg)
+                config: JSON.stringify(cfg),
+                sendAccessLogs,
+                sendActionLogs,
+                sendConnectionLogs,
+                sendRequestLogs
             };
             if (editing) {
                 await api.post(
@@ -383,11 +419,12 @@ function DestinationModal({
                         items={[
                             { title: "Settings", href: "" },
                             { title: "Headers", href: "" },
-                            { title: "Body Template", href: "" }
+                            { title: "Body Template", href: "" },
+                            { title: "Logs", href: "" }
                         ]}
                     >
                         {/* ── Settings ─────────────────────────────────── */}
-                        <div className="space-y-5">
+                        <div className="space-y-4 mt-4 p-1">
                             <div className="space-y-1.5">
                                 <Label htmlFor="dest-name">Name</Label>
                                 <Input
@@ -410,10 +447,22 @@ function DestinationModal({
                                         update({ url: e.target.value })
                                     }
                                 />
+                                {urlError && (
+                                    <p className="text-xs text-destructive mt-1">
+                                        {urlError}
+                                    </p>
+                                )}
                             </div>
 
-                            <div className="space-y-2">
-                                <Label>Authentication</Label>
+                            <div>
+                                <div className="mb-4">
+                                    <label className="font-medium block">
+                                        Authentication
+                                    </label>
+                                    <div className="text-sm text-muted-foreground">
+                                        Choose how requests to your endpoint are authenticated.
+                                    </div>
+                                </div>
                                 <RadioGroup
                                     value={cfg.authType}
                                     onValueChange={(v) =>
@@ -590,27 +639,25 @@ function DestinationModal({
                         </div>
 
                         {/* ── Headers ───────────────────────────────────── */}
-                        <div className="space-y-4">
+                        <div className="space-y-4 mt-4 p-1">
                             <div>
-                                <p className="text-sm font-medium mb-1">
-                                    Custom HTTP Headers
-                                </p>
-                                <p className="text-xs text-muted-foreground mb-4">
-                                    Add custom HTTP headers to every outgoing request.
-                                    Useful for passing static tokens, setting a custom{" "}
-                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                        Content-Type
-                                    </code>
-                                    , or other API requirements. By default, the{" "}
-                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                        Content-Type
-                                    </code>{" "}
-                                    is{" "}
-                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                        application/json
-                                    </code>
-                                    .
-                                </p>
+                                <div className="mb-4">
+                                    <label className="font-medium block">
+                                        Custom HTTP Headers
+                                    </label>
+                                    <div className="text-sm text-muted-foreground">
+                                        Add custom headers to every outgoing request.
+                                        Useful for static tokens or custom{" "}
+                                        <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                            Content-Type
+                                        </code>
+                                        . By default,{" "}
+                                        <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                            Content-Type: application/json
+                                        </code>{" "}
+                                        is sent.
+                                    </div>
+                                </div>
                                 <HeadersEditor
                                     headers={cfg.headers}
                                     onChange={(headers) => update({ headers })}
@@ -619,19 +666,19 @@ function DestinationModal({
                         </div>
 
                         {/* ── Body Template ─────────────────────────────── */}
-                        <div className="space-y-4">
-                            <div>
-                                <p className="text-sm font-medium mb-1">
+                        <div className="space-y-4 mt-4 p-1">
+                            <div className="mb-4">
+                                <label className="font-medium block">
                                     Custom Body Template
-                                </p>
-                                <p className="text-xs text-muted-foreground mb-4">
-                                    Control the structure of the JSON payload sent to your
-                                    endpoint. If disabled, a default JSON object is sent for
-                                    each event.
-                                </p>
+                                </label>
+                                <div className="text-sm text-muted-foreground">
+                                    Control the JSON payload structure sent to your
+                                    endpoint. If disabled, a default JSON object is sent
+                                    for each event.
+                                </div>
                             </div>
 
-                            <div className="flex items-center gap-3 rounded-md border p-3">
+                            <div className="flex items-center gap-3">
                                 <Switch
                                     id="use-body-template"
                                     checked={cfg.useBodyTemplate}
@@ -672,6 +719,115 @@ function DestinationModal({
                                 </div>
                             )}
                         </div>
+
+                        {/* ── Logs ──────────────────────────────────────── */}
+                        <div className="space-y-4 mt-4 p-1">
+                            <div className="mb-4">
+                                <label className="font-medium block">
+                                    Log Types
+                                </label>
+                                <div className="text-sm text-muted-foreground">
+                                    Choose which log types are forwarded to this
+                                    destination. Only enabled log types will be
+                                    streamed.
+                                </div>
+                            </div>
+
+                            <div className="space-y-3">
+                                <div className="flex items-start gap-3 rounded-md border p-3">
+                                    <Checkbox
+                                        id="log-access"
+                                        checked={sendAccessLogs}
+                                        onCheckedChange={(v) =>
+                                            setSendAccessLogs(v === true)
+                                        }
+                                        className="mt-0.5"
+                                    />
+                                    <div>
+                                        <label
+                                            htmlFor="log-access"
+                                            className="text-sm font-medium cursor-pointer"
+                                        >
+                                            Access Logs
+                                        </label>
+                                        <p className="text-xs text-muted-foreground mt-0.5">
+                                            Resource access attempts, including
+                                            authenticated and denied requests.
+                                        </p>
+                                    </div>
+                                </div>
+
+                                <div className="flex items-start gap-3 rounded-md border p-3">
+                                    <Checkbox
+                                        id="log-action"
+                                        checked={sendActionLogs}
+                                        onCheckedChange={(v) =>
+                                            setSendActionLogs(v === true)
+                                        }
+                                        className="mt-0.5"
+                                    />
+                                    <div>
+                                        <label
+                                            htmlFor="log-action"
+                                            className="text-sm font-medium cursor-pointer"
+                                        >
+                                            Action Logs
+                                        </label>
+                                        <p className="text-xs text-muted-foreground mt-0.5">
+                                            Administrative actions performed by
+                                            users within the organization.
+                                        </p>
+                                    </div>
+                                </div>
+
+                                <div className="flex items-start gap-3 rounded-md border p-3">
+                                    <Checkbox
+                                        id="log-connection"
+                                        checked={sendConnectionLogs}
+                                        onCheckedChange={(v) =>
+                                            setSendConnectionLogs(v === true)
+                                        }
+                                        className="mt-0.5"
+                                    />
+                                    <div>
+                                        <label
+                                            htmlFor="log-connection"
+                                            className="text-sm font-medium cursor-pointer"
+                                        >
+                                            Connection Logs
+                                        </label>
+                                        <p className="text-xs text-muted-foreground mt-0.5">
+                                            Site and tunnel connection events,
+                                            including connects and disconnects.
+                                        </p>
+                                    </div>
+                                </div>
+
+                                <div className="flex items-start gap-3 rounded-md border p-3">
+                                    <Checkbox
+                                        id="log-request"
+                                        checked={sendRequestLogs}
+                                        onCheckedChange={(v) =>
+                                            setSendRequestLogs(v === true)
+                                        }
+                                        className="mt-0.5"
+                                    />
+                                    <div>
+                                        <label
+                                            htmlFor="log-request"
+                                            className="text-sm font-medium cursor-pointer"
+                                        >
+                                            Request Logs
+                                        </label>
+                                        <p className="text-xs text-muted-foreground mt-0.5">
+                                            HTTP request logs for proxied
+                                            resources, including method, path,
+                                            and response code.
+                                        </p>
+                                    </div>
+                                </div>
+                            </div>
+                        </div>
                     </HorizontalTabs>
                 </CredenzaBody>
 
@@ -684,7 +840,6 @@ function DestinationModal({
                             disabled={saving || deleting}
                             className="mr-auto"
                         >
-                            <Trash2 className="h-4 w-4 mr-1.5" />
                             Delete
                         </Button>
                     )}

From 1711e392196c3dea9f5ad2587921bcc2fd84d257 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 21:42:41 -0700
Subject: [PATCH 180/314] Add logos

---
 public/third-party/dd.png | Bin 0 -> 74745 bytes
 public/third-party/s3.png | Bin 0 -> 13495 bytes
 2 files changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 public/third-party/dd.png
 create mode 100644 public/third-party/s3.png

diff --git a/public/third-party/dd.png b/public/third-party/dd.png
new file mode 100644
index 0000000000000000000000000000000000000000..598771157afa6786bccb3dfdca9982d2316daabd
GIT binary patch
literal 74745
zcmYg22Rzm7_s_l7wJ*ZWyrM-!${rWt7D~3PYZPUajBHm{wkAa(R5sZ&*`<)OMK;OG
z-v8(7{lD+;{e1eo^}WycJm)$4oadZxnD!-gdKwNI008|3{COP!C~@#l0g4hn*{?g#
z3I9iZ8*l6a04+1=52Evj-wps+aN)d?o=4*EA6hzGhTW7u_0-$b%>x#Zf<cDZBIJl=
zbkLETPF2V;R?HXiI?+taR91`ufvKFxCbaRHW@EIUT~>=#TXFO5vclz{x*z(zf@e|$
zmuuD&mq+L4bK$1&zxap#(g_ED`zD$sY%cv|@i;5?;NM~K?QGksSAt^4_L97pE^iFq
z8oj&Zs2^vMsC#F9VUY1)Q7z`PZN&BXuXHl^N;#{}>tk*5(8PmZR;(3FxEkJ1?<IW^
zjP4PxK_O6mLgd(k-zx2kUiW)1zUh0Od3vPSR4Qlu5<rrESqzdg+OgEgyw2L(+Pv>b
zIDtfy9%JpJy7jUsBTGpyc$X*Xp7;x>_VGE&2t_VYa|bCSxuZz*J3|zXw4SJU?y4?p
z)Kk5yx(NS&@JaoSIkk7Yb^{&QsC%aC6I<_nKu%gaZI*hjD-$uswixiDx~#I&<q(1d
z!Qe0Cm%j*0-+gquCVB=Lk)FDU11ufVzCOR%MRd-|XyQv`M4*gWh$KkB{{|hK#W}(t
z!5Mq_FXAouzre5RYN<=*#g+4t|2YN@;D_1KvH438szi<CWb^JQLS7#{CO`ZCh%aFv
z!TtiSMV&o3rc=JuK=0k}Eie9JF4JwNReZCytXmIo|2<@FG)G_~F9Sx>C^6+N;Pd{A
zgopC~BOzvRy)ITBfg&N>ck};|B?cXwdyn)qK26O&Q=hD<__fuqA$>Q`nNyF1{>p<u
zhM3XL2yv;7;0*p!Kk`!QIsLD87t+tMI$UpGI%4~GJFlJtLYI9Q?cn*BHXWJ&4;Put
z{&$^3=l`!06`^XQlKy+v#khYL{zF8fCOmx}hbTO~X1mbT<3ws43DaY*{+|h0#mthH
z=La;wBBDNwGEzmdQ$~>0zGJ_8_pSybiDey05UN!p0kVu}=3~+|!LA<5m2p7wX(Q|W
zje5iwe8WtfD#+n4boUNO+stqkdqIL7l&hl$OFfiHOS|>p(vzqKWA?T~(#%8>E`2wP
zUV9lerkrC10)Hi0QwJ{1JXl)Z>+<^JlLPedI*=3ff($tsVDA{<GdUmx!4)#ikRCFP
z3wS&|SU0T?DO+HbPh#yHGsh$01D17UHW8K}Z|K>mfY%aK;kE}P1Jd1jfNH&nHPLzN
zb!KZ`8-4ke13}$M7c=sKavIo(=sYx3Pl2^jKTxx0cK@O)Dt&-MJdp%CCxecSs>Ni3
ztL*bGHkS8bQ-S2K&wp96hC)o_rn<!2>je%7L?A#yLyhD-#Za3|j<vaP0GJ!nLC}DX
zt>-xnQQ^1jr*ZtjV_7KcfAs<o0}eFwClg7bGo^}NBeAT4xR!^cV-p>q&i!RH&`tSq
z#Q1=?q8H#&#w^lO&{7*wSt&bp7_Lnt3B^sVYxz>(l(%8m#6)MRsHGqd(gX7X@;X$X
z3+g_|XFE7V^}n(Xrkh@lU35AS;G)-GpJy708JXG(0!%ar`h9?!kqL=&2l4<!IS#0^
z_pdMj{6N66`rp@|{dX#GOqFy{QN(|!hI?oMV<sZRC(`s^Q2?{~eE0rtLkX34HJ>D4
z0Q7c}j@8TnKr;WoWCbfT1DPW4rAEh<DWJmEKIO>C2xkp!EQWMwYT`n_J3^94kMn=A
z-LfMC8BD}jR?>N6(@8q?mjb$nay>;7jqmW0Rv&{p{Et8Y!YGLdxH}LmkAbtD76n)=
zt5#16pgy2_Dpbyz%yUmZi~=yg@(<jOtp6wrat;oc^RLMRM9Xp>ejyUU2*QvKjo}|g
zNh|=Ve@LQw82;_~zj99CsLA;CC(GpmgB~OijuIkapzmxK3~`USt#tzM(URc&mCC;Y
z58m;^6A&Lj&+(6@fdrbK2XWCH(j?ngOC%{#@#`~CiHIfDcg}wdCW(~H_y4FIf(3k>
zB(S{)y7>=>)wbJc$`2sW{4dgxiSTvess98L=%yos97qxppZFhjW5u6*wo!q+hjje+
zaDX`4_~XZmREU)wH0Sc!qaDv_0O()J&1}_Zewab>BDh=s;R}e}B)E23{~8BCkXuWn
zy+iT|1Yse{2+1rdsF{H1io&(rBO!ME|E(DS03QvXV95@aNgph$;*uI3$3d)O%UGe%
zG||J8!G#A(DthO?g+OBU6B9obqzMs`W2e<ccc5gT;-`7wDH299e_9Aj*UyELgaC9r
zAeqx>VNlCvQ1tpH13Of5sBDF|vMP2)>BO#)bk6{4Q<d=-OQ@6}R>lPvF9*dj_J#UY
z-E%4=qX&o?EJRUHxFO*VG!wTBTrg`?(Cbf4=Fv6>oFsXG3&v0>?eq==5`Y~gc#6nR
zP?WyhWPoN2Qn6r4>WmwNkSr+#!IB+-1zY^U@(+|}oDk39Q$yL4qEHN=Ymb7IF=`F(
z*84K@R~FM6=~RzhhA^`^NXu?tp@Yi=rbz56qy#K$c>B!jEhIAza4-K#XuBSC6U2rb
z%)elX%|YJk2-G9!6NpSE|BLM+jBx;+UE_a5b3Hj2Xf9KyNizR3?_QnL7yo%63&fP_
zJCyNf;BtqN2mc)oBMafe0D;K*KO`oe?7hqOjI_4T_&@T3T5`yu_{aaz7W}*{h>Jf9
z*IoGEb=mF5l#XcuWUXDcotFOD1DgvEO>jItKR?eU47{M9@hE&=58XPX*l=a0$Z77o
zukq04<QT!j9llL64Uisrki2rUf030}ft<i<dAD)uLMjmS?K3BDL)S_ITS1Q1gieew
z`VW6kL8}I8Nlt_Lf2a!<9|s<P8JGqit2z7+y#R@XwK#ZsL5@lhlF0{PYw^>S>zQzO
z?*BcOD5Z?1s4)^v6o$uwl4}Y@4sKLyKKSE@G!>wa`72&<``SaM?5a!K;=`e{7DTxN
z=Rfs41A0gsTh)INj}ISsb)wFy`x>20-TvNH81HGlf8VrIQSHH9eVPjqe+UY*00Jd?
z@;~h%e9E=zWx5xAdVrieCTu?^ec#-Ho^y|@Df0$&a?c?h9<mwX&hXrT=t&PcAVBP+
zS&WCNo|~t1$bu~85p^;26*KzS=%maFIp>;q4hWs&Kj_%IrRxFebn-6~hQ&@;qHsDS
zcz}Gm5lXXa>R-QMG*`mpVVb=YP7Z_cdQ3>w-IoZpnX1fI{x>1e89)a9m6uX>0J2X9
z@z`45bnJRsCiY7zgzsuEGO}4;KMqD-y3n$|EdEb8-6g{=#<(?Z`ZX`bV95y{Nc1u2
z-k*8f9LUKR=wMu@<l;K4S(Q+=9(rz@bu)yU<XBN>l0Jq;*ptL%cRTSDcDV+n3_^|r
z%W!gRY(8{d30+(;bON;=rjnChK5pg)_T+quxjRTuu@cpO;<Xw;@~<9fprzp<=r;$n
zvR9;vlZ&2}_01NY2wy*0?L=&-&ieJI^McLAy*Y<E(f^ULnTqff^`|cK{b;h(`rgiU
z&24i)faZR>_J0T#|GH!HSMPk^T7z}DWRmcu&s2zMQ=|Gnhnvz+I0Efo>i^b60%Fx5
zo2s);*F?thP*kSK<;lWE<7~=;47y~_JT5~Lri_2Z?m$GJD_3Umiz`&H$1HvDDUpg)
zx_=W*bf?C}bE$NE{KS87aFJx_z1(~=fBotG`pcrKR90MoJ6YdQ-;75pO*4!JeJuS-
zb-~|Y9^g2g#<F9?)m<?9W_vuLX<3vAzysZnP4<Bm>L6o-nyP|QWXOc3*DfXy?$$kM
z;Fdwp_UH((Jp0!Zl_o&Tig~_h-7s0GYNzf#y2nKD);FuUy%EohKvn;br51JXNtt+P
zIW@+%Am2V{i*!&2b>C6AUgN)^#eoygpnbyY?L1FT4U@t*s#km#Oc4&h&Gh5q7&vt;
zQ8Mi?@Vk1D`9Kr!X@0<*T9Fx2Z^@^m>@1cWz@+EnK@@}-yBGrLkoau#K|VAzRvOu~
z>!rYcz~wDOswL>3tPR@wN&?ho9?7spekY%8`DVeVQiaznG)@tVAyp3{@O6LBc;JEv
z-n_^4Hkt0lXwy3<+Mm;K2xF~T*G)hmu)HD3F?xS<AClZbv3&!1`P$WIs!%mP*g4)?
zBd_eiq9z2ZZU%Fm#okA;9EcX&KlI~-a!kNXK@Mrn^)_p{??<?3F=SO#nQpz(Y;ga|
zNA8(4D+WC7fuIXaL{}IllTyM;O^A2XjEn(Z^Nv9iJideLA(U`U+tZp8{L6hu^fq_m
zm&Jh5NJVDr?nEe`7BZIpZ;X+9;B=lVUu*E=dM<x~w6<iYb7Lq7>(9gDq69cHD||*g
zL|KusRHR_(Z@K^o&ugGQSpAxES1{SxBNSMm{@AjI(ys3Se`ccSQDX}1-+1ysDP!M!
zq?h;q>{Ej3Vi;ER*fMJqR|<b$DQ|j}6KvF%>YMpFpNPNrksJ%d1=ZA}`i0L`q=n#d
z7_XiCea=93XYJ?6fYi3Yc4O|Q15>7@!YO$~Y~1fa=hyttK-%BH@>(Wb?;v<;XF<zt
zdea)JO&seJ2IW{gSPOtgc)61WY__}-7Vz9y$JDfv;;4V3yJXtX@?hStec=>)9p^^Q
z3?|unY3@M@x{>(AN=ha+Yr790TV;-n{hI-qk*M5Jdiikax)Ce!P!xI`hthf3c=4IW
zEE|Z;ePKd?l9U5eMh^^JXzgOwHR0E0driS4=tcEH+{=w`Q<)-+aXeqNe;YYl`jWML
z_SBD4za*o(XhVVjAEA$ZE;?H`x|gJnjiJCUOcgfX(2r}@XtyCHSp`{*>1gtnmY0vd
z=<QrVFjM)+bCFV1xS#H_Sdru%gZ<u>jcxI{7hG8(kY3S^q3OrL>#5AlR<fxlCpQdt
zc$62~dB^5sO6y3alw;F{6ubT&PPKD49K63IbzxJuKbKo0Y;aS&$Hpu!9feB{qjK_A
z#P{D!A!D_<?=THmFW*J|`C0&oX9uaUhHcQu0~U9qu8D<9i^G`}Rrf!1=$bcs@|`aT
z$D@#%{XQk4R6!TCNtt2ocakCMG&Y|p7mPi^pxW+-_0pwNsxjloA@NV3K$kJ%Oi^&5
zsA`Yul|-q+n5)MDwVwpzICNG!I)@qq(Bz;=gOry5UH7!ruCZ>1K)1_6*;E{SEvuc6
zzzr5JacWXT2;wu7Mv><(o0QUwe}T5q%<HU+GMezpT)IFrfCdKR;PrGxrbbR)ccBwt
z_EAg{W_Zf;#Wed2^F5#ojT!SE3P%?Rb(f&5tnr5bxT|~tefP1p$->~^0@7w(aI=}O
z$cX<xSE8M7aX~xh4sBk<D=BlY$BN3anIbBvJM(s+cJVplJ~xb6LE3y~riP24MClFI
zmYC(fy7`~#&?^g&BbcY;U;YD04+5%oylPGR{3RCtu--{+Lj&KJ#**IuT}Dc?e@>1%
z54aN72R0q}ZhI-yDfxNr2mzwVL0y4BqhRRfIjK2s^G(9&Lq@>#WvHlWC&FVc`!Us`
zzSu^PO$C2HSc!GJYEf*R;1<wvWWr|V${t?`q!5^Xc0e7SyLynJZKF<*p^=uIuWORp
z*}TL22CA9v0qQ?Pm;O9Qw6MQnfsu8CPv);X3Ef)RC60GdWM6woSn~ruPk#!mdn-gb
zHlA}X?rNzc_+y^8v5Hax$%>371T)z+_?y6J$Mu@-IUOzj$g7Xg<oF;$!niyg&QuDD
zK<qup^Y5R^uR;3|_2k@uM;48ZuNe8JduzE6sO8|H#ES61Xb@95n<=8t>1sP5VH7MF
z`=tTBfI}f8zY84?`RABNEmJl+4$poULEIONrKeURGI@`U$I7rCP;^|X<i;!6%3OM`
z)ADtXg0P^2{_hW?E{O@a&{3-$5!xk^3J!Iq%3XkfzxtH)-nGL2LnSn&3$L_pbzeHY
zfhAjudl0r3^^8opbB~Fr=azva)fU8LT-*Dz%p~zVZML)#*G<s(0RLEZVw!w5pw5jW
zoq#y9gJut&Y0qWFp4R{EaC)zbbB!@FfXzt2Q6E^T(?dF0JL|)cpzv#6rpR4-98G=4
zU6%F_&5z$x0Ze};XvpP&Ynpy`i)<*(_4AFcLU}jxdR*L?vJXWb?;Wjh(u9@x7AAFo
zK=*kUW5CHNQ2e3)0h$~W4}#KiXmF%t7>E|}UcFi0u-0$HD@s>Q0cD}L4FaDh0S{T}
z8;rSP#}7O+qKsv&P<Ir97bx(bOx{F1{`d9AoQ{vwQgc=j2)qUiEukXSZjqv5VPEKu
zjr`EWlhm}d7Gvwn#Y^vdoE2Nn6rJ%HdxHdaS1?|F+Fj{Up8R4-!hSLOT$Nifo+5M4
z+S%AuuT&*{S|^JflGHbIdglaEmlo8`@kSW$>Xj4VWI3a>h_!cpe(YlLT*TAfZ=Q;K
zeG&V5M`(e=n9+uqjK$T85?Xz%twzkdoK%k&w^W!rLaXT|FV)$}u@QY(i9ldNVhH$_
z@7r3){vI86IlR9EZ8cYe=y>h?SwNsq8jU1tQUzy}M>yonZ_z4&pVXJ3R4*VSdmQ;)
z%eclaeasYDuo&hg(}WUYNvFaP{2SDgk%Ft!@}Dq8#bZ4o@lPAk<DwyYjzuTQJU;K$
zYsJKdzkz9F(?rFI@Q&H_BaPi?eKYfh9)GS|-{<$sjLC>qW}FY@Z|0cY4Y9BF(86md
zdk?4`y+3<1StyUoSO+FPn9|u^!Jk$a$(rZuW2F=YPI)B0r9lu+1!s2i*B7Yge6jBc
zEaMAd3;uEi`t#4^n|Wh2uIGXBy90Jqua$ZK?14^Ux?VsfW~w1G)>;^YzzQu`4QQ%4
zD43i&&E+r!;{@NS3QnkR*TRQ6Maw!e|J2^Vs_uJ@pUVP>X~W*#jf@lFx9YSk_2b@1
z2lJ|C(}c0>Ez~u3bwYojyL@HiL1e;H^XUX5geFyH1zp11Hf|HJG4Kfpl&VS+5y8QG
z3ox=^rS$jO-*xfuqEl8V@hGGRk*%Jl*+=OeOFz8g*Eb6hjBSrT-EpSNTfqJrU^aF|
zPOBC6kJVyZx<+5&%UZT>Ou*eTWMU$U(p131r>VUL?8(BXxi9Ff>Vb#5A~wXQX3d!)
z@?AW$)MQt(D(J{M-+yJJ1;<8Y+IEfzJDQjFs}2_2rZ+p(XgTOX0Z0XP*9AF-4Z1@4
zwo!U&PL$;phlq3za?r_I7em&g+~=LJjhI#$bV%=~w1a+S@ul)ZaxC~!78bF(Pc6(t
zx8b0kO}S~1pa$@5Ig9)^Ec$(x*uHLE>6(Z$3Sa<zu*g+3>-W~v&c$u?*n8h4HK*a*
z>d9241>p;ouTJ>guC=tUi&-i5onL#(lfvShJ9J!~-7a9=>7f8X^#0gIK1-RD4=Yq+
z`0*LRy&<&n_SYYMYwhKB1__4=g&n)%d&Kc)WUwOX-ytWTOo2o{Tv<47UIfU0-bkVU
zcH_#SNiRBq!OzeO<R|~pcuEEAzUliYD%$T!!pPJpP1YsNQm8Iw#%}wnA?SRc?|GtV
z!uQdDBm-`UBsub400vfLmyzQ_MdmW+daUK(Kd;cGnos(jB1Q!@_GuU2We#oJtA{2s
z!gry%w01Ixm*v~q7EV9z^i!TRU9s=)SIQ|JW&~ZUZ!hA%=nChDdwiv-O<D*|vP#HO
z8EGzS;2xk-C?%c?UJp-FKJ0Jjyo%pg5)9#2ImK+&D5!#evKVOF*y!PP$p3f@w+p!Q
zM~^o9$h?Pl<;n@1Laz0-55W?KV{A^-5U~I=$66LAtKw!E;halUb}Y<nQI|*eC0v5^
zs1=QR{7hYv)knldLoN@?&ew*ROB2$j%Rz$`Z*10bFRgjHx-xX~x5{~GfAUIDE7awV
z=gY3uce4DTnPZI^y?tT9GVS8Vhhq$%jX2a2Q%i5v3+3~P2jM$ig!4_ykkaM1!v1JE
zgdN$zYn!@m#&0`=J@inIqJdj^snSNlu*<3{%62GtEqrO;gib)ej!`0=qC20V7)E<k
z?G#u+9Ffbknc^L^Be`5b8dpb^-=N9=bR{koxF>hSZ-0#wHM#kosVu42SpAh#5U<0B
z?H@!dZ;SfKfT;N4^Wo5#OUuSoI;~3@WBKWq5?{)i#lBd^2qrp+Rh}eA=f&|jTA+sB
z(+lJ0Evy}e<8&0)Tx3JTa>o`Dz11byhPN^Jo$B2WOH>jB2GmDbuNYTL$chYd;bOl|
zoT&^?S^FyS#7CYIt=RZ;H?MKj$n&8x+Mh*HWuIk%#azUfqP#r%3GX~--&0^i&^LS8
zB&`Q#(Ztxq<DtpTmhUuT$OKLdCMRXCwCI!-?A=UZI3`3s&|F#de*F;6w6UlBW}J`3
zlj8#w;Ylg}MN|pxZ0ce9SshW!WnY0iA2=MkSm~1?d^kU3_oYcwUE51K+$)m^HC&x?
zM6~!5o=uuc9Vp6}KO6S*&B$ZZav?O8^9l=Rh^U^<<IbUT4<D4)$i(FB=7m4+UH6<=
zS2j>S`YlZN679-E-T;qkAKrUL`v`*0OZx!*crv5_K0#=YZ;x(g{B5nx;Msn&xkG*p
z6uY^|`&m+)me&ZPo!y4(Nh$lDy_d3=yo94Cgm!#<j_)L^o~HlK9cq*^eV5atZ3y07
zOlRvNUL^^|(m3XN=ow{)J;7ew=5tK4(pNU=c`H;O#w~BW`c?FGx1r?HImOk(UX$`?
z?MGy0ryoc-<wuZlo^Iyzaccb3uuhW4D^RNoFM&Uep}eAZ`b`T&(syHX6UsLF`@MbX
zREI_63lg$6WRkcVhMXrp9?P{_TpD+N(azR9PyKF9de3x#E3R}lTDgNPXH{+DL@rsB
zrvxj=)}lbgW)76Gtge)+9xG#a&uN1uVr<KnisE6XdslO{1p8oj&Q{sFUb-sp(@Af+
zV<G2;B$rp~DHVG(O$_bHC{tqa)_y}Ig(0MuNHQu-eFg{}7I)xJcP$ROLt4dNJ=2Er
zJ3q11>&uk=7}q^U=U#i0N|U6-)q>Fl1)jH0zB|%As_~Q>9usq(Z*JtjEbch+eAZ-y
zN?w%8#>OhElJ|}x1JDelL1S5ytc#l;3Cj?)EDZ+?bMgt_mEYd(wQPM+LRr06^bt3W
zIk6&dvnF9sndsy!*IuObQRglCro2bc@p!T`XPkNP>^VmQ8lVxBPq=d7V<7_X!2WJU
z3ddMf{)#24bI*d?5|e((WWGpmw_px8{f(!-Ct+j#g=1l?<GlJ)r?K|pOx~^Q3@uW9
zXUVhQu@7@%sb}?whnAFksdzf#Ua&b3xKp0P#M6i4BiiccWyykHsk3Ial?DU{y;bMa
zB_5mkE9bYJMtx#(rXu6F9~=#AJNz);Eok(0O8$+X?;!<2XK@={tnx|0jz?L&v+|F1
zoxZ&$lVF~tX)qhCT~uh6=6GR#ciw21>0a>Nfgs*1J(UUj@sC&))$dX(e%@_q)vDV2
z^=^Vo&R)R;6QZD8aOAh{d^2K$$|V8+sRBl~W->9d`cJga1l40!vRs2k9Q3agq^An+
zSHHM^#C1^JcPc!F3c@-5Wh4bwTMv2xn%`^`@^28h<G9-cr6T>Q#$1>O9#=a%5nr7!
zmqw-8`~YdQwA@%l$*4^pr;5XxsG-Me^#rdMl4wc^CugmJZu{S_w#EcS%u7oMcJt~I
zxmL+<I+Mh%AkOGS85q5vfDS|vg~Nx_pp$PII+v)MRO(sUT3Wim>Vn>(#+c}1E7u43
zMk}R;7Kf|D^PJz%G;TULcivHLbTh4Ta(h!$&TCv2rYL(gQB3WYvUZN3Ph#Cv@$5Bh
zCo&?<K?gCa!qD63NvH6*So~tj?xo-IIipM!lHc<uwE8WIJD&=*ed|5z;i);0lgm?c
zDPr_nS6@3r(Qm9ln7Hzi*QU16DWLNTNj}}_=&<R0{WyDASrXN&b$Qn*UHv#m3Z#7m
zt;Fo-Eo$1vP+^1DT&1GcZ(|zmT@+u>NR)8S**7tK>uz4%NdY!1pWDgwh_R3TbC#{<
zdMPCivE5W)Q)Rl?OD}o+u(RZrrKu>gf8F{1BEO8OmyPjT&AwYgJ9a5sW5;+3t3~P=
zT@;Va?AcC1C&;$ytaXc_rKQnZc0njs5^>@Jw9`cytCrcCx`Scd{lnRX*uJdZVX0G;
zd!x;aS6P%B0|Tf;6j%LRIH!&jai2+a@C@|eRJ>e?Nrb969~zuJBWfS@y_&8kZ1Q`g
z$%apO&+^q~q^Os@KJmPvMhw^~$Fod&lR6Rt76YeX-8VmZeK>zWimt+EvXzR7J=*Wi
znG{w@l~7*ins#fY1~(ty91%?OdMT`Xc=S8^EcDHu-0@&F`6B1;fLAYL+m<kopjO2H
z&<!{@=A3qu;}2_I9v@8IiH<)SR3Cjqg!DcvxxO9rh(45g{TPGiU=JIm`yE~px?Sm|
zUaNl3?49Y+RmZFPOD7F{S3I*X(Y@2^cdKHPbrDv(yhZa)IP)mBsP1_?+lb5f)L;w+
z7%RB|?qpOk-IpAA<Iesr@cNUE(A#5YN2SHomsYQ0gTDAi=gc?di*DZ*%gK6b=zqV9
zm-p#Qqd6BJ;p!U3rtYH&25&{H@(~k9%p;x^sO8mdZ~Bx>kLCGrOQg^ZN<27c7ffNy
zc}<eaNR<MWpSxUEuN@)e&TQ)tM3LCD^j>^YFm~Ab#)6@+6@ed?_M%7EWlB76hQ#-X
z#n0TabbRqE=ELOmMq-m%h^uLH$5`Dx(Zke9e9f0Un4_)SV(qWBM1UY0hcjdiua1vT
zNtBGEmgS>^c#Gaj_x@2aP3B53^WMe9SQ`!4)y2Fu-gO>Ym3z41w`SCub7cPKzSQF2
zDHp}2Ilr3zW)FHc_qrsMA|@>1rFoO?LTV&FTWz3djvuV3LCimCRo$=d(0v|lDrZ-H
zM{bhyjZrbPQ-i;m7qi_~O3cU)&i)vSp;r5dC)O5*MQyYZ{clv-+rqne<AiTHd38y(
z&Gxd_?$o;t%5%4UWLKi%UoXDWIB?W4pZOIlo6X0nV-HCU1Wt23GD*VS`&L+0Lubp$
zy1rEV<-XDNCZv%OW{}hSr$mx)UGAF2)0ZIJs7th><Rbj_NXheGj!eR*`dL+%OvX}{
zH#j~!7^!5x@;s&O`MX>{M$y4vqG$l)>Jt{xVxiab@cE|0*C~gN%lc+F1E1W-<l6^R
zY?jfmerc0Di6#P7(|GCP`fvs41q!KD?)lRQD>V5r2VwI&Pt?co!KaUU>n3`Sta~(+
zUs~r0Ikvr2U==|zlz_QO{=QkYcC@CmsU7ITeDxBq-je&w>r4&#NtQE7!pekI7ietH
zICJ;A%JiiXzJav%A3V6yc@yWvz6YPsR?l|)IsM(vNR~TWE;pwi$6l^uBx=&#reDd?
zx_SeqycTK(zErMhnXT;6!Y6xeP%@(Q>-B~fjRDW=7(@Qtmi#?yWG3cSpffRenE|B;
zruCS6LUsaOC~Mz3a1c-Y2yqSG<XNa=@Q%=rR7zZ5+Weq#*q1gN7T|fPm0A)P$*_vP
zdDL7Y@^x<;!(SvN9*wV&T4zwZOo7t0FiPG%M)#)E|2dPF)NRFQg0add<)I*6urlK2
zkZ|$pCF>~!q2FBkJ?T{E7qsy8j)QK?N%^>}FRc6}f{!&a9n4Y6A@GGw4l6Ajco=Uq
zlf%lUnFN9aAZ|M~D=5)pj8onlFRp#JlDfP5^IQ##OQ=r1kmf@jX7U3z4$0dQ^_vcs
z4}`@EwrlI%OKXel0#upxh_z?q7nDBnlzb4>c}{WXGD?{eZgPmMNWv?FM!;CTKo$Y$
zuBU<qr#l$#W%>Af`Uw16WS@zb>$nx_&&SJ0Sp;^#&mr`jTe0p%ZBvztPSz~>CFApb
zAHPYcbnuo4BDSv8P(6ZG-#B%5=3}0Pu=M3@bjsWd*?DvaB;U9n_27b2^hk{TnC>iI
z)OaZFLY)MxC804Pn>?C*nS!y58AH=ejaGap-P<B?r+}2J*1V_Xl?C+{foQz{ttIx*
zh!>?AF-WtDsPswo<-S**OBl9Li*?uWyd-Lz|E)o~7c_Rg+IAyryW##50$rT1^X=r4
zgln2^Pfc{P*KWLME^z`KXTQ7cJwOX+rHp#R;KFO%ix(faYWXl3N#415#xGxP=bPaM
zQ<d@3y5#=v##ptD4^6Ok=V5~z9q}pgC|<EUGV1U$P`ySHQwU`a@QCSAw6szse89Jc
z*;|2-d@XS1dn1FWLa8%)yHww7K9qZ*j?q0olfJw4``xX^!^ge7c*XBXF757AN?Ctm
zFabQ`<8;ah{HsylSF^P7nB`~q53rr2GRk}sR{CX)p~*nDTrg^(um3GV&Qo-BetP>_
zqyN0b=Ne<Lvtk7gkM0clEUMJweWK^4>by5&BaDH-bp;cLlGu*iTRu+dFnaL``$0jx
z;lVD;TWjYiOGe((?l_p@&vCa%Wk7_78n<V6H+Bm<iDBbuOsGkUs{s{vS^V2YtOuk)
zZ?{(aoJT^mKC{4F@9V2ztH_xGFSg^vm~0{G+*7e;;OeAcVybWkKL=~-A0Kx&-Mm=;
zbw=fFuWUq0=pqNvK+gF~cWAzteS7tV3Ybhj%e0G+<b_o&H<`nQj)J&w5Ahrurq^>W
z*=yRL@JS*(<<I=&VfoQ}Wc{Xs$?xWco~e_L+g$!7MJLIVg)Df=ug|LV;_hI`{5oB^
z+Ec#ZVr#|+^u>J#D6vkjEuTAacJXZeIujIeykCV|Yer3SFM6)sHeykBeHZe7%ZW1}
zwA%ozSWbHfvmo#lb(B#a^gGt13<n45rg!aI+1~~uH8t#9R>ht^BpLUMJAIXY<9Ys^
zChA%j_2Vq52JbpEadxx%nYY!qU(%1uBNgcUKu2my54ri}r3%sGBQ@efp~xEpclR)|
ztk_sd$6QQm>+ybN?&hiEM^BkTY^sl6B`T$Kk`b8>*N0?WFlWDhEU|un(ht^*yGv9$
z7=7_d@8;P%^t?nbI!iR&x?ELq>-A2dY?5%awF#B{gOfo#AhHXV27JU)d>_?_eEv{N
zwi@u`M@YD9^8>Mg5{joZX#8cP^V=s&%4P1P)*9)%ZB9IM*FLThqlt$_rh>?gPmDLZ
zm4k=W=W+n1K+H5tbE`s>rHwD`OOw3XtpU(bcQS44b-{hMOa=1zw4WJ`LyXIPR-Lk%
z$~fb$Yt#0-_2QQ3Z+E!cH~r!9vwwBoHUv!$bhF4u??n<TdZRbx*2e(uZV3(UH&>{D
zY2!$lH``Zyhb{uov`ul@Je6a-kazSW4Wj2wZ=JPbqKncw5Qb^3z_IlNv)r}%#+U|0
zmP^Vvvaf^{t2(I95P8|?gfF{$jQum^x|f`Go{6na?~Ul0uivU(?vp*4WR2&}T#j}W
zL12}v593~baU0QVoK5~V7()hr^d1GysSIOxc<!Qko6cC_4F(bWdR;2h;$CGd(?P+*
zv)W%-Z8v-Q;$A0s?9C5n1%HQ^1Fd-TZ4G_wquakY*dG>8eHXiqMB@h>`8Py+6Ei$T
zT3YWAtl}qF2CQbDBt~D?sAE~^0-8#L`DdO|*z04%A`~xEzEXkx1Cg+&vD20FF4F?F
zLVW&|d-MC3Fbmg+xsEMqlnHk%$lYO%)DchaeuyS!aOkq)4Z1$)9-11yu}Oo=f;a9@
zuP-`VX^ZHx1y;}6)-;|Xi}fxL?he?*rZTtHGa_$-Gh(m1D>JEHfA9=i!Q5+mOO3<Q
z-($S9I;gb@uQVR)HX2wfw5Th!5S}~cUaG!K78_Oo^DAjXs>>Jj<8196?jecAyWXKH
zM?t{+j|Og0cD8RVdS!^My=S*}J!~o&saS4d+DE_mdn|aom`Rz|wR2%b#)t_61kR#q
zZSyX39`6N{vYP!a=^&f<4-IcgO{fD~tI+4q?O*$O(x05yS&Zc!3_)sg3u5=93{+al
z`CgPqMF_p|n+GjFd`dRt+kRpqV&+pj;az?m<(txSUMjpQtZ^ltYPuQ6W)v*J*-??;
z@u6nw75Cn|OKzd&AB2L|AM|px=C8QJG6EA!hrv%q>nx-+bb#*sZ`xPoK~C>E;5^1S
zhxVx*6XEflycO!?%G-l^y65Q7*Kqy$!q-VrM6F^}4(m*7uX0#W@T?)H2bLSk_wbBW
zHtd4P?ogYc`amTId%a+nl4ONF%0&>?T^$Q*!k*BTruu)auVB7JR$JI4MK#+y8Gk{W
z0y(qzvek|nN5GUuNeI4aL&(i8b6B_(t)PU0yR`})@|mXj6;(Q2km6ZT?uz_L240>k
zp^2@VjK6VTA3Hlp1?pi>)m7N(U?{%Pp+?bN+7`7sE47k9-yqFLRUkO7JE_k%74_3P
zGC~@N$}GLS9=WWf!rB5aQqt67DQ<KiBfc^daf;-;`3Y|Q1Xicm680?RXlwnJyU*rI
zXg@SdrpU*`T}#e%3!;S|GqdMj`I1jYU?;T?mF)G55fg@Ce8^Mrp1^5ErGxSNU6(Wt
zdDvmG^@U@&SvI0~?tXP4qji2!TfyZEsMjjqS>HUY>4C#ZgOR;6onz}!?OR2S7hmpA
z_;C@&+s3LcU|#qy{JB>r+O_FWup*T|Uf;>TE5+_7$`@xZQpX$P%5HVXs`x63x@|OS
z$}+L|;T;U~y_jzppSMk9MEA(eej(FVu2b?C&nOemB?-4tRpn8>d^3SfEw+ax%4PEr
z(d&x%;b-w~p;zAbER_2es2ZT?*T$-1dBb0oU79v23(GSWQU-R$+4-2+{#w%A9=MPc
z<qI6rqriA;Cx30MlQnI!u5G|cYW+~oL8D5gUmg6GEk?E>K|jZ=_2ayk&e1A>WKQcm
zB%h_2P3sLc?zG7q@g}2UCZZ9ZxP+=KVEn8|sO#nq@xx3Rb`+>#nES1Fj|b5^&wuTx
z#O2kAu48<RRseB6$NPmuP!Ei`d)sk;9R83ItOaod8HMJ>`UL^qlKH6BRw>#bp5R~M
zXo;XT7+QvaU$BeG?^n5g_mmL@`w(Mu6`Bm_imz!I9hYcH6Lwmu{In}oYji{Pi_zR!
za(NvDvVQwxzRQ_{k5Q`+42<f-1AfOf-K$sPO5@qvte9YD&%AWW%9|V{+d6BnYEdOE
zIeH$>qj!9G!9*(bJ@hz)G-WXA7x~rG`R?7)Z}#E!4L%#SqRJ7^_$w1XeuUwN;=)4D
z&Qryk{%0>a-|bKuYnO;PT3Wz*ua5^Du3+pjqm5~Xt9s0M)%MQ3*FTq30?P?EhCpPe
ztZ?69e(3*lJ9H*HoNUjymMeif4$~7-jqACE+sn&XG<AK~u-sDJt<m}Sv>&K&HFdVN
z&?IoM|A_HD7Fnl?M6}$f8p4`o;s}XrEOw#z5cgbga?iA=cUKYVFgmEkQyxw`u|M#0
zpp^EgQq)u9?WLq!*6mZevc3qr@T9{dg(Es9y_StGOa9bV-(kpcR$JDRZ->jd@?6W4
zwcn9CCWw}Wf}~>|^1{9?Lm`rKNm&(gre23Yd}P_8-}}P-hSfi}VZ;(=D=6KJE&4iG
zm~zUDbPKe-eH6Mk{^bmK1^pDtdhyD=mG&TLK>doHCV#e@y`1&p%~AuzFdEuEm@U9t
zt2j}9Y+F{E|H;9;sz^m40l^{mVJUx6!R<>_*53_)RS&uAtjh*gESquf-3?lSN^RH;
zT9ES<MjDfbN-bEO8}eHp+SUF9838$XWgj`<=-}!0R*rLz&DLws={7#v%AO8(1CM6E
z&CmDcw#5fy$CXv>6h~j@=($fOm8)s?_l2yJ<4X02q8Fk3Rn^fC1Uxlde5>Wo9wI>n
z{Sgv8I>bH#FWFh&zh76qvU5wpB#~O#tKdfQytaAPp-YB?0&i)^o9cb+)GomNbunD&
z6RdJtoTtFgE6yT#lu{d~#j+B*GeQp;`?DD)9zAy|95CcRFTmYQl{e>MOQP`ix@C##
z0zY}!9}vew0geeXsPAw5^ga~iY8T<2u2Oja<y+V+t$>maKs?K7z!WnRd(#<mP=Rgh
zqhFAVkw$;~c2^9AnM9Dd5G#|uyFzRe6nsA}Wc+PPF!p+^XBS9On+h*+5hd(Sbv5GC
zTqW;jqE<~JI6>^2vafdg59klAE45^#^yXYR2~HN(T{Ikg?0v3lfsuL4FX8JAaj;}b
zmO%Sn(z09qrX-ap+rZ9z?++^QEPU<`gVpM);4o}|Ij2X4Qg&xqaMrmQsBahi<m?nf
zlM)OZ-+}<kAkF~ZI_)M87D@-c`L+I)rma8<deCCX70okw&(~`lTSeCe?!_9Um7K_7
zHF#x}P?<oAP+I%xaG!;VtAmEV)4DV;#-?dFg$6CAuu(-QBvq1H**$JF*C!{xGo6M!
z#1<u!nu;XfO8rGvQJ@9xKo<kMbIa^^25bc{?lT3Ql5b75Ds~F5{BxSz`~tip%Rf(n
zT2bkua<xrpPlAR>8TNz>p6*nX;HsXvmd&v7OU8=-<Pcf4grtbPbLxmE%(y9!$z6BV
zBjVQmbXE~RsC}!fTgpz-vV&UQZcOyhA+~0Jrl4%cgquIaHvC|ic5JKP<uycYwQ0%L
zfpoc5y!H_Gt9kE>;Vn+ADrElBaXaJ+FGGWPh7@ltmHKer^+kdmOZXr>ctKK%BX>Iq
zCjZK)KYKHI9O)e#j;Ec<_?Y+-BbAPd5;H|Cq~;@GbKP{)RPUcpTIdz)f#GxY9SEYo
zk+sy8ie<`b4>UN^Ny2pgX2M-&o2OZF2_K(ze-llHzGq=W{FoyZcAy9wkU<^T#yH1(
zZ|}D#VL1>H2WnNErM4<<LsAu2N|=I-c5c86z$0HRr$3m~FFZ=6XQOMCmq>-B%6=B7
z=%K@|41rfDkf7+8feUZ87}stJI%o&RHL!~XwlfrNUi7@OrJiCSGkX1eeTStK60Md#
z2hPJnyBn)_{T4TI#9`oN?V=7Kq#IrH%D+|`$Ox6}v>xMIsa=&{kXMP#X?A9m^-LIX
zL8vizVY`N0#~&I>*y^$ArC<U(J%~^0-2BRhhAq`MV_@&zm+B}TIL5^?{AB;CeY&f_
zkUKq*EdvD11wS<$ZsZHAt+hgJdbS#pMh0H$bzLhn-x$fr^Q>#_RhzM&<UFmzh#s2a
zu{o+nps4TIdvFDoJO`+KiHxJU%mld-`qANEvvff2c-!`N*~smc*V?L!8eEV4@>hO0
zG(P<>P{hLdh}T8#ZWuGMRul%g7qbxeH>qq!UFZ~Rq(($#DuW(omII<KY{+Aqy63=o
z?~t?hRvxMFRIfDiMk6MzSuU2mp~SuiMtj6Ti1wEqSSLvF<Q2WNbj)_Z{5|hr3lhxU
zPe@raF*5Z{8c1FV`+VIagTmv?Yjl~?%^?}<$P4TU{I7}Z{7<`8jJxKRJMI}sF<RIv
zt}*E0+|en&xSPCUnydQyw#6#UgzXB>`t=)-*<7MP$+cH8;#);3mx?|hK{uOVJ-o{1
zYw@I2pSzaG_~+U$@ncq;1>du9;YLahWMA$#&eJEkC^B@E(hbO-u`(maP970GYB=eO
zy91j;&0#86pRNu`tlf3Zh<tx!DX+IBL31)tGrd9~$Y5I|=FBk(apiqTA~klz{XUdt
zqi64zYeQ6NNB7$1JHwS(Q6Rq{Q=~pSAV!u!{T9u#lJdD0fq}(KZ)pU|&T2SSjkaGk
zc^?M^U_CK=O>BM?*;&*ol2`i44MB8l2<{GKV>eMT$>xPE6Fp%ijn6NZS)bV2$Up}8
zWkgz^h1DL#V9qCZmzpT>J-L#}nK(eqX;>?#a(+rMF~3|OY*4ju)B64n1{1E}1cT4G
zOer-L3e?V=UvK#f+1RqO#e5BoV17qBKy-9Fbng(0W5l`ig`;$;r4OzL!GcH!C9T(l
z-}A3_@<8l#z<D!HcZNrW8u5qwF_;hr;2=E6Y3O$NDlxIt=g`7{mG3iUlk76Y9Bd$*
z+46if_vtl`6}6&HdrB=ef+qG=pqWTVy6A5o3lFMCg|qb0KfFP0+o;2b%iLTaC1KLj
zM=ogi#{CED)hEU~oN%rQ7g9lkJ0<WaJc&*=^kaYViyxeo>wqYs=XRKFL($z;RPm51
zQ%KrzlWI~Y`0ZOIE9WbepR^simyz*xo@0xj{Q6l4por-R1#ebGqRxBcWIhA8xvLLO
zU@5>=CMrMw-*ya2Mz{ADU<0V82YzcNT70l+GAcaKIc%Lu_hu=j^;&12<tcavk$Ss+
zNo0r!zLm^sO;O20BuW~*V*?pN#okA$bUv~_$;$rbP08lCqurH~l@lt=7ZEm)o#o|G
z^=(gTlzIBgK9B?#HulF^SfM(*et(X0M&G^Dg=OKoZ{9$EF86qI{Z+7XUgJg+oFbB@
zmc(o?g^;!2c6^83LenLT04~c5r4+7q4u8|pKSm}y_VB0nlkIlT9!lMM-8w7_)JU6^
z!Fyzj7tSqhxs_Gsm6jBspUp&p+tqXlovGxP2ur0p8I;fLgtB2Hq2wVCuA&e3{L*9|
zg@?@ufH3w`qHI%QJBu#Vo;SxR)uGIGRNRh%B|gh4+nLUU$JYZP&2xtpgykQUpw-Nt
zpO&P7!W0UEu1sel)3kM3@QJXEPGE<aUHo-w-S?(^5rXI%<o%R~ZAUkO{?3^XZWMei
zsG{%3*oo&|4-<`UU$;|i<fO)07p(r!qE)Y5ya<xTVPtF{6(i3zvfYPGtued_ZzTGa
zS2<ZxsRRsc3q!lArL=;EY>JSTg3Q+MA-jklUnyw;raDuk-HS#^`Doo~Xnw55yHL7j
zh90nx()N@m{W2Uq&_v<lU&SmnS=x?V$I>Y>u)ndqot(smH{g_%I^A5O%M9=qRdJgo
zZ$5>t7jW2QSGqD<8;Ps(!tO;a@A@mjWIw*m$6P_fM%@w0kxH}r7>pNJ@DFWh-7T&h
z+NWoSjn;`GzGAWACGH+@Qi9mlc$k7pJ{Svo8#mn2B9?S-CH+aIm#DWZ&=OfJlZ;Uy
zlZRcutRqc7lQUa$+?^Xb#-!-TBU74BJ4=4A9w^DYNZf1W=`<AHX}m?RLIt+aDzUpf
zQ~{xl8>jgzyQSe}mzT28JFc2`vCatumJEr0{ZnD5cY5@iYI<|KGxn!orXtqYQ9r;=
zAApr3^E!&tV&tAICRX${SlGF_c6@N}S4!c=Zs%ziT(b4h04A^v8S9ZkX*M9Wb6;Fu
zgePOgXu<#>A9Zxow~e%f1|tCrvykyNos#nO;_#+}*owUNrHJbz@fKH4{DwoW6;ngc
zKDZepbf(|nn{#{U73+d+xNP>k6K9r8r@y*#+>#*%K{wH-!#fxEtjHPwwIhQuBpq&U
z_x4d8ZhmT{B5XdvMj2%PnU>RWtMCRpH9=_T8^*MUR5q^o<FN5HewN9P!9ODKv!rl}
z!7k!kXSYb+Sh_l#eKP2pxYEvtw+mZ!Q!t?ui<E1=dB3NCx#6Cre}6m+O77A%&OkUA
z_iB65`kH=IAe*6Lb3}_{#vbv;4I$u}s)_)jL700!zn1bC5?cJ|6I!3Xoawe+KKy1r
z3Y})yPe5o6zL(uwBgYmwUfX~%%v$&>sc?UHYPsin{<SMbo`Ei0!*C$nOTX*dTi1PN
zTaLAfsWQZP*{qh;(w>MdAG!25_hR-K_b1@$gY9i;{$ym(<5R)BDTibYym#_Wg!7uv
zDTXVE{0{JIEb(;wj5tXLIUWMtxe<21cUfbjL)YydMd2$C-bo`7`HKVO*bd=^DY{EQ
zS#Xa=k>~T;hFg8W<ZMNl<ROTSK7|!V28g~5P>$U$$C{Opaa&EcV0_W{T(dGYW(@$#
zall8>vxMBxuiDt|uXBi*!rZ3&*5wXkeBy@&^!NZ<mTAw@8H0PST@2r&N8VE_RoJ3s
zT#xs7UW&xOLEIO3!DiYl&9&~BtI!ZJCqnAR9~u8(Q+$|6@&<GwC7W^>EbM`UnZ+sj
zLRmzMqVM#y)ber1d~hs#mL~S+^%*9kVRNqEJ+@X3>XMp9tu8p4g~Om0LwD#NxuUyv
z3ZZ%N9j|P5*~b@sNgXLLtN(so+m{@hiR)GE>EdDZ4VPr7Eh;wtdrlg%5NwKa%9D|4
zwofltBG73pjzgTFwJJ~i1Ol}qJScENC`7Kv^N}@)C>&zseGzj(+ba@n6n*E&3$)kH
z^5M5(_m5^gAm4M>=}M>NZBZGhtRe*sYWzbzTy*GrRbhNBB799BI{D=U$ZtFlL3c>I
zh#%JDMck*jrgIzit7nK)cuo@-S~%x8VDsu>De_Htt5x#JOYqJA_X3zL-q9-N;lo#c
z&I_KmJNzYi3xyMyNvoZAY>5$s6Ly`HbV}w;7h@fj(TJ9<Ane@NYVry=C#NllOFq$-
zRdIHO?$5Wih3bUMfZ)nZr!)jFqjX{CZ10VL#$*{r+=`CPxYJyJh(q!2=1S+6<3Lmm
zHriKB#g$$`y;B*;9;8-sx78J>J->Pdp;I(y3vb#S7Ny5CQa_!Rd<kk#1aH606p2ye
zxrf4)94ALKee#wK{3QggP}E^a{GI%a>(0HpH#y7!IUL#7qJoaFsifv>x$tQih+a7T
z!XV_kA+QRSw@zDSO{O6SEp7KzV&A;9mRE!gyqvodwm)bHub>CbO8Wc;0ek;&xs(h_
zJX!JQKs7gS5SFu00dT{MXR7GaDpwH7(N0jk+$IB}Cy7<CiW*AFS|dLb`C1y`rA(Jk
z$EeXPY&y2d(?%%2j;2$f;^==##taAShyqZ6s$iqg7j(m_?lw#`7NyAOMhZSDPAAf!
z?<|+6au4GwDo`_uWnamGju-*enXQc`x{l3-=Tj%&LZT_ZX#lHkB)_x$qIABpVai)$
zi0T<i8l|C739W+NuGw_k8?6cFC_Bh%1y=PDIt`7sm`+$<wRnN}iGZ_wwYT|NLaCl$
zT~$zj&Q^X)F`1MTi&r2+>tpF=VB>sXd%#iWV;!rVES274lq>-M1;=;)SBzg(B;Wlg
znN~;_mM&Xh#eh=j+@kTgXvkNcpaHPbWWm@K{vho8&$hJdEx4r5d{&}x3j0I(hpAd|
zl9<||?`aOTTkc()r%F+xK)KFFjkRjS0)QK364~suAn=4a(?KGRC!%fsD8M!Z=pyUd
z9N_StO$M<1b;;V_pQsLR4vJ5NCp5ntegFj$Ypfjmk+$;P`*^eCARyN>$?}9RCAOn9
z0nX%bxe>I?^aH9&vlsyW83buQCC4Rip2gX~_`}8GGuDe1_nANdS1k|;)9-Yyz%U~A
zEMLp`4@PyxFN@x#Lfl(?z!D9|A2YMySW%)Gfy|6@6?XSxJ(Ximk){en#IpzrMqcF8
z_wpYot#A`fh2@byI<{zf;gv=Ta=aupbxrNPE+EhZVU0aZ4mHBO@PURX9KekiWyNZK
zEq`iX`&2Ig067)Z!{83)S@^ry%$MMT&WX8B799H;mwrgcU0`+Pxx(8$P;!j{GLFLv
z^{TagWfx;&rR6sA=k^R!GMtX4OhE=^P<O$AN}r$skvu(B7!0i>;bL9!mtt`l&lKg+
zR-cmi(U6xUHxz#e?jH4vkzg-h)DD|s!6Vqgy5Q`04{fuhtdVU2Gss3g%CzRg$8W(R
zY{jb|T!Gq%y2lWQ{*G%xp^UoamgL|>5LViYmn!YDrF9JbV{mx-91x3t9$oH%=<k@|
ziX|lyqUV%je+S)+-G42|DL^UZo~qJ*Oz!f1CS63G9tl{do6#+jt&@fppu6u&)2>5o
zngoAS`0sD&$B7Ck-1HAL0w0&7+7kDRF<ID*3VUnL3jto^Q4iC#>Hmz83UjtM(|%^3
z2=6IRk|LVE1(r0qdj7yMOmbe5n^zm!apDCyk`jRy(BRYFI9Jlx&pV5Nvu3u=(bS@m
zUuzUa%~W9iMC_1A&%zCmM6~xITEIR<xce5L9mb>!W{;$Kq?MT`sanI(DpWwJI-RJR
ze2s)lQ<XRaAQ*~~OS@wWS?`7HNAaPk#T6m(f)~lulz{RAd_$&-7sp<+a$8RyviXrg
z*R@{f{jbJt{l4fsVhxe8Wi!({140;jPQ=U$8nn)vEiyZ^!Gd15R!SFWB|fs;Ls!R$
zE7#?(jA=jlIuQ`2&udvfek*0mYlarIG(qa{R^I$rZ(H9Uz~E+9uyGag97_e;y2ou;
zLeuw64>j&LX2zyU)W>3c5@GVuO;cmBg@ip?0W&||Z|~8<A!}dQ5-!hRqP>f7ozY-S
z|I>Wc5&@)P;lZ!xy)@mRH}C!qbP>6ulxeM*B9i_05BcXZjPd5=5(dp>6jyTAfk1`9
zJv=Qr78h3+)f2<L&kchR&_@DL`d;-Wj~D0u4o33JP=jD}{>hp3^t?UY_>=G0vo6BI
z18MX-i)Z0G%x5Bb9rANJ_CD3|b!5QSj^@zuyZUA{uCVRB0gQLP#uFW?2Z}mr-NnA6
zU0ra!Pa2hz8GGb+xa&*-mNP}zeXxAE*$qx<m8T$Mn?JEznjz82jK04wl0GM39L9$)
zqpWb7M7%4Udi)K3i6(7Y#$1%lH75p)PxzF;p$%XRKOA76O%CT@##MoG9^~8+Ut~bd
z3TrPdWW;Y$I#C>*=n0aA1abHWaAH<<@R`TA`eD*1Jl?_Z$L`k7*FLJ2rT|^7BuZ*r
z(P=Anh{0vwptS>XKp})udf5-ofR@nfBbZH3%Ol$>nUWFmvqG+LQ~~tC6=f&FT@(@E
z(fX&8uP>`mV%ZA%Le_5JhCd?^U|I>zl1XSFHHSFg#4FIloTTMCr=JtiT;HwFkm5ef
zxq$y#2s=DU4s<qfaJCk`RYA>8I(>w2jLOj#M|hu1$b`aK^GL%29*^V0VNr4@WWbBm
z8DT_?tUU{7TW<aHOHj>_H%T2fWXU(DjR2ex4jO`=emPmd#gTl=SD$zYChlMlR!EGm
z97^J1Aby0yQbTlXB&=w?YLS7E{q`{nO3+pk-)6Rsy*i;F%L8g9Lf}}8(^H;+<_r#G
zNE$sGs1>c#Ua@cHA)HxDytsA775s6VVFDOZ1O_P4vUsjvG(Z%7^~MVh6BAcgjDtzv
zxv{%1e8G$#0XQLZYrVE0Ovik>U@~C$_SYHH7++US@Nm8RWZG%CyOD}Rb;s22%v4hF
zeFlEeW54jO;ss|@<6&Z<tXFgm>wR+^<qFODJlu+?dL5Irq<KIGP2|*J%d?;Ue)j0T
zDXyNzya4I%oF1X~isr50pMBq#sJdUuj`dn^GppWvw@J6Y`)&Pe7S2MGK7%s*4d!?R
zg1#;$oI%w2nt1}5@@eQU^J^5yVta<rNFevCR@;?$!R5WiX-azBC|VrEhbv4GZAb()
zh?u*;XyC^TupAXgf!XpTnQv>KR>>&4Z7J~ANydLH^L5#oL;uIqcL!4a{r{hPuW@Y|
zQPx!=du3+aC{#q*GOpP`l9BDosuWrxyNt-5DdR>)5mH7PRvAgiNHTuU+xzqV`NJRg
zbzbM3*BQ_Gcs`#3q>5EL^>w)zbeJ1IJ6w5+l1RrJ)o3|cy}*M;cf>rz872kW1%aWB
z{ASsX_91nh-^H^Wp-<+A5M59V#a-<s6L2xqwdB2Jl^c9^zd9vnXyOqMsAhWV%*@5}
zho)nKVXlwPU*}tThsd!ICVtbGm)B;5n{d$89%5xs#!02tz$90pjIGn?MwF%&4Ci>>
z-%g%nfMeF_p`INp<9;qN>m)lH8S>kY-q)sEMll9brqO;!V<Y6JpEH6H7($4;a2V9c
zt4nL3OgU<kH+$2a{swUb(_x=7C@~62Xv*Zc1jswy{Y=riv5zX_4Zp6ppvC^1U<xpQ
z@`|~Ux1%6%nk4jfsc-LsYATu18-xFu?nHxz$bkg(DE}QMo$om6yDYgQ5Aqc-OLUih
ze_mQOrG?0E1XAd+R3E2$J~m3cf&qWy(8$<k{7y1Lsn_T&<E8je4!9OfT{zi!BZcjs
z|KkrP{ajPlNt<q;kzTv-8S0w_@Fuh8RrE4d7m??p0ttfytf)`nI?6fE$W8D#27`KD
zJv8l=1mR$#*5;-m1B^^0U;8={Ur#A+LQ1xa$Jx>@_sHAi7iLD@@-M@mce!KaARor~
zSf@jg0OjnDIxb&NL#l46><Tj(o<rNA)ca9mrqp^a$@TsK8|stGLofN+m2*RO@jg%^
zAoR{Bhl!S=dN;6P{#5Ti;PxrXR<JMubBsNq>p58DQ2;wj{~hVIY)Yq}!Zg1>7fH)}
z?(u>>aBT_`%p=3~gP1#BP8Eay_gJkO_wVr<6I!?g9D>=HNlG1J#|z-N^BVSZ@!&RV
z&0*c@VR<qI3UTB>J|lEWDVmYJ#?Rv$8S|NSAu~*RgBAs-6_+8psV_+<ZWdrgOoLu0
zr43<Xd=-1cPs7l}gH_E~YSNq&H>IiDt?d80et=Dg_d1onaprOFL|ubJSax6lNh(h$
zCNV*C;7&kQhb5)RFY3#eePOqJ7A>?xNCe#m{}db+^_DopcqIF_on*>!Q2Ll1AMYak
zJ2|UnMmxR?rdypNhpBzizYh(V`}NZU!GJhzSASCQIs*UX5p&ZtH*5cMMwp;|C|eN(
z!8>xyc6coFn19xG3AIJ&GbThaydi-K9)KlGHrI9+Z?lOx!I8D&3DpQYWYf>(*!GcL
z65pE|dfdnoWL*_U#olXYv%GX!bb6?wpYOOYMZ$snUUf+SOdBtGy86}e0xV{IHITwh
zrQTIV=dbs`f-mbKoip&dzSrw|WetYuI}pc7PAPaW{z=$~Y!5&>>dVPE9X{wYbaw^T
z#S7>t8ouPR4?}te?^({n1I^v%@#{QpLKx&rz1g_880z`$2C=Cdo;F-nY15^yr>_|E
z;ik$)l>VW-$`=5yR9DLMyF`^%Dmjnmy~>K-DLwn|bXOha#`oSArq7n-p+nQK`Dft5
zpLQl+I6G%Z{o2cgL^9WpyMfX)z`~N?#wI71(-H0;PoS()C(2s^X8?Q{y~RW2&0(}e
z6@F44CotFu3E<wD^!Bdbni2YZu%Zp6mtEEuYuioz#E<Z%Pd<cSW;vUiesZy1eXEY6
z902ab4TF`ie8#$$cFh8)8M;-b|AB_{pJ38?-I2nwD96%QBZ=PJ?9(JyD!F~e^Mn{y
z`5wuIZS&4ps>T?JOp2LBq`g#mf_!|lZi=9?n^y8oYqwfkxQ)$|zr0Ln)gBSK)Z@o7
z74btVl#cAFu@Zzk&F79DVxvmZ#0zk4hCtI6ig^9`UnVR}shlnue!cCGGB_qQxcFtO
zQ@@|9QauOA=9EIIaivsn)ACVNQ+}p@x_M-4eYW(Zj7Q4g#71*+WO&cq8x=X$y#aI2
zo;+wS*o8<(QwC$LlLXp&Csz6#rrTYUT&J>~s?T44B@}XFY48FpNEK{oll8G-<w^AQ
z*e`v3nJ0OG0jatmGPbE*y^cc_rSnEQe$(E}T5UB)!}(egE5&1lv)@!mK$3?IcUFwr
zgu;OEbc!0mciJdrP=6<HvN+Hf0&p;)yMY3QU$&Vm+4XI**$Yj=SRI^I(XO9wosP7=
zk5aa}%(?Ll(`KNLvr(Buhllm=pAcQ2+&xOo0A^tJc<t(ocA<nfQ@jPen`6IwPe_=V
z8P3>CcVVwpieduPg8iz%0a6eoaQp>kQZG&$8JKvqE>FF@k`U|fbg+OuDy`LV&h(=C
ztx`_X5B}*#esDNGl*8$8bv_$D%CZ-Uh<tkYa@PZ&2fF2)r!Q}MF>(ugZw<HS8Y2{G
ziqU!PpY|SOqa3pkc19<EABN0xRkz#AiK(D2Nc+}+l^7u3%fx?I{F_5C4;@WjBcAf(
zF&0Bki5qKgHK0$cooiIG;7tlsZIhL=hzPM+r$MRg<lbj*=?LD5yvr|+3XrI2yX3<E
zG6?cBSMqQ3(KRGgjhn{;XHAi}B-0EYPayvNayKy4#V%qORbJ@=j%A_LdZ?c(90Ugk
zU?oYeA3XOAZob(JNzCnGetiBq(_daB`>XBO+nREEFeOcQLYz0{2AB;9!se#7@V>3m
zk;m89jDhxF3;8|Yg4TvuJ*40eP_EtpzXyF(;}5{AcXhaD%b*+}^h+kYZo7VH;w->3
z;6}Ikk1H8G?s`@6<H8IlDss({W=#QQbm4Ok-9wz>LokVO?EEM{C-(mKOlTU5LX0jo
zz!sIsVDQDKFj(zVCCpva99SHdN=H=90uoJ*=u8WQD_)88{3(eciGY76VfA&rmVFQx
zNz+-qfSOJ0r*7h12@aj$3GJBr(kBnbMLR2uk7pv1z)#n6{X@9K)Li|nV6k-;?CBuQ
zhtW$KbO3f6R49#Q4g-ce6d#yWb^blZKtl-=`tf81a~Fk=X9v2<%4v7?va7uVi#(4A
z^CM#yye1KhjaBD=07q3}X8!7#GFb3M1Sw`eU_n=lv)asZhie<8I%9UnhXGO<^?<x;
zVI)lDF(%z~L3fyYsVUt=qy%GB7Zn$zX=Z{=jn2Rxf~`$3pL=In%`Lh-dRPY}u9omy
z2`p_dYrYJ^M~sR~5YIvyri`6IZNo&G0r@tSa}uyoCtd9`+l;~+KkmvBNYeE~sXIQs
zlfd9Lj3uQ=g>YaJvs8N)&J2d-HtGU5LnI=WJ>ZLbs87VTpowM-(Pq4DE2VQQ=L_8<
zOQS`QFsTbRdh%I$uP6pzG<C+fk)o*ghkr+GCKk=84rsYZ2W!$D0h&f4JYpk`_sa3&
zip$92K+K7I#y4M=&o<Q5dRrVDgppIdg^s)DnP50R$!KCX-!U=;ytcyi$+MoJN6)g?
zoqe?1Q^eE3Q9*LXvfC)$ql%c$Z~vq^lPcPFA9!qwBhx(I3b<7%I2=<5_XM0?Bp+Z;
zrcPlyP|ldiO8bC+5T2SxbJhpOp&^vjr3=P>!@OH`%W){^b3_J_{tdE~mXm&G+#iEn
z$_!b~J~FiYiZ2q7!<5>IpyXPG(%%h}wd0|-oh5J+trEH=s~|DX$Afd(#!_+^SNnu#
z8iPLEs4GJ)dTyp-c-sjWoyCXKi@Y9?E$`#(BWT6qtep-gj~w_;vOzPwy1DSdo*$mJ
zvf$&N?h?T!u8CsW9>3Enr?~ijkjQ3n-d;!K`-?UsB@?WYX9XVOtaRI@8IE?CNf56*
z&($aKe@STAWa+IdZ<2qf&5b5K+gCjMPsHkeqlK@8)s)QR`e*o=@V1|<7IQNg96D{t
za1Mi%mrCL!5(~vk_!nrb;zE^e<a7TCsd9n`1=u=qZEwiRi2P^fyPz>Qp0ZR$c?c;B
zvoyUr>$Pe!5|gei?+dMjlZtv8W4}NCyx7{e7ZJq(0`WXdDTm><;_9j;<U}cr(*-vv
zd8%$OkNS4#WCYPhbVm>)oZXsVHFMU4e;m^P`7#6A$v`{{^4QrC_a!1h+;o?mOfoI`
z&oh6|gMNK4nruP(S|%xA4Eni1%(;E>*yA{rSClow+=}LzT_{<Wp6<Ed(4l)x2!f5>
ztoyEuo0DlS0~-%$m_JJrl;bEDXzo5-5(|`JvePZ7w)t;EOVTz|$u8*hJXLhfYtvv)
zt`(0?%ZNjy#!r%$OZy$CC&@^obZ(bn&WsS}-;#SP3Q7kTT@uDx<cv+%Kd)-gC{{bR
z&KQ02#Z4YTeGLt8GEQIU5%|eHBCW|t0YxTY{&k$8G-B{N09IzkiJf2eX99Kns{Z1~
zSs(f;8IQ8o!s5T-jW&4smdxMwzec2%f)>NS$b2%hZ^h|5Y*{NsuS&`75FV0RTEC!E
ztd{@%@wa1%l0XQ20nxNPVV5$<0}`OMSMog`Pn}g@?l%mirbcca`o5X@n|`Q1L_oVD
zHd55t<Pwj{w9L46saYcBtevXdP+dzBj{T4#<=v{L<*!qwMJS?Ry`gLNNz(DWhzO6N
zOK!|*_~?k2*W+V_O#h^Ry7r=@_F_)g?8kt;yS2KX<XtpiXdAOdeRYGLH7^*qGw96&
z(ME^VaeJ7-^6Z|pwW^b-GHa8&>=d)XymlU!f6=U;$A@1sf(vV0k?i+M<fO!0{(2An
z8tdwe<qkk0d(l|y*6N@`xY2p;&iaf29_G%HmYA#TG<nih)v2RzzBjEb$F6GPHBNnb
z$v9VWq9yjXn%oT&Z>{p3>88GRN=Mv_kHDz}ma*9<hVUR-TwF`!NwJ~DcfGLx#1AT3
z-kYPE24-m^-t5L0p|kS8-<<gL@}SI;dK5wIcsOo)I2z^n1iRWdotK~P-?Iy;A818~
z1NZwZ$aLe>{FEGnL{+zO0omZEY{M}t^JK2>!(Z#U7h8BJ%QBn$b5Bye554!~F+QLw
z3GT(?@xGg%t7Bhm*i5cue~Uf(;QM^ZD4jC9PJ%*dg7fi|?dZV^W9@ohl8>Uz>n(L&
z(!o<U!N%rFt#A4w(I?Y$Z{m#PkvC^+TH3up={GSmJ47gk(KVtV=rCy7aN4w<{mZba
zUil^6{cpqQH|nL61g2J|b31g0@@ZT8<d`A4cDMaqhGz%OCjEvEY&1!AhW!ryQuujS
zsH_|<Hu2|NbqHHN%TCJPs;tRecy%F)ASZ1aw&V&i>MzeH^o~nZ3H{mIHC>^VE{CHD
z;yNu6S}~dKUU}OA%m)G~<Lti4j~W6_bsDnsHi>U%FcL?D_YGd7JmRT6@u-Dx0t83*
znS*}4;}|1g9D-9?NjxdGwEtb(C$;4(baJQ4Pj$Ls4b41!{C1oP#%n*jETA({C=R5f
zXFPPN+Hc;>otv<#hB8FZ*pV(2;T_0h<NZ`r&Ze-6bY<LRDQ;-;`%U+uxU$6{6Q$@H
z8M!o5_mP4cm9H152~F%h3Nan9E^<OmF*kP)a_XJ?j=5^BE3%JHNX7ec-RL9j%kmp0
ze=xYh2jg9NLHVmTTld`~Y0Dl6PuE{%WarHv(M@F?q-%2)ohuz~JQ;iPdT|LgjCt7n
z`@IFo#}W6L^<LoTNrEqkpIJCl7Gk|Tfp$u|DVxq-@2@0pUGy%YaQp_Hcm5prjqY<B
zpL6&;Ee09mF&6J$k$C_!G*QjjtR;-U5i{T`cgod%J}EHtLR<T2e6*09O!@9ksl=aE
z*46WWI7v$MsR28<333;}=NVUgnH&-I#yqu9PHSwXyleK3ROgmT<W4`+-}2pjs7;^S
z;PP<2u_6xgEkZ<2o0qJ`75pKRYWsj-TW;5EOMuO4!*Ru@r+e<m*%uPk`)#Vj`niBE
z>rclwA2(F^PdhBwafMP=)pX_7)wz=9;1}DwFKX=;i^*u2F2JV5%)Y0ZZdO}{9x$>e
z$7{}wWQD_tZ1wl8BpA5928k-(T*#*HW_$5~rCb;c@oshYmfS9q((iH)&)5HLNI2ZE
zk1ph}H^s$qeU74MvcFFZs?pw791CSIjFm`S^ciLO*B+w54SNm><Ch<G%|=><(lQ_J
zZ=e296nPDR-;*m<hJMnJB=0UR5j0qWfDZd~`!&B9$0(M4=0a%hy7cS?Y4<0?8uz5k
z=&U?1e|uCGBTi2Ua=xuDjQ8Dd5w7aZirc@W?jiblO@L-P3MYsRZ=xtj;uvv`^9u2@
z2P*}^$GooiVQemR$2)l)OL_koyG!XWKk8M0%?Q<DKb!KMjaM&3^Y7<h#-N4g&2;#=
zzd3Yz`=M$+E!p*F&j;!X(F^0Nj<3)!pLP7wesESxt#l$Qh@?}PhwrJoU-DspK{tlH
z(?}V4D`1oGhq7o3wX+<AH?HbBY<@8s1Z8Snp=B8_+dd<@LW`_g{~FaOeFJZA(98~l
zRCXHspYM0;Xzy%J&^)en&e6Uz@OvCGHB~w?UAXWz8b{hgL-25gGcUnzB}x+^-8$B(
z?37L4obchp(iTosylS)FXGZVa9_X2@Y(y2uX)Krk&GpF^JHQ_9aO&~a!tkrnD51)g
zZs3SXh2j^?ni_|;UN(i13l>5;Er4Q#G_a%|*I~E%c+_J;!QJhw{DHCdADg?M%#g1=
zelY%WbdKlT->}YLC361{uX1i!HLqYD_5geSkgdwxD;F5FZ+qKJR&xf)Nnhz)EbGCP
zJ!p`w0o35+ycUhT6r*7N3T}DAZ0%N*0KFW^2G(qBS?oRwd4~@rrWi1z2cq8ON#@Ht
zTBi((DZ69`FJ7KY&ppu=f2dJTt)1>+!j;Gj)cf!#Jz+h$MenDvGvgt`^(MCYVtU^v
zU9-AP?nj3um)50Lj*ttk;@%qDmN}Xmjb({Z&aYMuy?!rAyfT}s54ld+zZ$n39s4MC
zW$9&7GubqVCsHqUbS8)gCr84<l!_T;?Ie-j+4dujd_H)hSp;P=jOPmFzBNrL=joV#
z8pD|j7Pl|E?c8Pfy1bJXb+z(i*}r9%rH@qS63pe%fjGcgOjc)4xyYlX44mkm8q)e`
z5X&)cRth6rEGcb9V@Q~Lj>%KJ+gXxepySc*^ZmST?f9ElJxM9kH@}-E#}|s9@My*%
zAGug`_#j(AO0Bo*vjMKIFU^1k`MCJ_K@QL2<u}*D1=angv7-B;k}k{aLVKO&uis=K
zlBH_I>aL4TICgh)ru{89=obl9JGycCX21V<51kwagtBCMETsdoA%cSOlt+2r*87Yr
zb=MWWzC5M$7W3x0hqgM0S@<!&JE?ReV0-!PzS+-5oJM4kuiG!sgzjOhrhcnd?R0DD
zUGn;5_>R6*SOYLnhQ}Xc>-^scej~FG!<i4AarSu()^?!T_IuL0>wEK4)vk`U&&!DV
z%5F7&z>lkeMTp{SX0-T01Kj$BlN{v7*of7JTn7Fjg#OD5aINL-8(PPT@t)Fm(<6Zm
zIqoM`D`lir9O0rp{T0ka!K*&*Yy($=>1q_g(0rq=;p&oSuk!8q*6(bQJ=XVMyq1#(
z`RR=H>I=WwR&(sgUW)Q+(e6}GOM2w_(_iffE6TAGu`}I#A?jaWOP&F1)=QIR`;Zf(
z!8BxhJdx}dJvOae%d0uo{;1xfZ&$yN$4qbYi)AoRy6jg+x^Hu%j9{&e>SdSKyDs{+
z9a~!zDZS@=l-RBOCCC_a#}AT~kqBS3D|TS;Wd)bLWv=q@>m6BJl!8V&EA+BCj5MO4
zZujW0BRVJT>o>dhAo=&)K|C=hKJP#1A{8a%E^m0JBzb~zoZm__SyZ^=vcM;v4-+UL
ztzo~i!hOcXu8Wq_>0{G3t}HlvUdTBI^5S#rq=xc}dNPnGIpGeK;tW0i4o)<zn2%oa
z(eUc=#)rAh?b2a}`|tjkYB97^ttqVUjlX^>Sy>p5G(T34dgvf*)fjYTxhNvHyeCGe
ziAj6ll3GORt#hYn4fp^Cca8H3>fIY`>~R=c?(3pu5WZ@}tj_Z!KCHISeQEd6Ss<`n
z#6Aun3^<@X`h%Q^H%^U~kO@a&eW!Bs*8ZjSm#^PNE0j9i3k(%3jF(!_t7>}4<fcMZ
zg1Zjm55WcOj}WpoMe0s;!h9*F$jOJkZ6XxJVaLj0rEKZ)R-5GCivtfYbh(SzfjJ~e
zQ<7on6c_~9S2CqKf7%Wge?GB1OGl<+czySY{8F)TdK<Im<Li3I;~-ct3>RnJ>c{7E
zRxPXA2)@agg>VO>?_0ZkeA~=5y2Guv;@SrqP+U|$Gfq6(w^Md!c-U6ihi6KutiFd<
z=siu97!|?tZPd?2Z{vjNg$%~-siw3BdG$N>B&%LNyWLxPEjmzWUiwqq<E<>F!oO!z
zGsTn3hd5>(Slti`{oCGUvGJO~&s*I43|!dy<@|zz+^4gnGVcr~YzhpBqHJ^T#ykGL
z$V0^6Qx*RkXPuO;b@Fqt&~4jRi@{8usT9wT!%K(UzeGld2if70GeUnqD{{X;&EY3^
zVN7(Y$<;pmb%hj-aM&5^Q<E#+Nv=&Yp;wBNw-3>$z0YTIBNO)&=BdV+H?}VxY`i99
zY4=4)Bfz+7d27GLllk@pT&yHU&*-n&fO0!yVl5akotONxce~6?MjmK2{Wf($`E>3Z
z8tR(Us+1=t^7`I5e}a^3$q||C)&ITx{8za!4fB*wt&~dwG9Vi^>~&B5$jqMq%2D0E
z9W#^fJ&_s(Th8mn|M_e6@#kvKMsu{#QG9GQ%&6qS9<$gD#m<V63aRIzYYpuSIi9O3
z&`CyA^&4qaXA?xj`#jTG=_+R{!}ZAS9v$~8v2|i4lzp&cH|vYGd%}3b8n3pqIdNOc
zZ1_vvMI>i0K_ttYu-wk#4T>IJxBKq?_SVPv6MJu$DU_yHJ(M)APQvisgS~%}ho5)d
z7NCEI>y`bzugKHlKP8kjY!)d(un3LfYt{A$@H@6bZ+G#S5PCSY$K9;b5OHKj(zvId
zhK=9g5}j|{{nb{fV?)X;bR%uuW|?yCFnk*~TGrhsi>gTRRBoLdTRUbHo-){8GPT@V
znBZeB)KE9Dbv+(3=aIt#Wa$@ZKI>Wy^5eiBL(<YYI#CMNrRjs(c2qHp?`ds8>5&Ap
z@ZNu!@X?*cgkAQ9lBphY2fZq!{#JI)!m1qvA3(1fSSVs|_EiRKPWPn$5%T?4s^CUM
zFy{bp;N;tx)vddmhJH#gM{Z;;II~ab=&0vJ3&1>?q{#UUM60-61j_qQwXM(I&U=Tz
zJ-*S?GH>b-he;Rtn~p<WQGpOC9<NqI!S=DA5Z*pHxdNtO{R`|d+-IuN3fFi)={GU?
zwn~X2L^{lW-Br5s35cHKPBVu{-OVw7x1qy0MX~9V9+$Z%LpH=Wcxn5Ed}r?U(~|8!
z+gv~aDgSz2mZ1~QcQpOdL;O9SmXP{%mDzZO9#QH8yyzEHgSCrXOQg$W(htYDL?4>b
z2grkT3UlNIFmvmd_fh1&E<QEg#2`e}S+(^T$cArzl&%_ekolPQ$sK+1a=wjSv%PK$
zm&e+t(+anc=!sMwvMbo?5#md6rvi!+HSs!K_z$P7YI#F8vY%bJTLOmcO^jhWI}a)4
zygykCTw2>}XU3k?!6H~yaZZ`lgSg?WAw7SfU(t!=>(tghEs)!Y5K{b>K|6X*J!}D-
zY{c`;Zd;kz53@l+u?)99yKCo}#~a3L@<C1bC34DwEnOL?)|7WN1ZpT#Vqx#=88Cup
zPpzdy%s50QNOi_fw0HM8kUT*3RrNC`r<A>-Um*5#jr9)nO`s4?8&djd)(nMC#>53t
z$C*Rqe*1Pc;ccF&C=p9;4oR&OPTMQLn-h*c?W{1Q<&+b1Bcme!+FvIj3%>*rH9pVe
zyu@eBp7y4$A@O>`(SrsJPS*~tr93(g3PgX2(~3Ik^uI3{K|je)whg)iA&zFz8~j?Y
z>l@>xE8y}Zw@w=JUkDRfOD@Xn+9ct}rcUs&s(%e+AyqR4^PvO|GIa%z@kcN>4=(Iz
zNsKG7h<UkcA4`{NJlqcV@00@#$^WNWHAdqYkr~O#O`(_K3|XGRi+jytKD8=akJU{&
z74-{)F4cZMp~dP$vu||vlzxd2?)i$X4!y@uj7IkjQ*!%<zu&Ckb80Gmv=v4E?mqCT
zE%nY5-mA<NDV$S5QDqZ^u%X9kvF^G(yRPx|Ncut{frYCk!aS01e_L#`fFaeV6a_Xx
zqBj+LZT#U1)wpTVu&Ak=RAtE{<5CHqd3}E{YPijI_xk9)>=6b6h&1MaQ<m8b@uhTj
zSv-T2mUYl;=WF>UnhJT|x|`VsJ5@plKAY6DY1r3cj>RlQmNWENd)aZ@<TWr+-Ze8n
z&CJ~3Lo>s6L(UQVDp`mi(p=@ciJX^$vQOzY9TW5s3RB(nCi!W3mS^pW9~cekdZ8QA
zm(7E5l$fmxF96#ZC3NH7&GW-~>o}6;nE?h;?xs0gb3+|H0Zjgg@{~cFx7fsS_Is~_
zwkeubyE)H^S$hjA73sw%9J}T_Oftt9z3C{K!Bf5V0qTiU96KS+O@S2J#t(v#6OMsg
zz#b;Y9j14#)9+I+j8I5KNr0fd0{~FULi4rt&@p<>Y}Xy0Z+iquIQauw6>g|Z3$|IV
zXx8eF<I@ACW1HNbZ?_mpy5^=)Q{8L>ETeqf1PySIBIYUQey+bZ6uEunr)CC@Ohn7j
zHldF|Cq(KKszQ*%4=cJ1AXX@5G5b8DG;^|qXIX&wTq&|AG$wFC+D}C{0kY~zkp7}y
z+}pk;_M2+Zu77FwPvPacF5HppM{~+@a^=u>cgn=1J?3`nm+wf9?srS~O2e7&8_Y`_
z`4((hN?>q8qu%0FtSsV<Oo&NW<SBnW;Kuav)F!6)_S%CGt|vDzr>bXPFC~K}4W<s>
zzR=Dmdy99a>`EQ-n0Q3s&9VboqV*U%*^Gf0a2Ncc)7`mAmR-r2?lq2EJBaik#Vpl@
zRn(vb2>C?4jV3FL$NRZ#?B!1{p7}UxuAIG&%YxNOYpnq)DNmEGPc6yd|JgE>_t$a8
zsuxanmkYJQM>t&a;2kX*+1wjZ4OxzfLd}z3yfp&p3-F$0IzzP+*OzXX_6wl~2C;0f
zdMzA7;5VnG<PVl)UR5R{o6eI6yD|ELYx9*|*fF(Q`Te*o`o$INgS>=&!6nKGN3&@y
z@-{fh@lpPk+pNWOG(SbU+LU`1`5AgE!EVfagr4jR(cZSGN<7VNOPp1$sjMPL>OvWB
zOt*8`k_Lkuv+mo7yHqFtmC9ohn5$te6!j9%@x>c*Qxm%VT*G!R5}0e<?w!`=LoEOs
zF#s8*2r^Bs{gg<X?y2~3|LI$n-;EFu-yQo#BY=>x&}6qxQ*iM8IwOgT_0tGqU?-PB
zae&bmK1cewvNJ>Xr*F7;-u|t-;JBA9LxkVut!%mGZiG{Wo}+eJQG2$^K7T#6P@J`e
z?4JMNj>sCBrM2c_hAe|tTMG@kahN$b+*=bFK>dtShV0_w$-mj@>^}}2Z}zMoxWYEn
zUG8`MOLZoW?0tQ#Dtnq@JNK-j==Nd6apID!Ccf;$Qiruv{zg{#PpRm!-`jOU7i8AR
zbD#?dhG!b|*m(#9j;e8y-cxZdZpTpbv2ClBQNw7{hSE)5Wc)N>!*nEQDgzvGyS@11
zHA)R_hKiV83>0MX+i<%@Y&af0Gpk@>8Jp01;+qfu6*dY@RPY0^CyqDt#Jkf`K5fpG
zHf<dn-*Z1u!2Z*SR48`zdAQfJYn)z!I=mIN%SYQJ(oD1x%r%Mhuj^Tx9OjGWa-``5
z#;O<fteEA5KqLr^-S#^gp$50iOJ+Y?t{LVMAex4Es=Vz1rhJuKSb2k*-aR<&BPG&4
zN+MBL?6}yNjKw9}m*Mt-88pdFy)_m8gp9u*zR{7oPZc5tmGSxeT9}2;ZQKOO40roh
z!dI){q8HJ<d%O0kR;JKzN-n8uux*{6(f{T+<n3rrPaO8`L~fIrKeq$-S2MDcPqg05
zk=y&Vs%v(WH-?{4H|S9xPVeFQ>+gm{P2wnHw%YiE8nW1hUdK<eC#xB{UX*B(1VM8<
z?8)X`{9s(d;tD^LuDTD;6Ac-s=`j(-8^;5_{C%f1^Tstqt6nadpX~QCdwNXp8ygcH
zg+KQ_R#Jq#eR`dS_<pdg2*!IUcew7)q|Cf-0<QvQZyvYBnV&yfSbJho{oR@|is1%_
z#9KSVo%=Y+E)EX8@BX+&++5)%YjDv&9tp=E4y$_l;_|n{iiUT##*23#TyKg(X^VT;
zX-Q_op;%DcZHYUnBR=g9qT@|{TCnZu94^fMAwj4>!%LIDJ2=-tvnyt6{9~Q{*+nr#
zm*uX%82U7nlT>J5cS+-}4eix;v6M$Kg(&bu%3vu-w418$-NT#tuKhmLZvKhAf$d<|
zJb72#SjpD7vEm?}e5lpGVe&G@)X!R}HR4J8!}k)zPlvI0I8`WNk2zk2G3yC#De|fQ
zXt?=8uVz6h{7*h-S7OP+Ux&#R`pwq+)O=vJrzKI$PW!mm^;@kQGH7xS?2m2(x&4!c
zQTgAFDN%P}k-FOL!$+qtY&`v~W^qQtO}=Z*V}jKxc5B=r#3uP$Hc+5P6DzxuA3rY?
z7yP(HI7t;O9(<#Fud~vj$<0gYjUV@UYp-KD-dNoqIz6T-j-1a3;^mIGu~vvwqn9%-
z2$J@`*;Zw9`KkNXiwB#ql-q-)Tx}hk)m?&mFwdIA{Atr`aERBch^%_`-VPrQodghh
z|5~1XVx`ntzJMbaT$jEO?v05MzZP3Onwo=U-<-jqHsMCuR9$?9#PUK0C)paTR|mRF
zu;io1ifJu&dR44I3U*#AJR{s0&9?1><?f4~d9jRah=T-k+xNU=XWS|Gh<j8VkDQ=9
zaqZlm`yy%NO@Nh^g2Dm`ZW6ByJ^R($N++s=n%Pc4$T9#Wd2fM8qsM>6wtZ`AyY&2Z
z-E4X!etk|r`{^2(B7sXFIv(A`@S8589iN+R6E=IdH8R3z$u8hH0w;Mc_@%!xADW^U
z??&EBfIZal7BzV4SjT(T?ex%lwKzv+R3=r`{7fEFZWjPMSm?j$hj{Hh%Dvf78?THt
z4o_s7oAN{Eu2JvF2*kPY`iRr5T?FI+aaMXx!Zb4#Z}iqKZ*$Q<5VABH^8<jJiBjtk
z4Gjo_2rglayUj!#XHi0E@6Hp+G1qTMb!ydYn1|h{)HH+0!=&c12*D>x7?QiV1=(fq
zt`Y`d#jp;H_jVg^7oYj;X1yxhS+UKt70UV&oEEIWv7OB(R~ngG8q9F)Dh&Xj+99d5
z#T|LW=u>UoFx+90RcU%;!~RiU@bqy~R2OC}mD;cg8ge{QZa!LK>>kpe{ieUEx(-Xe
z&^q|R&ps8i4o(9QBoH#xNn_#|_S~p=_^r*3S!-+8M_aq6g{U{~k#yk!%(EQYog+EB
z$&h#aB(T`F)CZlsAyIz>pUba3^|r%gX_vQt&E7{(y0LX@+MGcQJ0h#e2=#nkW=&A~
zvE;F6i+i9(mknZXyewgQp-CMNuw~%n5Gz;bq?XQWJgR`+a#C}bXZh(%PWoafB#?~Y
zZ^5bj$hY!)G<2(Nw4?T~F;^?7MIFdHVS52*A?D6V;r*8?9c3A1a}N}A)5e^dtX3n0
z+`2^7KA<VFvoLRsUzeSnjVG>wg@$5TS_FjxhzCKOpf?V$Ohe2dL{TjN4uF=Er3uni
z#Pnbi7cV(fu<>6N1Vpq15L-;vJ9-BZKJv>`)bWw}DWz6(KuZ?M_9|lV4*#2iA}oyy
z;LD;T1VOgrDWE6Vhd{3&bl5n4wmyT_?*@TS2nKHl=@i^=FV%6HCo#>`hTuAdzvZm+
z*G)gGk~4l-ou!s?f<MhZMkex?96|DbV@x0Qi1zbnh$sQQpLFY}Cc-?eb>9c=o>?lj
zS|_<?N+}_`<C_2UdxL&=OF{T36>#X=`3&8w!h!c%3wSRyC+3f5bloziQx`$PfBv(T
zQ%6$=zgnGz74kibZvVqnK{EMl?w!5dy1hF9t3{o>95W#Brf(y_d$QjPZ19qX-`2TL
zJKEX!XStS2K`l;h0_CzjFMRmFS8FsSuTvXCGfLL~zS|tOi`ou;Ly-U>F_V<aG8#_5
z6M{HmJuxmeBzT$m1og+&AddU+s~zC0b2_M{qsW+63#<GROfLt<V4Q~F0N^_Kl{W&|
z1iuBX&3KtR^;as5fvF1Wm(U{Fedy0IPy@x|Aj3Z|@RMf8{t;W&(P)2Z(lE6Lgi&z4
z1<fCEz&1S-p)lcz9Af|8fgdSX0a&=|9&g8qYM`U<5JCpOB05+ofXimu(vpsQN!e2S
zaWJGM5GRkoW71t6?vC{1I7%K3VPr;}0ouzcERKG^HjDLm)aC9&<Pb%FPJo9Vy2ryw
ze&G6{+8yU{2;G*$bX>-=6Vez}%cvzN9=Q<Isj%n}F~Hrx<O>SLWq?XguOq(UTG9;1
z|9_x@dmCZYP~r5ypRm$p&|I$&jG=%6;^QET7@}YQ)dK}`c$i)}ht{H*hH#Q9;}eFe
z{|$8phU(!UZ%q5o>>wxs+6&6)DY6R;kr@-C7>HqDT!k)4yHCLD17*&)`d~2tHy?0k
zgZj21(c?_mcN@$CFQy{_{JQY>&bu&IZ6Qselr7_rWY=Bv6#(>v`u*QoU^%EJ^N@Hr
zN2F{2{T|@T4X@;ZxLGOHDPt!y%J4iP{5ll-+yH|MjRcYU@CY}40gC!Oq#-bkFG!((
zr-u{n;SuUKC{pndNuMEJC#UV-F_}^Ge?!*iy^^sX(@_C>8X0O8K`)}B{;O-#&oCE_
zQN<5H7!v_n4?n;2EqYF0cEx|{8V6Yl90~O&!f2_j!JK@tY~_75PH^aSP?QLsm;|S#
z0)Pv}aK0!a>42FbaFUC1urwWa_24JNI}+?9?pV8bBFH)qOM_=EqPBB^Ln?S_Na+xi
z<tYTL4%Wq<T0S=KI5)oRN<#(>1JS}q2bt`ou8b#u9*@AOhYpP3aq54|n+#A(8p0De
z*8iJX9)L_P_Bakw--Y?QxZ3kYK@BxIM|d5)*8lf&j5CbWbp=p?hyT~`-!Fy^MOd}V
z;=+MmryR&!|9kRp%Ri`ki(|k`ZVkF3*je&aL}30JAeG+%YI~ov4}35U887if!F&~w
zvitug*A?qH4aFJcAy5Opv-uSQPcK4lK+58zIxpBAr`97x8B}mON@lAh5<FJ}IhGRM
z^Ncc#nNd>PwOK@T&cP_Xg+q~H{SA6U$-&jj)9X4aaXr7o4_as}JX#uJbU!nrNMyAC
z#oq~EhBEvYz5*hK?9!T4_dE4mTzDAo#UE_tWA>9Pn?j||a+h}K-j1V^x=kSt_QrXI
zQizI^X`L5hC+Fy)Ur!hEMmHa2(w@pb0A-XpDowH%&yQt{Ze27B@bGeyytKU%HtP$f
zxb|LFxIn47O`75PkeV$iG~?yQKeZv0#X@39y}ta9bN>|i>xSanRM_O?T!qs4$eW+J
zg-SV}e-|puGq@n5molirVDC=o1Upmj++JY`qTr5o7n!@)!BM56M_upa<bbD(T0fq8
zopk*&mGGtAPu;LcdLX4+C{cu)a1HQ<8eZD0uYq6b?e88Rx;g)ut>S>Bn*E+AoiW1n
zAsu0;PTcqYFC_ThhXRLl?+B9*O~WBzWh#EMQ#(&N!MSMl6ojUyPAHU?Zf>BiRM6A{
zUqh$`36(3od!aLwUHIs9us3n-ZCcYS+9~)-W9A@P+w}u@VunAMVDR5=fthGG^<;g%
z=2^7LgJt7;*Af8MfWUq(@hXhgAOOq0zzv#}#|t22Q_=hSe0j63!|I}{kt3^9KbNJe
z{YatIm9IaZeVt(^Ys@ttMFe#@YTFu4TtZ|tTfe}>>a(s{z%!iST(fWa(gO&s2)Oqm
z;0!4f^dSPtF~TNTtH$3W_*|BOKs#AX2WPV!kQJeACgQO!pz~yXyoQ^&Sp>hR9MemJ
zi$PC>dj>0n7(M_^4FBTs3bgRj?PQzKyN%Ob@;&g|f&#=xW@){zM~<SwK+Kpr!v3^&
z-WPVG;JUfs?}+y7>~BW{QagSJI?mJI{`LCX34lS7Lg}w9Q@{r-yR%S(wYvJ4sg7sa
z7m#wg?hRH(!E#M;p^L@|25|6YJpyFSg6jQS@6=`z`HJLlt0&AkDI0JJ25LD^P=MaM
zzJZ-*DlQJtlc0Yg!*Tu(?W@YBJFJ+FrHwr(j#Wbz_Rx<hyFJ^;A)|bIIsXix>dwj2
zi|oKAPK65o<-sq%=7;Huf`fK%Ha*|5+&vwKR1D&f$c}L1P|Uz6ExVNqRrtBX;T8lM
zvc;sI>gez13z0_m0yY2s&4Lu|R15N{f(yqp7!%Kc%doC%Hh-HVk%PM4ynxHPTq$)h
zzF&|or6ouP04mPKXi^tdWXwu+uI4R7V;kh?p}OeF>(V9h9^=gxG8;dM3jTKA;nWN`
zv*OD-sFTxk&K{oFpB>1u?5-Vy^O?%xqt^VuV>*IL(h%B7l_e;n<F+xJzn?4<?m51g
zB%`hy!qc<hVv-s@>WC*GG{H4&3t|pX9-(Hov&PA|RM!v1`=UhxHVvZ~6Ib>}&<Lvg
zs^bw^tM!kdSj+?6{F04$Ojj&C17S%J;H`)#tFz)=w6^xSO$t|c^z4|xmFUASciD8M
zAs0>i4RS1CTTkS&$smNo&#M3?DxtW9Mu=HF7ah*krp^~(I(9p;8IWTkj1>sZPFPJ|
zmGluC<LP_4Wk_)kvL0D6Yc$DHp<ZSixECOmZojGUX#cLj@rs{W2`_NFV*XN3CUOY{
z!W>IgXtK-!OX_O9`o!GT5U514#Gc$FheU<qH=G1yoylP^nw>uM00^kPRE*GkkqC1)
zKf6IB62V{-SAh3eP*Vg^;#zAgo7vi?6<$06%U)j=tp%2bFuOEPUqm(Zk$J9}w+`FO
zTZsRR9l~Lg86dE`ehu@aUS?_d8c^YyQ<HvYo4nmtc+0=8>K5kpVww6#+G5lZ!2Q||
zC{08<Exa*Q9(2R1(2+6++3Y?AY#Nb~i;=l0xN+O5oOH-4WzaF>(`m`}4!eCp5kGL4
zE@+_G7f!lIJwTQkKr@Wru3s;I4w{M2Lrd}gQTp2)Y<uOLv59XCwj=%<#?yP@kGo`B
zN3I6bUT8qFpdq9J)k{zd`s$6SP!9b(!Z-Ai;A;>WFQ_PnKHLD2;|4W)q-bBG*MYy0
z;_O)Db4K>e<bN+31JV_d{iapAxuX6Ez4{qxW+c3UNycD0+^Bx-DtVwM0<7I~v{NM<
zi71xC?F6dWg#o#O%CoFu-|WnTOvtYH!Qv|?4n_BJY}Xlz=7vsT&_Xh}S6!`ZmOAns
zrG8eCu^fx9qcc=69g`RGS7~t#ecd20<^RxLRO4lWuw6S4M7rK&NUD3m*8*3}`1P#I
zU8Nd$>D}~aK@K7IK{RBj2j~H1z%|<Ce4&V;^A^4H<<m;huVYIgD<`72o-#reYA`j3
z@d9#Sex~G;$`yh^q#8j{6n%iY!vWo3&Txx>lVS>%x>I{miag8)zEYhk(NNxp6h3Hf
zY`;8!h2t@BgMp}=zwKyp{_p=`0rr-~1K#@JA!w@0Lj`{FhBXp-Y2-rTvv<+Zc|hhI
z7?#^{t&YrU@V4ZMmIF3%?vv4C99__5k5?EJK*?5b`~LEt^(#U4E;!$9G=z_fG2B+|
z5b9-r7=zaGK=@QP+m*eb82Gcf$b}700*Uh@z-O%PgD`^xE3#h?rL|pTB^>dxUHQX7
z_GnKvC)oiRKnsa#OgC<hO`)#a$mQUPBWO0rZnByk4)zfn7I{%2^Kew~t~sO;x&vxK
zb+99f3fPWQaLreF!?q3t6BFq$9fl0Vnh6)0vTN{}O%+ZENtr-S0a%sswtE4$H3?(}
zPO^t^#sFq0iaMX2DRmUyH8q;G^CRkAcaTf)>w6JK{MMk|{A`W%8{8R%v9mC8BxqAC
z)h~lI>k<t2*{ELL1dbbhTH_f5w{QefdWtxvV|AHKqnrz1Xfy(H6KJW$+>WRgY|mk^
z5!6{htjo|{>KWGf%B7{d;6qR3fKLG_&f`1;j)^fMv?gj1kxZ+T3FRvU(8!0<f8Cmq
z(Z{Fd=i#-B^~-o){S|sjMS8A&GA#@V&-fs=#D^Xs?W>i%VU-fgL~!y^k5~a!kfY==
zKczvV@?u|P`*2`fN&w6NY2^&HwlFcgstHTY8YUj{^t(?l2Rs$gN52&An{JH*vEWS@
zIyWkIKPnyqyaR@R-pO>mO+8;oj$<*ZF_2JY1k+feAt;KVz?3-g@I`oZ11vi2)=8nh
z=g!{x&W3Ko@tp3tS4{_34~!`cht6L6&PHD0y`rUyO}tOt!STv|n1LO{Ig?%lWbXz2
zi;Ah=40J7qkgLOBtM+>v4qoiaiymVY=NV&FFaypbZZR|j*-;~!vg}YMIz-6>%Spog
zzEWvHK83$HQfTnN`LO@yc?r-tpu*`Sj@U{LEWdgIacp8Ju&%Qp9K<SQ2zK>$8>jL-
zXC~S*FgyCqCj&j8KIqUnE=B(<pvx=!{PeA!@)X=G?NNDp7oa1u`Dt8m+wEJEtQ?(J
zBkxT`9IVtvHKHg5UL}U#JqeLYg`j5Y{cft1dR|>|SPTS?8eVj|{Ia4Vd@}5Gk$d|w
z4C<{>omTf43aNPd>Ujy+(pHWjaxj&Xpya0)$D7VyZvil>0zvZ}U1qJ<<qIS13nEQR
zicr=qJD`t_Bn?rYxezr)wK}w(Pjr8hmS()VUwttsW`uJ=71PlLWP05-8O~w)bzI+X
z76apBkJr_Xh3-J3!We^tX+@ZUZz8b64Oek}+pfeQ4oGNmww-TQRTi7*A8-d#bQ~@g
z(F;`e>(b?6mES8}7XtM`rb_;%LYD}k>IX|E7mQE?a1ZKQU}hXuSDVZuyKWCyB58@G
z;jw;*kEw!WUu817y<o>X%%51i+r?h%rGyX~25PkfdZ_<^2EHBPg6uC+W|15EN*!PA
z+SO!zA!8T$8s~p6mke4kB62oJO(nZsepNMMr(=E!0OLIu%g9dhbhQr_rbVQSZjpu$
z1}ryCUa*~0X!6seAxPuBc8hHrq0nDCV2C=K%%Y%X<FEn|z2_>t6!&5iS8aQ~@j<v;
zf)r@k6_9;E_IK?g|NE{V9KXl)?oG`~6iq+qb{O>uniD9`()PgdysL9M7dEx6N7lPC
z-CGUzs|~E<_IpOeC>{*N;YYtk%VfkrgX66RS$5*@fN{zDvmr$f#sNBqrXxaAsjHz+
zU5)&!R3Xdc9GD8Tg=ZeI58oEZZ^Va6EZNLD84Sj|YYV~jK!6zlUF#hv-G(~6x9ydV
zoSj%dbh_wJl#({1j}6Dh7tH7p8p7P79?ejc8Ub1zqgvCXJM=9}EQL2NPFI9W5DAWj
z6cF6{1ikdgMpXL|>5|jwqDMnJXZyH+e3FH8)3X84tZqEf<{=mNP~sixXciuE++W^p
zxo8=j(Q0#CW^U2s%Q2dYPhlrl%?6zqVeS>DYTkzS5F6;N)ge0>S@m7PVpuNCazOAl
zTmc4*!E*>*njIEj8jcf3sFGchoB5cRzN&4YYOI&b`06PKL{_7A=0@#I%^W)G(mTr{
zK%dK`Q^Nyw+dOMx%_pmam56-x)Is4CdNlv*X)pc*6e`vLas?ud!E<1BqG=MaGc`2A
zd^^H!#I>9!6MRKsQNXQ{8t`u5JP42MT1i@P#&N-rOz|#|V)tLTvG%p(L3}dq04JPt
z5O{7@@!F&X-hmR}$>4N>_{_hAuYI(gS`6BHuNt^1kiN^tObKG7hTg}0B;5-XIPtDw
zRa5|q)L%Vhpvt^l3T9o=VZqs2@RLOgJ$i3bttAH_6L&i;9PFd`H(KSzhm47!gBrh{
zpoXzgXn-q#_2{imaM3JH$!UCW7;x&pYdhf1yigd;00zGR+Hn?6Wl=<#qHaHomHc#I
z?xl7rh_e)tR*9><11nM&h_S!xVioI~STQ}>tQ?OfU#fsbLjfm29G)^_F1wb_lOcEM
zJY?0gW*8$rj=x%|qZ3y&;@0aaY!({w_<@rHU?s5ZqZw0?yG$^BT3#+>BY~IiF7Syj
ztwRNyz3=jOB61yrbj5gf=EP9k=KjX;FR8t?yWP^#@LHlRF=Ev4wc#lima>9kY@&I;
zkfZ2T;p?!GZ*_PtY3GlT#++{ySLiJ4h-q+;3XPG6oFu=yXdYlN27h7K@{}_^@9<i)
zNDpH28u(0t6j<)%55|9N5#H($DulFS3ga6awx5}W7#gdZxRpqjk*Y8TA)h~nFYK@n
zK9RI_X&knAiH?5g{p><>^%zUvsTF--F_5o@DWXHA+;w1+?(NU!%*!@5nR0^@5<hWK
z;TcStq5yh<yw)o}wyJ+*eH*O!0Q5zw{)6~Zki`gRZ=BIbl7NinuY141yu0>AVfMJ(
z;ziBzquZ@-elAQ|8W(*W7k<QdsNKWUHl3}@X1+g)3ObDvNVPaH%xQB7_1!$Z?+ztq
zfR*U<YkSD&2Ip}QV{WLbc*(yvIbt*!#yH&xW!K8s{fo}~HG(|Oh)ulkNuykiq3pFY
zx4;wr;(#9+DnEemfArR--5|v!eLF4)^7Z^vF=|6*)r&02dFdt}c62UhE}2=cp5T)O
zc@v3W<GZUY5)tdKlJZAmp`P{cTS+|end8Kcp|(RmPHsG2%iE~C-4WWO3vKyMZel#X
zMlY#PUqd;3nNw><m~<xDwEUh8{fxq`r?pMzd-p=K1O+5u<=O<nEv%D%zD|)p_q>8U
zMJ;T*%5K)WZ-ft|aF5?Sh$!1<=Iw7!JT0k?NV@RU_{$D<K_cB4{Kt&B)!>h~IP~HV
z-z1te?V+iuICqf-t4AW7M?AbQWN#3|MFNk>JY0CJuhs2bjF0+8BVDO*GP-Liy+MWI
z4`NKhpM4>@<JC{rinpx~>IlIv2hSC*=8~P?QGGo~Ip2>Z5r^r3yM@`Wh+SQ9q3obL
z=c%ANYra+q&+7@xi}W24D_Qh3gqFIVm1s<4Pzly0)xjxj4CsIdgq|gWjCK)7)boIM
zW^*q%x1W1nc>S3I!hlEH5@#Y4pA*=LnA`c;NtVXu5gtp&J?8n=&RpRIj-QsijrrQl
zoJj2(<dz@b3l_%bhHvF-S{|(^sAP$$fKEg@H`oZk<^O-1P}Ay>jppISypSorKMUL2
zValoL+8fVdt}bBX`0A4Srt%03NM#KPu_|NFmoI*r(hIZxvv^)PHPrU64A|-gL6X_U
z`G0MS^Zn1A>DNbne-2rzLgiiYC2ew%Rm&f!;73?GQVhandkb;_IBV!6S!2Vs0HW+s
zBDW$N=9d`SH4xe@%gX!y3H`NA8BE8ITZD-tW81&`Bej3)LES7wQ1m~FQycbE^hknl
zJVlHBG0}M;$0Tr3E^+9+%)tj4LHJ%qCWJb!L1j06Y$6mIcLby459dI|M)#HWA1QJZ
zYCW4?GT<>m=oHT|ZIib!2I{)+f^rcgq0h_-Et+@!T8@pB-<*m;{`dCtxa-5N^gUe1
zb@co2osI)1`qhs|*>dCfMuxnG#=qN{R!>F{$C^uyBC?q^fo4DGm{#}Inp8<#?ap+B
z(^VhW3kqxw=4E*dYSANdRKw*(vf+oK8qf*YYgIJwx;1@v%3oEUtLVObwv_hkBll~+
z=kw0@02G$6PuUx#D2|+sMlQsE%QoHeL~u(WHR-Y!=h=Ej;j7uxCN)A23LBQKVOL?R
zOz<Gx?NV-d5&qo&YvAY1+69LC)HiOmeBC>+C>g3SbUZjyxy?alo|pK|gNH!v<HD_i
zb4AbC4>R#+Jz@OYP%xa(n#q6&He+@92@=7G0}@B=Z$Cb>t)*L`b-+Bh(VuJoTjT6~
zNiTvC@x}>T?kwb1Lx)WqgB5-`o~tk)8m<;rw#0{jmSi<ZcLR%dTnfkD9sM9f*atfE
z-HBYjO)Y=-%Lkk09$!)TRKFnce1K#7LZL;R1|l$KZ}#(9;$Zzm;IKgfA@(>+*&l5`
zpV+<e(qZ4<EX3E?LH*b-&fV;Y=%A60au+tZL4tg(pobIycI>n5KwK}W4WRXUZX|5f
zpHUJ@k4PFBClTXbv}-8jB-EL8`t^w=d?a^t%0EPR;6iPPw;kl3f<Dg{TBs=_If=Pa
za<f$e0~}`8z$%sjV%)9L=6J6rUt!~qX5^wEA-Wu)V(3+Lb*Mq%L+=*j{#TNge<d*;
zswKw)ZV?p(gCFxr<V=T+4bQRcVl*%LeXz0O!tZbMbU8ToJ7wNeBR0xzv*l9+vWIot
zAIQ>Sk}+{BoS~879wBT|CroBF<OsE8^u^L=8x5;(8{F-6ToYC;iRZ3|cRyet>Vf5o
z{f=eAkFeeAm{LBnN50C}srpz;7os|nS9P!^%>TTv{Y=6d$fyaV_amkVYM~qDlB1Ed
zCpwOwja(^+<*DXREU{rGzg031=5RAB{$9w%W_!~E3?>}h+LyiI5`ep!pgb>T<Fe5@
z>fF(NE@7$r%Nw`K)3~!3-s5Lm*35D*3Ehh~l%lbX!Qi;4pHOn=ntfgNbmFZ)54ZOI
zD6F5EF>heRo$U#=Kyo<?!IK*)t&5kH=Ura3F=m;yS}JtY5FXXZeD%YgOM&!jt||gw
z_W>qaGlr1P_F408G@v7V1>H_+wuibm>+n^^&b>j$PKF=_PV$YtQjF;3r04!WnMMo8
z-(C@Qam(fS+SqP6!18DlPOf4<0WFJn<$ZK<+_)*Hb<Wgt9ZTTACN3`5?d8al?WDg_
zj!U!@6cN^5Iugo<?bgyw>}Jc}{q^G9K~$D|QD{AG$$|!hH>tSL=Cnvdm;f`@%d@ZP
zu?+#jy6}dk3BJ!faw8wEi2DeJ%o2UQInJ|tFyy2|iGWCu@O03`G0a`4c?1?=GOyn~
zUejm-mc8TsF}y-l=7U0W7A$2zXU+RhSMO50t>&d02S8c9&f_M`O??I27)5zOaskd5
z&R^U*iSzV95nkqzs4NmFc7}G9c{Sb}?>I<*A4ehhVmbnV<CF)fjL9B;UO{k%scDh$
z3Z^hXUUTn~-OiV^gmb^rFbn;&eLa!LMMHu}PBwy@#V6JA2`_y0JUhzhH=A3G*X{9|
zj9d4g+b^!_cMmo0535Z6*BT8pFtjj4+_=eprOPZ5%t{NvV;i@;Je>x&1vnWa?t|4M
z1nQ=~`gfrM(ti2wrx^U}c8g<@XzQW29C8nd7=bZi>&Y666E@NN^W9}9j56e2;&RGi
zcgfpLLuL=N{dtmM;e%e=G7uGZH-7BGy<G%%ecs!tVr0KkST0&@G_O3(NfxY0P36LK
zl4YTG-`C$-lv<j9tw5Vd;3N|dK^DU$gVLu@=<1Zb@LBvu{r*j7w0<mJnV*VVcbeOO
zlF3}VuoKf*-Qz}<!V}wau{5LJ^E!3vCRhJF{ONx-Z1+sR|D17{SK+FZR6I&7FtM%&
zh_318t)h3DlMTSPFda`}u{GY5>Fn<cIe9tGtSNr2Fns!FJ1ops@hG9Dm4)%{f%rtM
z`8P0FgepHoF18Zj{h5rQWjx^UK7a2U8fzPiNZZF??a{~A{)N!Uv8h^j{cAS(CVznd
zw#4TTGlSu*fgyO|Kud47$zE1HhZW$zewBxo8R-pdhdvAsb^)-W&t*-G^6vTtH5s()
z?SCtup=@RH_?k{)iSb%fYGK2HSUdqNiBEr=TWv`no0?(h*M>a+r<SAH<r6BDJ70c&
zOl^Y0J3LH$Aj)`1eZJX)U08~!)2!*>FxKAnBf+I$3$6QVr@kq1tNhS2_TlTD%G8>s
zdtq47i|%Kzl*$v$kv~eFp>I!_PMLi<6!eTer(oFHIP_EPTj`8V4x7dF|HsmG$5Z`(
z|M#`GYj3WRghGW-Tq`$}y^@uXS(z#0$}E+uC>mB8uD#00Rw$t)du4Cg+wa`Z_xE2O
zz3=<|8fTy9Ij5DY^v_#_g%7h=)_ov(&SCX;<*#<~g5sC5MI#D(m&!xR9uqFS-LmDo
zXaZ_}IM=QXY2WEEyEU&AwBi}CDnb!<`Xcwe*7~WY&=<u0(te}aQxq6gsnMo>!9#B@
z)zzn&JLEl$!8FPz8v5qfIr&mHtX^WsfWZShk<asvA1HdioV><)4_hzJq^_(M;Z|g_
zKZ5!zXSgL-Oh^&z5~^jh&6({nW^ymrZbw+~4-EhhT;%ohpC5BwB$|SiQ=Mi-oZ-UZ
z*_S^qZRY5c+Z&Ka30bI)JuR7wI)-81HT6q)2i;8Id*xYVx2?LrZ<oA(eOm*Kv!qe4
z*nJ->xcm9WTyVFdV#(Ag441vKW`xkGE}<FPbK7bOA%ba`U<*HwhRa@mt9Mu1)%4V;
z-_X@$9_FV#XDG<_Qf#XGs3?E2OLaXqx4+k7ZA1oVWl|b_j=6HM>*5Eh@-=cw*%Yt}
zs4p*9zm%EHuny1skkuDkppI(ROE42?&pDMjp88g`;RC{BWns>DSqWMGteTBgUaFv;
z+RiYSWTu@J4ARJ7%F-lwP5oPn$|Qg2QoHQ<Zb$UoXb5%-HB(6^+{A7sz^+BvOrgOS
zopCoG<#ByZlECQiyr&F=?5-0gre#Wdl0MbQM!tEwF94bTQac(w8%F`E#C1zaY{E-^
zeELAC)Jh;ZXX3!pO~sA_(}~6-9`BYULC#+6vb8RVIGt;H?-lcJ>JYv`m)|!)MMq#7
zJGAkFjQk<Kt$w=tWz^^p?B{1@0^Q&9^@+;fmfwS`{4>#H1lNI`NXCM~PB?-))vmLg
z(l^$Zqfei^9xd-jbCQ13?+}Ktr>TiX2yF`MA3c8gnL7WI{8<SCbl)CS9z^)=atQkF
zcv<`XEd4d(d<rypj4jtmEzWzsAxS@+k6!F@i=`}h^UlpKZmoA{lZuZD5Z2;P-OZX5
zyn9+h%Ko<kOAqoM&=+)>?d|OrP{6ygOz(P`R=rJ>H;Q<iv-a_M2DQb~8r>&9C}pM1
z1PqFwy#%Dh>Cdjn$8NK*S8G8-Ls8Mg)rVEJI1PN@S&i%jPgnSABuhhFTY39LNyH;c
z=PZp-AhP#8bcCgYz18;8aE9!xzVKd;jnGS{YX2N;{~CDw&Mjd3%f?ucQ9mWk{a9HF
zs|w~WjDH^4*{kD_g%0pE>|_a1&7;H=u$c**qY<9JkyY~;6tmZYJ+zi(>%A4ml;&#z
zDr0Rxsb_3;UC4_<ICyaH5qv{0Q)XP8Lb#o(966GV+1mo~MGR&8W$I}`dtfp%g;Gc(
zI%3in7MFNFCmbIC=b}NMGc(Xzg%p$qT<j8T=UV@Qy!TRKA7m5}%gLT}BW}du0<QbT
z-mOtI+dW1hta<~V;kRi!c&?|p{i{&-V{|S|(fQ4B@5YB&dyDANsdo}&gqZ<4EaLy`
zxR)(c!Obmk2J^GFyG(?Hye?Cd(qh@MDYJ;sO=btLmfj#E>lpF}?DcWq<JI1)xdtb`
zii<xu5nXuYxF(aCz|)mVQHRU+7ePLGJ^#KdVt2OoASA@?X92xV{qm?yaK3@sxI@O5
zQqRFiH-fNaKaz2JbgH;lh_>a!1cS$4uTnoV8s#8cZLz1fs0{Mnj_Xr4`@)eTD!W;H
z{%1QFM~mtke~63axl^J!4X!e&SIicNDw^HpxQAY#$LB<<7nzt&XC2_$t!9qmJ%UZT
z98~!k^pKMR6K=@v4Dob|Kuq-;3-W`?u=q&yxcxY)vT|Co`@m6^hER+S(U*U7;d@;K
zs72oGCC{D+;^WWbvhCaU3plvI&caG&do=?_t(w7N%0JS3m1?s;m;<NlBNBB9JzOTO
z)TpB0gVug#pV_KDrXE**_a>{an@ox|lPDUh)at{DmzAvCK{mP>l~r#Sm{jCP_Y3!X
zphW3Y*`fz`l_MDB?sBMxUxK%I%l>m&sxsGgrK!_V6q@`!;v@2oNX`l&QQY+=!*O@&
z>7UsJD)YW+Pl+&u)w%kELH#+)dEw^yx*$TFKPy=lEq&h<TYJsfPIK844m1aIH&cVr
z)f>4ZQNnQDW=u7D5B75Q7u(f*xb0Kly>mM($VR1c9bOrF=<iurLD?W^Fc-I~?b(gF
z=KNQ6t#XI`9=ehtY&vpTH0n>dv(!cVw=W!dZt_QVG+bf6nn?`jx;XHyP;pgz-^SI#
z8abK%&P`^)8=2M)Xt-1MYwB=Q(7?T0VbtN}aSS<duAYbHx1z*YfgjkCdZxqJm^*KG
z=lLP5xuITri@VxmL(H70+;ahZPY;FNyRN8IPRma3G0KiOMXB6^odfLy$r7(KB*H8K
zBVv-qCR*TImh|t>bj-Hz2Q`!E<S_~kr@m=lOU=$seSME05HVN5dz1geB*vSlJZ*iV
zMv;liQt|!^Is&az0zWuSdQv&>+@iN8HVi7mF$NCrR{}HWl>(^Vk{9AWRHZ#2=;WCC
z@T+dMTS^9w$ZbjqM-!Q-PGLXY&)Ul_aiK;vN4y{|_)8ud&(k8)!@;+4m4YMc3trV9
znEyN`vx@m(v7g7FOD)bJDHVd7mmG+8OFThSZoBLCPGdQA+5UX=#z5wXGmm$~?ni4g
zfrm%lAmgAg4$AybJCeZ)*S?}+TBZzB)EYHkg-sL6-?>%l5}0XgzO|=|G+sqyAD}S-
zsjrvV)W#IkCC5dgiG-t3gzQNS$0l>1#bDof-EWQCd#Ma3B9MrG*GMn>v5yUY&!`nm
zCRP!<oo<jWqJ<`75HHcMXuiqWIJI1n!K_(dQ9qZ6AFD-sv%VpQUt{>~b=M<xDz@SS
z&wDb$eW#VLD2bMQ5Mi?qG>2Gc9S`}>Er!)aL~ed3<Lpz5?hcfj$ncoP{JVKRT6jED
z%Z$3^`!#`0x9SgZe;zyQBPR<<<aUZ2qZIl{igtyI^W}+?Wfp7^NYytnv7s+Nbh&@+
z)-SMWHk<hnM9c)P9ee6G@Nzpt^@_?1NM1IAuXx&n0i%=(rgNiH_+F$y8&~q0ehu@g
zdRuojc|kgZ^O1E|D*^BFALw;-L5(f#nWz_b)S4z;>PFsHO|NBUm;Nx3mLUfYTG7GG
zq~JF+Rg10jZ@2Lit<)?L2;cYR;({9i-(|%pri!Uiq&-|RqyEB%&%E&8+AFhm)i{D#
zkzb})hV><EqAF7;g=^2#z1T#3n8hEJH|wVySW4Xq(Ksl)IB|9MU{Z${@n6Yvw;ORl
zzWpq%b|-Eqy!jzDcw&6`1@RnXZedUg%AGD{6LrL}3)NrV205}Se=)fG85<ZOh5OUg
z(S}Gg1{sCIco?hmD(RK}3Lwz$a!6`W2-g-(bR`E05h8cH2%2Wp>`Q5x01!ao2VwLI
zncwj@a8_*v0<9|QG_t$AA^Z_aoG>xwj@Pr??E0#2>p@0`qskgG-hnc-SZ;$&`(D%B
zQ%r;tW*Eb?JQpuZOzSO70fvI^54b8G3Mz_A<Qba<#IcIZlml6or9ujxdxBx_+-xZD
zB^>fthOK;!%Z)S|X=rc(QeD)_hR_0L0_d<ja;;BB65;N*<n4Zc@fbHnu|{VXbTZ*j
z`;kW&Tv3rQuncPUg!xI58W^9;w(6%%{jdWRakR!LR(Q7zi2Rn_-5{gkiid`I_xirl
zXkbJy+tyu!r|zAc8TV0ym$sseP^{E&mphjlxC}pRXH?TT{Tn<ntH_f|$stUjJ)UpR
zPE^MCjPK<Xou|Z6fMJ_->pKPB*q2#>+TRo9aH3gTo$pEoMD^+Mf2zr~E_|2ben@0$
zzG6}uI&LVhWcPbGR{*lPVq`pw9Vm%Gkc+|QI~R~@(6DD$N2i$wBOee}OP7$J*NGor
zTKm77;F#Bj%aD9yM0F_r_K7vUG&0@pYH5f}`<uOvpw1koQ{uBZwtpkN!U|0mPut}>
zxVuv2PHt_~g(ApuVB(vv;hB))-kOpylsVXT+?@Kl{hq;G8lyh++OoMFej}etQicoO
zR(28I?7El<)M|ohcdaNnEs2Q}JfAeXqv`JzYPkmgUYPzAYGqlo@0Gs(Jdan5;j$`Q
zMD14Vs|X#N<JK0(YxW+KDfqs=fUMkEz`diu{40~ZZYYjz8w#L*4O^U(B-c}IItG!q
z|MdlMFq$Z+EyolaZvQ%7of0MBBNTkTepzF^w_JUS9T=o`3}QC5Z55J)xJyFIhG9PH
z=2di~?a}Yt)FL0CV-02T@7xSDDLE5BAjn2tQMF*|etb<AVU5#+R8cS3sRpxA;Xv3n
z(^m*@ozUJu;3v8dC<;nDyp{%vk0hIPq4Zm(E?$MNbkrz<!NV8DboT8?IfmIUwuHnH
zT=(D>)KDH`kiC#TV|m1Ys0`p@vWTA-Agbx@!L7Xfs($L;+24%%hn`B(gSEaruZYYi
z(~0EvSH5^8ZGkR4yrR;)1xz{XU!$~+SZ&+U->wyhziH_Y{k;ymkCJze1`<_q2}CB0
z>&33gqBPsa7m;*?+daJqA$6=klx@UH%18Z#hCIb^8?92OIr>1ai~2sWHTqM-GS6#y
z4h&0+#5szQ>}(Kc-Y4)E<;`}LrQNCne*GDUluY(fi97~Ahs~EJgAke+Ai*?lp4`y`
zpXv{kn1@H_cccPo#IcVL@`C9Lj?=$tuV79*+2?4K(4ny1dP<b7(wb38qhqv~TSC{Q
z^m($W!@*g*-(coBpQq0$>k&YaR%nSTC|pz*J8Nk(y-+imxM7(fW*X%e%cfSg{BYi_
zw?dLapm&Lt3Zq6wD7!K@N=JCj23-_lz0$L?`Wn#pdj9Q~Ee>r%yfq-*uP6DL)HoP;
z6TuOf1mUb%M50rjHvclh%Ej!CYzOu;O0J`6=S712`4!CWI&W?k4@Eq4P=g&GYo#qT
zNxl}jyxK~oM3n~TA6i~g3)5yQ+~4zK^q_V2-DH{BPUwt3aA}$Ac)ughi%Z@ml^Hs4
zpAth*1TMhrj0FCoqVKU*oDyMBSM6qX7qu~KmKl6bL>s3Ka@>UzuRZbL!)cOzL%P$`
z^<JrmQ)}ecW<nRRR6FQJo_3A5<o!k*8on9@+eVdAU|Ex6$VLM;mz1u={?Ay46n?xb
z@ekl8IyZqE7W>G83$250q-vtQ<G1E8MuQIv&_Oh(0^yqQxCwTAt8;P9l;At}FpgBd
z<BUj=FMr=3WG#ap+6z_vVRd&|s?3*_%A{9so6mG+NPjSQnqiUJOaRfJ!9*<dg1AeT
z9WVy?YLu?TamugnkC^9s)t7(n5Q(kMr4V{A`RT!1SRosa-@k2(MUJ0jgyz#`{pW7(
z8}0-m&88cQoVC6sjkAOA(Ggn%&NBDnL<XfbANP9viRAwTr?&FM2w7PL6#^=h<#@qg
z$M-zg>c<){Iq*ZS_q!_dGA1=mN;gMe`LAl^ox1yo0k>=vu}i&>?PcbNV6T8=_-9B-
z$R8`9A(M?Mz=nPxmRaQ2m+uL;(pyCd`}?eZkR905T8;;SkK|N*yY{edv@gE(dKgDC
z7%PKyHP1r?k&_z%%-?Idfti?M*E#K@Z?Uy4MYj7n+YS3f3$Mw>9rc8D-Znb#^C}<o
z`t^nD=S}gAO$}_=p~v<2cxuxsdN~}_H_kqdF7EO5{2DS-{emcew#we&pzZ#q)e}=c
z#IT~fye0%V?AvwdRXe8&?$EzJBRmT9F{8p>i<01%DcPk9+)oNSCTCAm2oZDszK4#*
zwiCXg=l&<)W9SHH{Hh{{6QC9M$wWWbW9aul2|cC@+LlQHsY*GUqjR4Oc``1Vi`N^j
zI(7;E1c8L?X;b1NPR<I0^gCdo;vj!0DLs-BO?l_*5rzw<N$-pIj2Bp#N!Ki1OgER)
zEdiUFfvH7=(l^U#OtQp|Co^YSrOy;6sSvx8g#)BKi==zb<EB|iC)qf8@(m(3r-UIR
zoGFhdZ|*m;yiJh=hCpgG(UJVu`=6!4yXm{2gH$7g2iMC=KBzoO+%VVCh`Rv1i2nyF
z{dKe;{xhTn^iN2a2=Ne9%e~U~HMd?wmJ2_Z3X4&nC5N2Z%_GZbipNVN`!jXZU2O@G
zz28tEd{oaFuLa?aMe)5&2q0l60h5@)!g-Go7uV^A@y^w_79bVYw4#^TbY{`Q+9ER5
zaTAM(<!AL>;rtVtA~PH3u5&7#Oze`N8?xd8A@fIGawnykLK$+CW19Mx*C#3>wuQT;
z=)d{@P!lOBxlAP(O%~TO(8{&$ke)Aq7{~iPr$gZ)Dr{^nc0CK>MZ8_)kQiM{Ej62D
z#;b*AF5Rf_-gTNQqE2u2_R^3O-W7FdQm1*8^aornz_bCqR&?G&Fz%cbc!?ie>)Ixz
z)WQ^jOOi(%<k`1HJU-0!x$Lt@Y9CnA>O9Fg!)&IT->}r-G<{1VC-&F#WlcX;B)Rh2
zwZ}bmeen;IP^?)6t8Exn{OA4rNEF5y6i+r)%O9KTRl7~PdSB<3hg}>${<)krl9Wrq
zSG=5>AIX1VC#3pAyPg^?GJgC$%)kE6`4@+)pCes;)f-t~Zj3I3y=5aXix*c{oZtT4
z`>C5s?HQQ==b+Xi^z5n5*^y*{$dHtkBYOyvA&lIA4v6h-6?O<Z(=R-EOfnlae=Ri1
zbozvSd4r<U-VxhF?D=fwx=j0hqAp_E2Sty7-<jt(;lz|bkxojHN`uziK1EG|`wH|E
zIkJ(Zi==tjY~3;jI|gdYZqWVyr3}zc(rB=ifN5UxV>A9!Ke+t3h7O=?lib%ULJ0AI
zNXTM9ll9RPbOxozFQy=3wyawCy{g%7!8R@!d7?U=Ly>qH)$_Bd(O|&Dr^8qbak#Ro
z{koHn2LB$=jZZRpDJ-Lez^Nn`Lab+;FM-5VEIvH&dEmXXzX>J?fHH2aVrU6!C>p})
zE{vh{C^fQ+tJ)D&?9IDKgZ&E)sWG9K&m%3?SybCY;(`+ORZxOx6Zs%6K<aSSv|q-m
z65yv|US8s;6+q85U)V(VFcyFIF%!0~XGS*G3wA_X5V7LnNO;|z=K_t~j38#X641GG
zROvMzp_RMWTg6rNtvgjKX=`ni5hBtJ%qq61o)*zAp~g|Oyl!=bRWa59ahm2t%h<Tv
zOG=G?b)Zo&*L?ix1OsLdNjrKpZqMB~PqnONB1EbCM>6Qp@<IxU1}K2xesGg~It*4@
z1>$HhJmmKH@G9(B+1oulaj-7}77d2mH^OYKqP@l-Q*Pp*H?t<wC{+g+96@m4nO$<K
zqsV>Bfbd>Z&zbkAGzvgv@X16#2=6PO3j?=$_n$GXEmUoFO4dQr5mmNv<u}RV(9p9n
zxJ~mqvQ>|qk%+lTj%&R5VXq?@fY9TY_v1U4S`w_|&s{)RYhD>^At@aTQJ{4Dn`-DY
zMdm%M+q!Q{j~5hD;z)}g`fRxWPdksijP0pY05Im>=YObg9fQ|tu$Zg$jA>{%-5vj;
zx*D0T4LzmO`|Nnx`->OXhO(%ehm0OqDL{gyEAM04<)JNlMf@))lbklYet74_KdW_>
zQ{K>+HINOJP>1p5ZWbN=>P8uD{syrNejzh^(SMq(R^gK3fPTURve<ZS+XH3*+Ff!o
zMb1J?e-*SBvZk?x!Y+NxIl%cLpGy0iX|aFd-qRSO^G*c;v37BqGWVO%Dk3}o=7Nl-
z23}C$XFOo*IeDJfOiFt{r+6)n1{t}?r<x+H<={57&0M6YecH-}&sQ86)chsWMp-LS
zohmcy^PU$U=3!!UyTm`@m@i*j5gqoxWdX(y+)o@_G%PaJ8%7y>%K!)B!1WnzdZ}?~
z<wqY2u<eBgvzenv8k#dio!JJT?l;;L52qOxJg{Pyy0Uunk|;w_f6_5<*KPyQeKHlr
zFe4rzRPT&X6+5ms^_PlvkfU(CC-h)CNaUHDq}fTeSm48lPW`iSzbDoz<tra00}e0-
zCLI3#!9}X>J|LZ&W@;hA;F;Phbg}E*j{d98rSAF5KJ?gM(84f{;j(?51$=33stGL6
zTdFAT7S$Rb54u;j{;1~RKaT+>95~TRj+~o`dYua5IFb!YCn35)b-hMv`PvkeS65m|
zOJZ4N?V#Qnq5El?D~UGTrz^;x_{<EX>ev^s(e$$~{`7S@9`LS_#v_&9CWyUhDx(Uu
zy$7X5=(VGtV9f;I=}1OHDh>=R$=*T@G<BiF6ryiGJR4_K&qsEn`*G&+?Emd87VsSQ
z)`OqpLfg3fgklYlg2Z=j%y)<fIB(67AR~ILh&XZ~`ZWP@f&nQ1TGhyVbQPDzI$VxI
zIcx3Ik!-*FHMs&XJqT*Ake=V|L{%gSn(=LQblQzVJWqKM@+^F65C0jVo-kDg0tc=z
z3az#5ox;B#bPc4$itX&#BzWTqCVV+>N=0b_l8M|Zbfl<0S^M16?-V+(p<&8%Yf7y?
zw3>-|DtO^i#IfKMh-Op0CYLQu$yT$6u(_7+{*{-+<NK!(_H+mZa>|c<&se|vK8$)%
zFoMsHn5mc)+_B&L6kH>hVyjI*k(=V`o5EXVH~%3qjjqF?kHCT|H}7^Ijv4ke2p@4I
zn7PoA4tC0LPSX%&T<|jSrlVEeEfu@pcRz8^jCxzpt`uhVJw->1ucYY?g)D@4c@hu|
z=it|>n=)OWOsB3+!X0Km(jX(0TnWUIBXse9^JEkPN_oAcvz5PI8Gz`>YOjaC;AKVW
zYz^Doef1>sO<SdlzDK2zKox=Mp<`W01P+u0MpZ`=i>1W<T{OS<sOGY{X9v;EH@#?F
z&ppSG!#ii6m!*u3Luip2iMjOQV7hAGtiw+WS2*Z+i32kzulj95RSS9Y3_6k`SlWug
zw#iiOCFi#f#`2$;9a}ODg*WgMHHPx`)wv&!kmK1I%=Y7pa>xj;Xt2Mo9u>p#6!D&+
zx?8qsFJGR$%rzY>sMA_Mr!rSvq5evkMoHn!YZR?2f~&9X5<1o1@UwYR8Ge_sB!%S}
zSgx}m+C>M{7}v@5o_(AY`QVvTth577@a_Pm=RGJv_ddHU{?;@#+NU1_+KW|C1BHJA
z5%D{>J}F0wP6qN9-W6j|VzTSIR+wv${#Ub-0Wn_v$zk2Sf2lnu@`gggG$eij^J7Rw
zU%i|dS@&Zwr*$-GLN-p+e{{g#PN<=kAWHr_ux`Jo^aY(1V*J~5p@qh*Alh9gNkakj
z%M-$)c(1G>k_I;44V!b^%C?PXAG1fe-xRE__!2gTj^WQ@5~fISacEXWGCdy7#wEBQ
zL#|JGg;2OVUT3vX<N5s;J&f2M&|?>c+D0v@1pH&)J5_&>aR$<oziTMqeXStWNHuaq
z^9U!>!k4up>i3D~HS|f*|Jopf<zbo+iIyHFXP&wh<Z9(4s8cPN#iVp4i|OYHDK*9K
zbH~d7!2RB_>eV~9xB(%96E82SkP+6d%rP<}37Ap!d)cdJ%%dOoQ?|{{6TCPZpHuH8
zVjF`)UMy;UiF0E{ir5z|d@}=kJuhwgT<ofDbI^=N#LoG%pb|!}J0-~_NN=cCq}JbE
z|8thfpT%GCU_DR<ec{`b;mj?go%;ypu4C(g<vQq0Uhlh{XIdR>G>|8PDi09+lg1&P
z%|3g_of6&{-^xYvdbEnn*s_x8-7D8`QDSN9Cm$9nI`N;F%Bq7>fSFrQ84aUM13qJi
zugZvS+B(TPga!MhRba32YA_?Z3jXUl-%RmZICwYErqdbU*Q2pLLLy9m9@k<iMBbF!
zDYZW*JqX$RQLUHp#=(MZ$B~w+#V{FJZtzDyMgtaw__ORzGNWjo1`4B--ReZlEF7Z8
zBGo66<>#IEFGWhuow@ceM-;ix`DoAv!3tj;4m^$s^D>ji_kPmsVs5Z#J>~bcgyHOo
zh5-)59!%H4;6>`GYf|NAc$g6Tkktdf*IP<&_obSx|LRF2YXPF_?$Xt-CmEFJm_L>u
z@()M0KUq9`h5jsJFKW_ufLjT?UH##P-{So^00a~=lT$)So^C;{l5%3v!DWFDoxWUr
zXE#lEd|g+fh?nqLcbV5VvOA!X^>z=I3W51x>Vz*l#qd+X0^o$kp@Y@heV$|Vs5-?&
z5xw-tKPNF(`|VjnPdB9!9iFEvSMM%;x`#uie<VP4i!a}4*1^V`sng<50Q&rE{Hq`$
zabccWHR|+}+(dsPuDGhNAj&O<$f@Jj9;ja46*{-zfcR9d%!`g7c$SE79o$4UCZTdg
zT%F&g*LS@?_;cYiTOO$)hEGU0l6sjxY5*+Md7nElf9I95T@J3gZ$Fd-1OWMH2z?Nt
z`k=sYpG6N@DIlKaaE{YHk37M=9Y(MYSBD)Sr3f(QUp~A)_a2y%69$NmpIlvdkDzcB
zi@Kn1v2uVpKx*+K*$4O`kREU8VDw%6H}s@s)%sH!1pD`r2oX%JD}e-S`ke9XK}rnN
zR0CKKS`8ZR|BM^BY=6XV;RJHwIRd|HF>B2)&FUM!J4S{WLaL>5Hcm0V>b9rz7zS}T
z`5%%Wv9}WvJsY0&G5H5H$yiwk`QHo27rw4X-e^>%{;x8=<$lSIs1;b$q;JBB!W6P*
zYp=@l@YNWDhj8MMu`2K<0J7-i8h})A8I!S>0i2)k-;dWMS_@;#cSO68@sI^v-;)$_
z5#&O@4cI3b$9rB|&xjHTGHp@PC3OFLF5@#KqQ#P*y!m<iZOeG9%wXpCdK4m|2QvV;
zwqyO{1gMV}Bt85hhop(gJ%3VjSp{Hx|8xNn-1UvTYmS8lp9uyUA-`uzpq4!&kL*J5
z84Q9r;WBp|pWQ?t9Ga6kB|wM$C4P|t(PiDOGWb<>3ts=#RYc}DmFNa2bZakH5u}cU
zu?X{<#KT1hg3AMW;-%LO>JuMb_d#`QP+(j^9~0guP4U+z{C8U+#!35y3A6Qgy<Ywq
z&Jnl}gNQl&huOmzs1A?bDy&g_GQ>lPV23o;o1!CZul=H5Y6O|9S{Z>_5k<n9zSyEj
zlPfUJ$IL=Ar7QE!Iou3^GM1TQ92Ftex|{va5yO2+(gV7*=Al79O+CGRHhdTELq%mU
zEONZ*2kY5|#g-*~gZruoQmA}k?OReYSM)W-yKq-7@eG(#5JsALQU5d}k3gp~hrqlq
zuos2vv!qTE2flKWxEoBk&jV#C%Q-#Pji6+an2TH?pLN%WnaX!XK3$w^G5-s+2qrE@
zMzwo15axvFuAz{as9EMaPX?r)0rl>{L5yo7WbLu%kP91ifJT*mdu3lvudKfBg{K$=
z=Kf0=H+m-|Q0|aC1>OTl+2^y%t8Ymh@W;apFPk+GHH#$7+7>X%kP0IaK8R@3s|}s8
zSi|&6ilA_U($7%i(2w)8ef0-3(#1HdI^Rt3kbR()bo41d{Qp`4d2={Iq2R;yFYrz!
ziO0@AGg{XnCQ>V@4j<(?Pm5gvqYuMOhVIdyHv_VeE#)Vw*+T)`Stvcg4MX?Dg2E5O
zQs8Ch3P3Ga{J6qy!@eJkkeB75cSdHQ&EU)8Z9veb_^*ryaDM^2e(T{4Di~j1O#hxq
zffGcp%5SKQ(faW0_VeCe1Mksun$*Xt#ZWk^lNZ@hx?{!s3jb|f@cGz$oS3zY6RB6@
z{5S;1tUDrq015m>F(UY%PT(gLW&bk3GEiW)m!rsV&o?XzA}Po;kL*BMgK*PqTr%VN
zpSY7(0JL7a1`{u;UdFU1Q=f+Yf^Ja%+9jmGU3dzGQ(b#Zje82eeVH_@m`^gWYYV({
z4{%ogbEU%9^+*G!-o4!+_h(yg&@w3{!ku$#TP7S3{`D$!iwTmU#oxebK^KhXrze9E
z<SRg6Q%L!pnV??>bpEj0xN-mUD1?wgMpUc5PE`29cwWiNQth$|s}c$)4*X9^gS}%K
ziUrjN6<4DrgyNhp(kg%htv$W?pL9^swO=L8Z@{ZZ5@Xn0l39*$K@WfxZ?hd*1lL?1
zOKAlgL}W|ycE-$vU6jgq=k!%J#JV5o!>Iwbr1s$I&>oDOL+oYKcitpySe)AI{)vWJ
zb3Rz)*K#1J9vi9VKECH%(2*n2bYK1K&^!O*uol_sQ&aqRSk@=w3Z$5!1xQ)Dbk@!r
zpAvsD#`B!|Fv^b$<oCbI?<LF<`lE5p?RUJ%$xvX@70xoh13ZLrJ894mcel<I-yI);
z?JQHE)mpS}P@eA%fw;`PNJLE3pPgK53BoXpYS9OzqLwrXz`C$2-#Ag;%clN#t`vSh
zV&oi(jr;GA5ajJoGkg~GW6AV-6@r%-q{rH$H(656VHwEUyOG&A8IVAhDl{@^{P@ug
zb2Rc+8CWUxXGcv>He6bo%=^gH7Itz1zqLKgtTpCDA%CxJP&0^5+W#BuV}U|gb(2yZ
z+V(n(j5C~0Wi0CNsw?SqxVR&J2q8#9?L6~wXUBNcBaaa=HPWxg&T~Yuk<P~i&S#_Q
zy{XMB%L#Rt>JL61VTr%_c~Q6!;PpoBb!vw1lkkYQi^-rx3nfP10C^%53-Y)u;0;}P
z>^b}Y&ZZ4kZ@T}F>v(}kyz$#gL=0pRV8AhgF2H=2LyiD5U;IsZY3Sn2QF~qB#Xu93
zet!1B86N?A_5hYt=StwIo(o`%6wENU4cR^6t*#PjVw`KaLXX0w07_neN#9KHq4=aE
zI`{!p<0U@(HmvKm<v&S*(T5^*yz3zNr+jAI2CXQV1^~6ifO?Yp<91XGX?ZHpgmkio
z)RtXk!rGEtHT?6yydW)Zy3`l^-ENHPF2=^%_?asZ#w%ZCe)HfC`c4M3E3hCW9=eHY
zDVblSty%Enq~<)n^S{FWX$#<Q<H!+vz4w<a&AkV5Qd-4jNK3>c`eU5{6jk1ot>{?_
ze!_!>k#{8;>(R)#YfFjk<@hn@^=p^+>98jObOWyK*MKE)j(733RdFQdxcK^os1BWm
zCD%C=uKGU%L3CFFA9Z0+D`<xjDC9G4z3II1=TB{=)&{Je1t2mWRB<U_FL^;IyOksI
z!WVul9Z*S6<Net<t|I|AJd4Lm;2|&>9yT!vB-yrBl1dp7kNV;x$Dq|uCj2qB)ivT1
zqXGXjltVfdh@qsE-59{J#xBOilshfuwE~$zuh3Dy@OCxjc68*2-Pw01F=&_{d;8;n
zKJj?Hw@3Jq|9|H7^aSnCnEk4x*-P@!mFC?}xE6`j;WG_8kR;-2lhYENr6ZX7>!7gG
z6|*e`5)7d03M0YNf3p4kz+%2#s+Sdi4Knz!+lHCTc7fdCF=B>~0L_Vf>|_i-$j$2e
z4#wOo6>pG!g|l%Y<2~p84)(><fGqL109nEv^Tz`HK079#<k0sR(wq&U3$3uWuk<2r
z{N5Hd3HkVGYUl;@P+x%{Us@>4X09Z)ReGs%cll^#dQ;5@Dq+R+L=)D^Y0;;DtNflF
zFEHNH=fsbLozWqan~(8&p2v)29+#%63H_@rovq%ghv5o&_C4O6ixw<#IOjFJIVpP!
z{|!{FbDQ0k2>|E}K>4c2(CIySyW=P`wCe#vM-h_9p{lOIls`$HJ}rHsz)Pm^5S5od
z4&LxaL?rJQR<gU`ul16-E4&oQ6}bNp5rd)J_>h5eCCUvB|7{c!M-x0AP(EeOsNr4T
zzH5>@)J*VV?F9NHt&<tniTaQ2kY9eBebx&a@-$ihiYtV28~!>_(R3!uxIsUPgOHCO
z=+;Ok+u6U7byNL@j2dfTuTWbMaf&?E*I_r6KD3CxKcv(BC$X3FuE-#`HW=OgDV;Z>
zXS;VE<jk=)R7+v8)*8v7R5QaMmE}v9?UVutuabl$=g(8(sXy`uRWo*Bv~<>W@;`qX
zTUOYpNkha!@BAU3pVX34$Nlna44q*Q$b$Y_8{9$FSx)lJRvDFFTH-GHJH>8W9kC`O
z>;*caJeIm4YIbu7a{(9zBe2V$I{cM+a0izpPxh2Xcz_UQ=bDjv?q7_wBC*NV^(fMk
z3iizcMEOf!8sjWlU#fkz96{m5*3N7Nnb^F{9X1P>O*h#LuhNx6TFic@X2DmWmqE`J
z#m%vv?R%NpRoj|E-pH0->i>58GwT4;T>9f95^;g_*g#>q5aHu?#^d1CXo2?#`;FSV
zsh7r#^*yGcYcgNZr@Ggvz-qlj2C}hm3pA6A4P$eCaHEVymMWsn=dir3U>YvV*(D?k
zC8s=BZ7GnLIuZ<LS{JKubqE2&FwNJIQFS=M4NV0!4vegxxfNoDItk@!JRkwjE;vKU
z&e?4njJBMbC6q)+{Gs^YI@5bR6d!)d+K)WtRqjbe^Aw`+Be!fK2LQdj`zqoyJc_ww
z0&o6Z#5)co5lqu1WYSg{Ca1OkP!u^94rkW%Iw_ID>VXncm_&w+7lA8zl&3rKF{=+c
zws4*^-j_?0HIa}H;IV!1L9L$><5W=0V{fClwg>oYLU<B6VO)0|Wp5V`-!N4y9vvpC
z_ax578D(<g$NQ+HE|U>X_6#yCAJ=RbzG0+hYN>@v!xqA`QEq5|r$1s}Vgf^+Aeju3
zakMG^$p2#ju*kvp4xi>LWDS(e-H#FMI}xFv>SJ9Pk0W~nH9mi+p8pLlr6a`CV(HRq
z&ehsgq)#<PrD(ETUCebKr2t1#bt{MumXYw7d<^%mTDcn$>+`=xM(`eZ9zury>z5j?
zLp#qvy~DD4*9JI28|SgS{mwLeS-MLI3Lfgm;k@6fn6Xf6v-p$MMz9LNfjG&>Y*d^D
z7vt>Dw%50#rV`-e-_i%^4T}J{r2PKZ-4Q3am&~m+Dx_aG5MEc&y=e`3a^dClo1;@u
z2H)NSqs%E@xAd+vB+P=U=no^GxV1!%u(ezR+NhvhntSKwlXu(URLZ%gBe%!3!GQ24
zaiQ+7bbUFCnm#ClS=7y`UL>lA7%>{>-5exAj?X{)`!M~A6gK0vj|6h8$qC#oiMAgA
zrt$Ahw*;=SCrf4`oixEa>tIA1TswD!)$_Y1c(6(pOFIT_T&3GOh97!{57XsokZW)8
z|B<vYcb8D7D^a2ETllZj03i7KTpBqBc|j<y(G}i9o_W0jd22@dAN6H|b^VTQB4d|+
zG3C&|D1+e*2>tPQ^lBy5DChWgRG|qYK8KyefkgF_T>e$=HLVKXp5YweOIYQBCyd>w
z<_bZit{$Al-FnZ9oPFO2GRe|B`~!P)d)Bx27hI3?F@udHn|5Mvxq~u?<TQxNZUs3G
zifn^`wS8$#h&J3$|H9M%t(2^h0WA*6KtgtEq)@FWsN~vO5E(7~fP59|!dMyZ%T=*2
zWm95AL0%Io3|6%l>QJ}ACqlSW>ZU497@x>?3H@9?xF5}FsecJtwY@yCcjlH^SW_#P
zU+bnS=K}->&s9P1`8>x>-}z?r8VmSPxGtAbYC=)RNeaZ+e{y#Hygcqsg!wJpzjIIB
zkrl5690di2@_rDPSgnGWb8+%Az}w9lT`nMG*dkJzt&4t5M;<2v|CHNO<0am_{S2YN
z|Mneif(n49fqo%-HlTwi?9M`#nL>}<2wU6RE<(L|E{&EGCy-+Xt(6#<!?A~a<nW=)
zfghUkK$}#OG^KeJ6EPdN6%nY_k|Z-b_fUppgZo1k&l_snFiH;T|H7pdUkE{T+Ru&t
zbF#|ueG05D1!e*oW8ff%(31$KGX1=6YHW_k7-GSAvI?!09L$!=KFqc0uCs!+v6O<>
z_zzyJyAKZ=wWbPi$|AT2byH7G7*C!nR{NXq_w%b){r1}0h_T=es0`aoUukgRDtOwg
zrY4O+5g5YT-@yC<5#if+EXHG_e<Y*o$LG_ijDfm#SUm&FBk2*=tIL5`Ov3@e&z;Y1
z{e80HycFW#&B+?ZPNN2`cJ{2ETrF2cBIUNuUM8xa&)5;YbBqd8o)@6CX(fgndnmYr
zC5sUHZ^}7-pF2oUu?y3n(y~vfVUXdzDuo>D1WOc&dA3Z>eUD@?#Me!=0M$Ve$BYGJ
zb0yO<o?rEQd~sHk1)tEu#}ET&!u{Z`5YiJ?H+A6-6i|4*B%V95ueH{E7cYFRas!-o
z)0dwqFiu5fG>zxCPz=W=+c|S3k(lJVDc9M&UT8@$Z?LYTyqBYMgy=4e9D8a*!0JZ`
z)piW*LK98~)%JUCgnd91>$v4Q`GlNj!OJSeKE%SbklGQE!-p3N?c@+A*{!q8M0J1m
zw&!Sq`n77N3`)+Y#q_K(kV50`d|k|lyoA%xBdUK4c+qE9c9R;~jtU-yPklLW?^e%j
z@A0WH<zL5D3M9jRIq;8ZxQE0mi0fX44yTLVkH;bV)A>Ti4VrW$cvbMRjZ(`NT_=a+
z&qL5s*5=`_5<)~$Zp{YQ(s<i&$&p7$43sg{Qg~@hL}NI)ty@tzH*!8yb3)ye_6+A{
zC_oU4vM%R_n}0aKJ-a)5TWdX81UdHni;leqEJRn18gtnYLDPq~e_ze(j})A&UhV>g
zC-(NX!Rxu5=9i_SY^?YMy*VCxeR$jr<k$!gRVr7m_57i>e6wAIx+|#gLRA$q6s}xa
zgUpd71d$_|a|W_ouhO>M2(ny9h=X$;`gp$h4r4i}a`wK!9VQpV36CX_wumgBhDkD#
zRlHj0=A@j&hgih;#0^>d>m<ad<rYe7{KT(VhdNq(3wKZ(+k<Q>qy6}53eCz_iXU`*
zz`LAy5XdD)s3u7Vfv{$+yN7Rv6%e+QTd&?Hm@@(;1}|of!QAr8@t?wwU*dbnRgP6A
zDZnf}Y#Z@WD9NE}QNUa$Zdk5UvvtThQjigfzVuO%;kx7MnK4)8)a*fFb0^kKd1Pf%
zZ38Uo1Wn7W5UaxQ;Zsk4w@;GtjAY-@z8Ptx>B#^b$_)~XNd^+$k_m6`)wYmZOMOLD
zujhXi;69Ae&bN_=?#fWIMz;2rUajr*MT|EbX6=a2PP~bHjIP8x-_)7jxXEI5#8?4v
zSow=w>uQlgSP_!!w2=HXqq)+BA*vOzUF?5*oTSTN&}pJ@Fh-?TwPJbfI@ma`wK0^d
z+5$e5G2X$*d52{sa$GrY<2*Ar7-{klA|O4R_iR+Bjl2?nc2H}FD6NH(Jrmx}W9Z$5
z0Rx$%Y^l3i{hO&-(~$>;rvF<-tk=I~s8<n_?2{x|`r}Xpd3gS^ZWpG$cJK3rWsVu5
zoGc1g_g{FyV@}*Oq;cRp)rb<D+_<b3J08aq)E4us3*%DgwG5`t5VI@{D$p8jb3zo>
zE^MJ>CE)%UT1I@nZfGiwC`H^Tgxk&1a``#_jR8$M)t*Lx<){KlK~DlQEQ~gG(Xi3W
z7<MF*$e`-C0>{JvnI59S4m;BeS*(xaI$%H$v~YO)eJ%YiOv()h{>%0(l+ZHi6_lv;
zHLwyMfz22gZT4_M7{Lwez;lh`T^J~L_Fdo`Z#*YIjK)L6MbHO?$^oeRskk8UwsF|$
z$ir}V?Q8FHsFXNpSf4g4USF8AVF(3x19J1}yR!3OeW@UUWe?WOwEp1{tT}_~QS&zz
z;U5kp&byt$l4i`pjm|>Cx4VrFK{6p<%{Hn`%U#T?wXVaHk)%>*0WmQBU`Yy0Bt#nE
zS<nu;ES|}MV&Up2s7jm3+X*)XSLXy(9_(B_=W4FuQaA#PU&&zjxm|c~>&+S)ioMQ7
z04YDU^@_b}NjVYX!vmYc=S;N%4H7_}z|J}f`}w|YKqMj#$V&Zc_2$1?s#;rE>Ma}G
zza<n=T{TZY*y3JZnZE7l3B<vfON@PilsP`OFNS=%zdh8{aUR)tyUw9Boy#j`8v5C4
zm#R^;kFyF|cgTVd^@Rk4ImeIsazE%#JTQU3^RiO%Og3qY4y|3W4|p(Iu#SYcFLzht
z;H?3JVfVf$lf$SwL`81v)x(7=z^>%tM-gE<7<0-W;LuaPdCsuHQjPj(C|J!_RH;vk
zZL-x%f=-yYy?jto%L~;;z-tm;FLqzn-a;*F=WMF^OOO=+fgWoH>-vkmXo>nS);#^b
zZ(ki(Hq(%Zo?UzL{VjG$HHs9(PW$d*Cn=$ge1shxnE^u%<m5`^t~m7VLD7WXFJ)FJ
zr~$Ji7&Q9U`PS6??dO`wYZVz(-`fwi@B5jQzGpTFn~nQ>#7_+%WmcbR>C7HHWx*Ff
zQ`D8UV6Kp|kBB=QF+|@ASi;*!_2ipn;!H^d@p5;jOkerw#0_^HiNx2Vgy(t0?ChPg
zn>HvxzulfX+--YudlRbE28-`*gvE2WV1z-&NmtVR@gp1<Lfo$Gk|u060?1eiNnS&t
z@Ta+hnB1#P!!5@|ej@X33pmx1S`j!x471{3+vs+Ne*^V$Q6;YZXC^a@Kh~U+y8VhM
zF(N~TekT1)V@Eam8*`X=t@G7fGDv0C7DL0I+qOyZTKwXJBTiH_dYt;go~aBf)IEKk
znXx*MtVgi+%SyH9E3`MiM_lT1`dasq2f|R5{J6f&dS?7<Efwm<$MQ%DNFU@FY4cCL
zdbVpoln>01_grWV@A!d2**~hALiki}5;NpnBP)>zGmADVu`$)w-Lji4h(D(fL>uFN
z!i0iTS(KP#rE|IvH^rP&9F+0SokKP_SEr_bLXhnNP#2QrM)WV5;zQA7i#<Zu7^JU^
zF?ZA1tEuXtaNtfO)}6-BWDX`zBVuFVysG+@BX|5x`5E*bg&3hdNOhz?*>`z^$$M!<
z&Pwkj2Zm(P{@bwyxkLk=wAPOiAN*@E4m`WzYiKh$Vl-H=8VWFpZO35>`x}LeCBMc5
z@JDj<k&j%CiHdA!{PJ@s{X>!6DyLmlg(KsB3`~&Ww5)_R@;Vt(7?no8{77n)x>h1%
z{}tnL14IH8G_vaoJNT%lQl#XLM5V2EBn}>tEhmxP-;>Bgk;&+Xzo`@<>Ji?K+UTUj
zd}?!GZ-u4A3PnOU_y^^`z%s_B!<|VOx7lDJcEocZiGY@ZVXnRnZHFX(WdL>le=)9@
z_$e~{{@ah~5_6oE>7`@S;2LyRGOwzhxI&M=a7Fu0AB6bXn_<gCJ%;ShFQnXnQ8@sl
z`0CfWu6}x+AFl(1DFFruqFt<T8d#*(S2glmT#g<;iWNOaMQEX-B$MTVb?*2i^pv*-
z2jjqo0a?a@k$r4e=`dB#jHJl*ra`c++jId8H{@C?0~)Upqz1)~Cls)!GX`NQc>^NR
zP(H`dk^Ot|t<R0HBakaCWFm|F?FYM&v->URf%GIG6ln+v4<5wSQJE=8q@QL5(+m66
ztNt@Hc`hQt7D#Uhk)2666#OU+_Vz={%hTO3b`&oF{=rIs+ag=7><i-S%vpP8MV><m
zeedH3AN?tuPiZEntEE;rOtl@wuH}h%o;!IV^$PNp#rfR+xGy<_c<JuUt8OQ|Tmhai
zI<%nUbLF)$ol$D+$*aK~IL{_tq+d=5jlUW(5^73@7KAYVMkk}nAr!06jnNYxTPos#
z;z$M=^5%^0{OPG`x!^TKi(Z=aq<_GTA!_WCtAogjKj4g7PHpkykM<-DK@)Lz;G4L2
zZrzW`Wh!V#qwUODXu{jf11_oUEfp^h?_QT#ZDJe!w?6yhI|MuP_GvMkaaGZ8I*vct
z9wZ|Oz+HSz&rm*LquutwU6c%+;_cWZ>@i`oiFOQgvy@8z>UOh`*F(QoV`RTCo?0;C
zyP`0^6{Eqku$Bd=!N}XE#|wYi+YUanp-F}`$Zhf4n`Zs^-D#BR0<XHt!lkeYIIC1;
zyIp$baB6s4k%i0Vu-)6eKEXoXllhTHg{8~q>IsSVnbyd@W~}_Q-Db5hioO;H7c+9K
zJip}yO5=1Mqht6Z5(x;}e?;#H2u0c5p%xy$ojW^k1gOuI)vfQB>ZnJXowi!5IUd#y
zEs8Q)>&UQC+jCQ;l0Q5FL5BfaY)lj#Ove0#^Y?hyu&VK$*pQee+NAq9>nwxLv%2Ok
z-LB@+RHL2;j9_Sd1?s+#`H{-O(Xkz<`^!tl6o0OI=B209=7O_KX1@B9Hd{Ngy9(^(
zw&t-(GGqo7k4_^>knzMmAg$VJ(4)82diC+a=Of7IF-h#mt-+C5(T29}$mKEPWtO*2
z5-Sb!bEOsZ-Lv1HV<`^)Rw1<*_+io|NC#AiCg>scCi5QAeyJ5U*7b2mU(>5S`6q4~
zBb}{fP99IMHpVXf2hp-VfnQ7Jqp5x8<!x&>)Au&6*GwC!e?uqn>7M64sWP~&ZwxS6
zg4084J3podm$=J#Ukv4UVaGo~uK8tdEINv&@ffsXLGHMKoF2D5>QC!EoN#7#9puxi
zoX+z-^<bxZHvM4(FPB!cEx%r7X5!wq5Oe*b{&ef(eonbkhwGT2b9*k#sWNx@szU&B
z9CC!AJZ4{p>Fxssgy-&ac4S|6iyuQ5JzD<k3=Nz=r$oXc2)yp2D?Gyd4@5A1lb8Ks
z?~guTY&c{m1kH67DT_t?2SOfZyY`meRWuKO(X*QuvEvD1s{QD7%I+n%JOM^ny>h1y
zW1oi?ed<>*k?Qt8ewtQgovER_?weYT<X%Y?U2fY@w7FHPX%r#7630bk659PthOq@w
z&>F)O>ZQxyh=WUQYO~e#V}nZ#(};8r-M(2Ucee3F13@&sSus)AhQ?d`v>5rPcq$B-
z-oM^FI)UXkrpI~*oSB?s!!Pr@iXPb^m7_-pofU7DEw?$|b%j>@Ss3nqqEEJG(V|A`
zTx_~abuISlaYdnZVHC-kWvUhQ4t=IT9&z2WEaNoEX=yZb;WLO3(Gf-~NiNrY>Q_3{
z+w3y+<dR5nkJr9>wdxQQErABOGvjHWGo)EbtJXm@E`+?2abrHVCc@x&m>v8_7xQa@
zBFMVK>fofzwYQSvSNu3=V@e;rEDFZ^!dKDHe@z8`b^h%a|No`S1;0&mh0wao`yg}L
zzf06Vt{qFnW@hpgPUH~c`W#uZ(Uu2-V|F*HKh#*Oz_?Y7yT1>8%#e)Lnk<iIsnLLz
zq;>^hY*=VcI5wSm6U?vlANubASj@f&*LNg%D1=F~QwD18*yw~O4rAAN_iS#{pn>XS
zejFe%ztl|b97x-n>|F0216)S!r?c0dg0eH34xxhH5WdwPDg^{Xm--5!x5-Pgyi47J
zbDLiAnEA4339V`=eLiV?3{V5|j|IOB1G1E6IiE8}2sOUz?;ZS+0Z7$`d-a3>VVZJJ
z;>NXwO4&!2!_X3+<XkYJt3XvO{dqj@R5B-wj2<CFd;73Ssxe#@cVn(6gaYc=?o<tG
zwl8#_^B!TWbg91V>b?NvFk>K|g51(uuvOla@BNwA1aL@Fvy1U@QZUfrlD9^w@up!g
zZ=d$-YiF@l)@QZ?OiC>rEGu|~^+%O|af;`IB_vxeo3nA$f(-flhAiSa4YoOQIb7N|
z47+8uC|FX{UZ(x0GLc6(+I=|E;mc(dNCWhHpKeObovcB<scLbRK50-?GAwvPIB4_n
zckW{f;BZJCFH(&hJt&{KM>qrvUeMp7p8IO<Sujk{B<1=fzOSl8zBdIFn|XKmLHUv<
zS@qJSM491uj(hxinxt5hm9S97N3DxpAy;;p62@}f8PUw}JA0R?G`7T7(Th*=chMmd
zI`6rq%!CIYHLAH3_fECi-c?*3e=jQ$T;gr@&2fVP;X4ToE|6t5H&J~oxMVn$46Tq(
z7eR`I#V?0HiL?^7(Tl2y-mp{(WSb1Xay?etH6j$b1yTVY=2RodCwYweDB=LYGUFl!
zwLBa7t-f!vB~3fS5c~6S_R$!M{%HB$eK>62MkyLO+u$sPZ|uQxy*8riq{sF^<*Mlb
zjoQeq^m9-Q>9RWYu#XRlltWwro1k&NJn-Iqi2o-g!R@u^9zzNR`=Ms(<#LoLWj%9G
z?MWJ19}REbq#?%WgE--tHB#H@l&fGUhR;?gvEPg`!=o8dG=<htLZM~G1?7ohGfI@g
zYFSjmJ|GUn*%hpTvk2nt_isT^<+`P*xHG)eBuX86xa<Is0e>T6=$~^OD$_lIa#L`k
z$mriOGW6fHw`i7Ku(6`+nWuHQA|eFj${F<R%)_~Tn@(KaAH3SlTkG3azbA)qYcARZ
zf^9CTBpng|{IGp!aQy3|w=-nUwrc~`QU!NV5nWORi*)mXUz;WItG@ZQZ5)|yf>=o%
z{%1av9GBH~V<;0!?tL^LiG3Pa|K%Y~%Z>wKYAO(Ep!}9-PVlA(99j*wqfxtLW5V5?
z;xJQQa~SPLfHJP!mN#ObQH}L{wG0&>nUB*9D{mrJotHjpfTg0#L34~Hq&AH49-%;V
zth=>6z*6?0+<mv*rhm$OrS<a@2INN>D(OpkCsS>sDIS6|^_s47T9Oe$vgs3dZV4Rz
z*th6B&6S+GTj0K`yf_jOjq@Xq!Nj>m&{gLx4AT}QKZTq6(!3Cov4&iGGV70`VSY;%
z0bxUX@pOR>?<$(Qx=<I@nBxQX`<-}SLAbCaqwbB->ZPf7t_MF)|2X`rTg~jOB6kFc
z_`yowg#LH-O+V7YDQSGzLa=1d=Dti#+%c*TBFJKbopj`ep+&tj>u_rO$AgVea_DV~
z?v3<}C27;>vh(~TqG^2_wQh-`X)#3AzlsndBtZfF@X2b08zqf@Rg8m23U*)fz6y2u
zsZ=7mBWD`z>v?#@Jo*)p$w42~Ov2IPz&n2&buh?iIzUtat}iCpMop`7<IwJ_XCb^n
zHB0rT<;dIXg~Tzr*fyEJsia?DiP~Im<vfEU9mIsu#n;cmZ{XPR%b4`d%2Qt$U=3jt
zcM5q+zI;o3W;qY`pg8AnbZX@^|IXb|j~A1hmIB^_*_xl5R_$R01cdJw>GN{li|dy{
z;J3-pxKr)ryYl9>zQ|{m&;1#S<Cm$>^xg^ccXRUvrS?7zHO&$ZA31DNFRc$Wf%%i+
z)JazUgmK0hPhdC0=!4^&{J^uYo^j&v8t<#<$cch8ljmX{iS<_|`(W><bnMI?8){Ua
zt>MdTJ4dppU1_km2SrlvFnf41>F(I#Gh*kO+z16D|MV=``?u-jD=w|c(_<yR;o$4;
zXK?%O{Fw*pwU&yc+k0-Ur!NqgasjD#{D6#hL<kuY$iVGB4Ln1RR(qZ>X+oy5IQ(^%
z@B_16T*iF~Mh;O+SbKTO>e<Bw7yDeh2G<U~W243P@EXwEwgB&&I4TvyW_@*r!!94j
z8mT>H7mZ?26W_RF+q5*3dW*2*68`%;SV2gF&i}q?2;VF_^ZB^+&HZx?7CXvO7=KhZ
zpb7Xp^kKbo+Br<U493h|!l@BsPGIn+@s^iXNQY?dq%UPbfN3BE2u=V9?)k(W7EaEC
zXAXKfT(`IiHnVqNrh3D-TTQ_<U)7kXvQnefXNj6c@MWxkcjeLt2hAPzrF78pJ>FH8
zO4bjhOBxE3XcDdRxTbhMHJ;?JQUzNQ%jy}tZt1`>5zL(l7j90KH3j#DBqbsg62_KW
zXK7XHZEQcZrycoogQt2+mVXfcTQ|bt;C}V5ZWSGjXmUyQod=5H>a*Rj@5(*f^L{~j
z<fdZ98(-yfUJ8^{?5p`duH8TJE~(AnAJq3?gP3n~NlAM5qxMucj;-68M@xl~Kg^4A
z=*<5+Wlhuel6xnV$>%LAlSQ^89N_&^Pq&jH4rxLkd^l_+OQAsJqwZbI^Ei*gX#2@t
z>&c|lD_;<$%|8|fg*=%D`Ec?7SJZb0Qr*4}e~!H=`$-%P36;ne2Mx+f_NF2;BYPcL
zg*Z>8$d1f1vR6bhGLtQPl#!La-s_|1`+NWJhjZ?8kL$kneT^3Eng@ty^>ghGR`Af4
z8ckg5JoM$qw{JG17sd?<2h9%Ro)mI9=S-Q~XIR2-RwT>H%KC-}e6I#<OP613LVuec
zmoQ@8hqEQ4P!FfCr5`;XP=*zA+x=Iw>TwiSp5XL$y8{w_=RdnD=r`|mhrz0^;7^E7
zW24Lohf+(xjh;>t?5V4y6l!a-jv-<-@#C#O9OKFejNFR-fg6I4HaWLC%XV{6m@UFz
zncOV-SU*XU@%0=Z4Z3m(s0^t*)(d=YTA7&sh$Tt<-G3eh)@OCa=MtpAuBD@Hi`?MT
z4%tny*~v8;^o!``X0cEB1XMOVwJ!16Ap2)3$mthTp0LY?a@`zO7GnSF?19+od+yV|
zM;<XjeMjl%Jvu2K$FddnnX?tz%=yo7f(4EUY3{BzaxYo}(s2j<7;IkiKSRmg2+VSk
zyV}B?EC}AP{0&134Np?*n;dV+hC`#+J|nJZ<kGkYR8!;g5DEcH*9R4RAr4%r><VOk
zidX*3C&W$Rd^7)aEUC0pGV|<M)#GmN>d&(TLB+l2{hEH@s6cMnZ*+>hdw<-P7@nxa
zUv!DLu#NTyVozb4Lg>O`Q_r_#-+w**lv<>$H-8poO)Cx9wVVYLZCB3X7zN@QE}<Re
zcV<2+h`a{08uRki&tXlhUbRFxuTs>uXjC0!`doY-Sg);|XqeJp)kmZ8;Ptd$MX^b}
z+^iO923%NP{k1nYC~)|E=swH&&_96TQ4Jlved@encJZmICjsC6xM(ykc-kidC%u~!
z%%U5d^qh$qJ2dsB!+EqL5ZeNQ6w;4+boycHgX_KPCKK2-dQv(KG0;owBz$_TE*{Vj
zF_<bZ(p)A_!;<(vxM7f*is+l%Td+H%eA%#ox&jmoZVp`WEW$X&2B#{J6Ed>wo^;A*
zgRwg72@kmygO7eZSRTC=TKJK#ZVo^IVP0!pG~}7!kih-6?z8pIlQ4o+Xr_G;XNe<^
z)Fm(!N>3K;^i85Hg%2_GvSx_)4Ie@|oMPx?te$6)t+>p09%|?d8#Q6h7~(j1>FHHz
zQ<nUN1cty&!&B~Q=jQ(n-|X<54%Os_pK=_ss6~w|x+f!H=p6L|Rev~6y#NbJb6Psj
zvE1-NPCTvY`2dDV(Yi2)m)pPfzUhqSnXkNE(~38)pC$OgookYz`$Ygfg$g(+d=22D
z;weq-*+Z~qW)`POnt~;;4k39vBS}_o#<0B8;g9|o3$Qi^*!JVanKN`Ue$}g_$Y#lq
zzH6H9QyEd_LqdaK9;GKfx736x`Q!=Ssh$TZ-idnk+6rVU1??!Ja{Wcry^c@swQUgs
z7eG0bia~WE!Uli$GsENqcH@5;9>t}9mx`|fggKIMQS5!L`(xI8$;nqB3E8t1uKCbY
zFO-ajA4N)EX@6(}^_hu!#HFHRn@X`8D1_Qk_MW@Hal;J;ZpCs<d<_fyJh&Hr{+}RC
z*iB$Ls7`eKh#)(V$DKM5;ijx_`Y)i7OBYNr08@l<0g*-3niKF6xAJRwuR?BJP>)Xd
z&#Q6$%QrbvKZXW;=i1pv-H%JGU@={pOUc?R1fbi<QsTB>&RwOj$rY;9d{BG7FFqyp
zM7`V&Ob}LYK{urW!qAH&)px&2ZWge8iA411Ti{JiO^&yo%#>YJXJ~9udPChavii}+
z>zwqr7v{{5jW?9r%!L^}nf-cdv1_>iypYR2gO}5hC0z--Q(4KRJ#wNwaEo+W*tM<H
zZSqDX@AhU9k}WpR<VB8q_A=y|2|YS3^MK!5I`8Nt!eYq+KOuy&%f~npRFGQdXkv|5
z+2XovSbj(Qx)9~ufeUIs{o2e<dmJ#jP1I@1)EjLHmgvB$*L8^SXB_C`IRTmTi9eh#
zJI_gU>0-^ESDK}{%VQ%!=@<!J&2zzavOSRfjidoMtnd4~FaUTINEI*pu3n>_v@bIb
z#BQ9Zdv#<x$v5JhWwc2a=J5|3jyNa|k290L^Vagu%s&{4_GF?|y5t8RIsf3!4vVNb
zKOeL4u<N|Y&WFp0K}RaJL}uZUz!}Jg3b`H7?yvEAqrffZV_b=2Bfl^(92kd|n@0-1
z=BIqR6N8bL6bRKBGcPmt&Vgr)druTP56*N!4w{XZmdEPX{7{O7xfXT^P46n&%MW|a
z1gc?~lTs+W38=qA#r%rz*FS6VWlD)gp;}m99`R^hpR}tai24a<9Mu_QtW4AY#hk#H
zC>L@^y!BF}7?Y3hSznoteG)_`AN$W;pE-({x@J?I{}da4vK`tgmI)AE{jw-C{wYk)
zbgtN`rRdv2RPxV)8!P+Q?=g^%SCJvSF?yas;EFJWKplup)8t<Dzy`l*KhwR#r6m`B
zV~!u7+f%fc;fw<Y{|ZT!He2$bJ?(<{HF|R@vW40=eES1*17U^tp)Nkc_iq=^8~vU+
zR0zW3e>WHIX|30YN?PuqG!&fS+4k9zFjWSUMMUzR@Lo=l=>=3e55XY&_Dd4#DJ?Vp
zl^OTXs2?3~zZrV%$Jwh@<;4d{Ys}Diom~XwHv%kQ!<>L!8L!}q%y+62g?#pMD~e?Y
zC7QX7PP@C3Vx<k{%jOdpkc_LM8y)&RvQLq~i<1LFfz^^X-LLc4oC0Mk{R(R_*ZB2S
z98c7^Wg2`R*U&74;Qy&~ih2%a^<)N7(};@UAL7w=ZQYWX1oBl}+VgP^2KoomH*I~^
zzUYx4rq@83g>dwJNSEw%sw!>S^tm`cuwUu?LP7C^wFdI#HUJX&&R1|_J1qX>6mSd}
zjHU&6ES$lZ-Y+wbyXSppi|6<Fbe_gL#Olj=)^t7;CWJ@5cYGms{R@<(iH-LKelbKf
zH<Pn)E|5z*%eg=kzjPlR7UfKDB#5E71F^z4*T`#71<_@id%4V2ksK_Y6Q4IIkC`L*
z*HaJas|F-Ak}it<fn<H?-ebb)iuwJo2mia?;Td|%GUE&+ndxxZ*PRJAaJdFU+&6tS
z{Say8w)c6yEw)J}_8K$|u&SxiV71Nb>G#59i01E%bw)x`XAZdi^M}Nr_viDojbf<o
z2d(Mx3z!;so8+;RA=q5xRJV5J9Y#2~7S;o*)h<!Ql+=2f{kv+aF<)&%5TOTjM{vFx
zcJ;9WaFXT73m2f2CFg}1ZQTcVvX3F~#)0hLIM)9syr)?YsnxYUTg~_B{VYAcfj^14
z2bx2s+{`CRy|@vya~~j`cQQRo*CsC#a_S&^bj4A7hZ1qm>Z6+D>tf7+#*v@B<j@Jp
zocaZdflufKh!6)(DsrtlKp2aAaaXunvbOF?pkyU&e7N3uRXuZ;4zE{`9u*?0Yvm!*
z<971zyh~+oQrSkaD8t?JYu=o<4id>RoT*i3M<);c*GA`&9tDo=sv*q@pJ4D7pVaL7
zao6*_Nd_5*R_F%KH8;OK{i54948mkl`0^%WhPm^qZUHTnUTLChEHwIz`G`p0ewX&O
zjJd}v;KTLj<8>iaT>B^Xy$(9{Fi7cbRSZQWB=jg};l5dvT&Q_Gz8f+kB$KXh_7qGM
zB@iV@l6cX(PZ2AIuw7+~o2hd^_J=Hpqb4MrA8S&-m^h=fygyUlcEmajz+ba5Rrn<1
zrAXf`(Ro0S=TwA;{cGe7NPdxN8?!4{MX}DgC26JMgVLN!D3(YE&u;z!V=My3!NUgK
zU6{Su9qXBLb-duM=fMOf;!E`d1b@QHe+}NKzoZhKQmJP5rE_qQpughRRpiq)a_|m7
zm$e}qEUuknv%}E#F=tO28p(9ThO53%`FVJ_{pGhxfYScVf(&~txIdOkj&$Kjs(C)?
zK*K;gq-E&c#>nd*9mePt7}T|6c%HA~{;)c#3#mOHzf3?<?L})~K8@b>vLS`u4`e&$
zGmVUJBL+FtvTvc7qu{?pWN!}cJFGu{+XqytaTdL|1c5NGpJ30cuqIrTgdjV%SUy4_
z#9*YkSYSP)fQ`wa9FS^tUIls;e6gTYl(a8AO&qN~^yIlS|5@VBM4ozNvKv5Zx=M}I
zbWLd<@hfr;tRlgNw?6WcoF6BR{)8$C1XlLM9W}ByvihNzM&7A$r~<x2e+br_svGS^
zw(_$55-W;C47_OZ-PNWts!1)5pKW!g+3|Oa1D;wwCYEyc9f3IQ0C@Q>juL(ym@OX8
zif0Flc*$ea=F7~!f}#2p=IDNl7Dgjd-DCaD`g17$uiTy^8m)fL$UR}tkPq<}`gK4f
zSRLnfry5#1c4~0=<`Sh6<*#+eqOir?v$jItzs@-}@UJ=_M=V&fiF}(kB`X&PWYUkT
zgC0+Hg;a42W%6uMJ2OO-xFl(@uWPk}p7={~AU0!{i}Lce9Uu&g57(TI;+MOz<-_wf
zdOKdOZwrt>g;ED?%X^y=xD%*B+oBLCmWAVNnLo#K$O^h)@ikjGKLo^MxxcQB3v_NV
z(BI4XUYA-*{B_(txxCmfQ=S?z_0F&7rS$kMas=-{F|F1z)5F1nKQ&dUzLjOO(-og$
zTR<Fk7UjMUY-J=^k)mo=JTd|`0gi%#P-{M=^`-ZV>gwXn70eatf)#MK<XF8fDN2N@
z?XT-yzZSXoICx?xLQJ8;=70$%bxz?+FOQ}_h1~C3{lpZ)Pu}Miz9mM)IgUO4=DZuX
z2&p~yj>tfyN-=L`<L0*a<FMSJbM<^&^bYsnF&V)>jk8oyy@u5OY)Oi4Z3Q`z^QVY-
z^27{ZC~J&PzOo!M1$hbzr&CS?f3&_zCQ&hr(my(b|C~v5);QD|m#~(H`v(PgbokE9
zpJ<HyGbiJrCa})2^jWy(D09-sHCZ&4C=TVlh0692a)MSVBQs}i%w;#>*TTBpTrTLN
zD{gVI<C-q5%tdKUd6GAU(dZ^r<eF(bNr4k*3R~_HIv~bg$ihX3X8DJsfD<g!QT5Ox
z!Kw!{c|{OAgs|yn6P;Cl_ghJ|cRdTYveu*k_5R&5EQJ3!Cs>hSIYOxjRuUt~)-BRn
z%|I>o(D%8%?+({GmqL3*#3jIEMffQ~(u}5M31{I#UH%=V{+bzi5#4u7tFx+S!mjd3
zWK3P4QH{6z<uSw?8gr$A{EI|Ys@0~`NM<I{6+~VikcRcuT_K&QN>%)L2GLoK(Ac9S
zSauZ9rmlL0HKFa#y`fTp!UsWF+HO(A<2Gq+GQ|5kp|SwMpF1OUol_C1<<2CE2`*&C
z-XYcWkNeG$8B4{G@D6y<<BzUn7{nr~Yj3r+?Z`f~{^rh9jt<`9Lbkqo^et!SECgW>
zUXGJ76r2+3DDt^qw3NTTiXa4h91%fZ^ja)jjwW6i7%^@d6%Pd$gnXGLN|yft13}S=
z__5wOy+#QNXxymaxsrAsFf5hmE)f|ghUw%C1GlDs<)DOq?jVVY2TK5l%^^8xIF-8<
zpWi%A#6YJ++Bh~<X~2f}C(6RnC>)e9iTP(BN-t3OG<p2nc{-B^`8BYw6wpD6<#<L#
zsACkuyf{6>M-Wr1;y$Myn%K?<38sK&2*+b2FaUf&EHm_KjU?&>T~ep#%ltw#dun_*
zcS6pBEGkP03E`q{-QS7klw!-_b_b$_z18J;@GFysq$?k7c2eR~)<D;DtM}uVIPik%
z`@SNiSha!g@IKig(7^?Gh_3~vwAzx5Yav?RYN?B}>@oQVN#YT8eG5-c&jb*pW+MKc
zcbjTOac<QQjnHGb;du@-(fqY28zO{|V@SksF7KlPQk$HKNF?>~bK+M5<Ht&3K4#^m
z?EPr#3>E05K87m=Ck7;(-77Qx&V-i+RYaixfwmz);~(!DlbSn<eG;``r*#sDM~D3q
zR=9AP52uL2rpd)p5TSQYfb7A0`BhmO4>=Wqz2j{szxRmEus@4jPF1-AFjoPXi<cmz
zVQ*WiEq1AFxPlYR5p&kT@Nrv??pv_(``4{HYB6GGk+CFmYI<bU%E>-pO|(riLo1Y?
zyNEtLF&15UOT8#I?fQdRs67^>-<$`PDjcKNuYR#ydpM(b8T2ZZ-t|R!-k;$J;(&-I
zjlijy{?y3O%rGa>NwgC|p6gZ8MjG=N-?oDY43hQdh3ie>%uJR26iXE<T=b)$?K%fz
z3}2q%g*M@wG@7~&8(KL{d|onKH7>#0{+9s_hT?XfIz7^!LUl^m@v)D!K&_fGdR&1(
zTFYt?mDSr_mkxehYV|wc8^&dRbDZNlTzhBocfWZK|78&IqaL+_e<EWN>cq_0Jm2`&
zBpbnRB;P*B7`M47fy&Nj50CWnT@b4Vl>d#9S2+inNvE0=L=kC)Qtrip{oXXIVM|X=
z1?I-|_>`%e%W|`gRsDC{G=D&ko@r4s;_S^Gmut+&!+|cDr0){ftj1H~J}`3T4WC+9
znY$zHpR=GQw7)@x5Mr}c8uKZosWN8W!(SWEr6lG8W*Xiv=qRdUq(#~pT=`w>5)E&@
zC8w(E7&+G))~@GWGNDvN6iECH*u$u)eaQQ4bFGG~^{(TI%x)2@X8<sib%DkbgUFIV
zGS%cOWi_)5qRexMQvPRS#K}EzXoCom9&E+_)UD4`c*V|nxmO*j)y%m}K~%GfVt3Ah
zb3Ff&=zO?NsEib*5mVozBg?V_DTH(r<{h=O8d?p{hqN#G{l4W4`knHW<R{KPgpjft
z&Z?_+hxz6?Q2IT}oC9y6^tNOqRwr@%;=FqI#R#Sudd}t)l&dP&$Fd{g6Oc3%qQ3CV
z^ujQQW#gngdUt*meVPwxYN1HeCyBU;hC&^v`OA!H+*G~cC5L#M^l^6=?Ojc)@G^F@
z^WzBqv*7*Ku!%M&H;=jh6UyB+=Uv6qPm&!M`LUQ@ySH~7mV$g<1RAE4R!V64d-qA`
z=P+?yiI^bfo5;*8I)<p{W`BAY5tS8@8aTI7{H)ir(s>dRN7Eo<1^@3|8Jaz#dzePP
zPkGH8gd;9?2TC@Owk=pv*P~@-)Nbl@)SQgs*OLWF!x%@sN+iSJr^mKTo$wN0A@vF(
zl6`%xWy(JJtwGl%uEkx@?tWFUlN`@xbM0%4OMK1e2-q|y+7+Lb`Jsy;$=))C469-r
zpmh`Z@BwFBxH_N){5L90jyn5h?6XjfuA!*w@1Fo&e7pB$uNi|qYnEr)yWT|G=bPlF
z=lyC*GINh49M$EpX8!}Y9H@87P3o!t1{G7AVcuo1lGfY_{4pbI>HftSR0D7yFpUJC
zozLnbE0jjX6=m5W=;>@6)-q>b%UY;tBDF7S>8A`Vy)~!t$oF%-Na_<U?6i7|!qwla
zD72Lq{z6-{ekG)jJ1On?@~FryK)z=(k&C5oIA;-CN~sDkanE(pk}ZOUqu2DikUCjG
z;y<g`!Bi(e?>N8K@w|!qGmYq7De+yFfdJMx%YX2dkF~I_-`bOGb{G{daOK+UEG4a-
zEm=H<DE2JmL49lKp_FBsl4Xf(G9rd&r!qMcxzms+YUfMk#qDd?N?t;`2T>~94D)48
zxc&0KaA#9)i#~tZZ65el43$@>%Gf8XGssoyf=k1en?xhp-^lpud()pzp9FO0<i+4a
zO4$nY$~C(&DPBuy4sfjOOePzu+-AQgh;)r!8b<N960>5c9j>U;n*`VeUTTPD=Hcf&
zC?xCL>0=2sEN<Tp6%o2ziFvH`QY?mS;tVqhHd7nF<bVR3H8wOtuFvdK%nL&cNv@T%
zEeN-s4BMCVAW{UdVC_z@<@k@be``+-kZF=O5~INGE<4`#>#^MRQ06N20`dp@jCjGK
z*UuU=`#w?P7~L{v*zlD<2lkEFra!JmeMs#g`@UC49LO#Li{UzR$O<H(CN$vPkIMk&
zR@u+Xm)(ETBU7PTWMi1$F2NU8jNX}^)w71vID4|eX_9DAB<Ei0P>mzf(#rhPkq_N|
z($elac<0vsz9PkhJPs=YOga(zARua-halKDNNB4FYCaY96(PKhmFvh4H4E|L%y@wW
zX6mKNhCiorZ6jLpNff5V8B0IhP(5Ee_atB|!n`7r$w2jZy(_&fXrDK@+USwf|AV@g
zM~C5ENZ7makm5e2_5I^SHEx0Nb}=QNnrHn*G}S*djGdxm9w9kiR;VmFAW<6(5{d9K
zb}TMJw>$YO1x+B5_raz2mDKfhFeyU52jgGXz}vMbD#*-c?h_S1ifBDhwMuBXO^I6v
zUngSWRwR;JXX<3i1s<y#cCe=LuL)Y*3!8qwqlx$OUAmW(T(p`t1c(Ud0Higk_94!a
z<{eP})IEc|h@AzGlc=??7w%<Dvd{l<_x_P3zB<N>{g!&ruc7eWfTruDds~76@?lQ-
ztq{WTxtnLQuP|Su8$<4BHnC+wiHojlmi-(c&WuMGg38ooE!>5!(c{J=_9s5&Y7FQ+
z9g{mfQS`W5cF{(b9?YH+gN5uIS{`yb@Xu>b7eSlTD>J}89>|+6zxaVSkZZUVOx!d>
zn8@1=K#!I%Y0>_U&gN*1Cg-1b5Jy1Ay>;-jg)0z#XFFi}!=ilC?<l|S`ad+MSRaOu
zX8Paum(l7YqD43-%x`xd34nt1gtRQlMd?Woc)z&^-GA{<+hdAXJ$j4wtQj0=>gbrM
zC#2fk9rk(6=dwBY(~waHd-Fzkg3S|(=1}Z*ON4h9<@57Le+~>kk)?qyz<rG(h{prE
zy40)$;x{1AqbdfvYG;SzzawQw@Hh{d&nC$Cg<&H>hT|i>PVa~S-s%CZrYqe^K~Y(B
zytnOA$W=A*gsiaF+np-&ng|iDuL}0^K&7kl{r=q=PIP<*DpRfQK-te`mh9J&<kf5p
zFf;HyKXB(4IwPi_(MhTPK5*)6Q6a`!{s+;J6&E`{>FDR~M-SXunOm<*T`z{h5?^nS
zHp<1%TGHZd?fw)nV*Ee`ol#iBG&Z&-=pDE4lmE1?>B6CR^9Qt1jPhh0knDs0MI}q7
zLq&U0LB_vt{ZP;x64AMBau-=~%Fq1yST1D7lh?3P_D3K`mgF@a#O!<#?PN?{CZ-hm
z+z$0uc4PVU5Df=Lg$VS-pC;Aw<g^-^lAcCc7R_w^4h9AL#hlOm#UufiB+o=z&uJME
zt*6#Lq&3Pp>xUqxDo)Qjxx2`kv-QV!b9>FkE;r`NL%YS0#U)>(9M<%=)r!b(fETOS
z;LyZDHv|52NXLj9`0pqBX?RR%^>s66@s9uwg-}PT-$A(Spz;B6Da3`xLTvZzO@{rR
zm{GchsKVCo+f?|AMt1TMD#w6_s~4+FT)uDQ@-FKn`}O5L_X`*b=kg54rD>YBJ5;o|
zDj8~AX~WlwYRzEK#QUC**D(IDFUl<!jpl$0k_?8b@Dbr)b9+Cqo?W1=F_s}NZC}1@
z^3~WIzc+aX`u~>p3ujNX8P((VLDgAK`cP-Fup2kD(E@o>s{9Z5o=foiI1=M4g2*>=
z7INqH$LZec;Nxsmp!f;OYS|tRmAR8mK2X!TzPZ-?_FN)DGP@*M=nHR%mN{a$B5fju
z-|F)`Px`i-gOB0Me|#p~5xH-6Pf&sh?Cw`y13G0~0)tiU!bA+ylfifN6U&Qb#a_@R
z>5nBJTz{2#IrLow5L(g=9WQ-d53*o+7du&7qat?ooU9a?4edf|T=er;f>qVybJ*eT
zKW{LbT~1Y-Lq$~upNzQ$c=H;{fOky|`~`mhUCN+;G+k`vf$V4~af&ZvpZ}^7VK|;-
z&C1DCT6fD3#|JNR$knoeK#tfNU|765z+*IBZOL8?ey{cUZMP<Xn29FSbgO>XiwmJ=
zyjO#0ZQI_8mf~2DjY}+5P@m(+OB>M)=ok%Fl1~lX?sl}b;0^)Lo4wBP5YNU9egV9-
z-j&hw^(0uJqq}1$>ww$M=y-aU!HFY#*3{OqU}M-`0U(h^WyYDz-1Ez+N<4SDp7=Z8
z5QD3o-<(;%<xpsmSWJIRdib|D1}|Ymqpxd}HH&u&DswV;pB-WAZE?b_4Fg$VB{$!T
zTR8U=RmnLbYkGQEi^zFmLf^Gd({%W)q0dR^9ZY#JQoYRz_zbSOmsEtU%EzlX)fQq*
zMzbY`!fR-&hHwO=Rhn}VrG%(|$jlAi+wW$@hqu?7r+6+lEbF;}&0N+`E0n7q?A~*!
z)vEOjCP`>OHBYVQJtg=a#G?l{hdvG*vSN^h#~T8g>5L2-hv`kKeO;JiRJ`x(rSl6`
z9Dr468I?$kw+8-U*URFyJHp|%_@ze&YA7HH3)X_!cbE-y*_G)?sfbg^xf{}=qGpJl
zT=NYtsIL1Qz-tw}R#<I96wrm>H^iDJ1*|LG%KDw+tb#fqV{)|fyr@FcosMLACMqVe
zP?|xV<C(Kb5IShV?8@$Hw|FA;llnuvCk2jI{vFSH0gXcmh*w8;1C&gOV5HM^w<>Q8
z#o5y4s>O%gwQWsW9HHk)Fubuw3G>d+y4tS|b!K=nkB*!tJNNFqmJ2S1OzZfWfSS7U
ze~K!E=fQ{lXx>wW)t2!Q$5bCN2R?*SO17f7x@?i>h>*j)C0oXK6&gwH02Xc0d^vw0
zy|fQ^gp&;C)Z8Hf=WOYBKf$wg@H9w)D=YkDJ~*80Pg&4M{(aP%(aDyGzTHYaA@7I_
zgA-cW|FKPsRCgqVu#HZiyPO+@Md~Y<@C4z4Nqp_lm-gxIw5Ny6J<iOvP$bS!iySrQ
znb>Mx^1$T%uC8Cyt2p?b9-L!C*vtQEnboal(M||U7KEM;v7(^bj5@5-$+O}KL}H%5
zsJL2QflI$&hayQ}%%{r6E39Es6+A{Rtg*?H7k}nqFjP$0k`d%l$A7Dtg4^@iX{hCt
zEqD4c0}1fd$gMEJ`&~1aYn~6$Jc{_*SKC~0o{2}>h2z1V=ai(vQRCk`JS5nb^FvIt
zBXO0jrhnXA1u#tapjgD$;gI0KEq1bLhl}^kTz;`rHp3g(SGh(|5>^~47t!N}9(&@k
z0!_c#a~2N3SKnqM%Z>z5P>XUIDU(IChF~_QdB~1u%Te=dIjKjhW2B%SA93^hTXNha
z*wpcXkei~uPZsi2ZDfxiq<N3)iih}cyEMdi{_=u5;IVdeP3AyB(g9lN3)FF5v7Y=q
zY9oJfN{XHo*`it;Ga3vbP3%2?vJ>5G89jz`P83%B%fb_MyYnd}pgX{E<9V+rxGFPo
zL*L=gW!Q91HspirS;P!mf_mZ{5>cZ`%hqhFpOH!^V^*BKFyH9`brjVi<zQ?PDK@oM
z<$i*31H<GM3L?V$rTx9(sgsh;zpe!CMCL5GMG$M1_tBh=lne2=rXHQQ&akK@3Z&<@
zut}CxB;2Kr$V1lF7M0ks>SGafgmctaXsl>4slP249vXguOFxs0&7WEqoD>K3NjeIG
z8%xbvP1quQD-AEmeD^(pIGK}Q9;|(%U=j9&)uKr*|9^Pz0eD|GHVM59(ls#huWJ>G
z>tCJNW!rh+E68yi%g;h!m;4|>8r|n0xRn+Z#Zmzdr0$C}01YH0?{HT)><f)}<$s>^
z<Cu9wA&0Cupzz3+z+QZ}yh^=Q`j;O&6TdhOxI)h-<*iD5yWis_ypBDy!6;r7t?N`<
z7$RzX^kbi9LHg3Ew)P9Dzg*kjb(>!``d=&nT|1dN;WEIY#|0m=ApI41-jg3*_xb~|
zXE+}s&t`mHC&zzS{@gD?w_5QZ4b&>}Ua@tl`th-Oo0b51d1oC13=;%P=RpeoAA)64
zDcoxvHy;%*c+OoDV1=?{;8j7t27LR<t$~=e$O&Qb4%&!3nj^h^dY%nscSVU5_&_7}
zD@rd6NGTlH#8Am*5g<>KB`Jz_a7hAZzQ(vkxvgwS{3-Bf7p^m62pKk*##H;G!zwY|
z?fz6eZ1wd?LEUdbfq4mtl{w!>!|OLDM0}cR^+|B7C}8wwT31MdBMqhJ%s`$ovQ!S2
z3#62XZir=<=9OBpuAXjbw0=FEnCUx_@6=@}@?yqSFnvO(ZMNeY9aVmM)<ho}Ym)r+
zx~J<v!bj{Y7lyNIcN`d5LQ)KLF^VCidFkxI942Jcp(EM0Dtp39;vdrtQw?tsJC~ub
z1Md0Zb1TzzgSsXt({2mb^xA-{Pm4lIUA`jJZJUDlRNc<<kA#1mhMK-ab{bLRGWr%k
z+mpBBy>fr*LwEVCq852gm1=M-_~BEhzjeH~4m?);RhJS9V3}I5Ode!l`~FlPu()z;
z3iC~61wC)!!_8Z#v*-kDWOX~&>0-}8!S*kZn<v6)JhyT}8^x$^4qBTLwG#3XI~n?H
zk?f)`euB4!Pt#?R=?2lpV?Yao>LEsOo49Y9z;^$k&s_t|FcaK{XIElVi(XO^Y)JrV
z-5d!_kZQQ)`N0_?j$$vLdj|x~{a0yH=%vQjc}nc&QsWe#QV}GfebcKB&#O?FKHE_A
zgl!1NtBaG3c5a0`3Cn>t2l+2p6*|w8EgHNcdyX3IT)`Z%+Q4g(G}yP*0Jd8NewaJy
z#&H20Y_4?E{8LxGDsGQ?*poX;o}YL}*Dk4!hhQfAq8!PUGD^aW>W3l>u<we*&C_ip
z67Tnw5oNWnQC4M(?2(B^(+@>5ZWzF=fUrOsM-C-0yV8x`bzfdeU*<=MGXL-UyCW~u
zyv&%fnIjv!I;v7VKNN)g2QL>$!T~XVrP|4jvipe0&bk1+bTj?<62tI)!N)e_GzlhJ
zu`i!v*y}bt_1`k9^S}LZ5nNQK?0$2zcXgX;H}DnbX;_hv0+3^yBU<rJiCoCNt#yHu
z2=~=j+m=Tu<&ZSDsLhCml-hygZ@ovHIaqz2$2gy*mxGIdO6$19-Vm`HMJ!LTe8fqp
zJr6oH;nJQHyC;|1&$yp&X#^=3i@M5H-8*G~eQqZFcPE%yjwZRetUKrrs1u13A?xl5
z75&KvMjT|d=i{|FBJ9oRM)T(1Bx*N@<u*uN|2A#;D*4bM6ws6mbcnda+w$2J(^?sM
zs1fBJ8L!<;{K7dKSuQY0AN&*-@l`w<RS$8X5OHd{Qj}rbGoH65g1|pPFE9jm?%*yH
zk{-1()8E<lZ=uya&5wUQVRXC-|5KqzO(DEXW0E^~2e6Zle{G{@h|GC}pT^+#!2U;B
zq4Xh^MBo^uKZLUt#HnNE2KJ}0lW6k@ZlA#xcxsav8{-)ZLcU>1Fye9FM|5s-wD`o%
zCiUd;i=}XP{-#{H#G(8#^xV5ZJwjQ|LI`(*1+FZM4oO>C5WWswn{U7t5z!MZC#J@J
zTrbnq-t2F!1%{%PG0U6wn%cTZ3xw5WV9x|_1ZS2zbbTg<UGjc%8OKma_p~~wUZ;@)
z#Fz%m2Wy*#SM9^2BgnYt7_@wyR0YKSn7z5*d`ZKY4Qh}s7f4lwsa$Qq&O4})u^-cP
ziK7|N^>{#vy$R<p(!kW7gsHzwRXx-{OYhcZHyxVzqYib)2!i#(kdSPSig^6D-TWA^
z0AI*c5aDt(_J<^gC7u<(7<@7{i7JR-iLQXr<=W_&3S(<Qv)6a;*#3ERSrKl}F;)6S
zg?RD>yV|-6xWS8-<Bq6Pw{}Z7nqx&QW0sBXj7~QOXSeST@&tK%<PjpBxS=NMG<ba8
za>HIMAn6Ws9i9J?y8_xSG-v}kWa)vQW&sen#<&!>QX&Hhe#kIY--R)F%;JxSHBWuw
z|AgXy#+1Ta9z+@sfw56AG%i(!{4<f~Yx`jEaP+~+gn($46V|nIp{29?B?wEq&>v5@
zdomE4IFSTV4Q=PQe+4=37Z<boAg2%JjcxfP$;?7jIH4P<QAxT_)Qkzj*3PvGPHo(;
zVNjqyf?8~3g(tu1ajWRNy3~}>&Y3bzd>}3fFPc??I*WfY+>rlL41$KZ8CY|Te-JG>
zTto2(;^2QP>BG3?8IYrCcAf6_Li)Ou|FQB)+W+JdB3>D`DP}8bXY@tI$8X4h8i&`1
zyHnI_mfCgBE-zCRM9PjA=TMELe3~Sb{C~0Zfv6_KKE(ga=*D#NMi(r{;`>;(Tt1vP
z5StD0s=rf-2+!p8#g^0m^KDUaHGWUXikJ|$VL;qJ#+Le9?exCNAE=?i;Rkk)^2-Hc
z5f46(-rcKj-fKA7j0oL3)_q92;7chv#Pxi@boXKvudH~!h)n%zDx9LWJHC+d88Icd
zqT(}IsZWSkjGQ3-%;iG|`m(=@7WrMUMN{7QXrY~4MmviKZ;Qmz+MKncfr2kZlJruQ
zU-;6Ad6nEB6jGY8j0yj;3mwt@>5|xKIqh8C{ujF$ROQl8NuYfXL^!hfabaC^giqW_
zUk$iIIlq*nIAN)y;OHZSKzPAVW&E2%saK&cbP#-MY!6G%;Fas)!0%0R4b_m+uI_}f
zag!UdW*`b&Tn8N$FOWeG=pH26pqZY%fxXqF-;Fc(uh$X#zzaHI#%hruxBFT~bZPx^
z?d;=`!0$%oF;g|h^n7vxfrw!Gi){K2nFwV?H#mo_Zf89Zl$hi%961I?E@lcn@5n-?
zE1$Tg$N{K)-}ML<RL}<xf_A?5lbN39eyrxc-VAIk5MD>rBz&sXEB=!^ACA!Bo9#-{
z%Q<bA`gN9Dj)SmPHE+@!cC+KsSfOtdM}*52A9h~IMo1K2p&+RnUf0wwicmx3XLkcE
zZ^*jZamn0oi+4dbA)a)JHy|tGx!maTfF4N_QHd8>*g<}ifmhEjpyqfghP3sYG;+K1
znC{tuVe<`d?I+s!zIfW9v)V4Ud{ThSCPQm87_76-pj~ER`i)meVCv~%>R6|s<ev>P
zh4@fP-1KwXH5-aA-lFn9%yBX_5)r`N)RPWzgl-`ds;qL8>)2<-==Qx|2V;_v%NA)m
zyXPY@MfEwQw174PSIWv+m?NnToPzrhJGPDu+>TO0<mm)(!XXUh@esx^J5PM-?H`t)
zv*a`v+#-;E=)!_CvtKVtqnZmFi0?%QpJ!YMQrSWwv@PcA^d1u}fB#~X!%ll1Xc{xT
zgr~aQj?x+POL3$)`<!(e*4~6rDN0<Uzu1N8KNsn)mW&eDXlmFUWD=1G9RVw=#J9?6
z4^bRia5dmt$b?`x3JLXuFGFp#SIPPABzqZW+V6`GOAxi7eij4nhJWD_ju!t&m^B~`
zS=ZzUMFKf8z&8PQb5VZB<y@^d)X|SFM&Ifq2;cwfU?Il8uq{d7W^wJ)Y=&MtlQ<$}
zDw?b0iVCzFq?y4B!6)iSP#KXIw)y^jv9Fk4z+Jd3V|QW|cQ#%ZN`+1xP+o^z$fK{H
zrq>qr!=3)0xbPd>CKe2cT`1NZxP1$pa%GAxY`kj{VG5l-o5ZK3oLnrUY`yS(bl;F0
z?y3Lz=Vp!}X%CBjyu9JXXN^U;S(|?<)`y8R{g7rzg7RGKLFDS)xrAJYM7ELZz}N)e
zqU4t){?0@lQj^O{dp2GMMw1f>M#hG=d1ZCyo(TxC&d~2&AN&gyx=GiHbKPlnS+j<v
ziAbO!Z~aM;X@BJO%_5@Iv>i;vA1pUu=a_>Nu>bHW3lkf@Rk6`6fQURIAKGS4F+Rh{
z+sd!=&^7x?wuzc+1Qe_QPSA5<5uP)8(=K<bG6TRJbRpl*%s+-H$jC2of>;Q5WIV|j
zKaLW<+`W*O6^L}bt5=pqmyo6xUo^T4Fj2Z+L1Gg6ESbZg{`iH$kJrryb#*HZ@hPi}
z+t1^379uwabHP@tQ2;vJ*8Y@ynK>26i$y*xIcLF0VA|<o>8JjoCEnYl(Z(u^6`3Ek
zh3OTw-<ci@=0F*pJ3jkzU47kRufDOuKAdLqi|RQ##YW818DY+&46cl6<y$A`(@F;a
zEwj^d0VkN3He#CCy8E<y$!#Gsi4KnAw2&NZIWRw~OIt@LC5h~xm}18kohwf-->Qpa
z;}Oo7?L+;r2wQo-{mr+RnFUWF+-G_@UEP7&YF1OFCz6Y^DmBIYIOtu~YwrWh{(3+L
zMeyb5fkeaVoMo0EFxP23;OWy=y2!6`ePh$)rW~#tV61eua`|3!e+fV!1GmuAZW~MH
zq#Is?x2=?D!>=Opssi?q1K*e&$UM6A%qZ|(o|<zO{T{fTN9l|P=@lYS-B7FShp_H$
zq^0Mo7(NqnBA-BvYKehDLl6fd9J*ksczx4wH+po90iSm#JL^u@mm6B-xc;2tK@BT4
z($s6PhPV5)l@w?|CkqCNv6s(YupRl$aTbaRK0}=#C48VHAulYu60Flh6}<Sc5P|*S
zh$}t#iyyt6lW)Wjs$THpva;!DnE!n;ypt*(9Z&q%6fyL}3jyU>i>``Ee<eN*7D?<e
zdZU7JwjmB5YN`2MgclMDekrXCpAiVRvAgvW?Ao(*qvWGwD7X3M`cDSLt_~Se<LG`{
ztJiZ+A{jTE-#@kf@g#b-s{P;fRFBXCU(rLAaK{F}Yq-FEKIbxX4GR!TS@AJDrr2X|
zyYt@EsjA{<*>&R*zFt}M0eQuJ7W_U#)<!OqGXG$Yl^il!B6kRaF3ZOqILOl>oC3ww
zN_y|#|D*Ba6FbXyS%~Ro$<MmOh#DP=BY@f$0`y)F+{VD8y}bPk$NlbBho74~^A2?+
zHH@h;2Pr*Xcum<ZEqsfqdbgv{{X1`+sIiv^7cxHv9Tz=KqzsjF?5z#^Se+2Tpzp*4
zeO79X9Apd+&jW!6d$kheinUjFd9)3xW2-R)HrUnKwQJ+9UO(N3*iTF%rhG~zHCZkt
zcYm(_DB5dVCV^hqO1<mX|8hk<B+Hk){gyz5HGvyCYA<@!h{XM|4|fAAaSKRY+wA8n
zm3Z(ox|FFn%v6(ZpLty18c`hlJbM<2?&&^czDP4D<=4-iC!#T;aeYi7fiyxBs}38J
zaEcAa2d)v%pzAYIFkr8?_8!Fq{5BxlEvhi2jxb?xH6->dB82+MTtYF585Vg>69$KF
zcm-Wj2XPe8q6P9kJea&lVAv|mLWZ<6j<5i4H0GyO_TJhV?nD3CjWQPwTm*XmLVm>f
z^rLt}ibL0`YwDs`*N(HuyPq8!jQHl%k9VrpNh38)4w{mx6fce|$C-7YI<x7e*mX@Q
zEe_FRL=F&v>GY>B_5?RMGL&qy<F-@%?8N}<6>Gmea&WojxpW^|68Q9fd$n%cM@|cw
zNOTx%Y+;bpL-@YV+PQi46V%8^)b?)VEUQZG+~R=mj62b@gZ_T7UIat`YDLms!~{N&
zR#am8vXl~tDO2VJbD*5e+v4;WtYs<bLAd?JPiOKaA04mYFuzVY3_cD-p=#yw_GB}r
zX7#htaxSCnQ&Gv?UqYWkgY-gX=(8kM$?V=~9C(mLcUkOzvEKArh<b^jHLM^Mfn(Z_
z0=NG#-V_ni)4JNb4v^OcFGIv%DTDz99Z9l~XmJokcGZ-MIVl&?z8LC)*>ykLr5gk%
zUKW*vqG51(NNFrO*jPdnfB)-px~ALW$03Oo9I&~4b5O^Y_Nxsq*peamGoU*nni&AX
z7y;42?(K9<*6N6AR*nBOJ=c9KuFQUehUMU7pQs-(LI?H@qMpt%U?MW$>HQqKxBWFP
zQ$<TiMj8HNI*8Tg*j#V!d8ieCue`Xr&6IV&-l?kbL`IB!@A}!{Qj^bDWwnmunnXdP
z%Mve4C&Cv(1~QVN%w`zhWbTrsMekgunD<6Lh@4OXSJ9eQl(?>mpna_noR6xoNBuzX
zZj{j%B+{)QS47KQ4c@dKxgxxA=z(Pxg*@t6()Rh{B1@#MV`g28EK5t_*EL*FodscT
z%GitQIa#6k87V6JamekFB{nEQh%fhUoa}~3Ejh5?EGjN{mr#Mih2Sqjq%1P~W>4#5
z93xijFP(o~lh2?=I1ZOP3f|PEiK{%hJ>~~5JHA2yS^NZOl#l(^tmoWT#Sr|d!wDQ;
zck*`+`c&ujZCWhqAYWVx4s`?sD~7I31vb(5ORa<9#+mg+d-EA&U!4Bx5J=J`^n1xk
zp`DYZosv_kuVP5`YP><U^T{4x;-p5t%cIv3LeE}xV<Gpqg^no0kbTM90nN5^z0`}z
z2m-CMkR%7k&8_Tk<G1TNZj5-`@&Bj~8HM;01eyA3wdrvZDSPEie6O!CeIRqZBLN}~
zrDeVMw!43kAiSC!zWcdx#y{Y}%4`NZ0%C!T^Bd@AS^b6UUFcAKNc2XUUv|w$TIBJ+
zu0Ug`w%c-vLjF&OLl7&lS&_qsv;h-lB`*%~cmIiW2(RVfMDXD#keZo;6RR8NyRGO~
zea1Mdl=fl+1MT=)wd+QT(uoi>ZWc*0Oce6I$AYa^Bc&Kxu&6i}1viVVp(xA*C=9u^
zS{AwU)@8=JLkBWprQdDQi`3%)c8=s75?I<$aH3e2EN9D!3#SJM6Zl9ti8K&|^AM?{
zAsp*<nn(Ot_EEevu5W6%$Y*8b%)DcTW!@$iv&!@Xh++e_gFvXD_)f|ZymYfx8aL~`
zih;jqgg75=<CL~vWz!OK%)zpF8?*CYh%PNc{dOh@I76D>Y^Ts=D+iqaR)j)ux8gfM
z5O0WnMfI=a+Vzu&$EAt|k9V;??=x%Lzd=atLs4k$aCnUzW!ip$$EOqB=$yEydu%HP
zgbfXW&XFu0pdDV^bT=2P)b&kH;<s~76@Re{*_1&^hP_SLml+OiRc37HW|!E#(NcAY
zL8ItRBMGX2La6&iEjG;~YB@VEV9&~4sQR}EuukBU6lU5BXUGwR4vnHB<bzc;ExmJ6
zV0>_F|86f4;jZmK>7iClj35@LU?Yu#AuX(*imE-!zlP6zoSgjMB@rNY7wX)aL+gl^
z+{ASqwe%0B9DfZVA_OmlBEX6ZJkW)OS04<b`JI!$<lX;V?0w)Xk5ZkM<9#(!XoA5A
zSA7?*dIAl-^Ig#Nla8$4Nkd7Q+3&&2xuC=g2$F$PCRWXo)KILOtDRw5?V(-b!o~qk
zY)AigOf?1~=mXIK!bXFMEJC~b$cndE4E?8(|3iKRwNVh<weiu_qgk@P1vQsL=K_fd
zhn#332F17<sE&sq9$PQAMptROxh6{E^8dO2e@p}J8a<9sXVIQg*CkmNrz#Tcg!o<N
zR@7o1+n57yLe*+I?BggDD@7WwQ@+prXCe0*v%Zp#_qd;fu-_e#T_f~nlbBF+qj_k@
zrEgMoeo{YkpRL_U?py0$S&o38VQFnnhxIswd>IXLiK(o5$@Ts`$U@lFXc|7Y9uhJ#
zs)o+-*~PB<wPVLx-{Jee?=*rS;)MqjG{jIi590JmgSeiqLp&#<49Rl{?hQn7K*zc_
z1e=Eyh8IAq0?6Zu(F&A=oYhCQkvtzEBMpf@grb~d-r8Jk4n#o1n5O&w5MUeKw>`U2
zoAVW7gTb%^6hp}05COosK{XS2sJ_|X1_k{QaV!dCeR=hztUMbhgZmkPLAY8Ju1_F}
zsnF{62B~pmJJ@Dl+aMtIzu`pVLy;PTSFHSCM>Uh^VBs)l**3u3Tcbs#@RkqZJ^<L!
z8uY7G>am77`P{m#!}X$T4n4{V5C#1W0-WjB?j+9~Kn4lN!r}2K(IyAcN*tcX)|;If
z`>>*^DhfIFzcKVCR5BYSko1Bef)HGZ)O?2b|C}Vr@l{}pADo$BI1k$UBwC$DRvV&F
zcy}xP1|*2!W2p3rR@;BGG=XM4SN$D|5=u1g>e%%=>p)t_Sq2!xp?hzv0mNkK&>_ee
zQB3DhzxTf}nTKN(d)L!dx^|6kZ63*z)jm9{DTKel?K~c9xDXX@&<)KHpf;PVA+Qxk
z2;msM)VkBGI`;scsiErP6NChB39-}}R<GRvvMn*Gu5c$%6T!Lb(gQweW-iwV7*-RG
z290E|($^FK>eWUH{@i*9tV1gHJ1?CSeH2$NzxP%(gw#Sd0*n?sDGUWY>(bfqhOTxG
zSjD@atjcId1#^{H_`$b?6U<m7{0*oVu<eukCFeB*)WdW!Yj^5dchjdl(bg9T7Hvjx
z4Kiq=eU?P`H}?CO?L{fxhOR!4(a~SaKe8Xs1-9h{DTtXv@G(~Yq&3m16OZmMy|H?o
zh^9LCLoR#Y%It@grIVY`MiS=J0*S=dt<C=~Iq`LxM1k&&HV8drCy%do;f@W1Tljln
zN1?6-{uWH#ar9@&<%8BpN5$=m_*@*>c>C|7rHNR2sq5%u+~{ORL#O?Y51KCAQIzag
zU(4?uc{LYwi1DeQxR^f7Z|(kd`QV2boDs;WptO`mX?9>gAS?1XeB?cFc%e_wVt}6j
zo3=324JD4Ek4d$j9U<RHtj~+6-d^mRrGv$u0V^LhHFs&a*L5kEbIENtKieCU=@z|7
zd5-#7C@d`xON`8wOnI6`(8FjwKnVwR;9{3lR@<-d9v5?zX|$f<cfdj7d}u(`;%lSZ
z73%L@m<)yha<~;B2@XR;-TlqR>X{STffVxM8Nl=>l*2+a`MS}tX$1KIIBbflG}^kk
ziA!#j^5Tzm;~%bnPW(Es3sF<>><qaE$mEnPRL$pEIp0R?Ve6GF7`UAXKfz88g)=1Z
zlW`@|i2LQm_Wc88Ly-?a`1mHkB6)(J^y;FpK>V2_-qQVk0QIlR)ow6?4~}fA0l$B#
zARDpdHvDD%s%5Z{GncST!jvE6MCg4PK~a|($U(5ovW2+pYwksg{G0Kz07;=@J4t4k
z?g8MkQQC+Uj046SZ44%pS{(VxWu1!@ot)Vk%a(Ju<0ORF+jUgrv&-&uYr(ilXuwh<
zFfJYJ$N6)SZXsVLn=13Vt+R{u#|GZo>O{r^R~Xb7kC5Q|QTEHU=RI02s~Hp+N^q{|
z|N5<H&(YTT?Z6#FzuQ-V72zlWxTpgwuVdTy&Ei;zF8hie+q3k(@mZsH>uk;uG=AG4
zeZ8H|!>qjiFsoj@S$8%&OF<BK41=fgG|C(Fn`~gJBqAUN3swcf9Qz=fT`d8aXzB14
z-*ZM!<=>EU8>hMc8g3KSb@8V@d(dT*SV$Ps@+r{xC#Z9TbIC_CCO4$!jCVLksl!rC
zAhdBp5QtN;=cn}3p!{ia_$+~#P17Upvk6&@n%X9c82PaGQ>Q;M-2KTzcH-4VhFjb#
z6#30(NRG#jnA}@!eFa5jVN@qND&1yh6&1V=_w2>Y8nI0I(YuRf=j-w&bc3#IK&~jP
zs0J%O6QYtUwhKAY`&K9Pb8|$BT%TiV`AI9NR|wh)6obX;84a4ST%wUGY%h=a)cA@m
z!n^4-$CFjmoJuR7cneVlP@fh-)S<Ev(iCd<LYrCO!-K4AuT=z(9&A`IS)Ok&E{vGj
zaCf-RXn*PA=>5VRzR)G$&G;<1e?|SP+>N(wvu<$88)TIm0dc4vo<IdXff@x-`^p>$
zCKoC=RYvQ9V?9REXsF2dsKF*ezu^W=I1vQidx&tNnvZHycI^P<QupAq@9=7b(+<Qg
z8I?E=H#BDgZ%?w&H^mT`7xG4p$42U*QaB8QHSQ`>5P9vf)J1;vF+qjm00>1~abew~
z2Zz-g;!r~0gjN}dUKqC`+n?Q@s8soBXikLG94EO!&Siig#Ij0P<TSC+@e(q39#y)D
zWHw%<k^NZu69(mhu8O+|F7l2`t?fCy%pEJJfQ5t-BHS&INp`QN-&wt8%@H6if1<?&
zjWl6ex81~@Y8u1?9`zwuODXOta(c_F>r%tveYmp$gJwEQcbz^U*`%WO?s-k0xPKm^
zdyE9_B<X%|%JVYywdJNHXZXln8n#_8%o<2zRG&q^kOLo$K7k`^!bU+OYb*ME!m%WO
ze4-@?z=NN;NOBy{_c{KLnfP{Yj`$NQ+1TrcYqEtvF}*CX(<^jo-<)PSTM8vG0$fr3
zLlD)xw19WsqmdilrZnXdySTYI50fD^o9H?!A{4@<Pn>1i;=SQBaSj;WeVexS3JHpP
zg52=$72t=Tv6E5GwU7UPNDLp^g3P-e-I{ccrTx?<jKs5p#%&r2m3{zN8x<x&UPhls
z@3@R`p(`DlxEr8@@RD&)2RI}Srdi1}j81GP$fCHRd<7vw=ow}L0(*2H#9biEF~_ZY
zpm8_m@Ff=VnGp9twm@(7BN|16;sOW2z72bPh0yP`(C;4g{WJHRom*?`Trg)M8pQ)5
z65XM+0>?{EK6zEpWTp&RW=g~d6~a)C+!&6KAlHE3RIml!kBrLg7`8tB2R_H|q9?eU
z&v%N1`=Gi?s@RT=><yAdTPe>XI8Qr%<XhT??(c%&Yw85jRN6^e8lvj~xXI=S`NxYG
z@_coLVy;AGXNQm7u_u;(8a*I|2?s$G<7Js11bKh1l$zsvaW0a{GyFXl1$<?TnjhLn
zTM0~oapslmA0o~YMRF5GCI_hicH!pWUY69}9Di0vNSXU!JpMW$Vw3J4R6*?EfrDwD
z_~%3e#g$=m!`L-lYuE5v6tzr25kdHLNKW1yd0%qPDdkSM(%ja{YX8ADBYc~LcIcuN
zU#wQm4;$k66`FS{*DY${k5mwQKBswnKt#X6aTrx23=4NezqzHs7w}xC$?Qw~G#PxH
c7n(C?&t>?)-8<<q{EHw;S5>d%$eTX;f9ky8TL1t6

literal 0
HcmV?d00001

diff --git a/public/third-party/s3.png b/public/third-party/s3.png
new file mode 100644
index 0000000000000000000000000000000000000000..f86959a934382c0d05f44089555b5857a82016bd
GIT binary patch
literal 13495
zcmcI~c{tQx81MPcj0S0llxi?Z5<<4dK2#_|(Mn7aipoybuPxa^mXvK;t)aBojV(f1
zijZaOOSbH5-822}bMJGX=l*m5xSpq{Ip1^MbKdiw_x-%fIU$Dn+S}Ooumb?Lozyvg
z761(Vi2<xw_+Qm4;W_}Yz);Wl#NWSvHA6%w!NPhm5@bJ;f{%bokkIik5v>T(Q_*5-
z!NNL`qH<mWG9JW>$ujzJ62_0El>$hV5aF|rBrm7RsRap{K9w_kB&icArV=0|>bO(P
zna?mzQZr1%?74!Z>mF(MJ;Jwl=*LK$PlSX*63%=g_B$or_bB<1&L_&~MT<$e@@a+$
zOM4KF6Q$+6h{q#D&pwvE_L5Ax$$c%2EM&)h_OT@Oxq?-O67?ln+MP&!sUYUacPdg$
z#)~N7y2tFP!sS#M%QW)&WEsm0C7Uc25&IoNb~{AvcM8~W>BWeVeMpvRN>*7)H(#r$
z1qqv`%8A_Gp%p1=`V`KyQ^AKsvg4NX5ipFCAlh&V+~m5LDnqp5vU#l{aFg36OG)VV
zj@9**y;g*Q=^oo0waveqGmDd(o12TP3(W(ybIUX9o9kZ~pN3}`#tCvI?Qc59TFg_9
zUrbQZkCyKm`yTw>A)zeHBggV|v{YhcSZukE^|RBTdn+FlxxcE9SzcdkWK{nByE!#K
z@onhK`_`A;6K$3+j@zc|6}G*eU!MClKWdSx8<>B`_Qlz@k+0*wM||>bcx2tE{#o>-
z>fYGzA(I5Hy57>-Zn{O%**DF!xYEG1+C=Sei3EC(L*}{l&DGJ_!H+FDcXQ3$vaVix
zrvCbC(y2(vm$eC+_asZ(-=B+9?wjnO|M++&PS!Q&V#{ECb@vCxukI9jjN>aR^@(n3
zO+?RlheNtaRIyKHeX{XG&73b!{oh+xb(UOCCNHlqhZZ<J`xNu>duDFq%O4}H(WUM-
zDd$gy$!9b?i7p6y`!)Stb0)1S#yRWK!s=W_=SP!7_3#4sGttWT-?=-zx}IJC)F=O1
zK&~^rEB{k(;nTW^(05)YspL0JFK(ru$!bh$9j<>+;B)Kc`Qu@SiraH+UY@-5-1L6I
z?aOgGr^A)aXe!AS50w0bU)07P50Rh*i>L>Qss)Jozq#d|edkoPgp7xvycg+W;!#DP
z1LjW^4IfD#^@6G^trsmp2@x?)l)<N)wm_3$v)8%g1i)4v=05~HN#X;51Wq2;Fm~^n
zN@g=O?kxRlz~ezeh(=asEo_UmtUOl-VvS<z8$7R^iMbH>I>|$SLN))~L}__HXWcUi
zNg9omLlY&1?hSh;BqqcjYSL}!z~WYWrDgXc(dQ48q*^@wPOy;6r+@Y=_o|I{|MdQP
zB(7eVcewY@%J_QmsGE=Z4&g$zwXx@s{#Rae6;yiukgi?)lCtP`tF)&5Xtr(Cg2!@?
z`tgE`SmE})zb0mGp13N$(|pr3C)K3gO}IUc@GI5sm-?SUYwllvFSZ*Hf0Qp}M_zgD
z`|DCFIosEv@Xva=@4nJMS8i^W_XcsiV_mt~Ve%4peBqDdNjf-)S>qg=d4gX2CFOzJ
z&^v_uU5kml!ZmwG(6@D67eUJN{+`tZGJK*+jMta($3>kezEi|m*<r#;$8)UOnQ7EK
zT^Q`<*ugKY_Zqw9kP{ui?hHr#Mm6j{KMmgZVRiy0as4RDdYv#fV*)9^InfW+^UrRL
zBjjPI%`Gw1TqKrEMGX`g2L<?N-#Fsay}92ZG-dqp*(uZ@R++I&jGv09+#&E)fBbLO
zHYz7ja-!h+2rI{fu*T;DO2JqI60qWmP8`*&XB)#(%n7qAT6MYnvmrO}qCNyVkX~sw
zx#|lCe5|bR!!rOYe(V#H*~|Vn><g$T0>DLR?)e(!h}oe8FeD;P7BAYj%WzGNj(~n}
zMUhfdhPEyv513?iNahmDjxtVr424WNN-%scMO*MjWkDrURwhLo^G0#ZpQTc?NpExq
z^Jlpfsd#4;jzXsYSY{b2=cF9ts6>1Uq)6-DV2{jkGX3w;f1mHM;#bDY(ClSoCkVuD
zIGR&>*TD{HIKp6=#j=!>f*_U1pF%0pj5lCs<s!@udLxnV0lPG$n<+y_Asv<#Z|`MB
zzXrK}(6qIKgG8iH-9-|SKx~1kRI>&AtlzYCfsaB)zs+O3w{Q^{b0sLtf1?@9=4=VN
z4K{B#ZKW{hax<gh|05#rfkgR`2+F|zt{J@(Zp}1#7ajSJC>Ab3R+0kD=5z`Aj=7?u
z6oVDD2iBu3rn@0=%sj@%7`B^6S(?+&R3a*=yC~1K*zmKEVGR6UJIay`C!h5+qi=!D
zkE1M;%%;cxVqpQE41M&jpBj`-fr=E0z~<mxga{cVG;Ia&>x%M!9NaelcW}K+EX|(J
z1F`PCyC^fI2Z{9gGT<?z+7D8eStOYID3PMFK+gKSk-cy`-P2n;nEbn#|F`L777u3A
z$(+Usmyld$X;z;3J%IjB-o1SI*T{{ZMX466Y1)x%PNh<4@7-EK{#g(GwwG8VldeZi
z;tl1h#U(0*d3y@YEZBMKYrmA0zO(3^8^4eyP+%-SDt~kxGnVYOQG@t4kvB^gKWD!U
za$uWQyLH#rx8>DO{`?&M9#0SbZ1b6|q;JY<)2PPoG)}$8=M;`0XD%N)F>dncBeCOc
zyVNpE)aRir!u^C8`Ni{{lPcBMzED`tJ?bkv>fIIp%jdlmswdLtL>cM1@v(k@J6b{f
z<;GHW%_D);&t>r31sy3><GlH|5AIjZe)eM6=;KD)=rTNol|Zc0a(i4`^?vWy69uoo
zE$1u_Gi9XYMzQ)_@$!VuM{%F-_AEHfSQ*L>HkC+&lTQoWU;LHdKV3f{CfL1e45364
z>T*;Q)OW77p1SDaqO0E5wQG!pVoh-O{CMEUN41TVI5*F=J%aEnmZD8aFn^pH>~;6R
zon((b?Ijjz;M|YS-Wv_x8U07)>kdh=$i(E7*vnRz_~-2!);O=9JUN~}SihD1<S!AQ
zZ*!$Tys72@Pw~WCX6u~ZH~UIt-|dlB&tI2c3Am@6i;MYvxqaIH`0>%C#I$7}2g~0J
zdoRp=t3ANu-Xyn_pJBULCIvwAcO)zHm#h2B9{$xEQ(>InM@r&5_#e!6?;H3onD^o4
zOmzJ4g*}5Mt4gOzyj^l~mRU%kOOaMksx{1S7VA87()PT5KqDcV^?<785+PdqoVkSA
zkLVoN;u}i~g?%kkWhfSOkx6OZNudU1BFkFWPwEHWvL4%;qIBG28|{U5T`S4o<-V!9
zH)EpYrx^Ku>NXWxnm3{iI+RKIXERof6yn-Wi`_Q-abV}u@5onG&B%7WD=FqF=?lfc
zQ=qw}4CMiK{CPeaInUC{0>8Uhhvl~|vMueQJjR+XvZ-CpUok9t*0t}>uilw4Xdk=5
zJwk%-89#j<$JAI$kIsV~VMvBqe@EfBcqwCw#+QY4rJuW^02+;LPrVbn{y_bD|7(`r
zIFBIDZItW_9a<V~#;fbRZMx+v4^oy`UI1!88ewF4dnV#ihnb8I-y5_3-e8Suggm*B
z#mG>PcW!r!O3qjBmcJl4Zf#EC23>@)`o{-<nMHi@E|FChw&W|E$84{LkVVRK2~l0U
zmaM|c{-~*~p$wG+&ir|@=3o0ZHtGkisySGR?p$Cu@B67{qUC4k{qmIHIz|%E#?Y=H
z8G)77opOPJ>vfNx{?RY3v`xFBIQTn^s`cl9>f~0M4UZB2yZ*vOX#<su#Oe9bE$gpu
zq)z=VoL$;8wajAZET@cjo=O@YH!1gN)$&z5+A%XSAj~PHXytYO<zg8KePA_$u4V}6
z4?3$fEoJ3bZC?8!SvK{@kEAwL_F)}5x(+h!YUIyyLP*Bw!Ii<zejnRiX~pZ33DF;?
zecyHO%EQp<NJZRq@1p}E?{6;*t|CrpcN{${89M4yODuN4(2ah@ZLivJn#`t`52d{0
zaB%l`7TLMcn;)d8cr*w5_D;bcAwAP4yp2^H(dmC5PrL&4#cLT_>ljgyCq>xlqTVSf
zo0%b-dpd1%nvdLsN>9aj`$eA7<G7B`zUj93LtU-hlGoZPP~foZs$A5^i#&K*0$(P9
z?`?J53imIkf~5TmL0Lzi%Esrk(V+*jQ6e?eoavo-x7z)c`{&!XARgNfd2T2#@F0*6
zT*0JXDvTbzbnT2uj!rqxXXVOnL;;8@(ri-}t_vj5H&rSMF9;uw5<Ro6*##oR9>UmH
z{fBllg>TL@^1SofuG7o!Jf>uVUjUQ}r1PPHa>jg(-kJ5HSV@<F98>EF)C|;Zr}9wT
zTobF?4wr~qg<iws9_+~2ho)oK0BI7H40&B%a_Gvn9BC4x#W6(N?~;Tq!U5hkAz8^%
z*+NE*ysl67y}kZneyd*=hb{CG4+-hcKEKvWOd5ASA~Dt$Huc}r&0GlpMC~WlW+;BR
z=AUp_@-)3EE6I#=SL4+YzzPmwik=W{%Rg%fnbU{m3g2HKvaN)7GVM5!HDOX`;Yzd=
z;{lp#;F6?~_o%IxwjUg4O<*){<XJqg<NGar&NZSc<+I&+RZV>mMPeK&N%+7fWKq2z
zF=1B`NAF>ikl7S)OtB#L#p0G|*`dd1;tAQ=;t#QBa;4dY_37!?W>=41$KOxdr`Uv?
zV}#{D`PX3p+;NR2+_V<wyQxm}?Rjox%SIvuir)}hdTs7t?C{_&LevS+Ay`sB(ip`8
zT5;$VRBwGL${w}GJYX0g4eHk&Z#T1ptC&3w05b`F{;VE-Pu_v*k;%Mm;4Q8@0N`vA
zWCl&3XiTrms?!PJ42Cf9qov0dIza;*12mH9R`+x`fiPRaJ?!i%*R7aWUZ0V}E3)*R
z3QmC@2uX+TN<=*`A3VJpg{9{(E-U0$!!y&Sh;;l+$#v;UY9cdO6TH9Jq>#2SWxS0x
zUfMz;k{S?OjR30B^T*G~pqdCc15((z2vLLR%RKqm7SpQ$j&-~mV003NTfx7pDx<q<
z<=5<kXF;B{C)itmv_}u(C0xf?73Z83@@x13=@^~8_G#q%N<@HY?{cq7)uc+)oW30h
z;bN8e@yb#u*ltBypG2C-#QSg=tt3Fwpyba#MtQDOB00q7JFn-DR9K!@JoXiEk*IOi
zPiKR41F@!L#=~mlO-T0JPr`siq4<60tNYwjiEtANBwds^Ze5Q%D$0T`<K#}Ic<Eme
zA~J?hU5AIunaSsRX~MvaC$Fo<G@<BRB~pOBHfrZ`<irANR^yo)pyUAKO@rcW%mp_5
zf)e#saf4pHe70lo6~N#}`ids4Bqu^4(RsYelW8mWvCHQ>2W^D6VICCijWF>^(<RgX
zE{=bmcC>$dJ@R?998^LdNw06oi%H5<eb2Y+?>c?Vw$tc{jT|pV<-n_O)t1IL*bm)%
z2mAlnP5p?B#zsZ6BLV?e4X@qI@YBVYq{L4v%H6n9?h{T#!;M)xBo3+^zFqSP^b+lz
zlC$%^XKbz=aRf4F_t6L&*WF(Gb<h7&bfhQ6ch0rSSeu4U)z(4y5aj}U0^E`vd3MUa
z8dx=wB+mZ0v3mP<)t_;O&SF=`MJ*WpQ&Q06mA3DZPx?j_4$OX9l2mu2KgXsPdQY2p
zlnbhz8`mrUHxQvDp%GL{b^4i}AKgD#?((`Rti8rgUl=Loj6IyNlUIJ1u^;zA?L&%C
zS#My<s&mPmj%JhHH#z+>Ln2}lH=B^nAK5>L`nRgz=~+xq?<l3QhaWhGaxmfN36K`C
z^LL4K|7>M&=85d5D-y{J7>zgye;JhZUCdT&_ePp|3M3Wc<FHV*^(ZVpsttC*TH5jr
z=>(oceYI4^I>9}Ei7wI9`9}12e&JH`zUCbY^33s2>2>KRHat??mfwZ-o{lqOc`0Ff
zskk?oKW~Ztl&tvUalzs%Rc{qBcHvC((1`29fCD_ldHo{$s7Agyw!dNIT!UDUkw`CD
zy}V(RDE(();9Y_Hr3+-&RqyrMJDq!R!8b;#KfQGX1aJ~_^Y^by5eA%mF4M-ChlQWM
zb~}}QvnEQ9hPjMe44GYCUC`cqK523+-nZ)S<!~3(6ZZ;Wg=mPC?>&yl>6}1%GojD(
zuzaVB-l3`QAF;jND$OZRvKdcq`~EJs_vAA6OS~4s&1grsfFn+&Cag?oR8doLS6sJL
z;3s{(#Ir?bf(dmU%GY}<H$!t?QhQ9(wrLu&`0V6uXhaAQVX50wxK@p?#dmyTSq;(Y
z7pp6GceQ?{Mw}h-IXV0^$U4?c)1}iaW9Pn$ELtayIHCJNH7l^@fAZ2g^tM-bpmFwQ
zV!dlm#+2#HXl(D$WU`F7uW4v#s*0NT@BQNfPlxl^!>^5igFt7yJ-2U#(S&1;{rn)m
z&T!`K%nsS%jiqoqErR<M)7G^i!?Smv)u$eH=#O2O^bDkT&gu$`usw8!`CA|>7}UH_
zka)Pv($Pd^&g#I?VF4xi*K!A)R9W!hP3e~nJ5%C!JQ{6lN_c2o=t}wP>)Lr>OYh#s
z5FrCp9Ipc?f#?~jS@EJVHFKKh;BV8J={rrfi*pMb@Al#^=w%+Bwqw08j^1w!&wQ94
z_RGpe_?Fn7V*|CPdb`%@yi-Zp7}cg72S&jmaGxuWW2nYm|M8`B#aV3IFE2fBZwrz?
z&13Y)mDrU(=WyND*7nznlQAOK;onq==koM;c6K&*gKtZh(t8(&hSz(8>m6gPYI%8I
zk)DYkDfK?>8|m%8tij87A_&~T>tHA-dghnL{G*Z=8IAe;pX*Z3pXu_`e(Mp$pGg;W
zB}8pO1F^G_Z;MO>kRAll{rc5pXqTXm=B42;_m5(G>n3<zvoW2DbQXYP1*a){ufO`T
zJNxft$3Mqo418CH=O1*twd@m`0?fmF<AjQXl7oOFqA!Q+>1FXbW<yhOV{&V}+M&Xn
zl@gGRv3TC02sTr8BGhZM@->}<$L=|E9<h^9je9aGo4VN%l>eaH*v$-__j8<Q(IJDN
zRw0Ip&uN#?{94cAn&Ky^KhAw0TYqj4BA)oC##`#^Rz@P*-8mi+Ryg#m5aVa+pqowp
zv+k=QMi!lJGf6gj&3)Q}=CSWab=usenm8)N3^nS*mkE@o?^wxrtzOYa0XGLnXU*U9
zhn7ViwAE<)TDf+<zHu(s(~Y%MQP!F5-Tj}QfgNNz2JmCF`lVXFGATSA--+ih>0jAw
z^mo7IZ0@6cYwewU@=|1}wQYwu9!;MbUJ}@+z(l-Y(80Gs*o|j+`)56|o%#Oqfc%>y
znw76MJPlsG{(L{Gn}2D#o1wJ9nfY#!^@t-(#>H@xRk;)CAuq7RqUyJ@u9E59aq;TK
zHtOSe&xR3A&td;>ySL@6V?8)%y+|JWyN|4S4$O!PH(8lG@%Gum-Nl#}Z<U>H9(+wM
zuy)bDX<`&T;2N<~Irl1P^?LA9heE87rQ3aXx7%Dv{Drx4cbdhSu;_;>(~fjlJ{t#*
zR5iCH@2;tN|GsHg(yio;6$jno>r;xBmp*p6O?9>Pwzi(_^l)vR&+aO&*`2&i%rj7^
zL`6Bg{8vY=%AMxD_ys1+Z)Hw)Z3ui+)og#wU~n}^@h9`AV3jrFtRHyvqiWzj4|EsS
zPxSUEg6yjmRsK~jZmu0q*(aM?5kByOZH0R#SxoxzLO<Aw^+*(yZhOOSIR=Q#@Fp5>
zaC*%i6&S^njr}$+DFHx90QQ8u&KJAzV|VV=S+7KNWyyG&zQmG%B^%k#{6fZOVIrdv
zk<6rs5bOaeisV7&xCv3Nbg*&GYVmL87l8|-KpW_AL!LMj^(v880ysxanwWHOA=qP3
z5<*fG`SFheHRi2rL|}-ppT4l8JkLQS#vXl#?LO!Cou7mNMLc60@lcOQKeW2;O5|d;
zlBX#@Vk3G2v(x_*_21C??(=@J{OG;2!lZ3-TbOG-BqU5dW49ata<M|lPl`nz<d!rJ
z3|W>gJXXz#2V22+R`B_V_-Q!pA$&H=Ia=4G!+YFCgmxTd6RvemfODKBTny-Y=@r*G
zn8}uhP(nZyF~5q*up>0Mw(F5u2f?;99h7ax`LpcfK<o=*Ga-|5u5-|g3%&PE7=-&i
zrZNZ9&l|F2)(I?!0=Xm+gb-1|oEbew8<=#EV#@=RNHmUiWQ8AYBoNE4!JAI@?AFB?
z@}0mu({OA&RM<Ias>t}VKhNTsoM*Q!>^P12pe(<|b_OkWSv@T;f9u9KnZ<qx6Jm`5
z%PC-oRt(xhJ3{VyQHT|Jw~M;{z$FiR`t}WhFJ~XB>IcG&FR=0jMRuRM|De4C$r9tY
zdLTS(GsC2>6F7K`nVI0w3WCA&_b&86nbGDV>}6#t1)q(<OS?ilx``X||HQC4%^!70
z-d(Khge@M8?J1PWul>9ordK<WU=0g<=XduA7iWZu^Uhh|8G{RFKQ+_~92`dlfavx-
zOnF<(^XKx;Xcj$lBKe6D?OP$cB{NYO<1!32?+qEVfwj->;po|dtCy9iVaIsM=o=UU
z&@_P!hkiszdn1z7t(RigHs?*3%Mgotij@X7T(dh;2aWbCd#4m&{hNvt$CUMomytWK
z2Gu|BP;?6VtOW4r7KCMmF)78yO>0I9r$_w1-(1n3WlzWSaZsmVL7N3*HSpu3vX(gB
zvN(CYT)WEK&v^r1s7M92cnYZF$=jo_rPgK$<^CAsHz3!&*ZC5Qj3Z28s@dGb`^J<V
zzm0|{Q$yEVe9dosIJ$CSV>CTl(Ig3i4MI9i-`c^a7Y|km9fLmPi?6IUk+h2Tz{bu2
zVSWY<W)KvMS+&mb`4{~5m8!r^{ud|IjY%)Wkzl_Cl|X7|x7vm7JB^y+O&6jlkK&(4
zV~Lq`))4}%Do7wJZys&79ND8t4Xw3Hd#Nn%0LZG#LI0?uFwiEc`M*rVwFshdM-Dh!
zog{nW>0+~-bFx}Gim-a{5QnNJJU?=zi%c!e-d8y&mVZeZsB5H>%``r-9>UW&5Ahh{
z5B}RX`{Vr;oC?|3m=+W--mqI}5G?Gwj-l(W7&+$Go>ZnwpIq{qUDCTpNOw%f>`zbz
z-a3z=y~ON176f(^#-1Ejk5#&*CW|N1|1yr9%KxOp#Qt*_ild&1Uif)}=!v-t*J|`(
zeBuB1&Efz0*}-YdpL?}J2WzWsM$o&V{@6Xbm6ym2fj`#zYsYY&_zplj3GP>W?s*=E
zEjoYLIG(@7c}aYY0Mx&o9=;pUs|*9#6BzpZ@>{+sVxGeX8H{1e;P0$4C2EutZ(SEs
zr<Vw3cP^dK3%4RjXV2J6uAd(&Y7l5BK9ZV=H5>F@5jywyd9M<9e1pfHD7OW&F^1+S
zv&>?rJNS0Q#>5Xy-_5fdmG&S+K}Y^?7<g!*|Ebz$9HmVfd0WSwRSLbOd?MMidxXaz
zX@U1JzTlt7$ABvs0rV4t&Uc!hYsZdQr_BA{rXDpBqdXo@Sc=qcl7|)ITw7xA*^3d#
z<YRByEysa4FlK{r6^6meyHXx46jm&b4tAFbs>r3@!%}(ECEYr7@if2hY@(Qm3coI8
z%G%^?CJRsWdN49aNEpv#w;Tm>Q3}ZOy>G&jev=HH@C7M?dHI#Mh`%S>?J5cM)RTj?
zSziQ}>k%803q~KBIGxg?#CXo2E+0Tn*~|!!qrVxi10Z(i5~&C(1F?HVpGr&N=jx7g
zuqa<oepXyf<Z|GV+wTl<A5L=~j4^TFtp+#o6S-2cH*H6Ow+8w5q=_a0_52<bhPPpW
zy+DqQuaKj>o*k<Hp0C`VzsiIuECw<s$)smB{mVUX?v-LEL9;M}&umhGMTSIQzjUoX
zraK;I(^zs1L$L3ng&Q<br<lOPO~u7<J;!=iAQcrAH8(=0%h@jPEpegW3h4=6`fbPG
zyp^d5cJWSrW&J3F!QfcVy?>@Mhhv6lD7;vFTj|Sp#2Ym4rwPby!Ead$#rg;A6$|VB
zNO&2~VKjsOZVf&8c<~7nY|^*evzM35`}vg(!g;Q4?NWL7@S|m>3;pzka_iLtt^_*t
zAQY0$14UlGF<k;HfzaF8|K}>L$RbS%UodW5*7~^~0pJu4#XehvvkWu2Sv{(fBz{9V
z@pUC~c)BS1EuSLT_R0X*aS%8b6!AFxous#Qs+i9oN5oy}``pT}dadt;#fpG&9<KXM
z)`~oQV*$*Cq)tX?r%Y&GC+N)0uJ>5?1GxkQp&tMFhLY-xCf)Iu4GxVXQ=`+4o%+Vd
zv_2PTeT_2DBbDfLr)LZ5s)9e*Uk)(E%Qen+Jn|ab=7NXL@HAbrnNQ-Vw^=YDFE&V4
z)yu}(swZv~y*9fx8ai|*{`<+F%!(C{Jst{9<^byT)$sR81M4q?mu0S#sR&tKQPehR
z$o5`hEWCU|C7EhtNu?PmlgMOpe$BU|8oedSDMV>jy~B!Ro8}dhvtLAm4mk5SWB<d3
z!8(e$8)Y^#H^noP&CpbL)Z`<KAs9$QFa3*i#?dN#x)N;{2*riV_2;&RTBbGq>VOKc
zZ+>})hmvKIvunv-JSvt~-@eaK@%$F#IDa!9oW@Hy+Hfp+<1gw*T1)9HF7T<pn!Ni#
z97Ew<>FO1d)*jd`>#*kpo(c?wL3cXd&u0LQii#?pS0M<Bbr?yUq+oMu0?V{24t_Pj
z95Qcq0-=@~AmN+)KIvw2A{RGzYjfAoo1{q3hrioHP~z+w_{FO>Wl9LYbnFWv`Vc{$
zLTA5HM^SgAxa+vzx)fUbcz=fVULq^lE^>or(tS7nL<R9Off6mj3g$0KJ|K=?Ah5Er
zjjLQ7I)lB-zjY71G2>mqsY`JkNpHJRv^iC7<OuH|CU7N~&qsKlYp=y&?b3qY)@Q03
zkaRr-T6F0W8@`Ia?5)P$8CiR5ed&#egYRq|plo}@bC}Za+qdtr(SV8pzoJv_iwZ5^
zE}i43A|Kzsa*A|^kX)*<7Y?Qyn5S)g8H*(3Whc+iS?UQ*CdmB>;8X)oGjo%_ZhK%p
zG3%R^_HDl<9#uf7e65PlQ<dnKcf4rWeInuK6F+sbh;9;bv$%?q7)umW)l>z|2dHv7
z4_3Qv7EJJgfq}dFbmA+3drXp~iz}Z#x3&#`oLN7N2)OfLFt<0tXA+H?ot-?H5fVBQ
z{qkgrKxAF;Eq~*$TNe;Y9BAe<wU%4^h^?%ulD#~z14v)-@S)qTcy_;VuwuocA_(n>
zdw$E<3}n98lYIzd|8glp7*+zeecQfgbc+Lo4hY&Jdm@Nrl8VYkR`xrU$E+{(l3b`|
zvIrxY;k?H>7-5D?5q<aHXzdpyuyS(VAt$B^ttXQ9-DnS$Pv%2>@l`K=v?T1qAT(_{
zp_$Kas0N8QvUnWF!>hV|=cfZ#F8O5TyxcV7o+Q}#KC0x{j)yS9Xy$8-#!94pa-6ss
zwVXBA<Mvq@L{N{>Pr(V~9EU+eX3@Fn!ypY`s@sd$;Pzs2`Y+6N*bIF^;^XFpza}=R
zuYRFv4Dq8{dHaBHZMMQ5MQ8MS&#enhbjOfMhZ%l|(<}%B9n*UrZGgYnzHvyFr_Jln
zx~%Zq+EQi(dJR{?UM*Ebw;5`OQ+5^^D`N5clk#iX$Y3*S8`RU5Dc$`|1U?13i>{%q
zP3ni99kdF}#x`?ya?OhEf+wTsM)!J|`ggLN5NiKb;2;Am9Mc-Ox6%v1_A|`4065~7
zh>HCYUdpuN{iEdzE($vpv|3?ND}f7&{6Pcs6BqEt{;z5AGRr@;*o<zKJ_`^f)7imR
zCNN!nuFu+Bj~tyXJ~EZqw?VRKO%dLeaX|iXd-<QUor5?c6^p7NS}?@0m7ALav&Wr_
z(o9NZvmDRg{<gb>&2qe=`1V`47Z?M0W6E%8z1n+MT|s(?(i@)reeUZ^Q!7cCT@O#j
zylo!}cS}{(uSB3;9t4)cf4<bc$Mz0bvwkW{5M(HNCIw=f*Rxqctyxoq!rUavVc4Gm
zciRsZ)Wk7KdjeKn==e*d(z7m0WHvl)`O@}TzVb0!E!FMxZbY1t8Vr3VHz5zu@1eWC
zMpSewQ8|62E}yfGgz-Kv5W%5C317;O&P~F=svWw{g9Fela<K9dpzjR)lVXiWU!nT%
zI|q*wA$|s7X9=|`7NWI;74}@reA(GVRsCwnw=@YXd=l6?+=0;8yPqm~Cf$csHktw5
zs+o_tr#=@;;l23k-&Yt&pQbk`ZM>BVzBl&^#{8LZCj+ox)`d%|mGb=AZ0N(!Fk~To
zYemSwna!Pra6czLS#2hmaB;$r<>ok8P_@FT;36uX773#f*rZI#Hh#3MHXLnn-*2gD
zBl;0CCW!fHert)m4^NwUvme;`-(ekYXY%y|auAM{0C_?*jNF!B$6x5>G%>?t(92Md
z!}?yO?y+NcT`1x{g14FC9fV@AV+9cv;+pU?{cwnwp)9@wp=v^}=)+r|g{`OXrvIDK
z15haxQJn`T;~=AM1Ta6W+-4QY<4BQ$a&*6!dS8OGO%{>k=XzkR7ruJxA8QK;9Yrxv
zI`tV?B@JFt2gle9=-kJ6n(v#hO&jVng>Z_C&XmGCHut;Skl%ZA<4|6wQUt8WV7_pR
zsiN;MJoQqd@t^m5h?91L$v`X{liy*h$n``h@`T}Q{y14Y8BiWE6GtiIWn8lZU1USj
zGO&PzMq`s;^h(!_B7T#Ti`B&k4jMUS1s5g>RaGOK$p~!%sMxuLJBU7F=FBmPikfyr
z)TjO-s?f}*60405oWZf(oEABG!~v`w(#1^t4pUch7L6nnU^6Kn^Q$jH6OP@7NE!Hj
zVmv)|*BPW^E)=AS)G}|RI=0*IR@lNh+=7revfHavG}d56g&qzoDk{twU`|Nqir|OV
z#S6j1=I88F6(y=fHs+X|D_Ap##{~{-<^@#+JB^`wQP0FJG9|9#X@4zGfw7<t>7-+L
z@&&&xCE)$&5Onpg?vjHE<gh+J)wd$LMlN7Y(uf)Gk2myhDAM$wv43wx#)>7_+}V2l
z_2Ls%rws@ocqrde|54f)Oj9}7Iv$w+33;S;0_?`4M|SVd(tPI%O~wkBaMdDja^bGJ
zBT!=_Ur(3}WV=boL+IgX?(a{G6Ia!=0D`x}?T_KL3~zRXMI0-f1PqI>b}Is7zrs^z
zt>6V49-PO$fKjgWG!cAyF?l9d_INE)3i9^Ry)fm-&#FpyC!iBx_Eh3V=sl<y9b8~!
zf6v|BpWwl2ACIrhKC%bChM{Vpg*)W7Fo8@E{~|!l@J1Jr1<wF^B#6h8p2J}{_hC>X
zE_1zfphRO1-ULaL7`tskVxgW&5$tm??_B{7MUc-ct}Ehw!jw|%w7;12aTeqSKLbF}
zqFUJVSu?|(ZRaxb1Nj-O|3z#qdD3M>d#>`eQ!a&7mdq6L7UlyyXXfW9kxNV~wT2NH
z*c%WW{CgP8vXIq9FM2X7t4uvKl2Z2WH6Wtun1eYNlGO~Fk+Z<?08rQxyef@|5u1UG
zUt3xek26@4x4=}+Za-;JRaxK&^=Ceyl!PW=n{zMm0D_hs>tH<+({1brD@~hE<YDcH
z94?Mea=gHDa}b`L9n%t|8n3D_MSkE)g%T6%Ug1mw;4!EuQun1}{^ufyEk>>OPUXq`
zTpn5-!bW4?s58O9`s5~h1i1<|=#1-Hi8`5z@fjbU_%?b{33kXMf9ZPzwl<a-pkDYL
z0k2jfS-BXc5Ll!|Xj{s+`L0I^;++pet7+EuU@rRsH&pqF!MW-Hi#Emn3(T}bf=ycR
z)14}o!tr?@2B=bj^%;ZIgX2IM_P{Kw7Qe=V%n_w|rdha!=*qB=M~{M{b7C?hNQO03
z4Gj-_2rrXNeB!lI-$%Iz?Y%(9drjpG9zqLLL=Ed~sG)ssaLoW#ZblH)p@i*dqV#ZF
z9~YwqX{u0erjb<10MPFPS@)eDHY1;q$O=gv!zfAkjEZ_3qMSnFT?hKjS}{XBv%JQJ
zSV0bY?M7;l2>o+30uibR4-<qk9$A?Y(X^48Tu%1Z0Ej9O4TWtudL`gF|KQJ4GlO>4
zjp#FdgmA5%-1;sghd(O7-1RIM3&xmC<yt%7glV+$GIQ(=#wt3XVPb|x_~RU!<(39?
zDue`kk{}_$-+VEaM)HQoau$oBziS-v!>-zcy3^hQJ6>?&F9NDQh2M@tpe~pRdlsy%
z!Psng8bE+6S>mW?_YZ!<K=Vb9w(<EuCafGmq!q1bg50Ej=<;@EK*3Lf1(PLQf`-Lx
zqaU`=p6=DW?G{Z36~fc{Zc^wCJ0{J9If!*Z*i-g^u$w~(Lf-2wxZ@A1?tJ<Ihl38}
z@ipnOYGiEvGM6E;C*X@I^Nh9x=o8VhToz=PhDBaCJPTI}cQ$4lle%mtj#z7e=RdkG
zj?j@6npf;CCOr&Hc%(7HwWdr1Z6I7^(XVE5HwBaLMy6U6TKzphYeK#d&e1duG6Cla
zR0>&rs1#DlP|dTpZ7F3&8@8C)k%a0CfAlC#PgJnQL$zB1%!n|dF~Mk|5z)Z`n+d1@
zOA<7Hmws6G>fi>qYe%C4Hv5na?sGH&B1}<?Fm&5Dwy>t;-H8mZ@ES<-Eiip_JTq1(
z()lYwe`{(ClYD?j`4KC7igP|w)n2nuc*)<OqH;o@$=eU)w#-Pct0D;H?mWkq9x}kt
z9{?3ixA41peLP@bPGB!bkpuKujjSMGK6TrYC&sn^M=_n+906-q)DwW!uv@ib2AXkm
z%`xUk9uUq7cmfV;uPGy0voBbkZ`X14km36m5!`YAkcyzaTh@;vJtP_T@T<%Y3Wgcl
ze4>6|;ruH?Q`m0$dTrtE90As(SP-cufU#1Wx5k`W4hZum(pV5lB8d$~eRLy|=IPo-
zA6@!ycl(UrUl3%?0X|$=U~~7~jRU-9OGbFhRQrO~ZqU{_xP!>RfGx1NVQ=1Cw#`ai
znD&nTTgff6Ng#~@E&#)WjI;)B{@Z%j`hU0l(V{;j)J6*4`f!J9q8gDzXftS-{_>W?
zMH{WDtYkN#mT~T_M=z^+Z9)|{f6dDGJ5t0NWB4uXf{!MJUKqEYoGbO_UG53WE&`>z
zH5?UG(~Bno-qSu-OIS>NPgZ<Ukx{Q@<Trb;7Uzm9DYpy%uBvH4m|1eb6zRqY=W_5*
zFNt_2-Gk^UCrp|fyEwic*p+kX6h`m>?e2BIu!hS$Q|Fe*+n^~mhojqPj_xWdI463&
zFX%#<4n1)2R*oc_>Ten51lhnwn|?o7*|b;ExL~dFN7)H_plxBBq*U6P-AA|1L1P#e
zQ;y*`o(mLSvRJy(%Miy&Tsk7#^5tc?@&pWhcwr3HJgrErUYBC;*@trPJt*aw;f6`M
zo%^$YNz8E5BR9V`gACo{Hn#iShJGs9Z`O0B{ut)sylgv%z8?{gq@~AFnA6Y%ZS^UZ
zL-)7J*A0qY^q#5^FWo*n+%m}jS-^K8Htbh1n`NXCw6!+`R=y(x!$Yz<pSt?oCn~p;
za@prN4>#UaRClT2mSJ*?`eb7<5}QcVhlmq%=TC1AH3{C-r5A3E{AFwTry$~|Hhi2X
zkTw9_iU*10SbcxnPxj%Svkm#KS10NlILoXIC~ot^S28~9EZywZm+(w_0Hrh*fYxpQ
zTW~&L$Lpa_VYN~!D^J)EgUFQJtUIU9%ncrxR^CIAWDd0hV}WR$&U}z}h|c(_8(kON
zrZnf@7>ePDwq^FOb9`#~YShnH)HeeE&cRq1gHr^XkapQ)wIA9@F5)j=IV@(_?uwu4
z<(iO3%u`H0Y;Fw36rR2-<{R(*vS%hj=!vR+Eez1d?xWjB@Z!7n<(|K$VRUn||CXCs
ztiY8eM*ltQ6gE~bkK1nZqr1#Z6H9DeYN}6Il&sGuiWrbmRP{f@s032$%(KqRJW{@y
zdH(7dQxg-D+wjlZ+j}#lDws1jCpWk6QDS1^_x2AKrj>mDzU>89v@@VS?t@P*Rkw5P
zRupP2nH(SwIoS>jT3zlObY`W4=3Pj;%cP_C(;2Uo5ZQxLs|xQY9ZtcADPs|6#Rt6q
zAnzfy+3`r_Gaii#w?g6OSpgVpM$U7k-0F*ek~YZcTU*m=@jbux&~|_{A3{cS@>hog
zY_n_^mODq~bG(lDom?Uxzz{)m7S=;XTgvWd_Fne0A}QoPmC#H7dXVO$$Vf%>h+k9u
z73FRPt#3_b_9G$6+U1rotqB1O%Be#1_QSUY$g{)KTWbyEM5O<Y)k>;3c&#fQehZgH
zeMZA@3pv)DW_G%^78M#-O}u+no0@8D;#Bp+AbFn%Jzn+C;&hYL9p%TDk3BV$=y)?z
zJ+$jft=7#X=8&yG?KI_1DsA;xey5k+@~G5<AIaGrXQIZwr1`vh^?G3FgYvF;RpRy4
zI_(LPXVOk&Oxx!edi`;g#NXAI*L7DqtMJ-VrfOxkeoTBRl>PbX@F~~MGI@oo-48x=
zdoKn{-B$Klt$f>4`{z~Fq{C$#O>lJ=^TnZ*`MsqDyvonK{tkG0f@<!~8;puVC(b6-
zp1iA7j~;ji_!Tt@q@4h3(GaSYkDCSEyZ7M3ovq~_!^)k5?^t0jxeHN)niU2;lRxl*
zPL;w%e+^5etQdC}3Mc%g4-1|s2{nMx2#J-!y!`VA0{kczHkx7eQ3LoAP&m4PnYH-C
z7by%@I2z_E%+U?-A`W&rqBz)<LL{-kuKn=38+O$qt;{ZH)>0ba2Z8eU04t*l88h$)
zIsE7!;s4#BB9Nmu&<<HKD=_YlAfdL<nL|>TL;P!81Y9`#$^WnXgSF@XmQ`o}x9q>h
z|KqY_P5<po;@{5xHU5vC!TT@`@R5+mlxrI_b5;!51;&N`Kn+$Jq1bd`6%n3^Ga$gm
zF+2b`WJ3`!CHWOT=zu*=U@hz)ljZ-(=3nFg#^fLMGijV2-AO$x0REjkp?^F_lj{FJ
E0E8NoSO5S3

literal 0
HcmV?d00001


From ed8c8bedcd3063249e9c90a47ef682fcb5ec51ca Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 21:46:11 -0700
Subject: [PATCH 181/314] Add picker

---
 .../[orgId]/settings/logs/streaming/page.tsx  | 105 ++++++++++++++++++
 1 file changed, 105 insertions(+)

diff --git a/src/app/[orgId]/settings/logs/streaming/page.tsx b/src/app/[orgId]/settings/logs/streaming/page.tsx
index a89c961b4..84b201260 100644
--- a/src/app/[orgId]/settings/logs/streaming/page.tsx
+++ b/src/app/[orgId]/settings/logs/streaming/page.tsx
@@ -31,6 +31,8 @@ import { Checkbox } from "@app/components/ui/checkbox";
 import { Globe, Plus, X } from "lucide-react";
 import { AxiosResponse } from "axios";
 import { build } from "@server/build";
+import Image from "next/image";
+import { StrategySelect, StrategyOption } from "@app/components/StrategySelect";
 
 // ── Types ──────────────────────────────────────────────────────────────────────
 
@@ -263,6 +265,97 @@ function AddDestinationCard({
     );
 }
 
+// ── Destination type picker ────────────────────────────────────────────────────
+
+type DestinationType = "http" | "s3" | "datadog";
+
+const destinationTypeOptions: ReadonlyArray<StrategyOption<DestinationType>> = [
+    {
+        id: "http",
+        title: "HTTP Webhook",
+        description:
+            "Send events to any HTTP endpoint with flexible authentication and templating.",
+        icon: <Globe className="h-6 w-6" />
+    },
+    {
+        id: "s3",
+        title: "Amazon S3",
+        description: "Stream events to an S3-compatible object storage bucket. Coming soon.",
+        disabled: true,
+        icon: (
+            <Image
+                src="/third-party/s3.png"
+                alt="Amazon S3"
+                width={24}
+                height={24}
+                className="rounded-sm"
+            />
+        )
+    },
+    {
+        id: "datadog",
+        title: "Datadog",
+        description: "Forward events directly to your Datadog account. Coming soon.",
+        disabled: true,
+        icon: (
+            <Image
+                src="/third-party/dd.png"
+                alt="Datadog"
+                width={24}
+                height={24}
+                className="rounded-sm"
+            />
+        )
+    }
+];
+
+interface DestinationTypePickerProps {
+    open: boolean;
+    onOpenChange: (open: boolean) => void;
+    onSelect: (type: DestinationType) => void;
+}
+
+function DestinationTypePicker({
+    open,
+    onOpenChange,
+    onSelect
+}: DestinationTypePickerProps) {
+    const [selected, setSelected] = useState<DestinationType>("http");
+
+    useEffect(() => {
+        if (open) setSelected("http");
+    }, [open]);
+
+    return (
+        <Credenza open={open} onOpenChange={onOpenChange}>
+            <CredenzaContent className="sm:max-w-lg">
+                <CredenzaHeader>
+                    <CredenzaTitle>Add Destination</CredenzaTitle>
+                    <CredenzaDescription>
+                        Choose a destination type to get started.
+                    </CredenzaDescription>
+                </CredenzaHeader>
+                <CredenzaBody>
+                    <StrategySelect
+                        options={destinationTypeOptions}
+                        value={selected}
+                        onChange={setSelected}
+                        cols={1}
+                    />
+                </CredenzaBody>
+                <CredenzaFooter>
+                    <CredenzaClose asChild>
+                        <Button variant="outline">Cancel</Button>
+                    </CredenzaClose>
+                    <Button onClick={() => onSelect(selected)}>
+                        Continue
+                    </Button>
+                </CredenzaFooter>
+            </CredenzaContent>
+        </Credenza>
+    );
+}
+
 // ── Destination modal ──────────────────────────────────────────────────────────
 
 interface DestinationModalProps {
@@ -898,6 +991,7 @@ export default function StreamingDestinationsPage() {
     const [destinations, setDestinations] = useState<Destination[]>([]);
     const [loading, setLoading] = useState(true);
     const [modalOpen, setModalOpen] = useState(false);
+    const [typePickerOpen, setTypePickerOpen] = useState(false);
     const [editingDestination, setEditingDestination] =
         useState<Destination | null>(null);
     const [togglingIds, setTogglingIds] = useState<Set<number>>(new Set());
@@ -972,6 +1066,11 @@ export default function StreamingDestinationsPage() {
     };
 
     const openCreate = () => {
+        setTypePickerOpen(true);
+    };
+
+    const handleTypePicked = (_type: DestinationType) => {
+        setTypePickerOpen(false);
         setEditingDestination(null);
         setModalOpen(true);
     };
@@ -1018,6 +1117,12 @@ export default function StreamingDestinationsPage() {
                 </div>
             )}
 
+            <DestinationTypePicker
+                open={typePickerOpen}
+                onOpenChange={setTypePickerOpen}
+                onSelect={handleTypePicked}
+            />
+
             <DestinationModal
                 open={modalOpen}
                 onOpenChange={setModalOpen}

From e06f2f47b18da9be2eac3b50ba14a4220a4a9c5d Mon Sep 17 00:00:00 2001
From: jaydeep-pipaliya <71074587+jaydeep-pipaliya@users.noreply.github.com>
Date: Tue, 31 Mar 2026 11:48:56 +0530
Subject: [PATCH 182/314] fix: show contextual toast when saving with no
 targets

Instead of always showing "Settings updated" when saving, show
"Targets cleared" when the target list is empty. This gives the user
accurate feedback without blocking the save action.

Fixes #586
---
 messages/en-US.json                                       | 2 ++
 .../settings/resources/proxy/[niceId]/proxy/page.tsx      | 8 ++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index 895ee1332..478b64d44 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -568,6 +568,8 @@
     "targetErrorInvalidPortDescription": "Please enter a valid port number",
     "targetErrorNoSite": "No site selected",
     "targetErrorNoSiteDescription": "Please select a site for the target",
+    "targetTargetsCleared": "Targets cleared",
+    "targetTargetsClearedDescription": "All targets have been removed from this resource",
     "targetCreated": "Target created",
     "targetCreatedDescription": "Target has been created successfully",
     "targetErrorCreate": "Failed to create target",
diff --git a/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx b/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
index 51f11a2c3..795c9adf2 100644
--- a/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
@@ -774,8 +774,12 @@ function ProxyResourceTargetsForm({
             }
 
             toast({
-                title: t("settingsUpdated"),
-                description: t("settingsUpdatedDescription")
+                title: targets.length === 0
+                    ? t("targetTargetsCleared")
+                    : t("settingsUpdated"),
+                description: targets.length === 0
+                    ? t("targetTargetsClearedDescription")
+                    : t("settingsUpdatedDescription")
             });
 
             setTargetsToRemove([]);

From b50886179ab388433951b34f07269551ab888da4 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 11:43:52 -0700
Subject: [PATCH 183/314] Implement fixes to ui

---
 .../streaming/HttpDestinationCredenza.tsx     | 731 ++++++++++++++
 .../[orgId]/settings/logs/streaming/page.tsx  | 935 +++---------------
 2 files changed, 873 insertions(+), 793 deletions(-)
 create mode 100644 src/app/[orgId]/settings/logs/streaming/HttpDestinationCredenza.tsx

diff --git a/src/app/[orgId]/settings/logs/streaming/HttpDestinationCredenza.tsx b/src/app/[orgId]/settings/logs/streaming/HttpDestinationCredenza.tsx
new file mode 100644
index 000000000..653b766b0
--- /dev/null
+++ b/src/app/[orgId]/settings/logs/streaming/HttpDestinationCredenza.tsx
@@ -0,0 +1,731 @@
+"use client";
+
+import { useState, useEffect } from "react";
+import {
+    Credenza,
+    CredenzaBody,
+    CredenzaClose,
+    CredenzaContent,
+    CredenzaDescription,
+    CredenzaFooter,
+    CredenzaHeader,
+    CredenzaTitle
+} from "@app/components/Credenza";
+import { Button } from "@app/components/ui/button";
+import { Input } from "@app/components/ui/input";
+import { Label } from "@app/components/ui/label";
+import { Switch } from "@app/components/ui/switch";
+import { HorizontalTabs } from "@app/components/HorizontalTabs";
+import { RadioGroup, RadioGroupItem } from "@app/components/ui/radio-group";
+import { Textarea } from "@app/components/ui/textarea";
+import { Checkbox } from "@app/components/ui/checkbox";
+import { Plus, X } from "lucide-react";
+import { createApiClient, formatAxiosError } from "@app/lib/api";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { toast } from "@app/hooks/useToast";
+import { build } from "@server/build";
+
+// ── Types ──────────────────────────────────────────────────────────────────────
+
+export type AuthType = "none" | "bearer" | "basic" | "custom";
+
+export interface HttpConfig {
+    name: string;
+    url: string;
+    authType: AuthType;
+    bearerToken?: string;
+    basicCredentials?: string;
+    customHeaderName?: string;
+    customHeaderValue?: string;
+    headers: Array<{ key: string; value: string }>;
+    useBodyTemplate: boolean;
+    bodyTemplate?: string;
+}
+
+export interface Destination {
+    destinationId: number;
+    orgId: string;
+    type: string;
+    config: string;
+    enabled: boolean;
+    sendAccessLogs: boolean;
+    sendActionLogs: boolean;
+    sendConnectionLogs: boolean;
+    sendRequestLogs: boolean;
+    createdAt: number;
+    updatedAt: number;
+}
+
+// ── Helpers ────────────────────────────────────────────────────────────────────
+
+export const defaultHttpConfig = (): HttpConfig => ({
+    name: "",
+    url: "",
+    authType: "none",
+    bearerToken: "",
+    basicCredentials: "",
+    customHeaderName: "",
+    customHeaderValue: "",
+    headers: [],
+    useBodyTemplate: false,
+    bodyTemplate: ""
+});
+
+export function parseHttpConfig(raw: string): HttpConfig {
+    try {
+        return { ...defaultHttpConfig(), ...JSON.parse(raw) };
+    } catch {
+        return defaultHttpConfig();
+    }
+}
+
+// ── Headers editor ─────────────────────────────────────────────────────────────
+
+interface HeadersEditorProps {
+    headers: Array<{ key: string; value: string }>;
+    onChange: (headers: Array<{ key: string; value: string }>) => void;
+}
+
+function HeadersEditor({ headers, onChange }: HeadersEditorProps) {
+    const addRow = () => onChange([...headers, { key: "", value: "" }]);
+
+    const removeRow = (i: number) =>
+        onChange(headers.filter((_, idx) => idx !== i));
+
+    const updateRow = (i: number, field: "key" | "value", val: string) => {
+        const next = [...headers];
+        next[i] = { ...next[i], [field]: val };
+        onChange(next);
+    };
+
+    return (
+        <div className="space-y-3">
+            {headers.length === 0 && (
+                <p className="text-xs text-muted-foreground">
+                    No custom headers configured. Click "Add Header" to add
+                    one.
+                </p>
+            )}
+            {headers.map((h, i) => (
+                <div key={i} className="flex gap-2 items-center">
+                    <Input
+                        value={h.key}
+                        onChange={(e) => updateRow(i, "key", e.target.value)}
+                        placeholder="Header name"
+                        className="flex-1"
+                    />
+                    <Input
+                        value={h.value}
+                        onChange={(e) =>
+                            updateRow(i, "value", e.target.value)
+                        }
+                        placeholder="Value"
+                        className="flex-1"
+                    />
+                    <Button
+                        type="button"
+                        variant="ghost"
+                        size="icon"
+                        onClick={() => removeRow(i)}
+                        className="shrink-0 h-9 w-9"
+                    >
+                        <X className="h-4 w-4" />
+                    </Button>
+                </div>
+            ))}
+            <Button
+                type="button"
+                variant="outline"
+                size="sm"
+                onClick={addRow}
+                className="gap-1.5"
+            >
+                <Plus className="h-3.5 w-3.5" />
+                Add Header
+            </Button>
+        </div>
+    );
+}
+
+// ── Component ──────────────────────────────────────────────────────────────────
+
+export interface HttpDestinationCredenzaProps {
+    open: boolean;
+    onOpenChange: (open: boolean) => void;
+    editing: Destination | null;
+    orgId: string;
+    onSaved: () => void;
+}
+
+export function HttpDestinationCredenza({
+    open,
+    onOpenChange,
+    editing,
+    orgId,
+    onSaved
+}: HttpDestinationCredenzaProps) {
+    const api = createApiClient(useEnvContext());
+
+    const [saving, setSaving] = useState(false);
+    const [cfg, setCfg] = useState<HttpConfig>(defaultHttpConfig());
+    const [sendAccessLogs, setSendAccessLogs] = useState(false);
+    const [sendActionLogs, setSendActionLogs] = useState(false);
+    const [sendConnectionLogs, setSendConnectionLogs] = useState(false);
+    const [sendRequestLogs, setSendRequestLogs] = useState(false);
+
+    useEffect(() => {
+        if (open) {
+            setCfg(
+                editing ? parseHttpConfig(editing.config) : defaultHttpConfig()
+            );
+            setSendAccessLogs(editing?.sendAccessLogs ?? false);
+            setSendActionLogs(editing?.sendActionLogs ?? false);
+            setSendConnectionLogs(editing?.sendConnectionLogs ?? false);
+            setSendRequestLogs(editing?.sendRequestLogs ?? false);
+        }
+    }, [open, editing]);
+
+    const update = (patch: Partial<HttpConfig>) =>
+        setCfg((prev) => ({ ...prev, ...patch }));
+
+    const urlError: string | null = (() => {
+        const raw = cfg.url.trim();
+        if (!raw) return null;
+        try {
+            const parsed = new URL(raw);
+            if (
+                parsed.protocol !== "http:" &&
+                parsed.protocol !== "https:"
+            ) {
+                return "URL must use http or https";
+            }
+            if (build === "saas" && parsed.protocol !== "https:") {
+                return "HTTPS is required on cloud deployments";
+            }
+            return null;
+        } catch {
+            return "Enter a valid URL (e.g. https://example.com/webhook)";
+        }
+    })();
+
+    const isValid =
+        cfg.name.trim() !== "" &&
+        cfg.url.trim() !== "" &&
+        urlError === null;
+
+    async function handleSave() {
+        if (!isValid) return;
+        setSaving(true);
+        try {
+            const payload = {
+                type: "http",
+                config: JSON.stringify(cfg),
+                sendAccessLogs,
+                sendActionLogs,
+                sendConnectionLogs,
+                sendRequestLogs
+            };
+            if (editing) {
+                await api.post(
+                    `/org/${orgId}/event-streaming-destination/${editing.destinationId}`,
+                    payload
+                );
+                toast({ title: "Destination updated successfully" });
+            } else {
+                await api.put(
+                    `/org/${orgId}/event-streaming-destination`,
+                    payload
+                );
+                toast({ title: "Destination created successfully" });
+            }
+            onSaved();
+            onOpenChange(false);
+        } catch (e) {
+            toast({
+                variant: "destructive",
+                title: editing
+                    ? "Failed to update destination"
+                    : "Failed to create destination",
+                description: formatAxiosError(
+                    e,
+                    "An unexpected error occurred."
+                )
+            });
+        } finally {
+            setSaving(false);
+        }
+    }
+
+    return (
+        <Credenza open={open} onOpenChange={onOpenChange}>
+            <CredenzaContent className="sm:max-w-2xl">
+                <CredenzaHeader>
+                    <CredenzaTitle>
+                        {editing
+                            ? "Edit Destination"
+                            : "Add HTTP Destination"}
+                    </CredenzaTitle>
+                    <CredenzaDescription>
+                        {editing
+                            ? "Update the configuration for this HTTP event streaming destination."
+                            : "Configure a new HTTP endpoint to receive your organization's events."}
+                    </CredenzaDescription>
+                </CredenzaHeader>
+
+                <CredenzaBody>
+                    <HorizontalTabs
+                        clientSide
+                        items={[
+                            { title: "Settings", href: "" },
+                            { title: "Headers", href: "" },
+                            { title: "Body Template", href: "" },
+                            { title: "Logs", href: "" }
+                        ]}
+                    >
+                        {/* ── Settings tab ────────────────────────────── */}
+                        <div className="space-y-6 mt-4 p-1">
+                            {/* Name */}
+                            <div className="space-y-2">
+                                <Label htmlFor="dest-name">Name</Label>
+                                <Input
+                                    id="dest-name"
+                                    placeholder="My HTTP destination"
+                                    value={cfg.name}
+                                    onChange={(e) =>
+                                        update({ name: e.target.value })
+                                    }
+                                />
+                            </div>
+
+                            {/* URL */}
+                            <div className="space-y-2">
+                                <Label htmlFor="dest-url">
+                                    Destination URL
+                                </Label>
+                                <Input
+                                    id="dest-url"
+                                    placeholder="https://example.com/webhook"
+                                    value={cfg.url}
+                                    onChange={(e) =>
+                                        update({ url: e.target.value })
+                                    }
+                                />
+                                {urlError && (
+                                    <p className="text-xs text-destructive">
+                                        {urlError}
+                                    </p>
+                                )}
+                            </div>
+
+                            {/* Authentication */}
+                            <div className="space-y-3">
+                                <div>
+                                    <label className="font-medium block">
+                                        Authentication
+                                    </label>
+                                    <p className="text-sm text-muted-foreground mt-0.5">
+                                        Choose how requests to your endpoint
+                                        are authenticated.
+                                    </p>
+                                </div>
+
+                                <RadioGroup
+                                    value={cfg.authType}
+                                    onValueChange={(v) =>
+                                        update({ authType: v as AuthType })
+                                    }
+                                    className="gap-2"
+                                >
+                                    {/* None */}
+                                    <div className="flex items-start gap-3 rounded-md border p-3 transition-colors">
+                                        <RadioGroupItem
+                                            value="none"
+                                            id="auth-none"
+                                            className="mt-0.5"
+                                        />
+                                        <div>
+                                            <Label
+                                                htmlFor="auth-none"
+                                                className="cursor-pointer font-medium"
+                                            >
+                                                No Authentication
+                                            </Label>
+                                            <p className="text-xs text-muted-foreground mt-0.5">
+                                                Sends requests without an{" "}
+                                                <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                                    Authorization
+                                                </code>{" "}
+                                                header.
+                                            </p>
+                                        </div>
+                                    </div>
+
+                                    {/* Bearer */}
+                                    <div className="flex items-start gap-3 rounded-md border p-3">
+                                        <RadioGroupItem
+                                            value="bearer"
+                                            id="auth-bearer"
+                                            className="mt-0.5"
+                                        />
+                                        <div className="flex-1 space-y-3">
+                                            <div>
+                                                <Label
+                                                    htmlFor="auth-bearer"
+                                                    className="cursor-pointer font-medium"
+                                                >
+                                                    Bearer Token
+                                                </Label>
+                                                <p className="text-xs text-muted-foreground mt-0.5">
+                                                    Adds an{" "}
+                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                                        Authorization: Bearer
+                                                        &lt;token&gt;
+                                                    </code>{" "}
+                                                    header to each request.
+                                                </p>
+                                            </div>
+                                            {cfg.authType === "bearer" && (
+                                                <Input
+                                                    placeholder="Your API key or token"
+                                                    value={
+                                                        cfg.bearerToken ?? ""
+                                                    }
+                                                    onChange={(e) =>
+                                                        update({
+                                                            bearerToken:
+                                                                e.target.value
+                                                        })
+                                                    }
+                                                />
+                                            )}
+                                        </div>
+                                    </div>
+
+                                    {/* Basic */}
+                                    <div className="flex items-start gap-3 rounded-md border p-3">
+                                        <RadioGroupItem
+                                            value="basic"
+                                            id="auth-basic"
+                                            className="mt-0.5"
+                                        />
+                                        <div className="flex-1 space-y-3">
+                                            <div>
+                                                <Label
+                                                    htmlFor="auth-basic"
+                                                    className="cursor-pointer font-medium"
+                                                >
+                                                    Basic Auth
+                                                </Label>
+                                                <p className="text-xs text-muted-foreground mt-0.5">
+                                                    Adds an{" "}
+                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                                        Authorization: Basic
+                                                        &lt;credentials&gt;
+                                                    </code>{" "}
+                                                    header. Provide credentials
+                                                    as{" "}
+                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                                        username:password
+                                                    </code>
+                                                    .
+                                                </p>
+                                            </div>
+                                            {cfg.authType === "basic" && (
+                                                <Input
+                                                    placeholder="username:password"
+                                                    value={
+                                                        cfg.basicCredentials ??
+                                                        ""
+                                                    }
+                                                    onChange={(e) =>
+                                                        update({
+                                                            basicCredentials:
+                                                                e.target.value
+                                                        })
+                                                    }
+                                                />
+                                            )}
+                                        </div>
+                                    </div>
+
+                                    {/* Custom */}
+                                    <div className="flex items-start gap-3 rounded-md border p-3">
+                                        <RadioGroupItem
+                                            value="custom"
+                                            id="auth-custom"
+                                            className="mt-0.5"
+                                        />
+                                        <div className="flex-1 space-y-3">
+                                            <div>
+                                                <Label
+                                                    htmlFor="auth-custom"
+                                                    className="cursor-pointer font-medium"
+                                                >
+                                                    Custom Header
+                                                </Label>
+                                                <p className="text-xs text-muted-foreground mt-0.5">
+                                                    Specify a custom HTTP
+                                                    header name and value for
+                                                    authentication (e.g.{" "}
+                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                                        X-API-Key
+                                                    </code>
+                                                    ).
+                                                </p>
+                                            </div>
+                                            {cfg.authType === "custom" && (
+                                                <div className="flex gap-2">
+                                                    <Input
+                                                        placeholder="Header name (e.g. X-API-Key)"
+                                                        value={
+                                                            cfg.customHeaderName ??
+                                                            ""
+                                                        }
+                                                        onChange={(e) =>
+                                                            update({
+                                                                customHeaderName:
+                                                                    e.target
+                                                                        .value
+                                                            })
+                                                        }
+                                                        className="flex-1"
+                                                    />
+                                                    <Input
+                                                        placeholder="Header value"
+                                                        value={
+                                                            cfg.customHeaderValue ??
+                                                            ""
+                                                        }
+                                                        onChange={(e) =>
+                                                            update({
+                                                                customHeaderValue:
+                                                                    e.target
+                                                                        .value
+                                                            })
+                                                        }
+                                                        className="flex-1"
+                                                    />
+                                                </div>
+                                            )}
+                                        </div>
+                                    </div>
+                                </RadioGroup>
+                            </div>
+                        </div>
+
+                        {/* ── Headers tab ──────────────────────────────── */}
+                        <div className="space-y-6 mt-4 p-1">
+                            <div>
+                                <label className="font-medium block">
+                                    Custom HTTP Headers
+                                </label>
+                                <p className="text-sm text-muted-foreground mt-0.5">
+                                    Add custom headers to every outgoing
+                                    request. Useful for static tokens or
+                                    custom{" "}
+                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                        Content-Type
+                                    </code>
+                                    . By default,{" "}
+                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                        Content-Type: application/json
+                                    </code>{" "}
+                                    is sent.
+                                </p>
+                            </div>
+                            <HeadersEditor
+                                headers={cfg.headers}
+                                onChange={(headers) => update({ headers })}
+                            />
+                        </div>
+
+                        {/* ── Body Template tab ─────────────────────────── */}
+                        <div className="space-y-6 mt-4 p-1">
+                            <div>
+                                <label className="font-medium block">
+                                    Custom Body Template
+                                </label>
+                                <p className="text-sm text-muted-foreground mt-0.5">
+                                    Control the JSON payload structure sent to
+                                    your endpoint. If disabled, a default JSON
+                                    object is sent for each event.
+                                </p>
+                            </div>
+
+                            <div className="flex items-center gap-3">
+                                <Switch
+                                    id="use-body-template"
+                                    checked={cfg.useBodyTemplate}
+                                    onCheckedChange={(v) =>
+                                        update({ useBodyTemplate: v })
+                                    }
+                                />
+                                <Label
+                                    htmlFor="use-body-template"
+                                    className="cursor-pointer"
+                                >
+                                    Enable custom body template
+                                </Label>
+                            </div>
+
+                            {cfg.useBodyTemplate && (
+                                <div className="space-y-2">
+                                    <Label htmlFor="body-template">
+                                        Body Template (JSON)
+                                    </Label>
+                                    <Textarea
+                                        id="body-template"
+                                        placeholder={
+                                            '{\n  "event": "{{event}}",\n  "timestamp": "{{timestamp}}",\n  "data": {{data}}\n}'
+                                        }
+                                        value={cfg.bodyTemplate ?? ""}
+                                        onChange={(e) =>
+                                            update({
+                                                bodyTemplate: e.target.value
+                                            })
+                                        }
+                                        className="font-mono text-xs min-h-45 resize-y"
+                                    />
+                                    <p className="text-xs text-muted-foreground">
+                                        Use template variables to reference
+                                        event fields in your payload.
+                                    </p>
+                                </div>
+                            )}
+                        </div>
+
+                        {/* ── Logs tab ──────────────────────────────────── */}
+                        <div className="space-y-6 mt-4 p-1">
+                            <div>
+                                <label className="font-medium block">
+                                    Log Types
+                                </label>
+                                <p className="text-sm text-muted-foreground mt-0.5">
+                                    Choose which log types are forwarded to
+                                    this destination. Only enabled log types
+                                    will be streamed.
+                                </p>
+                            </div>
+
+                            <div className="space-y-3">
+                                <div className="flex items-start gap-3 rounded-md border p-3">
+                                    <Checkbox
+                                        id="log-access"
+                                        checked={sendAccessLogs}
+                                        onCheckedChange={(v) =>
+                                            setSendAccessLogs(v === true)
+                                        }
+                                        className="mt-0.5"
+                                    />
+                                    <div>
+                                        <label
+                                            htmlFor="log-access"
+                                            className="text-sm font-medium cursor-pointer"
+                                        >
+                                            Access Logs
+                                        </label>
+                                        <p className="text-xs text-muted-foreground mt-0.5">
+                                            Resource access attempts, including
+                                            authenticated and denied requests.
+                                        </p>
+                                    </div>
+                                </div>
+
+                                <div className="flex items-start gap-3 rounded-md border p-3">
+                                    <Checkbox
+                                        id="log-action"
+                                        checked={sendActionLogs}
+                                        onCheckedChange={(v) =>
+                                            setSendActionLogs(v === true)
+                                        }
+                                        className="mt-0.5"
+                                    />
+                                    <div>
+                                        <label
+                                            htmlFor="log-action"
+                                            className="text-sm font-medium cursor-pointer"
+                                        >
+                                            Action Logs
+                                        </label>
+                                        <p className="text-xs text-muted-foreground mt-0.5">
+                                            Administrative actions performed by
+                                            users within the organization.
+                                        </p>
+                                    </div>
+                                </div>
+
+                                <div className="flex items-start gap-3 rounded-md border p-3">
+                                    <Checkbox
+                                        id="log-connection"
+                                        checked={sendConnectionLogs}
+                                        onCheckedChange={(v) =>
+                                            setSendConnectionLogs(v === true)
+                                        }
+                                        className="mt-0.5"
+                                    />
+                                    <div>
+                                        <label
+                                            htmlFor="log-connection"
+                                            className="text-sm font-medium cursor-pointer"
+                                        >
+                                            Connection Logs
+                                        </label>
+                                        <p className="text-xs text-muted-foreground mt-0.5">
+                                            Site and tunnel connection events,
+                                            including connects and
+                                            disconnects.
+                                        </p>
+                                    </div>
+                                </div>
+
+                                <div className="flex items-start gap-3 rounded-md border p-3">
+                                    <Checkbox
+                                        id="log-request"
+                                        checked={sendRequestLogs}
+                                        onCheckedChange={(v) =>
+                                            setSendRequestLogs(v === true)
+                                        }
+                                        className="mt-0.5"
+                                    />
+                                    <div>
+                                        <label
+                                            htmlFor="log-request"
+                                            className="text-sm font-medium cursor-pointer"
+                                        >
+                                            Request Logs
+                                        </label>
+                                        <p className="text-xs text-muted-foreground mt-0.5">
+                                            HTTP request logs for proxied
+                                            resources, including method, path,
+                                            and response code.
+                                        </p>
+                                    </div>
+                                </div>
+                            </div>
+                        </div>
+                    </HorizontalTabs>
+                </CredenzaBody>
+
+                <CredenzaFooter>
+                    <CredenzaClose asChild>
+                        <Button
+                            type="button"
+                            variant="outline"
+                            disabled={saving}
+                        >
+                            Cancel
+                        </Button>
+                    </CredenzaClose>
+                    <Button
+                        type="button"
+                        onClick={handleSave}
+                        loading={saving}
+                        disabled={!isValid || saving}
+                    >
+                        {editing ? "Save Changes" : "Create Destination"}
+                    </Button>
+                </CredenzaFooter>
+            </CredenzaContent>
+        </Credenza>
+    );
+}
\ No newline at end of file
diff --git a/src/app/[orgId]/settings/logs/streaming/page.tsx b/src/app/[orgId]/settings/logs/streaming/page.tsx
index 84b201260..035ad98f8 100644
--- a/src/app/[orgId]/settings/logs/streaming/page.tsx
+++ b/src/app/[orgId]/settings/logs/streaming/page.tsx
@@ -21,49 +21,25 @@ import {
     CredenzaTitle
 } from "@app/components/Credenza";
 import { Button } from "@app/components/ui/button";
-import { Input } from "@app/components/ui/input";
-import { Label } from "@app/components/ui/label";
 import { Switch } from "@app/components/ui/switch";
-import { HorizontalTabs } from "@app/components/HorizontalTabs";
-import { RadioGroup, RadioGroupItem } from "@app/components/ui/radio-group";
-import { Textarea } from "@app/components/ui/textarea";
-import { Checkbox } from "@app/components/ui/checkbox";
-import { Globe, Plus, X } from "lucide-react";
+import { Globe, MoreHorizontal, Plus } from "lucide-react";
 import { AxiosResponse } from "axios";
 import { build } from "@server/build";
 import Image from "next/image";
 import { StrategySelect, StrategyOption } from "@app/components/StrategySelect";
+import {
+    DropdownMenu,
+    DropdownMenuContent,
+    DropdownMenuItem,
+    DropdownMenuTrigger
+} from "@app/components/ui/dropdown-menu";
+import {
+    Destination,
+    HttpDestinationCredenza,
+    parseHttpConfig
+} from "./HttpDestinationCredenza";
 
-// ── Types ──────────────────────────────────────────────────────────────────────
-
-type AuthType = "none" | "bearer" | "basic" | "custom";
-
-interface HttpConfig {
-    name: string;
-    url: string;
-    authType: AuthType;
-    bearerToken?: string;
-    basicCredentials?: string;
-    customHeaderName?: string;
-    customHeaderValue?: string;
-    headers: Array<{ key: string; value: string }>;
-    useBodyTemplate: boolean;
-    bodyTemplate?: string;
-}
-
-interface Destination {
-    destinationId: number;
-    orgId: string;
-    type: string;
-    config: string;
-    enabled: boolean;
-    sendAccessLogs: boolean;
-    sendActionLogs: boolean;
-    sendConnectionLogs: boolean;
-    sendRequestLogs: boolean;
-    createdAt: number;
-    updatedAt: number;
-}
+// ── Re-export Destination so the rest of the file can use it ──────────────────
 
 interface ListDestinationsResponse {
     destinations: Destination[];
@@ -74,104 +50,13 @@ interface ListDestinationsResponse {
     };
 }
 
-// ── Helpers ────────────────────────────────────────────────────────────────────
-
-const defaultConfig = (): HttpConfig => ({
-    name: "",
-    url: "",
-    authType: "none",
-    bearerToken: "",
-    basicCredentials: "",
-    customHeaderName: "",
-    customHeaderValue: "",
-    headers: [],
-    useBodyTemplate: false,
-    bodyTemplate: ""
-});
-
-function parseConfig(raw: string): HttpConfig {
-    try {
-        return { ...defaultConfig(), ...JSON.parse(raw) };
-    } catch {
-        return defaultConfig();
-    }
-}
-
-// ── Headers editor ─────────────────────────────────────────────────────────────
-
-interface HeadersEditorProps {
-    headers: Array<{ key: string; value: string }>;
-    onChange: (headers: Array<{ key: string; value: string }>) => void;
-}
-
-function HeadersEditor({ headers, onChange }: HeadersEditorProps) {
-    const addRow = () => onChange([...headers, { key: "", value: "" }]);
-
-    const removeRow = (i: number) =>
-        onChange(headers.filter((_, idx) => idx !== i));
-
-    const updateRow = (
-        i: number,
-        field: "key" | "value",
-        val: string
-    ) => {
-        const next = [...headers];
-        next[i] = { ...next[i], [field]: val };
-        onChange(next);
-    };
-
-    return (
-        <div className="space-y-3">
-            {headers.length === 0 && (
-                <p className="text-xs text-muted-foreground">
-                    No custom headers configured. Click "Add Header" to add one.
-                </p>
-            )}
-            {headers.map((h, i) => (
-                <div key={i} className="flex gap-2 items-center">
-                    <Input
-                        value={h.key}
-                        onChange={(e) => updateRow(i, "key", e.target.value)}
-                        placeholder="Header name"
-                        className="flex-1"
-                    />
-                    <Input
-                        value={h.value}
-                        onChange={(e) => updateRow(i, "value", e.target.value)}
-                        placeholder="Value"
-                        className="flex-1"
-                    />
-                    <Button
-                        type="button"
-                        variant="ghost"
-                        size="icon"
-                        onClick={() => removeRow(i)}
-                        className="shrink-0 h-9 w-9"
-                    >
-                        <X className="h-4 w-4" />
-                    </Button>
-                </div>
-            ))}
-            <Button
-                type="button"
-                variant="outline"
-                size="sm"
-                onClick={addRow}
-                className="gap-1.5"
-            >
-                <Plus className="h-3.5 w-3.5" />
-                Add Header
-            </Button>
-        </div>
-    );
-}
-
 // ── Destination card ───────────────────────────────────────────────────────────
 
 interface DestinationCardProps {
     destination: Destination;
     onToggle: (id: number, enabled: boolean) => void;
     onEdit: (destination: Destination) => void;
+    onDelete: (destination: Destination) => void;
     isToggling: boolean;
     disabled?: boolean;
 }
@@ -180,18 +65,22 @@ function DestinationCard({
     destination,
     onToggle,
     onEdit,
+    onDelete,
     isToggling,
     disabled = false
 }: DestinationCardProps) {
-    const cfg = parseConfig(destination.config);
+    const cfg = parseHttpConfig(destination.config);
 
     return (
         <div className="relative flex flex-col rounded-lg border bg-card text-card-foreground p-5 gap-3">
             {/* Top row: icon + name/type + toggle */}
             <div className="flex items-start justify-between gap-3">
                 <div className="flex items-center gap-3 min-w-0">
-                    <div className="shrink-0 flex items-center justify-center w-9 h-9 rounded-md bg-muted">
-                        <Globe className="h-5 w-5 text-muted-foreground" />
+                    {/* Squirkle icon: gray outer → white inner → black globe */}
+                    <div className="shrink-0 flex items-center justify-center w-10 h-10 rounded-2xl bg-muted">
+                        <div className="flex items-center justify-center w-6 h-6 rounded-xl bg-white shadow-sm">
+                            <Globe className="h-3.5 w-3.5 text-black" />
+                        </div>
                     </div>
                     <div className="min-w-0">
                         <p className="font-semibold text-sm leading-tight truncate">
@@ -219,17 +108,37 @@ function DestinationCard({
                 )}
             </p>
 
-            {/* Footer: edit button */}
-            <div className="mt-auto pt-3">
+            {/* Footer: edit button + three-dots menu */}
+            <div className="mt-auto pt-5 flex gap-2">
                 <Button
                     variant="outline"
                     size="sm"
                     onClick={() => onEdit(destination)}
                     disabled={disabled}
-                    className="w-full"
+                    className="flex-1"
                 >
                     Edit
                 </Button>
+                <DropdownMenu>
+                    <DropdownMenuTrigger asChild>
+                        <Button
+                            variant="outline"
+                            size="icon"
+                            className="h-9 w-9 shrink-0"
+                            disabled={disabled}
+                        >
+                            <MoreHorizontal className="h-4 w-4" />
+                        </Button>
+                    </DropdownMenuTrigger>
+                    <DropdownMenuContent align="end">
+                        <DropdownMenuItem
+                            className="text-destructive focus:text-destructive"
+                            onClick={() => onDelete(destination)}
+                        >
+                            Delete
+                        </DropdownMenuItem>
+                    </DropdownMenuContent>
+                </DropdownMenu>
             </div>
         </div>
     );
@@ -237,23 +146,12 @@ function DestinationCard({
 
 // ── Add destination card ───────────────────────────────────────────────────────
 
-function AddDestinationCard({
-    onClick,
-    disabled = false
-}: {
-    onClick: () => void;
-    disabled?: boolean;
-}) {
+function AddDestinationCard({ onClick }: { onClick: () => void }) {
     return (
         <button
             type="button"
-            onClick={disabled ? undefined : onClick}
-            disabled={disabled}
-            className={`flex flex-col items-center justify-center rounded-lg border-2 border-dashed border-border bg-transparent transition-colors p-5 min-h-35 w-full ${
-                disabled
-                    ? "opacity-50 cursor-not-allowed text-muted-foreground"
-                    : "text-muted-foreground hover:border-primary hover:text-primary hover:bg-primary/5 cursor-pointer"
-            }`}
+            onClick={onClick}
+            className="flex flex-col items-center justify-center rounded-lg border-2 border-dashed border-border bg-transparent transition-colors p-5 min-h-35 w-full text-muted-foreground hover:border-primary hover:text-primary hover:bg-primary/5 cursor-pointer"
         >
             <div className="flex flex-col items-center gap-2">
                 <div className="flex items-center justify-center w-9 h-9 rounded-md border-2 border-dashed border-current">
@@ -280,7 +178,8 @@ const destinationTypeOptions: ReadonlyArray<StrategyOption<DestinationType>> = [
     {
         id: "s3",
         title: "Amazon S3",
-        description: "Stream events to an S3-compatible object storage bucket. Coming soon.",
+        description:
+            "Stream events to an S3-compatible object storage bucket. Coming soon.",
         disabled: true,
         icon: (
             <Image
@@ -295,7 +194,8 @@ const destinationTypeOptions: ReadonlyArray<StrategyOption<DestinationType>> = [
     {
         id: "datadog",
         title: "Datadog",
-        description: "Forward events directly to your Datadog account. Coming soon.",
+        description:
+            "Forward events directly to your Datadog account. Coming soon.",
         disabled: true,
         icon: (
             <Image
@@ -313,12 +213,14 @@ interface DestinationTypePickerProps {
     open: boolean;
     onOpenChange: (open: boolean) => void;
     onSelect: (type: DestinationType) => void;
+    isPaywalled?: boolean;
 }
 
 function DestinationTypePicker({
     open,
     onOpenChange,
-    onSelect
+    onSelect,
+    isPaywalled = false
 }: DestinationTypePickerProps) {
     const [selected, setSelected] = useState<DestinationType>("http");
 
@@ -336,18 +238,29 @@ function DestinationTypePicker({
                     </CredenzaDescription>
                 </CredenzaHeader>
                 <CredenzaBody>
-                    <StrategySelect
-                        options={destinationTypeOptions}
-                        value={selected}
-                        onChange={setSelected}
-                        cols={1}
-                    />
+                    {isPaywalled && (
+                        <div className="mb-4 rounded-md border border-amber-200 bg-amber-50 dark:border-amber-800 dark:bg-amber-950/30 px-4 py-3 text-sm text-amber-800 dark:text-amber-300">
+                            Upgrade to an enterprise plan to configure event
+                            streaming destinations.
+                        </div>
+                    )}
+                    <div className={isPaywalled ? "pointer-events-none opacity-50" : ""}>
+                        <StrategySelect
+                            options={destinationTypeOptions}
+                            value={selected}
+                            onChange={setSelected}
+                            cols={1}
+                        />
+                    </div>
                 </CredenzaBody>
                 <CredenzaFooter>
                     <CredenzaClose asChild>
                         <Button variant="outline">Cancel</Button>
                     </CredenzaClose>
-                    <Button onClick={() => onSelect(selected)}>
+                    <Button
+                        onClick={() => onSelect(selected)}
+                        disabled={isPaywalled}
+                    >
                         Continue
                     </Button>
                 </CredenzaFooter>
@@ -356,630 +269,6 @@ function DestinationTypePicker({
     );
 }
 
-// ── Destination modal ──────────────────────────────────────────────────────────
-
-interface DestinationModalProps {
-    open: boolean;
-    onOpenChange: (open: boolean) => void;
-    editing: Destination | null;
-    orgId: string;
-    onSaved: () => void;
-    onDeleted: () => void;
-}
-
-function DestinationModal({
-    open,
-    onOpenChange,
-    editing,
-    orgId,
-    onSaved,
-    onDeleted
-}: DestinationModalProps) {
-    const api = createApiClient(useEnvContext());
-
-    const [saving, setSaving] = useState(false);
-    const [deleting, setDeleting] = useState(false);
-    const [deleteDialogOpen, setDeleteDialogOpen] = useState(false);
-    const [cfg, setCfg] = useState<HttpConfig>(defaultConfig());
-    const [sendAccessLogs, setSendAccessLogs] = useState(false);
-    const [sendActionLogs, setSendActionLogs] = useState(false);
-    const [sendConnectionLogs, setSendConnectionLogs] = useState(false);
-    const [sendRequestLogs, setSendRequestLogs] = useState(false);
-
-    useEffect(() => {
-        if (open) {
-            setCfg(editing ? parseConfig(editing.config) : defaultConfig());
-            setSendAccessLogs(editing?.sendAccessLogs ?? false);
-            setSendActionLogs(editing?.sendActionLogs ?? false);
-            setSendConnectionLogs(editing?.sendConnectionLogs ?? false);
-            setSendRequestLogs(editing?.sendRequestLogs ?? false);
-        }
-        if (!open) {
-            setDeleteDialogOpen(false);
-        }
-    }, [open, editing]);
-
-    const update = (patch: Partial<HttpConfig>) =>
-        setCfg((prev) => ({ ...prev, ...patch }));
-
-    const urlError: string | null = (() => {
-        const raw = cfg.url.trim();
-        if (!raw) return null;
-        try {
-            const parsed = new URL(raw);
-            if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
-                return "URL must use http or https";
-            }
-            if (build === "saas" && parsed.protocol !== "https:") {
-                return "HTTPS is required on cloud deployments";
-            }
-            return null;
-        } catch {
-            return "Enter a valid URL (e.g. https://example.com/webhook)";
-        }
-    })();
-
-    const isValid =
-        cfg.name.trim() !== "" &&
-        cfg.url.trim() !== "" &&
-        urlError === null;
-
-    async function handleSave() {
-        if (!isValid) return;
-        setSaving(true);
-        try {
-            const payload = {
-                type: "http",
-                config: JSON.stringify(cfg),
-                sendAccessLogs,
-                sendActionLogs,
-                sendConnectionLogs,
-                sendRequestLogs
-            };
-            if (editing) {
-                await api.post(
-                    `/org/${orgId}/event-streaming-destination/${editing.destinationId}`,
-                    payload
-                );
-                toast({ title: "Destination updated successfully" });
-            } else {
-                await api.put(
-                    `/org/${orgId}/event-streaming-destination`,
-                    payload
-                );
-                toast({ title: "Destination created successfully" });
-            }
-            onSaved();
-            onOpenChange(false);
-        } catch (e) {
-            toast({
-                variant: "destructive",
-                title: editing
-                    ? "Failed to update destination"
-                    : "Failed to create destination",
-                description: formatAxiosError(
-                    e,
-                    "An unexpected error occurred."
-                )
-            });
-        } finally {
-            setSaving(false);
-        }
-    }
-
-    async function handleDelete() {
-        if (!editing) return;
-        setDeleting(true);
-        try {
-            await api.delete(
-                `/org/${orgId}/event-streaming-destination/${editing.destinationId}`
-            );
-            toast({ title: "Destination deleted successfully" });
-            onDeleted();
-            onOpenChange(false);
-        } catch (e) {
-            toast({
-                variant: "destructive",
-                title: "Failed to delete destination",
-                description: formatAxiosError(
-                    e,
-                    "An unexpected error occurred."
-                )
-            });
-        } finally {
-            setDeleting(false);
-        }
-    }
-
-    return (
-        <>
-        <Credenza open={open} onOpenChange={onOpenChange}>
-            <CredenzaContent className="sm:max-w-2xl">
-                <CredenzaHeader>
-                    <CredenzaTitle>
-                        {editing ? "Edit Destination" : "Add Destination"}
-                    </CredenzaTitle>
-                    <CredenzaDescription>
-                        {editing
-                            ? "Update the configuration for this HTTP event streaming destination."
-                            : "Configure a new HTTP endpoint to receive your organization's events."}
-                    </CredenzaDescription>
-                </CredenzaHeader>
-
-                <CredenzaBody>
-                    <HorizontalTabs
-                        clientSide
-                        items={[
-                            { title: "Settings", href: "" },
-                            { title: "Headers", href: "" },
-                            { title: "Body Template", href: "" },
-                            { title: "Logs", href: "" }
-                        ]}
-                    >
-                        {/* ── Settings ─────────────────────────────────── */}
-                        <div className="space-y-4 mt-4 p-1">
-                            <div className="space-y-1.5">
-                                <Label htmlFor="dest-name">Name</Label>
-                                <Input
-                                    id="dest-name"
-                                    placeholder="My HTTP destination"
-                                    value={cfg.name}
-                                    onChange={(e) =>
-                                        update({ name: e.target.value })
-                                    }
-                                />
-                            </div>
-
-                            <div className="space-y-1.5">
-                                <Label htmlFor="dest-url">Destination URL</Label>
-                                <Input
-                                    id="dest-url"
-                                    placeholder="https://example.com/webhook"
-                                    value={cfg.url}
-                                    onChange={(e) =>
-                                        update({ url: e.target.value })
-                                    }
-                                />
-                                {urlError && (
-                                    <p className="text-xs text-destructive mt-1">
-                                        {urlError}
-                                    </p>
-                                )}
-                            </div>
-
-                            <div>
-                                <div className="mb-4">
-                                    <label className="font-medium block">
-                                        Authentication
-                                    </label>
-                                    <div className="text-sm text-muted-foreground">
-                                        Choose how requests to your endpoint are authenticated.
-                                    </div>
-                                </div>
-                                <RadioGroup
-                                    value={cfg.authType}
-                                    onValueChange={(v) =>
-                                        update({ authType: v as AuthType })
-                                    }
-                                    className="gap-2"
-                                >
-                                    {/* None */}
-                                    <div className="flex items-start gap-3 rounded-md border p-3 transition-colors data-[state=checked]:border-primary">
-                                        <RadioGroupItem
-                                            value="none"
-                                            id="auth-none"
-                                            className="mt-0.5"
-                                        />
-                                        <div>
-                                            <Label
-                                                htmlFor="auth-none"
-                                                className="cursor-pointer font-medium"
-                                            >
-                                                No Authentication
-                                            </Label>
-                                            <p className="text-xs text-muted-foreground mt-0.5">
-                                                Sends requests without an{" "}
-                                                <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                                    Authorization
-                                                </code>{" "}
-                                                header.
-                                            </p>
-                                        </div>
-                                    </div>
-
-                                    {/* Bearer */}
-                                    <div className="flex items-start gap-3 rounded-md border p-3">
-                                        <RadioGroupItem
-                                            value="bearer"
-                                            id="auth-bearer"
-                                            className="mt-0.5"
-                                        />
-                                        <div className="flex-1 space-y-3">
-                                            <div>
-                                                <Label
-                                                    htmlFor="auth-bearer"
-                                                    className="cursor-pointer font-medium"
-                                                >
-                                                    Bearer Token
-                                                </Label>
-                                                <p className="text-xs text-muted-foreground mt-0.5">
-                                                    Adds an{" "}
-                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                                        Authorization: Bearer &lt;token&gt;
-                                                    </code>{" "}
-                                                    header to each request.
-                                                </p>
-                                            </div>
-                                            {cfg.authType === "bearer" && (
-                                                <Input
-                                                    placeholder="Your API key or token"
-                                                    value={cfg.bearerToken ?? ""}
-                                                    onChange={(e) =>
-                                                        update({
-                                                            bearerToken:
-                                                                e.target.value
-                                                        })
-                                                    }
-                                                />
-                                            )}
-                                        </div>
-                                    </div>
-
-                                    {/* Basic */}
-                                    <div className="flex items-start gap-3 rounded-md border p-3">
-                                        <RadioGroupItem
-                                            value="basic"
-                                            id="auth-basic"
-                                            className="mt-0.5"
-                                        />
-                                        <div className="flex-1 space-y-3">
-                                            <div>
-                                                <Label
-                                                    htmlFor="auth-basic"
-                                                    className="cursor-pointer font-medium"
-                                                >
-                                                    Basic Auth
-                                                </Label>
-                                                <p className="text-xs text-muted-foreground mt-0.5">
-                                                    Adds an{" "}
-                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                                        Authorization: Basic &lt;credentials&gt;
-                                                    </code>{" "}
-                                                    header. Provide credentials as{" "}
-                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                                        username:password
-                                                    </code>
-                                                    .
-                                                </p>
-                                            </div>
-                                            {cfg.authType === "basic" && (
-                                                <Input
-                                                    placeholder="username:password"
-                                                    value={
-                                                        cfg.basicCredentials ?? ""
-                                                    }
-                                                    onChange={(e) =>
-                                                        update({
-                                                            basicCredentials:
-                                                                e.target.value
-                                                        })
-                                                    }
-                                                />
-                                            )}
-                                        </div>
-                                    </div>
-
-                                    {/* Custom */}
-                                    <div className="flex items-start gap-3 rounded-md border p-3">
-                                        <RadioGroupItem
-                                            value="custom"
-                                            id="auth-custom"
-                                            className="mt-0.5"
-                                        />
-                                        <div className="flex-1 space-y-3">
-                                            <div>
-                                                <Label
-                                                    htmlFor="auth-custom"
-                                                    className="cursor-pointer font-medium"
-                                                >
-                                                    Custom Header
-                                                </Label>
-                                                <p className="text-xs text-muted-foreground mt-0.5">
-                                                    Specify a custom HTTP header name and value for
-                                                    authentication (e.g.{" "}
-                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                                        X-API-Key
-                                                    </code>
-                                                    ).
-                                                </p>
-                                            </div>
-                                            {cfg.authType === "custom" && (
-                                                <div className="flex gap-2">
-                                                    <Input
-                                                        placeholder="Header name (e.g. X-API-Key)"
-                                                        value={
-                                                            cfg.customHeaderName ??
-                                                            ""
-                                                        }
-                                                        onChange={(e) =>
-                                                            update({
-                                                                customHeaderName:
-                                                                    e.target.value
-                                                            })
-                                                        }
-                                                        className="flex-1"
-                                                    />
-                                                    <Input
-                                                        placeholder="Header value"
-                                                        value={
-                                                            cfg.customHeaderValue ??
-                                                            ""
-                                                        }
-                                                        onChange={(e) =>
-                                                            update({
-                                                                customHeaderValue:
-                                                                    e.target.value
-                                                            })
-                                                        }
-                                                        className="flex-1"
-                                                    />
-                                                </div>
-                                            )}
-                                        </div>
-                                    </div>
-                                </RadioGroup>
-                            </div>
-                        </div>
-
-                        {/* ── Headers ───────────────────────────────────── */}
-                        <div className="space-y-4 mt-4 p-1">
-                            <div>
-                                <div className="mb-4">
-                                    <label className="font-medium block">
-                                        Custom HTTP Headers
-                                    </label>
-                                    <div className="text-sm text-muted-foreground">
-                                        Add custom headers to every outgoing request.
-                                        Useful for static tokens or custom{" "}
-                                        <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                            Content-Type
-                                        </code>
-                                        . By default,{" "}
-                                        <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                            Content-Type: application/json
-                                        </code>{" "}
-                                        is sent.
-                                    </div>
-                                </div>
-                                <HeadersEditor
-                                    headers={cfg.headers}
-                                    onChange={(headers) => update({ headers })}
-                                />
-                            </div>
-                        </div>
-
-                        {/* ── Body Template ─────────────────────────────── */}
-                        <div className="space-y-4 mt-4 p-1">
-                            <div className="mb-4">
-                                <label className="font-medium block">
-                                    Custom Body Template
-                                </label>
-                                <div className="text-sm text-muted-foreground">
-                                    Control the JSON payload structure sent to your
-                                    endpoint. If disabled, a default JSON object is sent
-                                    for each event.
-                                </div>
-                            </div>
-
-                            <div className="flex items-center gap-3">
-                                <Switch
-                                    id="use-body-template"
-                                    checked={cfg.useBodyTemplate}
-                                    onCheckedChange={(v) =>
-                                        update({ useBodyTemplate: v })
-                                    }
-                                />
-                                <Label
-                                    htmlFor="use-body-template"
-                                    className="cursor-pointer"
-                                >
-                                    Enable custom body template
-                                </Label>
-                            </div>
-
-                            {cfg.useBodyTemplate && (
-                                <div className="space-y-1.5">
-                                    <Label htmlFor="body-template">
-                                        Body Template (JSON)
-                                    </Label>
-                                    <Textarea
-                                        id="body-template"
-                                        placeholder={
-                                            '{\n  "event": "{{event}}",\n  "timestamp": "{{timestamp}}",\n  "data": {{data}}\n}'
-                                        }
-                                        value={cfg.bodyTemplate ?? ""}
-                                        onChange={(e) =>
-                                            update({
-                                                bodyTemplate: e.target.value
-                                            })
-                                        }
-                                        className="font-mono text-xs min-h-45 resize-y"
-                                    />
-                                    <p className="text-xs text-muted-foreground">
-                                        Use template variables to reference event fields in
-                                        your payload.
-                                    </p>
-                                </div>
-                            )}
-                        </div>
-
-                        {/* ── Logs ──────────────────────────────────────── */}
-                        <div className="space-y-4 mt-4 p-1">
-                            <div className="mb-4">
-                                <label className="font-medium block">
-                                    Log Types
-                                </label>
-                                <div className="text-sm text-muted-foreground">
-                                    Choose which log types are forwarded to this
-                                    destination. Only enabled log types will be
-                                    streamed.
-                                </div>
-                            </div>
-
-                            <div className="space-y-3">
-                                <div className="flex items-start gap-3 rounded-md border p-3">
-                                    <Checkbox
-                                        id="log-access"
-                                        checked={sendAccessLogs}
-                                        onCheckedChange={(v) =>
-                                            setSendAccessLogs(v === true)
-                                        }
-                                        className="mt-0.5"
-                                    />
-                                    <div>
-                                        <label
-                                            htmlFor="log-access"
-                                            className="text-sm font-medium cursor-pointer"
-                                        >
-                                            Access Logs
-                                        </label>
-                                        <p className="text-xs text-muted-foreground mt-0.5">
-                                            Resource access attempts, including
-                                            authenticated and denied requests.
-                                        </p>
-                                    </div>
-                                </div>
-
-                                <div className="flex items-start gap-3 rounded-md border p-3">
-                                    <Checkbox
-                                        id="log-action"
-                                        checked={sendActionLogs}
-                                        onCheckedChange={(v) =>
-                                            setSendActionLogs(v === true)
-                                        }
-                                        className="mt-0.5"
-                                    />
-                                    <div>
-                                        <label
-                                            htmlFor="log-action"
-                                            className="text-sm font-medium cursor-pointer"
-                                        >
-                                            Action Logs
-                                        </label>
-                                        <p className="text-xs text-muted-foreground mt-0.5">
-                                            Administrative actions performed by
-                                            users within the organization.
-                                        </p>
-                                    </div>
-                                </div>
-
-                                <div className="flex items-start gap-3 rounded-md border p-3">
-                                    <Checkbox
-                                        id="log-connection"
-                                        checked={sendConnectionLogs}
-                                        onCheckedChange={(v) =>
-                                            setSendConnectionLogs(v === true)
-                                        }
-                                        className="mt-0.5"
-                                    />
-                                    <div>
-                                        <label
-                                            htmlFor="log-connection"
-                                            className="text-sm font-medium cursor-pointer"
-                                        >
-                                            Connection Logs
-                                        </label>
-                                        <p className="text-xs text-muted-foreground mt-0.5">
-                                            Site and tunnel connection events,
-                                            including connects and disconnects.
-                                        </p>
-                                    </div>
-                                </div>
-
-                                <div className="flex items-start gap-3 rounded-md border p-3">
-                                    <Checkbox
-                                        id="log-request"
-                                        checked={sendRequestLogs}
-                                        onCheckedChange={(v) =>
-                                            setSendRequestLogs(v === true)
-                                        }
-                                        className="mt-0.5"
-                                    />
-                                    <div>
-                                        <label
-                                            htmlFor="log-request"
-                                            className="text-sm font-medium cursor-pointer"
-                                        >
-                                            Request Logs
-                                        </label>
-                                        <p className="text-xs text-muted-foreground mt-0.5">
-                                            HTTP request logs for proxied
-                                            resources, including method, path,
-                                            and response code.
-                                        </p>
-                                    </div>
-                                </div>
-                            </div>
-                        </div>
-                    </HorizontalTabs>
-                </CredenzaBody>
-
-                <CredenzaFooter>
-                    {editing && (
-                        <Button
-                            type="button"
-                            variant="destructive"
-                            onClick={() => setDeleteDialogOpen(true)}
-                            disabled={saving || deleting}
-                            className="mr-auto"
-                        >
-                            Delete
-                        </Button>
-                    )}
-                    <CredenzaClose asChild>
-                        <Button
-                            type="button"
-                            variant="outline"
-                            disabled={saving || deleting}
-                        >
-                            Cancel
-                        </Button>
-                    </CredenzaClose>
-                    <Button
-                        type="button"
-                        onClick={handleSave}
-                        loading={saving}
-                        disabled={!isValid || deleting}
-                    >
-                        {editing ? "Save Changes" : "Create Destination"}
-                    </Button>
-                </CredenzaFooter>
-            </CredenzaContent>
-        </Credenza>
-
-        {editing && (
-            <ConfirmDeleteDialog
-                open={deleteDialogOpen}
-                setOpen={setDeleteDialogOpen}
-                string={parseConfig(editing.config).name || "delete"}
-                title="Delete Destination"
-                dialog={
-                    <p className="text-sm text-muted-foreground">
-                        Are you sure you want to delete the destination{" "}
-                        <span className="font-semibold text-foreground">
-                            {parseConfig(editing.config).name || "this destination"}
-                        </span>
-                        ? All configuration will be permanently removed.
-                    </p>
-                }
-                buttonText="Delete Destination"
-                onConfirm={handleDelete}
-            />
-        )}
-        </>
-    );
-}
-
 // ── Main page ──────────────────────────────────────────────────────────────────
 
 export default function StreamingDestinationsPage() {
@@ -996,6 +285,11 @@ export default function StreamingDestinationsPage() {
         useState<Destination | null>(null);
     const [togglingIds, setTogglingIds] = useState<Set<number>>(new Set());
 
+    // Delete state
+    const [deleteTarget, setDeleteTarget] = useState<Destination | null>(null);
+    const [deleteDialogOpen, setDeleteDialogOpen] = useState(false);
+    const [deleting, setDeleting] = useState(false);
+
     const loadDestinations = useCallback(async () => {
         if (build == "oss") {
             setDestinations([]);
@@ -1065,6 +359,36 @@ export default function StreamingDestinationsPage() {
         }
     };
 
+    const handleDeleteCard = (destination: Destination) => {
+        setDeleteTarget(destination);
+        setDeleteDialogOpen(true);
+    };
+
+    const handleDeleteConfirm = async () => {
+        if (!deleteTarget) return;
+        setDeleting(true);
+        try {
+            await api.delete(
+                `/org/${orgId}/event-streaming-destination/${deleteTarget.destinationId}`
+            );
+            toast({ title: "Destination deleted successfully" });
+            setDeleteDialogOpen(false);
+            setDeleteTarget(null);
+            loadDestinations();
+        } catch (e) {
+            toast({
+                variant: "destructive",
+                title: "Failed to delete destination",
+                description: formatAxiosError(
+                    e,
+                    "An unexpected error occurred."
+                )
+            });
+        } finally {
+            setDeleting(false);
+        }
+    };
+
     const openCreate = () => {
         setTypePickerOpen(true);
     };
@@ -1090,8 +414,8 @@ export default function StreamingDestinationsPage() {
             <PaidFeaturesAlert tiers={tierMatrix[TierFeature.SIEM]} />
 
             {loading ? (
-                <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
-                    {Array.from({ length: 3 }).map((_, i) => (
+                <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 gap-4">
+                    {Array.from({ length: 4 }).map((_, i) => (
                         <div
                             key={i}
                             className="rounded-lg border bg-card p-5 min-h-36 animate-pulse"
@@ -1099,21 +423,20 @@ export default function StreamingDestinationsPage() {
                     ))}
                 </div>
             ) : (
-                <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
+                <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 gap-4">
                     {destinations.map((dest) => (
                         <DestinationCard
                             key={dest.destinationId}
                             destination={dest}
                             onToggle={handleToggle}
                             onEdit={openEdit}
+                            onDelete={handleDeleteCard}
                             isToggling={togglingIds.has(dest.destinationId)}
                             disabled={!isEnterprise}
                         />
                     ))}
-                    <AddDestinationCard
-                        onClick={openCreate}
-                        disabled={!isEnterprise}
-                    />
+                    {/* Add card is always clickable — paywall is enforced inside the picker */}
+                    <AddDestinationCard onClick={openCreate} />
                 </div>
             )}
 
@@ -1121,16 +444,42 @@ export default function StreamingDestinationsPage() {
                 open={typePickerOpen}
                 onOpenChange={setTypePickerOpen}
                 onSelect={handleTypePicked}
+                isPaywalled={!isEnterprise}
             />
 
-            <DestinationModal
+            <HttpDestinationCredenza
                 open={modalOpen}
                 onOpenChange={setModalOpen}
                 editing={editingDestination}
                 orgId={orgId}
                 onSaved={loadDestinations}
-                onDeleted={loadDestinations}
             />
+
+            {deleteTarget && (
+                <ConfirmDeleteDialog
+                    open={deleteDialogOpen}
+                    setOpen={(v) => {
+                        setDeleteDialogOpen(v);
+                        if (!v) setDeleteTarget(null);
+                    }}
+                    string={
+                        parseHttpConfig(deleteTarget.config).name || "delete"
+                    }
+                    title="Delete Destination"
+                    dialog={
+                        <p className="text-sm text-muted-foreground">
+                            Are you sure you want to delete{" "}
+                            <span className="font-semibold text-foreground">
+                                {parseHttpConfig(deleteTarget.config).name ||
+                                    "this destination"}
+                            </span>
+                            ? All configuration will be permanently removed.
+                        </p>
+                    }
+                    buttonText="Delete Destination"
+                    onConfirm={handleDeleteConfirm}
+                />
+            )}
         </>
     );
-}
+}
\ No newline at end of file

From 6ea719c50f81153c332af52642be29da058f9995 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 11:44:18 -0700
Subject: [PATCH 184/314] Pin

---
 package.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package.json b/package.json
index 66c61c0e6..7d7b3df69 100644
--- a/package.json
+++ b/package.json
@@ -112,13 +112,13 @@
         "reodotdev": "1.1.0",
         "resend": "6.9.2",
         "semver": "7.7.4",
-        "sshpk": "^1.18.0",
+        "sshpk": "1.18.0",
         "stripe": "20.4.1",
         "swagger-ui-express": "5.0.1",
         "tailwind-merge": "3.5.0",
         "topojson-client": "3.1.0",
         "tw-animate-css": "1.4.0",
-        "use-debounce": "^10.1.0",
+        "use-debounce": "10.1.0",
         "uuid": "13.0.0",
         "vaul": "1.1.2",
         "visionscarto-world-atlas": "1.0.0",
@@ -153,7 +153,7 @@
         "@types/react": "19.2.14",
         "@types/react-dom": "19.2.3",
         "@types/semver": "7.7.1",
-        "@types/sshpk": "^1.17.4",
+        "@types/sshpk": "1.17.4",
         "@types/swagger-ui-express": "4.1.8",
         "@types/topojson-client": "3.1.5",
         "@types/ws": "8.18.1",

From 954b492aa9f239d28c7e3e22bc461d0bc55525c4 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 11:52:08 -0700
Subject: [PATCH 185/314] Fix imports

---
 src/app/[orgId]/settings/access/invitations/page.tsx          | 3 +--
 src/app/[orgId]/settings/access/users/page.tsx                | 3 +--
 src/app/[orgId]/settings/api-keys/page.tsx                    | 2 +-
 src/app/[orgId]/settings/domains/page.tsx                     | 2 +-
 src/app/[orgId]/settings/logs/streaming/page.tsx              | 4 ++--
 src/app/[orgId]/settings/provisioning/keys/page.tsx           | 2 +-
 src/app/[orgId]/settings/share-links/page.tsx                 | 2 +-
 src/app/[orgId]/settings/sites/[niceId]/layout.tsx            | 4 ++--
 src/app/admin/api-keys/page.tsx                               | 2 +-
 src/app/admin/idp/[idpId]/policies/page.tsx                   | 2 +-
 src/app/admin/idp/page.tsx                                    | 2 +-
 src/app/admin/license/page.tsx                                | 4 ++--
 src/app/admin/users/page.tsx                                  | 2 +-
 .../logs/streaming => components}/HttpDestinationCredenza.tsx | 0
 14 files changed, 16 insertions(+), 18 deletions(-)
 rename src/{app/[orgId]/settings/logs/streaming => components}/HttpDestinationCredenza.tsx (100%)

diff --git a/src/app/[orgId]/settings/access/invitations/page.tsx b/src/app/[orgId]/settings/access/invitations/page.tsx
index 00cb0ffc8..ae37c3752 100644
--- a/src/app/[orgId]/settings/access/invitations/page.tsx
+++ b/src/app/[orgId]/settings/access/invitations/page.tsx
@@ -3,13 +3,12 @@ import { authCookieHeader } from "@app/lib/api/cookies";
 import { AxiosResponse } from "axios";
 import InvitationsTable, {
     InvitationRow
-} from "../../../../../components/InvitationsTable";
+} from "@app/components/InvitationsTable";
 import { GetOrgResponse } from "@server/routers/org";
 import { cache } from "react";
 import OrgProvider from "@app/providers/OrgProvider";
 import UserProvider from "@app/providers/UserProvider";
 import { verifySession } from "@app/lib/auth/verifySession";
-import AccessPageHeaderAndNav from "../../../../../components/AccessPageHeaderAndNav";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
 import { getTranslations } from "next-intl/server";
 
diff --git a/src/app/[orgId]/settings/access/users/page.tsx b/src/app/[orgId]/settings/access/users/page.tsx
index 812ac2b64..84685cc04 100644
--- a/src/app/[orgId]/settings/access/users/page.tsx
+++ b/src/app/[orgId]/settings/access/users/page.tsx
@@ -3,13 +3,12 @@ import { authCookieHeader } from "@app/lib/api/cookies";
 import { getUserDisplayName } from "@app/lib/getUserDisplayName";
 import { ListUsersResponse } from "@server/routers/user";
 import { AxiosResponse } from "axios";
-import UsersTable, { UserRow } from "../../../../../components/UsersTable";
+import UsersTable, { UserRow } from "@app/components/UsersTable";
 import { GetOrgResponse } from "@server/routers/org";
 import { cache } from "react";
 import OrgProvider from "@app/providers/OrgProvider";
 import UserProvider from "@app/providers/UserProvider";
 import { verifySession } from "@app/lib/auth/verifySession";
-import AccessPageHeaderAndNav from "../../../../../components/AccessPageHeaderAndNav";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
 import { getTranslations } from "next-intl/server";
 
diff --git a/src/app/[orgId]/settings/api-keys/page.tsx b/src/app/[orgId]/settings/api-keys/page.tsx
index 2973bb542..0ed9553af 100644
--- a/src/app/[orgId]/settings/api-keys/page.tsx
+++ b/src/app/[orgId]/settings/api-keys/page.tsx
@@ -4,7 +4,7 @@ import { AxiosResponse } from "axios";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
 import OrgApiKeysTable, {
     OrgApiKeyRow
-} from "../../../../components/OrgApiKeysTable";
+} from "@app/components/OrgApiKeysTable";
 import { ListOrgApiKeysResponse } from "@server/routers/apiKeys";
 import { getTranslations } from "next-intl/server";
 
diff --git a/src/app/[orgId]/settings/domains/page.tsx b/src/app/[orgId]/settings/domains/page.tsx
index 04db84b38..d1325d32b 100644
--- a/src/app/[orgId]/settings/domains/page.tsx
+++ b/src/app/[orgId]/settings/domains/page.tsx
@@ -2,7 +2,7 @@ import { internal } from "@app/lib/api";
 import { authCookieHeader } from "@app/lib/api/cookies";
 import { AxiosResponse } from "axios";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
-import DomainsTable, { DomainRow } from "../../../../components/DomainsTable";
+import DomainsTable, { DomainRow } from "@app/components/DomainsTable";
 import { getTranslations } from "next-intl/server";
 import { cache } from "react";
 import { GetOrgResponse } from "@server/routers/org";
diff --git a/src/app/[orgId]/settings/logs/streaming/page.tsx b/src/app/[orgId]/settings/logs/streaming/page.tsx
index 035ad98f8..449f17edb 100644
--- a/src/app/[orgId]/settings/logs/streaming/page.tsx
+++ b/src/app/[orgId]/settings/logs/streaming/page.tsx
@@ -37,7 +37,7 @@ import {
     Destination,
     HttpDestinationCredenza,
     parseHttpConfig
-} from "./HttpDestinationCredenza";
+} from "@app/components/HttpDestinationCredenza";
 
 // ── Re-export Destination so the rest of the file can use it ──────────────────
 
@@ -482,4 +482,4 @@ export default function StreamingDestinationsPage() {
             )}
         </>
     );
-}
\ No newline at end of file
+}
diff --git a/src/app/[orgId]/settings/provisioning/keys/page.tsx b/src/app/[orgId]/settings/provisioning/keys/page.tsx
index 9637b03b3..32a06706d 100644
--- a/src/app/[orgId]/settings/provisioning/keys/page.tsx
+++ b/src/app/[orgId]/settings/provisioning/keys/page.tsx
@@ -4,7 +4,7 @@ import { AxiosResponse } from "axios";
 import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
 import SiteProvisioningKeysTable, {
     SiteProvisioningKeyRow
-} from "../../../../../components/SiteProvisioningKeysTable";
+} from "@app/components/SiteProvisioningKeysTable";
 import { ListSiteProvisioningKeysResponse } from "@server/routers/siteProvisioning/types";
 import { getTranslations } from "next-intl/server";
 import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
diff --git a/src/app/[orgId]/settings/share-links/page.tsx b/src/app/[orgId]/settings/share-links/page.tsx
index 3b52393cf..b41a3d1ce 100644
--- a/src/app/[orgId]/settings/share-links/page.tsx
+++ b/src/app/[orgId]/settings/share-links/page.tsx
@@ -9,7 +9,7 @@ import OrgProvider from "@app/providers/OrgProvider";
 import { ListAccessTokensResponse } from "@server/routers/accessToken";
 import ShareLinksTable, {
     ShareLinkRow
-} from "../../../../components/ShareLinksTable";
+} from "@app/components/ShareLinksTable";
 import { getTranslations } from "next-intl/server";
 
 type ShareLinksPageProps = {
diff --git a/src/app/[orgId]/settings/sites/[niceId]/layout.tsx b/src/app/[orgId]/settings/sites/[niceId]/layout.tsx
index 2554403ea..aa02bb667 100644
--- a/src/app/[orgId]/settings/sites/[niceId]/layout.tsx
+++ b/src/app/[orgId]/settings/sites/[niceId]/layout.tsx
@@ -6,9 +6,9 @@ import { redirect } from "next/navigation";
 import { authCookieHeader } from "@app/lib/api/cookies";
 import { HorizontalTabs } from "@app/components/HorizontalTabs";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
-import SiteInfoCard from "../../../../../components/SiteInfoCard";
+import SiteInfoCard from "@app/components/SiteInfoCard";
 import { getTranslations } from "next-intl/server";
-import { build } from "@server/build";
+
 
 interface SettingsLayoutProps {
     children: React.ReactNode;
diff --git a/src/app/admin/api-keys/page.tsx b/src/app/admin/api-keys/page.tsx
index 60195c4aa..ce468dd39 100644
--- a/src/app/admin/api-keys/page.tsx
+++ b/src/app/admin/api-keys/page.tsx
@@ -3,7 +3,7 @@ import { authCookieHeader } from "@app/lib/api/cookies";
 import { AxiosResponse } from "axios";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
 import { ListRootApiKeysResponse } from "@server/routers/apiKeys";
-import ApiKeysTable, { ApiKeyRow } from "../../../components/ApiKeysTable";
+import ApiKeysTable, { ApiKeyRow } from "@app/components/ApiKeysTable";
 import { getTranslations } from "next-intl/server";
 
 type ApiKeyPageProps = {};
diff --git a/src/app/admin/idp/[idpId]/policies/page.tsx b/src/app/admin/idp/[idpId]/policies/page.tsx
index 57ee3cf7b..60e8a094a 100644
--- a/src/app/admin/idp/[idpId]/policies/page.tsx
+++ b/src/app/admin/idp/[idpId]/policies/page.tsx
@@ -31,7 +31,7 @@ import { zodResolver } from "@hookform/resolvers/zod";
 import { z } from "zod";
 import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
 import { InfoIcon, ExternalLink, CheckIcon } from "lucide-react";
-import PolicyTable, { PolicyRow } from "../../../../../components/PolicyTable";
+import PolicyTable, { PolicyRow } from "@app/components/PolicyTable";
 import { AxiosResponse } from "axios";
 import { ListOrgsResponse } from "@server/routers/org";
 import { ListRolesResponse } from "@server/routers/role";
diff --git a/src/app/admin/idp/page.tsx b/src/app/admin/idp/page.tsx
index a341c0469..01aac2a1e 100644
--- a/src/app/admin/idp/page.tsx
+++ b/src/app/admin/idp/page.tsx
@@ -2,7 +2,7 @@ import { internal } from "@app/lib/api";
 import { authCookieHeader } from "@app/lib/api/cookies";
 import { AxiosResponse } from "axios";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
-import IdpTable, { IdpRow } from "../../../components/AdminIdpTable";
+import IdpTable, { IdpRow } from "@app/components/AdminIdpTable";
 import { getTranslations } from "next-intl/server";
 
 export default async function IdpPage() {
diff --git a/src/app/admin/license/page.tsx b/src/app/admin/license/page.tsx
index 3c444debb..b2322ec3b 100644
--- a/src/app/admin/license/page.tsx
+++ b/src/app/admin/license/page.tsx
@@ -6,7 +6,7 @@ import { createApiClient } from "@app/lib/api";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { toast } from "@app/hooks/useToast";
 import { formatAxiosError } from "@app/lib/api";
-import { LicenseKeysDataTable } from "../../../components/LicenseKeysDataTable";
+import { LicenseKeysDataTable } from "@app/components/LicenseKeysDataTable";
 import { AxiosResponse } from "axios";
 import { Button } from "@app/components/ui/button";
 import {
@@ -45,7 +45,7 @@ import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
 import { Check, Heart, InfoIcon } from "lucide-react";
 import CopyTextBox from "@app/components/CopyTextBox";
 import ConfirmDeleteDialog from "@app/components/ConfirmDeleteDialog";
-import { SitePriceCalculator } from "../../../components/SitePriceCalculator";
+import { SitePriceCalculator } from "@app/components/SitePriceCalculator";
 import { Checkbox } from "@app/components/ui/checkbox";
 import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
 import { useSupporterStatusContext } from "@app/hooks/useSupporterStatusContext";
diff --git a/src/app/admin/users/page.tsx b/src/app/admin/users/page.tsx
index 7368cb253..2a000b34b 100644
--- a/src/app/admin/users/page.tsx
+++ b/src/app/admin/users/page.tsx
@@ -3,7 +3,7 @@ import { authCookieHeader } from "@app/lib/api/cookies";
 import { AxiosResponse } from "axios";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
 import { AdminListUsersResponse } from "@server/routers/user/adminListUsers";
-import UsersTable, { GlobalUserRow } from "../../../components/AdminUsersTable";
+import UsersTable, { GlobalUserRow } from "@app/components/AdminUsersTable";
 import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
 import { InfoIcon } from "lucide-react";
 import { getTranslations } from "next-intl/server";
diff --git a/src/app/[orgId]/settings/logs/streaming/HttpDestinationCredenza.tsx b/src/components/HttpDestinationCredenza.tsx
similarity index 100%
rename from src/app/[orgId]/settings/logs/streaming/HttpDestinationCredenza.tsx
rename to src/components/HttpDestinationCredenza.tsx

From 0254fb16952556c3e959ad5f6335c0eda5e11de0 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 11:56:19 -0700
Subject: [PATCH 186/314] Small ui tweaks

---
 src/app/[orgId]/settings/logs/streaming/page.tsx | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/src/app/[orgId]/settings/logs/streaming/page.tsx b/src/app/[orgId]/settings/logs/streaming/page.tsx
index 449f17edb..843f1ddb7 100644
--- a/src/app/[orgId]/settings/logs/streaming/page.tsx
+++ b/src/app/[orgId]/settings/logs/streaming/page.tsx
@@ -112,7 +112,6 @@ function DestinationCard({
             <div className="mt-auto pt-5 flex gap-2">
                 <Button
                     variant="outline"
-                    size="sm"
                     onClick={() => onEdit(destination)}
                     disabled={disabled}
                     className="flex-1"
@@ -238,12 +237,6 @@ function DestinationTypePicker({
                     </CredenzaDescription>
                 </CredenzaHeader>
                 <CredenzaBody>
-                    {isPaywalled && (
-                        <div className="mb-4 rounded-md border border-amber-200 bg-amber-50 dark:border-amber-800 dark:bg-amber-950/30 px-4 py-3 text-sm text-amber-800 dark:text-amber-300">
-                            Upgrade to an enterprise plan to configure event
-                            streaming destinations.
-                        </div>
-                    )}
                     <div className={isPaywalled ? "pointer-events-none opacity-50" : ""}>
                         <StrategySelect
                             options={destinationTypeOptions}

From 0db1397f2fca2d17a14a7773500d101ec903e1c6 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 12:02:02 -0700
Subject: [PATCH 187/314] Add log connection audit dedicated file

---
 server/private/lib/logConnectionAudit.ts      | 234 ++++++++++++++++++
 .../newt/handleConnectionLogMessage.ts        | 232 +++--------------
 2 files changed, 266 insertions(+), 200 deletions(-)
 create mode 100644 server/private/lib/logConnectionAudit.ts

diff --git a/server/private/lib/logConnectionAudit.ts b/server/private/lib/logConnectionAudit.ts
new file mode 100644
index 000000000..c7e786280
--- /dev/null
+++ b/server/private/lib/logConnectionAudit.ts
@@ -0,0 +1,234 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { logsDb, connectionAuditLog } from "@server/db";
+import logger from "@server/logger";
+import { and, eq, lt } from "drizzle-orm";
+import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
+
+// ---------------------------------------------------------------------------
+// Retry configuration for deadlock handling
+// ---------------------------------------------------------------------------
+
+const MAX_RETRIES = 3;
+const BASE_DELAY_MS = 50;
+
+// ---------------------------------------------------------------------------
+// Buffer / flush configuration
+// ---------------------------------------------------------------------------
+
+/** How often to flush accumulated connection log data to the database. */
+const FLUSH_INTERVAL_MS = 30_000; // 30 seconds
+
+/** Maximum number of records to buffer before forcing a flush. */
+const MAX_BUFFERED_RECORDS = 500;
+
+/** Maximum number of records to insert in a single database batch. */
+const INSERT_BATCH_SIZE = 100;
+
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+
+export interface ConnectionLogRecord {
+    sessionId: string;
+    siteResourceId: number;
+    orgId: string;
+    siteId: number;
+    clientId: number | null;
+    userId: string | null;
+    sourceAddr: string;
+    destAddr: string;
+    protocol: string;
+    startedAt: number; // epoch seconds
+    endedAt: number | null;
+    bytesTx: number | null;
+    bytesRx: number | null;
+}
+
+// ---------------------------------------------------------------------------
+// In-memory buffer
+// ---------------------------------------------------------------------------
+
+let buffer: ConnectionLogRecord[] = [];
+
+// ---------------------------------------------------------------------------
+// Deadlock helpers
+// ---------------------------------------------------------------------------
+
+function isDeadlockError(error: any): boolean {
+    return (
+        error?.code === "40P01" ||
+        error?.cause?.code === "40P01" ||
+        (error?.message && error.message.includes("deadlock"))
+    );
+}
+
+async function withDeadlockRetry<T>(
+    operation: () => Promise<T>,
+    context: string
+): Promise<T> {
+    let attempt = 0;
+    while (true) {
+        try {
+            return await operation();
+        } catch (error: any) {
+            if (isDeadlockError(error) && attempt < MAX_RETRIES) {
+                attempt++;
+                const baseDelay = Math.pow(2, attempt - 1) * BASE_DELAY_MS;
+                const jitter = Math.random() * baseDelay;
+                const delay = baseDelay + jitter;
+                logger.warn(
+                    `Deadlock detected in ${context}, retrying attempt ${attempt}/${MAX_RETRIES} after ${delay.toFixed(0)}ms`
+                );
+                await new Promise((resolve) => setTimeout(resolve, delay));
+                continue;
+            }
+            throw error;
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Flush
+// ---------------------------------------------------------------------------
+
+/**
+ * Flush all buffered connection log records to the database.
+ *
+ * Swaps out the buffer before writing so that any records added during the
+ * flush are captured in the new buffer rather than being lost. Entries that
+ * fail to write are re-queued back into the buffer so they will be retried
+ * on the next flush.
+ *
+ * This function is exported so that the application's graceful-shutdown
+ * cleanup handler can call it before the process exits.
+ */
+export async function flushConnectionLogToDb(): Promise<void> {
+    if (buffer.length === 0) {
+        return;
+    }
+
+    // Atomically swap out the buffer so new data keeps flowing in
+    const snapshot = buffer;
+    buffer = [];
+
+    logger.debug(
+        `Flushing ${snapshot.length} connection log record(s) to the database`
+    );
+
+    for (let i = 0; i < snapshot.length; i += INSERT_BATCH_SIZE) {
+        const batch = snapshot.slice(i, i + INSERT_BATCH_SIZE);
+
+        try {
+            await withDeadlockRetry(async () => {
+                await logsDb.insert(connectionAuditLog).values(batch);
+            }, `flush connection log batch (${batch.length} records)`);
+        } catch (error) {
+            logger.error(
+                `Failed to flush connection log batch of ${batch.length} records:`,
+                error
+            );
+
+            // Re-queue the failed batch so it is retried on the next flush
+            buffer = [...batch, ...buffer];
+
+            // Cap buffer to prevent unbounded growth if the DB is unreachable
+            const hardLimit = MAX_BUFFERED_RECORDS * 5;
+            if (buffer.length > hardLimit) {
+                const dropped = buffer.length - hardLimit;
+                buffer = buffer.slice(0, hardLimit);
+                logger.warn(
+                    `Connection log buffer overflow, dropped ${dropped} oldest records`
+                );
+            }
+
+            // Stop processing further batches from this snapshot — they will
+            // be picked up via the re-queued records on the next flush.
+            const remaining = snapshot.slice(i + INSERT_BATCH_SIZE);
+            if (remaining.length > 0) {
+                buffer = [...remaining, ...buffer];
+            }
+            break;
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Periodic flush timer
+// ---------------------------------------------------------------------------
+
+const flushTimer = setInterval(async () => {
+    try {
+        await flushConnectionLogToDb();
+    } catch (error) {
+        logger.error(
+            "Unexpected error during periodic connection log flush:",
+            error
+        );
+    }
+}, FLUSH_INTERVAL_MS);
+
+// Calling unref() means this timer will not keep the Node.js event loop alive
+// on its own — the process can still exit normally when there is no other work
+// left. The graceful-shutdown path will call flushConnectionLogToDb() explicitly
+// before process.exit(), so no data is lost.
+flushTimer.unref();
+
+// ---------------------------------------------------------------------------
+// Cleanup
+// ---------------------------------------------------------------------------
+
+export async function cleanUpOldLogs(
+    orgId: string,
+    retentionDays: number
+): Promise<void> {
+    const cutoffTimestamp = calculateCutoffTimestamp(retentionDays);
+
+    try {
+        await logsDb
+            .delete(connectionAuditLog)
+            .where(
+                and(
+                    lt(connectionAuditLog.startedAt, cutoffTimestamp),
+                    eq(connectionAuditLog.orgId, orgId)
+                )
+            );
+    } catch (error) {
+        logger.error("Error cleaning up old connection audit logs:", error);
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Public logging entry-point
+// ---------------------------------------------------------------------------
+
+/**
+ * Buffer a single connection log record for eventual persistence.
+ *
+ * Records are written to the database in batches either when the buffer
+ * reaches MAX_BUFFERED_RECORDS or when the periodic flush timer fires.
+ */
+export function logConnectionAudit(record: ConnectionLogRecord): void {
+    buffer.push(record);
+
+    if (buffer.length >= MAX_BUFFERED_RECORDS) {
+        // Fire and forget — errors are handled inside flushConnectionLogToDb
+        flushConnectionLogToDb().catch((error) => {
+            logger.error(
+                "Unexpected error during size-triggered connection log flush:",
+                error
+            );
+        });
+    }
+}
\ No newline at end of file
diff --git a/server/private/routers/newt/handleConnectionLogMessage.ts b/server/private/routers/newt/handleConnectionLogMessage.ts
index 2ac7153b5..00fb5dada 100644
--- a/server/private/routers/newt/handleConnectionLogMessage.ts
+++ b/server/private/routers/newt/handleConnectionLogMessage.ts
@@ -1,27 +1,20 @@
-import { db, logsDb } from "@server/db";
+import { db } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
-import { connectionAuditLog, sites, Newt, clients, orgs } from "@server/db";
-import { and, eq, lt, inArray } from "drizzle-orm";
+import { sites, Newt, clients, orgs } from "@server/db";
+import { and, eq, inArray } from "drizzle-orm";
 import logger from "@server/logger";
 import { inflate } from "zlib";
 import { promisify } from "util";
-import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
+import {
+    logConnectionAudit,
+    flushConnectionLogToDb,
+    cleanUpOldLogs
+} from "#private/lib/logConnectionAudit";
+
+export { flushConnectionLogToDb, cleanUpOldLogs };
 
 const zlibInflate = promisify(inflate);
 
-// Retry configuration for deadlock handling
-const MAX_RETRIES = 3;
-const BASE_DELAY_MS = 50;
-
-// How often to flush accumulated connection log data to the database
-const FLUSH_INTERVAL_MS = 30_000; // 30 seconds
-
-// Maximum number of records to buffer before forcing a flush
-const MAX_BUFFERED_RECORDS = 500;
-
-// Maximum number of records to insert in a single batch
-const INSERT_BATCH_SIZE = 100;
-
 interface ConnectionSessionData {
     sessionId: string;
     resourceId: number;
@@ -34,64 +27,6 @@ interface ConnectionSessionData {
     bytesRx?: number;
 }
 
-interface ConnectionLogRecord {
-    sessionId: string;
-    siteResourceId: number;
-    orgId: string;
-    siteId: number;
-    clientId: number | null;
-    userId: string | null;
-    sourceAddr: string;
-    destAddr: string;
-    protocol: string;
-    startedAt: number; // epoch seconds
-    endedAt: number | null;
-    bytesTx: number | null;
-    bytesRx: number | null;
-}
-
-// In-memory buffer of records waiting to be flushed
-let buffer: ConnectionLogRecord[] = [];
-
-/**
- * Check if an error is a deadlock error
- */
-function isDeadlockError(error: any): boolean {
-    return (
-        error?.code === "40P01" ||
-        error?.cause?.code === "40P01" ||
-        (error?.message && error.message.includes("deadlock"))
-    );
-}
-
-/**
- * Execute a function with retry logic for deadlock handling
- */
-async function withDeadlockRetry<T>(
-    operation: () => Promise<T>,
-    context: string
-): Promise<T> {
-    let attempt = 0;
-    while (true) {
-        try {
-            return await operation();
-        } catch (error: any) {
-            if (isDeadlockError(error) && attempt < MAX_RETRIES) {
-                attempt++;
-                const baseDelay = Math.pow(2, attempt - 1) * BASE_DELAY_MS;
-                const jitter = Math.random() * baseDelay;
-                const delay = baseDelay + jitter;
-                logger.warn(
-                    `Deadlock detected in ${context}, retrying attempt ${attempt}/${MAX_RETRIES} after ${delay.toFixed(0)}ms`
-                );
-                await new Promise((resolve) => setTimeout(resolve, delay));
-                continue;
-            }
-            throw error;
-        }
-    }
-}
-
 /**
  * Decompress a base64-encoded zlib-compressed string into parsed JSON.
  */
@@ -125,105 +60,6 @@ function toEpochSeconds(isoString: string | undefined | null): number | null {
     return Math.floor(ms / 1000);
 }
 
-/**
- * Flush all buffered connection log records to the database.
- *
- * Swaps out the buffer before writing so that any records added during the
- * flush are captured in the new buffer rather than being lost. Entries that
- * fail to write are re-queued back into the buffer so they will be retried
- * on the next flush.
- *
- * This function is exported so that the application's graceful-shutdown
- * cleanup handler can call it before the process exits.
- */
-export async function flushConnectionLogToDb(): Promise<void> {
-    if (buffer.length === 0) {
-        return;
-    }
-
-    // Atomically swap out the buffer so new data keeps flowing in
-    const snapshot = buffer;
-    buffer = [];
-
-    logger.debug(
-        `Flushing ${snapshot.length} connection log record(s) to the database`
-    );
-
-    // Insert in batches to avoid overly large SQL statements
-    for (let i = 0; i < snapshot.length; i += INSERT_BATCH_SIZE) {
-        const batch = snapshot.slice(i, i + INSERT_BATCH_SIZE);
-
-        try {
-            await withDeadlockRetry(async () => {
-                await logsDb.insert(connectionAuditLog).values(batch);
-            }, `flush connection log batch (${batch.length} records)`);
-        } catch (error) {
-            logger.error(
-                `Failed to flush connection log batch of ${batch.length} records:`,
-                error
-            );
-
-            // Re-queue the failed batch so it is retried on the next flush
-            buffer = [...batch, ...buffer];
-
-            // Cap buffer to prevent unbounded growth if DB is unreachable
-            if (buffer.length > MAX_BUFFERED_RECORDS * 5) {
-                const dropped = buffer.length - MAX_BUFFERED_RECORDS * 5;
-                buffer = buffer.slice(0, MAX_BUFFERED_RECORDS * 5);
-                logger.warn(
-                    `Connection log buffer overflow, dropped ${dropped} oldest records`
-                );
-            }
-
-            // Stop trying further batches from this snapshot — they'll be
-            // picked up by the next flush via the re-queued records above
-            const remaining = snapshot.slice(i + INSERT_BATCH_SIZE);
-            if (remaining.length > 0) {
-                buffer = [...remaining, ...buffer];
-            }
-            break;
-        }
-    }
-}
-
-const flushTimer = setInterval(async () => {
-    try {
-        await flushConnectionLogToDb();
-    } catch (error) {
-        logger.error(
-            "Unexpected error during periodic connection log flush:",
-            error
-        );
-    }
-}, FLUSH_INTERVAL_MS);
-
-// Calling unref() means this timer will not keep the Node.js event loop alive
-// on its own — the process can still exit normally when there is no other work
-// left.  The graceful-shutdown path will call flushConnectionLogToDb() explicitly
-// before process.exit(), so no data is lost.
-flushTimer.unref();
-
-export async function cleanUpOldLogs(orgId: string, retentionDays: number) {
-    const cutoffTimestamp = calculateCutoffTimestamp(retentionDays);
-
-    try {
-        await logsDb
-            .delete(connectionAuditLog)
-            .where(
-                and(
-                    lt(connectionAuditLog.startedAt, cutoffTimestamp),
-                    eq(connectionAuditLog.orgId, orgId)
-                )
-            );
-
-        // logger.debug(
-        //     `Cleaned up connection audit logs older than ${retentionDays} days`
-        // );
-    } catch (error) {
-        logger.error("Error cleaning up old connection audit logs:", error);
-    }
-}
-
 export const handleConnectionLogMessage: MessageHandler = async (context) => {
     const { message, client } = context;
     const newt = client as Newt;
@@ -277,13 +113,16 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
         return;
     }
 
-    logger.debug(`Sessions: ${JSON.stringify(sessions)}`)
+    logger.debug(`Sessions: ${JSON.stringify(sessions)}`);
 
     // Build a map from sourceAddr → { clientId, userId } by querying clients
     // whose subnet field matches exactly. Client subnets are stored with the
     // org's CIDR suffix (e.g. "100.90.128.5/16"), so we reconstruct that from
     // each unique sourceAddr + the org's CIDR suffix and do a targeted IN query.
-    const ipToClient = new Map<string, { clientId: number; userId: string | null }>();
+    const ipToClient = new Map<
+        string,
+        { clientId: number; userId: string | null }
+    >();
 
     if (cidrSuffix) {
         // Collect unique source addresses so we only query for what we need
@@ -296,13 +135,11 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
 
         if (uniqueSourceAddrs.size > 0) {
             // Construct the exact subnet strings as stored in the DB
-            const subnetQueries = Array.from(uniqueSourceAddrs).map(
-                (addr) => {
-                    // Strip port if present (e.g. "100.90.128.1:38004" → "100.90.128.1")
-                    const ip = addr.includes(":") ? addr.split(":")[0] : addr;
-                    return `${ip}${cidrSuffix}`;
-                }
-            );
+            const subnetQueries = Array.from(uniqueSourceAddrs).map((addr) => {
+                // Strip port if present (e.g. "100.90.128.1:38004" → "100.90.128.1")
+                const ip = addr.includes(":") ? addr.split(":")[0] : addr;
+                return `${ip}${cidrSuffix}`;
+            });
 
             logger.debug(`Subnet queries: ${JSON.stringify(subnetQueries)}`);
 
@@ -322,13 +159,18 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
 
             for (const c of matchedClients) {
                 const ip = c.subnet.split("/")[0];
-                logger.debug(`Client ${c.clientId} subnet ${c.subnet} matches ${ip}`);
-                ipToClient.set(ip, { clientId: c.clientId, userId: c.userId });
+                logger.debug(
+                    `Client ${c.clientId} subnet ${c.subnet} matches ${ip}`
+                );
+                ipToClient.set(ip, {
+                    clientId: c.clientId,
+                    userId: c.userId
+                });
             }
         }
     }
 
-    // Convert to DB records and add to the buffer
+    // Convert to DB records and hand off to the audit logger
     for (const session of sessions) {
         // Validate required fields
         if (
@@ -356,11 +198,12 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
         // client's IP on the WireGuard network, which corresponds to the IP
         // portion of the client's subnet CIDR (e.g. "100.90.128.5/24").
         // Strip port if present (e.g. "100.90.128.1:38004" → "100.90.128.1")
-        const sourceIp = session.sourceAddr.includes(":") ? session.sourceAddr.split(":")[0] : session.sourceAddr;
+        const sourceIp = session.sourceAddr.includes(":")
+            ? session.sourceAddr.split(":")[0]
+            : session.sourceAddr;
         const clientInfo = ipToClient.get(sourceIp) ?? null;
 
-
-        buffer.push({
+        logConnectionAudit({
             sessionId: session.sessionId,
             siteResourceId: session.resourceId,
             orgId,
@@ -380,15 +223,4 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
     logger.debug(
         `Buffered ${sessions.length} connection log session(s) from newt ${newt.newtId} (site ${newt.siteId})`
     );
-
-    // If the buffer has grown large enough, trigger an immediate flush
-    if (buffer.length >= MAX_BUFFERED_RECORDS) {
-        // Fire and forget — errors are handled inside flushConnectionLogToDb
-        flushConnectionLogToDb().catch((error) => {
-            logger.error(
-                "Unexpected error during size-triggered connection log flush:",
-                error
-            );
-        });
-    }
 };

From 3dc258da16c0dd05e2f0f53d5495769400b4f17b Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 12:22:37 -0700
Subject: [PATCH 188/314] Log streaming manager pass 1

---
 server/db/pg/schema/privateSchema.ts          |  28 +-
 server/db/sqlite/schema/privateSchema.ts      |  27 +-
 server/private/cleanup.ts                     |   2 +
 .../lib/logStreaming/LogStreamingManager.ts   | 626 ++++++++++++++++++
 server/private/lib/logStreaming/index.ts      |  31 +
 .../providers/HttpLogDestination.ts           | 260 ++++++++
 .../providers/LogDestinationProvider.ts       |  44 ++
 server/private/lib/logStreaming/types.ts      | 115 ++++
 8 files changed, 1131 insertions(+), 2 deletions(-)
 create mode 100644 server/private/lib/logStreaming/LogStreamingManager.ts
 create mode 100644 server/private/lib/logStreaming/index.ts
 create mode 100644 server/private/lib/logStreaming/providers/HttpLogDestination.ts
 create mode 100644 server/private/lib/logStreaming/providers/LogDestinationProvider.ts
 create mode 100644 server/private/lib/logStreaming/types.ts

diff --git a/server/db/pg/schema/privateSchema.ts b/server/db/pg/schema/privateSchema.ts
index 1b031636f..ed6301437 100644
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -8,7 +8,8 @@ import {
     real,
     text,
     index,
-    primaryKey
+    primaryKey,
+    uniqueIndex
 } from "drizzle-orm/pg-core";
 import { InferSelectModel } from "drizzle-orm";
 import {
@@ -470,3 +471,28 @@ export type SiteProvisioningKeyOrg = InferSelectModel<
 export type EventStreamingDestination = InferSelectModel<
     typeof eventStreamingDestinations
 >;
+
+export const eventStreamingCursors = pgTable(
+    "eventStreamingCursors",
+    {
+        cursorId: serial("cursorId").primaryKey(),
+        destinationId: integer("destinationId")
+            .notNull()
+            .references(() => eventStreamingDestinations.destinationId, {
+                onDelete: "cascade"
+            }),
+        logType: varchar("logType", { length: 50 }).notNull(), // "request" | "action" | "access" | "connection"
+        lastSentId: bigint("lastSentId", { mode: "number" }).notNull().default(0),
+        lastSentAt: bigint("lastSentAt", { mode: "number" }) // epoch milliseconds, null if never sent
+    },
+    (table) => [
+        uniqueIndex("idx_eventStreamingCursors_dest_type").on(
+            table.destinationId,
+            table.logType
+        )
+    ]
+);
+
+export type EventStreamingCursor = InferSelectModel<
+    typeof eventStreamingCursors
+>;
diff --git a/server/db/sqlite/schema/privateSchema.ts b/server/db/sqlite/schema/privateSchema.ts
index 9bb994266..c1aa084a2 100644
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -5,7 +5,8 @@ import {
     primaryKey,
     real,
     sqliteTable,
-    text
+    text,
+    uniqueIndex
 } from "drizzle-orm/sqlite-core";
 import {
     clients,
@@ -433,6 +434,27 @@ export const eventStreamingDestinations = sqliteTable(
     }
 );
 
+export const eventStreamingCursors = sqliteTable(
+    "eventStreamingCursors",
+    {
+        cursorId: integer("cursorId").primaryKey({ autoIncrement: true }),
+        destinationId: integer("destinationId")
+            .notNull()
+            .references(() => eventStreamingDestinations.destinationId, {
+                onDelete: "cascade"
+            }),
+        logType: text("logType").notNull(), // "request" | "action" | "access" | "connection"
+        lastSentId: integer("lastSentId").notNull().default(0),
+        lastSentAt: integer("lastSentAt") // epoch milliseconds, null if never sent
+    },
+    (table) => [
+        uniqueIndex("idx_eventStreamingCursors_dest_type").on(
+            table.destinationId,
+            table.logType
+        )
+    ]
+);
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -461,3 +483,6 @@ export type SiteProvisioningKey = InferSelectModel<typeof siteProvisioningKeys>;
 export type EventStreamingDestination = InferSelectModel<
     typeof eventStreamingDestinations
 >;
+export type EventStreamingCursor = InferSelectModel<
+    typeof eventStreamingCursors
+>;
diff --git a/server/private/cleanup.ts b/server/private/cleanup.ts
index f8032eb3b..af4238721 100644
--- a/server/private/cleanup.ts
+++ b/server/private/cleanup.ts
@@ -12,6 +12,7 @@
  */
 
 import { rateLimitService } from "#private/lib/rateLimit";
+import { logStreamingManager } from "#private/lib/logStreaming";
 import { cleanup as wsCleanup } from "#private/routers/ws";
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
 import { flushConnectionLogToDb } from "#private/routers/newt";
@@ -25,6 +26,7 @@ async function cleanup() {
     await flushSiteBandwidthToDb();
     await rateLimitService.cleanup();
     await wsCleanup();
+    await logStreamingManager.shutdown();
 
     process.exit(0);
 }
diff --git a/server/private/lib/logStreaming/LogStreamingManager.ts b/server/private/lib/logStreaming/LogStreamingManager.ts
new file mode 100644
index 000000000..131cc8de0
--- /dev/null
+++ b/server/private/lib/logStreaming/LogStreamingManager.ts
@@ -0,0 +1,626 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import {
+    db,
+    logsDb,
+    eventStreamingDestinations,
+    eventStreamingCursors,
+    requestAuditLog,
+    actionAuditLog,
+    accessAuditLog,
+    connectionAuditLog
+} from "@server/db";
+import logger from "@server/logger";
+import { and, eq, gt, desc, max, sql } from "drizzle-orm";
+import {
+    LogType,
+    LOG_TYPES,
+    LogEvent,
+    DestinationFailureState,
+    HttpConfig
+} from "./types";
+import { LogDestinationProvider } from "./providers/LogDestinationProvider";
+import { HttpLogDestination } from "./providers/HttpLogDestination";
+import type { EventStreamingDestination } from "@server/db";
+
+// ---------------------------------------------------------------------------
+// Configuration
+// ---------------------------------------------------------------------------
+
+/**
+ * How often (ms) the manager polls all destinations for new log records.
+ * Destinations that were behind (full batch returned) will be re-polled
+ * immediately without waiting for this interval.
+ */
+const POLL_INTERVAL_MS = 30_000;
+
+/**
+ * Maximum number of log records fetched from the DB in a single query.
+ * This also controls the maximum size of one HTTP POST body.
+ */
+const BATCH_SIZE = 250;
+
+/**
+ * Minimum delay (ms) between consecutive HTTP requests to the same destination
+ * during a catch-up run.  Prevents bursting thousands of requests back-to-back
+ * when a destination has fallen behind.
+ */
+const INTER_BATCH_DELAY_MS = 100;
+
+/**
+ * Maximum number of consecutive back-to-back batches to process for a single
+ * destination per poll cycle.  After this limit the destination will wait for
+ * the next scheduled poll before continuing, giving other destinations a turn.
+ */
+const MAX_CATCHUP_BATCHES = 20;
+
+/**
+ * Back-off schedule (ms) indexed by consecutive failure count.
+ * After the last entry the max value is re-used.
+ */
+const BACKOFF_SCHEDULE_MS = [
+    60_000,       // 1 min   (failure 1)
+    2 * 60_000,   // 2 min   (failure 2)
+    5 * 60_000,   // 5 min   (failure 3)
+    10 * 60_000,  // 10 min  (failure 4)
+    30 * 60_000   // 30 min  (failure 5+)
+];
+
+// ---------------------------------------------------------------------------
+// LogStreamingManager
+// ---------------------------------------------------------------------------
+
+/**
+ * Orchestrates periodic polling of the four audit-log tables and forwards new
+ * records to every enabled event-streaming destination.
+ *
+ * ### Design
+ * - **Interval-based**: a timer fires every `POLL_INTERVAL_MS`.  On each tick
+ *   every enabled destination is processed in sequence.
+ * - **Cursor-based**: the last successfully forwarded row `id` is persisted in
+ *   the `eventStreamingCursors` table so state survives restarts.
+ * - **Catch-up**: if a full batch is returned the destination is immediately
+ *   re-queried (up to `MAX_CATCHUP_BATCHES` times) before yielding.
+ * - **Smoothing**: `INTER_BATCH_DELAY_MS` is inserted between consecutive
+ *   catch-up batches to avoid hammering the remote endpoint.
+ * - **Back-off**: consecutive send failures trigger exponential back-off
+ *   (tracked in-memory per destination).  Successful sends reset the counter.
+ */
+export class LogStreamingManager {
+    private pollTimer: ReturnType<typeof setTimeout> | null = null;
+    private isRunning = false;
+    private isPolling = false;
+
+    /** In-memory back-off state keyed by destinationId. */
+    private readonly failures = new Map<number, DestinationFailureState>();
+
+    // -------------------------------------------------------------------------
+    // Lifecycle
+    // -------------------------------------------------------------------------
+
+    start(): void {
+        if (this.isRunning) return;
+        this.isRunning = true;
+        logger.info("LogStreamingManager: started");
+        this.schedulePoll(POLL_INTERVAL_MS);
+    }
+
+    async shutdown(): Promise<void> {
+        this.isRunning = false;
+        if (this.pollTimer !== null) {
+            clearTimeout(this.pollTimer);
+            this.pollTimer = null;
+        }
+        // Wait for any in-progress poll to finish before returning so that
+        // callers (graceful-shutdown handlers) can safely exit afterward.
+        const deadline = Date.now() + 15_000;
+        while (this.isPolling && Date.now() < deadline) {
+            await sleep(100);
+        }
+        logger.info("LogStreamingManager: stopped");
+    }
+
+    // -------------------------------------------------------------------------
+    // Scheduling
+    // -------------------------------------------------------------------------
+
+    private schedulePoll(delayMs: number): void {
+        this.pollTimer = setTimeout(() => {
+            this.pollTimer = null;
+            this.runPoll()
+                .catch((err) =>
+                    logger.error("LogStreamingManager: unexpected poll error", err)
+                )
+                .finally(() => {
+                    if (this.isRunning) {
+                        this.schedulePoll(POLL_INTERVAL_MS);
+                    }
+                });
+        }, delayMs);
+
+        // Do not keep the event loop alive just for the poll timer – the
+        // graceful-shutdown path calls shutdown() explicitly.
+        this.pollTimer.unref?.();
+    }
+
+    // -------------------------------------------------------------------------
+    // Poll cycle
+    // -------------------------------------------------------------------------
+
+    private async runPoll(): Promise<void> {
+        if (this.isPolling) return; // previous poll still running – skip
+        this.isPolling = true;
+
+        try {
+            const destinations = await this.loadEnabledDestinations();
+            if (destinations.length === 0) return;
+
+            for (const dest of destinations) {
+                if (!this.isRunning) break;
+                await this.processDestination(dest).catch((err) => {
+                    // Individual destination errors must never abort the whole cycle
+                    logger.error(
+                        `LogStreamingManager: unhandled error for destination ${dest.destinationId}`,
+                        err
+                    );
+                });
+            }
+        } finally {
+            this.isPolling = false;
+        }
+    }
+
+    // -------------------------------------------------------------------------
+    // Per-destination processing
+    // -------------------------------------------------------------------------
+
+    private async processDestination(
+        dest: EventStreamingDestination
+    ): Promise<void> {
+        // Check back-off
+        const failState = this.failures.get(dest.destinationId);
+        if (failState && Date.now() < failState.nextRetryAt) {
+            logger.debug(
+                `LogStreamingManager: destination ${dest.destinationId} in back-off, skipping`
+            );
+            return;
+        }
+
+        // Parse config – skip destination if config is unparseable
+        let config: HttpConfig;
+        try {
+            config = JSON.parse(dest.config) as HttpConfig;
+        } catch (err) {
+            logger.error(
+                `LogStreamingManager: destination ${dest.destinationId} has invalid JSON config`,
+                err
+            );
+            return;
+        }
+
+        const provider = this.createProvider(dest.type, config);
+        if (!provider) {
+            logger.warn(
+                `LogStreamingManager: unsupported destination type "${dest.type}" ` +
+                    `for destination ${dest.destinationId} – skipping`
+            );
+            return;
+        }
+
+        const enabledTypes: LogType[] = [];
+        if (dest.sendRequestLogs) enabledTypes.push("request");
+        if (dest.sendActionLogs) enabledTypes.push("action");
+        if (dest.sendAccessLogs) enabledTypes.push("access");
+        if (dest.sendConnectionLogs) enabledTypes.push("connection");
+
+        if (enabledTypes.length === 0) return;
+
+        let anyFailure = false;
+
+        for (const logType of enabledTypes) {
+            if (!this.isRunning) break;
+            try {
+                await this.processLogType(dest, provider, logType);
+            } catch (err) {
+                anyFailure = true;
+                logger.error(
+                    `LogStreamingManager: failed to process "${logType}" logs ` +
+                        `for destination ${dest.destinationId}`,
+                    err
+                );
+            }
+        }
+
+        if (anyFailure) {
+            this.recordFailure(dest.destinationId);
+        } else {
+            // Any success resets the failure/back-off state
+            if (this.failures.has(dest.destinationId)) {
+                this.failures.delete(dest.destinationId);
+                logger.info(
+                    `LogStreamingManager: destination ${dest.destinationId} recovered`
+                );
+            }
+        }
+    }
+
+    /**
+     * Forward all pending log records of a specific type for a destination.
+     *
+     * Fetches up to `BATCH_SIZE` records at a time.  If the batch is full
+     * (indicating more records may exist) it loops immediately, inserting a
+     * short delay between consecutive requests to the remote endpoint.
+     * The loop is capped at `MAX_CATCHUP_BATCHES` to keep the poll cycle
+     * bounded.
+     */
+    private async processLogType(
+        dest: EventStreamingDestination,
+        provider: LogDestinationProvider,
+        logType: LogType
+    ): Promise<void> {
+        // Ensure a cursor row exists (creates one pointing at the current max
+        // id so we do not replay historical logs on first run)
+        const cursor = await this.getOrCreateCursor(
+            dest.destinationId,
+            logType,
+            dest.orgId
+        );
+
+        let lastSentId = cursor.lastSentId;
+        let batchCount = 0;
+
+        while (batchCount < MAX_CATCHUP_BATCHES) {
+            const rows = await this.fetchLogs(
+                logType,
+                dest.orgId,
+                lastSentId,
+                BATCH_SIZE
+            );
+
+            if (rows.length === 0) break;
+
+            const events = rows.map((row) =>
+                this.rowToLogEvent(logType, row)
+            );
+
+            // Throws on failure – caught by the caller which applies back-off
+            await provider.send(events);
+
+            lastSentId = rows[rows.length - 1].id;
+            await this.updateCursor(dest.destinationId, logType, lastSentId);
+
+            batchCount++;
+
+            if (rows.length < BATCH_SIZE) {
+                // Partial batch means we have caught up
+                break;
+            }
+
+            // Full batch – there are likely more records; pause briefly before
+            // fetching the next batch to smooth out the HTTP request rate
+            if (batchCount < MAX_CATCHUP_BATCHES) {
+                await sleep(INTER_BATCH_DELAY_MS);
+            }
+        }
+    }
+
+    // -------------------------------------------------------------------------
+    // Cursor management
+    // -------------------------------------------------------------------------
+
+    private async getOrCreateCursor(
+        destinationId: number,
+        logType: LogType,
+        orgId: string
+    ): Promise<{ lastSentId: number }> {
+        // Try to read an existing cursor
+        const existing = await db
+            .select({
+                lastSentId: eventStreamingCursors.lastSentId
+            })
+            .from(eventStreamingCursors)
+            .where(
+                and(
+                    eq(eventStreamingCursors.destinationId, destinationId),
+                    eq(eventStreamingCursors.logType, logType)
+                )
+            )
+            .limit(1);
+
+        if (existing.length > 0) {
+            return { lastSentId: existing[0].lastSentId };
+        }
+
+        // No cursor yet – initialise at the current maximum id of the log
+        // table for this org so we only forward *new* events going forward.
+        const initialId = await this.getCurrentMaxId(logType, orgId);
+
+        await db.insert(eventStreamingCursors).values({
+            destinationId,
+            logType,
+            lastSentId: initialId,
+            lastSentAt: null
+        });
+
+        logger.debug(
+            `LogStreamingManager: initialised cursor for destination ${destinationId} ` +
+                `logType="${logType}" at id=${initialId}`
+        );
+
+        return { lastSentId: initialId };
+    }
+
+    private async updateCursor(
+        destinationId: number,
+        logType: LogType,
+        lastSentId: number
+    ): Promise<void> {
+        await db
+            .update(eventStreamingCursors)
+            .set({
+                lastSentId,
+                lastSentAt: Date.now()
+            })
+            .where(
+                and(
+                    eq(eventStreamingCursors.destinationId, destinationId),
+                    eq(eventStreamingCursors.logType, logType)
+                )
+            );
+    }
+
+    /**
+     * Returns the current maximum `id` in the given log table for the org.
+     * Returns 0 when the table is empty.
+     */
+    private async getCurrentMaxId(
+        logType: LogType,
+        orgId: string
+    ): Promise<number> {
+        try {
+            switch (logType) {
+                case "request": {
+                    const [row] = await logsDb
+                        .select({ maxId: max(requestAuditLog.id) })
+                        .from(requestAuditLog)
+                        .where(eq(requestAuditLog.orgId, orgId));
+                    return row?.maxId ?? 0;
+                }
+                case "action": {
+                    const [row] = await logsDb
+                        .select({ maxId: max(actionAuditLog.id) })
+                        .from(actionAuditLog)
+                        .where(eq(actionAuditLog.orgId, orgId));
+                    return row?.maxId ?? 0;
+                }
+                case "access": {
+                    const [row] = await logsDb
+                        .select({ maxId: max(accessAuditLog.id) })
+                        .from(accessAuditLog)
+                        .where(eq(accessAuditLog.orgId, orgId));
+                    return row?.maxId ?? 0;
+                }
+                case "connection": {
+                    const [row] = await logsDb
+                        .select({ maxId: max(connectionAuditLog.id) })
+                        .from(connectionAuditLog)
+                        .where(eq(connectionAuditLog.orgId, orgId));
+                    return row?.maxId ?? 0;
+                }
+            }
+        } catch (err) {
+            logger.warn(
+                `LogStreamingManager: could not determine current max id for ` +
+                    `logType="${logType}", defaulting to 0`,
+                err
+            );
+            return 0;
+        }
+    }
+
+    // -------------------------------------------------------------------------
+    // Log fetching
+    // -------------------------------------------------------------------------
+
+    /**
+     * Fetch up to `limit` log rows with `id > afterId`, ordered by id ASC,
+     * filtered to the given organisation.
+     */
+    private async fetchLogs(
+        logType: LogType,
+        orgId: string,
+        afterId: number,
+        limit: number
+    ): Promise<Array<Record<string, unknown> & { id: number }>> {
+        switch (logType) {
+            case "request":
+                return (await logsDb
+                    .select()
+                    .from(requestAuditLog)
+                    .where(
+                        and(
+                            eq(requestAuditLog.orgId, orgId),
+                            gt(requestAuditLog.id, afterId)
+                        )
+                    )
+                    .orderBy(requestAuditLog.id)
+                    .limit(limit)) as Array<
+                    Record<string, unknown> & { id: number }
+                >;
+
+            case "action":
+                return (await logsDb
+                    .select()
+                    .from(actionAuditLog)
+                    .where(
+                        and(
+                            eq(actionAuditLog.orgId, orgId),
+                            gt(actionAuditLog.id, afterId)
+                        )
+                    )
+                    .orderBy(actionAuditLog.id)
+                    .limit(limit)) as Array<
+                    Record<string, unknown> & { id: number }
+                >;
+
+            case "access":
+                return (await logsDb
+                    .select()
+                    .from(accessAuditLog)
+                    .where(
+                        and(
+                            eq(accessAuditLog.orgId, orgId),
+                            gt(accessAuditLog.id, afterId)
+                        )
+                    )
+                    .orderBy(accessAuditLog.id)
+                    .limit(limit)) as Array<
+                    Record<string, unknown> & { id: number }
+                >;
+
+            case "connection":
+                return (await logsDb
+                    .select()
+                    .from(connectionAuditLog)
+                    .where(
+                        and(
+                            eq(connectionAuditLog.orgId, orgId),
+                            gt(connectionAuditLog.id, afterId)
+                        )
+                    )
+                    .orderBy(connectionAuditLog.id)
+                    .limit(limit)) as Array<
+                    Record<string, unknown> & { id: number }
+                >;
+        }
+    }
+
+    // -------------------------------------------------------------------------
+    // Row → LogEvent conversion
+    // -------------------------------------------------------------------------
+
+    private rowToLogEvent(
+        logType: LogType,
+        row: Record<string, unknown> & { id: number }
+    ): LogEvent {
+        // Determine the epoch-seconds timestamp for this row type
+        let timestamp: number;
+        switch (logType) {
+            case "request":
+            case "action":
+            case "access":
+                timestamp =
+                    typeof row.timestamp === "number" ? row.timestamp : 0;
+                break;
+            case "connection":
+                timestamp =
+                    typeof row.startedAt === "number" ? row.startedAt : 0;
+                break;
+        }
+
+        const orgId =
+            typeof row.orgId === "string" ? row.orgId : "";
+
+        return {
+            id: row.id,
+            logType,
+            orgId,
+            timestamp,
+            data: row as Record<string, unknown>
+        };
+    }
+
+    // -------------------------------------------------------------------------
+    // Provider factory
+    // -------------------------------------------------------------------------
+
+    /**
+     * Instantiate the correct LogDestinationProvider for the given destination
+     * type string.  Returns `null` for unknown types.
+     *
+     * To add a new provider:
+     *  1. Implement `LogDestinationProvider` in a new file under `providers/`
+     *  2. Add a `case` here
+     */
+    private createProvider(
+        type: string,
+        config: unknown
+    ): LogDestinationProvider | null {
+        switch (type) {
+            case "http":
+                return new HttpLogDestination(config as HttpConfig);
+            // Future providers:
+            // case "datadog": return new DatadogLogDestination(config as DatadogConfig);
+            default:
+                return null;
+        }
+    }
+
+    // -------------------------------------------------------------------------
+    // Back-off tracking
+    // -------------------------------------------------------------------------
+
+    private recordFailure(destinationId: number): void {
+        const current = this.failures.get(destinationId) ?? {
+            consecutiveFailures: 0,
+            nextRetryAt: 0
+        };
+
+        current.consecutiveFailures += 1;
+
+        const scheduleIdx = Math.min(
+            current.consecutiveFailures - 1,
+            BACKOFF_SCHEDULE_MS.length - 1
+        );
+        const backoffMs = BACKOFF_SCHEDULE_MS[scheduleIdx];
+        current.nextRetryAt = Date.now() + backoffMs;
+
+        this.failures.set(destinationId, current);
+
+        logger.warn(
+            `LogStreamingManager: destination ${destinationId} failed ` +
+                `(consecutive #${current.consecutiveFailures}), ` +
+                `backing off for ${backoffMs / 1000}s`
+        );
+    }
+
+    // -------------------------------------------------------------------------
+    // DB helpers
+    // -------------------------------------------------------------------------
+
+    private async loadEnabledDestinations(): Promise<
+        EventStreamingDestination[]
+    > {
+        try {
+            return await db
+                .select()
+                .from(eventStreamingDestinations)
+                .where(eq(eventStreamingDestinations.enabled, true));
+        } catch (err) {
+            logger.error(
+                "LogStreamingManager: failed to load destinations",
+                err
+            );
+            return [];
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function sleep(ms: number): Promise<void> {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
\ No newline at end of file
diff --git a/server/private/lib/logStreaming/index.ts b/server/private/lib/logStreaming/index.ts
new file mode 100644
index 000000000..a4b8c569a
--- /dev/null
+++ b/server/private/lib/logStreaming/index.ts
@@ -0,0 +1,31 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { LogStreamingManager } from "./LogStreamingManager";
+
+/**
+ * Module-level singleton.  Importing this module is sufficient to start the
+ * streaming manager – no explicit init call required by the caller.
+ *
+ * The manager registers a non-blocking timer (unref'd) so it will not keep
+ * the Node.js event loop alive on its own.  Call `logStreamingManager.shutdown()`
+ * during graceful shutdown to drain any in-progress poll and release resources.
+ */
+export const logStreamingManager = new LogStreamingManager();
+
+logStreamingManager.start();
+
+export { LogStreamingManager } from "./LogStreamingManager";
+export type { LogDestinationProvider } from "./providers/LogDestinationProvider";
+export { HttpLogDestination } from "./providers/HttpLogDestination";
+export * from "./types";
\ No newline at end of file
diff --git a/server/private/lib/logStreaming/providers/HttpLogDestination.ts b/server/private/lib/logStreaming/providers/HttpLogDestination.ts
new file mode 100644
index 000000000..eac3c42e2
--- /dev/null
+++ b/server/private/lib/logStreaming/providers/HttpLogDestination.ts
@@ -0,0 +1,260 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import logger from "@server/logger";
+import { LogEvent, HttpConfig } from "../types";
+import { LogDestinationProvider } from "./LogDestinationProvider";
+
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+
+/** Maximum time (ms) to wait for a single HTTP response. */
+const REQUEST_TIMEOUT_MS = 30_000;
+
+// ---------------------------------------------------------------------------
+// HttpLogDestination
+// ---------------------------------------------------------------------------
+
+/**
+ * Forwards a batch of log events to an arbitrary HTTP endpoint via a single
+ * POST request per batch.
+ *
+ * **Payload format**
+ *
+ * Without a body template the payload is a JSON array, one object per event:
+ * ```json
+ * [
+ *   { "event": "request", "timestamp": "2024-01-01T00:00:00.000Z", "data": { … } },
+ *   …
+ * ]
+ * ```
+ *
+ * With a body template each event is rendered through the template and the
+ * resulting objects are wrapped in the same outer array.  Template placeholders:
+ *   - `{{event}}`     → the LogType string ("request", "action", etc.)
+ *   - `{{timestamp}}` → ISO-8601 UTC datetime string
+ *   - `{{data}}`      → raw inline JSON object  (**no surrounding quotes**)
+ *
+ * Example template:
+ * ```
+ * { "event": "{{event}}", "ts": "{{timestamp}}", "payload": {{data}} }
+ * ```
+ */
+export class HttpLogDestination implements LogDestinationProvider {
+    readonly type = "http";
+
+    private readonly config: HttpConfig;
+
+    constructor(config: HttpConfig) {
+        this.config = config;
+    }
+
+    // -----------------------------------------------------------------------
+    // LogDestinationProvider implementation
+    // -----------------------------------------------------------------------
+
+    async send(events: LogEvent[]): Promise<void> {
+        if (events.length === 0) return;
+
+        const headers = this.buildHeaders();
+        const payload = this.buildPayload(events);
+        const body = JSON.stringify(payload);
+
+        const controller = new AbortController();
+        const timeoutHandle = setTimeout(
+            () => controller.abort(),
+            REQUEST_TIMEOUT_MS
+        );
+
+        let response: Response;
+        try {
+            response = await fetch(this.config.url, {
+                method: "POST",
+                headers,
+                body,
+                signal: controller.signal
+            });
+        } catch (err: unknown) {
+            const isAbort =
+                err instanceof Error && err.name === "AbortError";
+            if (isAbort) {
+                throw new Error(
+                    `HttpLogDestination: request to "${this.config.url}" timed out after ${REQUEST_TIMEOUT_MS} ms`
+                );
+            }
+            const msg = err instanceof Error ? err.message : String(err);
+            throw new Error(
+                `HttpLogDestination: request to "${this.config.url}" failed – ${msg}`
+            );
+        } finally {
+            clearTimeout(timeoutHandle);
+        }
+
+        if (!response.ok) {
+            // Try to include a snippet of the response body in the error so
+            // operators can diagnose auth or schema rejections.
+            let responseSnippet = "";
+            try {
+                const text = await response.text();
+                responseSnippet = text.slice(0, 300);
+            } catch {
+                // ignore – best effort
+            }
+
+            throw new Error(
+                `HttpLogDestination: server at "${this.config.url}" returned ` +
+                    `HTTP ${response.status} ${response.statusText}` +
+                    (responseSnippet ? ` – ${responseSnippet}` : "")
+            );
+        }
+    }
+
+    // -----------------------------------------------------------------------
+    // Header construction
+    // -----------------------------------------------------------------------
+
+    private buildHeaders(): Record<string, string> {
+        const headers: Record<string, string> = {
+            "Content-Type": "application/json"
+        };
+
+        // Authentication
+        switch (this.config.authType) {
+            case "bearer": {
+                const token = this.config.bearerToken?.trim();
+                if (token) {
+                    headers["Authorization"] = `Bearer ${token}`;
+                }
+                break;
+            }
+            case "basic": {
+                const creds = this.config.basicCredentials?.trim();
+                if (creds) {
+                    const encoded = Buffer.from(creds).toString("base64");
+                    headers["Authorization"] = `Basic ${encoded}`;
+                }
+                break;
+            }
+            case "custom": {
+                const name = this.config.customHeaderName?.trim();
+                const value = this.config.customHeaderValue ?? "";
+                if (name) {
+                    headers[name] = value;
+                }
+                break;
+            }
+            case "none":
+            default:
+                // No Authorization header
+                break;
+        }
+
+        // Additional static headers (user-defined; may override Content-Type
+        // if the operator explicitly sets it, which is intentional).
+        for (const { key, value } of this.config.headers ?? []) {
+            const trimmedKey = key?.trim();
+            if (trimmedKey) {
+                headers[trimmedKey] = value ?? "";
+            }
+        }
+
+        return headers;
+    }
+
+    // -----------------------------------------------------------------------
+    // Payload construction
+    // -----------------------------------------------------------------------
+
+    /**
+     * Build the JSON-serialisable value that will be sent as the request body.
+     *
+     * - No template  → `Array<{ event, timestamp, data }>`
+     * - With template → `Array<parsed-template-result>`
+     */
+    private buildPayload(events: LogEvent[]): unknown {
+        if (this.config.useBodyTemplate && this.config.bodyTemplate?.trim()) {
+            return events.map((event) =>
+                this.renderTemplate(this.config.bodyTemplate!, event)
+            );
+        }
+
+        return events.map((event) => ({
+            event: event.logType,
+            timestamp: epochSecondsToIso(event.timestamp),
+            data: event.data
+        }));
+    }
+
+    /**
+     * Render a single event through the body template.
+     *
+     * The three placeholder tokens are replaced in a specific order to avoid
+     * accidental double-replacement:
+     *
+     *  1. `{{data}}`      → raw JSON (may contain `{{` characters in values)
+     *  2. `{{event}}`     → safe string
+     *  3. `{{timestamp}}` → safe ISO string
+     *
+     * If the rendered string is not valid JSON we fall back to returning it as
+     * a plain string so the batch still makes it out and the operator can
+     * inspect the template.
+     */
+    private renderTemplate(template: string, event: LogEvent): unknown {
+        const isoTimestamp = epochSecondsToIso(event.timestamp);
+        const dataJson = JSON.stringify(event.data);
+
+        // Replace {{data}} first because its JSON value might legitimately
+        // contain the substrings "{{event}}" or "{{timestamp}}" inside string
+        // fields – those should NOT be re-expanded.
+        const rendered = template
+            .replace(/\{\{data\}\}/g, dataJson)
+            .replace(/\{\{event\}\}/g, escapeJsonString(event.logType))
+            .replace(
+                /\{\{timestamp\}\}/g,
+                escapeJsonString(isoTimestamp)
+            );
+
+        try {
+            return JSON.parse(rendered);
+        } catch {
+            logger.warn(
+                `HttpLogDestination: body template produced invalid JSON for ` +
+                    `event type "${event.logType}" destined for "${this.config.url}". ` +
+                    `Sending rendered template as a raw string. ` +
+                    `Check your template syntax – specifically that {{data}} is ` +
+                    `NOT wrapped in quotes.`
+            );
+            return rendered;
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function epochSecondsToIso(epochSeconds: number): string {
+    return new Date(epochSeconds * 1000).toISOString();
+}
+
+/**
+ * Escape a string value so it can be safely substituted into the interior of
+ * a JSON string literal (i.e. between existing `"` quotes in the template).
+ * This prevents a crafted logType or timestamp from breaking out of its
+ * string context in the rendered template.
+ */
+function escapeJsonString(value: string): string {
+    // JSON.stringify produces `"<escaped>"` – strip the outer quotes.
+    return JSON.stringify(value).slice(1, -1);
+}
\ No newline at end of file
diff --git a/server/private/lib/logStreaming/providers/LogDestinationProvider.ts b/server/private/lib/logStreaming/providers/LogDestinationProvider.ts
new file mode 100644
index 000000000..d09be320b
--- /dev/null
+++ b/server/private/lib/logStreaming/providers/LogDestinationProvider.ts
@@ -0,0 +1,44 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { LogEvent } from "../types";
+
+/**
+ * Common interface that every log-forwarding backend must implement.
+ *
+ * Adding a new destination type (e.g. Datadog, Splunk, Kafka) is as simple as
+ * creating a class that satisfies this interface and registering it inside
+ * LogStreamingManager.createProvider().
+ */
+export interface LogDestinationProvider {
+    /**
+     * The string identifier that matches the `type` column in the
+     * `eventStreamingDestinations` table (e.g. "http", "datadog").
+     */
+    readonly type: string;
+
+    /**
+     * Forward a batch of log events to the destination.
+     *
+     * Implementations should:
+     *  - Treat the call as atomic: either all events are accepted or an error
+     *    is thrown so the caller can retry / back off.
+     *  - Respect the timeout contract expected by the manager (default 30 s).
+     *  - NOT swallow errors – the manager relies on thrown exceptions to track
+     *    failure state and apply exponential back-off.
+     *
+     * @param events  A non-empty array of normalised log events to forward.
+     * @throws        Any network, authentication, or serialisation error.
+     */
+    send(events: LogEvent[]): Promise<void>;
+}
\ No newline at end of file
diff --git a/server/private/lib/logStreaming/types.ts b/server/private/lib/logStreaming/types.ts
new file mode 100644
index 000000000..2bd25418d
--- /dev/null
+++ b/server/private/lib/logStreaming/types.ts
@@ -0,0 +1,115 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+// ---------------------------------------------------------------------------
+// Log type identifiers
+// ---------------------------------------------------------------------------
+
+export type LogType = "request" | "action" | "access" | "connection";
+
+export const LOG_TYPES: LogType[] = [
+    "request",
+    "action",
+    "access",
+    "connection"
+];
+
+// ---------------------------------------------------------------------------
+// A normalised event ready to be forwarded to a destination
+// ---------------------------------------------------------------------------
+
+export interface LogEvent {
+    /** The auto-increment primary key from the source table */
+    id: number;
+    /** Which log table this event came from */
+    logType: LogType;
+    /** The organisation that owns this event */
+    orgId: string;
+    /** Unix epoch seconds – taken from the record's own timestamp field */
+    timestamp: number;
+    /** Full row data from the source table, serialised as a plain object */
+    data: Record<string, unknown>;
+}
+
+// ---------------------------------------------------------------------------
+// A batch of events destined for a single streaming target
+// ---------------------------------------------------------------------------
+
+export interface LogBatch {
+    destinationId: number;
+    logType: LogType;
+    events: LogEvent[];
+}
+
+// ---------------------------------------------------------------------------
+// HTTP destination configuration (mirrors HttpConfig in the UI component)
+// ---------------------------------------------------------------------------
+
+export type AuthType = "none" | "bearer" | "basic" | "custom";
+
+export interface HttpConfig {
+    /** Human-readable label for the destination */
+    name: string;
+    /** Target URL that will receive POST requests */
+    url: string;
+    /** Authentication strategy to use */
+    authType: AuthType;
+    /** Used when authType === "bearer" */
+    bearerToken?: string;
+    /** Used when authType === "basic" – must be "username:password" */
+    basicCredentials?: string;
+    /** Used when authType === "custom" – header name */
+    customHeaderName?: string;
+    /** Used when authType === "custom" – header value */
+    customHeaderValue?: string;
+    /** Additional static headers appended to every request */
+    headers: Array<{ key: string; value: string }>;
+    /** Whether to render a custom body template instead of the default shape */
+    useBodyTemplate: boolean;
+    /**
+     * Handlebars-style template for the JSON body of each event.
+     *
+     * Supported placeholders:
+     *   {{event}}     – the LogType string ("request", "action", etc.)
+     *   {{timestamp}} – ISO-8601 UTC string derived from the event's timestamp
+     *   {{data}}      – raw JSON object (no surrounding quotes) of the full row
+     *
+     * Example:
+     *   { "event": "{{event}}", "ts": "{{timestamp}}", "payload": {{data}} }
+     */
+    bodyTemplate?: string;
+}
+
+// ---------------------------------------------------------------------------
+// Per-destination per-log-type cursor (reflects the DB table)
+// ---------------------------------------------------------------------------
+
+export interface StreamingCursor {
+    destinationId: number;
+    logType: LogType;
+    /** The `id` of the last row that was successfully forwarded */
+    lastSentId: number;
+    /** Epoch milliseconds of the last successful send (or null if never sent) */
+    lastSentAt: number | null;
+}
+
+// ---------------------------------------------------------------------------
+// In-memory failure / back-off state tracked per destination
+// ---------------------------------------------------------------------------
+
+export interface DestinationFailureState {
+    /** How many consecutive send failures have occurred */
+    consecutiveFailures: number;
+    /** Date.now() value after which the destination may be retried */
+    nextRetryAt: number;
+}
\ No newline at end of file

From d155d7e31b84c06c8b6391095fe5da0bcd1dc742 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 12:26:31 -0700
Subject: [PATCH 189/314] Update formatting

---
 server/db/pg/schema/privateSchema.ts | 43 ++++++++++++++--------------
 1 file changed, 21 insertions(+), 22 deletions(-)

diff --git a/server/db/pg/schema/privateSchema.ts b/server/db/pg/schema/privateSchema.ts
index ed6301437..4122fb5b5 100644
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -437,6 +437,27 @@ export const eventStreamingDestinations = pgTable(
     }
 );
 
+export const eventStreamingCursors = pgTable(
+    "eventStreamingCursors",
+    {
+        cursorId: serial("cursorId").primaryKey(),
+        destinationId: integer("destinationId")
+            .notNull()
+            .references(() => eventStreamingDestinations.destinationId, {
+                onDelete: "cascade"
+            }),
+        logType: varchar("logType", { length: 50 }).notNull(), // "request" | "action" | "access" | "connection"
+        lastSentId: bigint("lastSentId", { mode: "number" }).notNull().default(0),
+        lastSentAt: bigint("lastSentAt", { mode: "number" }) // epoch milliseconds, null if never sent
+    },
+    (table) => [
+        uniqueIndex("idx_eventStreamingCursors_dest_type").on(
+            table.destinationId,
+            table.logType
+        )
+    ]
+);
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -471,28 +492,6 @@ export type SiteProvisioningKeyOrg = InferSelectModel<
 export type EventStreamingDestination = InferSelectModel<
     typeof eventStreamingDestinations
 >;
-
-export const eventStreamingCursors = pgTable(
-    "eventStreamingCursors",
-    {
-        cursorId: serial("cursorId").primaryKey(),
-        destinationId: integer("destinationId")
-            .notNull()
-            .references(() => eventStreamingDestinations.destinationId, {
-                onDelete: "cascade"
-            }),
-        logType: varchar("logType", { length: 50 }).notNull(), // "request" | "action" | "access" | "connection"
-        lastSentId: bigint("lastSentId", { mode: "number" }).notNull().default(0),
-        lastSentAt: bigint("lastSentAt", { mode: "number" }) // epoch milliseconds, null if never sent
-    },
-    (table) => [
-        uniqueIndex("idx_eventStreamingCursors_dest_type").on(
-            table.destinationId,
-            table.logType
-        )
-    ]
-);
-
 export type EventStreamingCursor = InferSelectModel<
     typeof eventStreamingCursors
 >;

From 2a1c290dffdaa213d37fd5a027658e3ad54202d1 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Tue, 31 Mar 2026 12:32:03 -0700
Subject: [PATCH 190/314] dont show identifier on create private resource

---
 src/components/InternalResourceForm.tsx | 28 +++++++++++++------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/src/components/InternalResourceForm.tsx b/src/components/InternalResourceForm.tsx
index 2de907079..50847a489 100644
--- a/src/components/InternalResourceForm.tsx
+++ b/src/components/InternalResourceForm.tsx
@@ -566,19 +566,21 @@ export function InternalResourceForm({
                             </FormItem>
                         )}
                     />
-                    <FormField
-                        control={form.control}
-                        name="niceId"
-                        render={({ field }) => (
-                            <FormItem>
-                                <FormLabel>{t("identifier")}</FormLabel>
-                                <FormControl>
-                                    <Input {...field} />
-                                </FormControl>
-                                <FormMessage />
-                            </FormItem>
-                        )}
-                    />
+                    {variant === "edit" && (
+                        <FormField
+                            control={form.control}
+                            name="niceId"
+                            render={({ field }) => (
+                                <FormItem>
+                                    <FormLabel>{t("identifier")}</FormLabel>
+                                    <FormControl>
+                                        <Input {...field} />
+                                    </FormControl>
+                                    <FormMessage />
+                                </FormItem>
+                            )}
+                        />
+                    )}
                     <FormField
                         control={form.control}
                         name="siteId"

From a1e9396999657856c22a972e6fcd18ffc7ec9aa7 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 13:47:32 -0700
Subject: [PATCH 191/314] Handle backlog better

---
 .../lib/logStreaming/LogStreamingManager.ts   | 171 ++++++++++++++++--
 server/private/lib/logStreaming/types.ts      |   2 +
 .../createEventStreamingDestination.ts        |  14 ++
 3 files changed, 175 insertions(+), 12 deletions(-)

diff --git a/server/private/lib/logStreaming/LogStreamingManager.ts b/server/private/lib/logStreaming/LogStreamingManager.ts
index 131cc8de0..04e35ad00 100644
--- a/server/private/lib/logStreaming/LogStreamingManager.ts
+++ b/server/private/lib/logStreaming/LogStreamingManager.ts
@@ -77,6 +77,17 @@ const BACKOFF_SCHEDULE_MS = [
     30 * 60_000   // 30 min  (failure 5+)
 ];
 
+/**
+ * If a destination has been continuously unreachable for this long, its
+ * cursors are advanced to the current max row id and the backlog is silently
+ * discarded.  This prevents unbounded queue growth when a webhook endpoint is
+ * down for an extended period.  A prominent warning is logged so operators are
+ * aware logs were dropped.
+ *
+ * Default: 24 hours.
+ */
+const MAX_BACKLOG_DURATION_MS = 24 * 60 * 60_000;
+
 // ---------------------------------------------------------------------------
 // LogStreamingManager
 // ---------------------------------------------------------------------------
@@ -96,6 +107,10 @@ const BACKOFF_SCHEDULE_MS = [
  *   catch-up batches to avoid hammering the remote endpoint.
  * - **Back-off**: consecutive send failures trigger exponential back-off
  *   (tracked in-memory per destination).  Successful sends reset the counter.
+ * - **Backlog abandonment**: if a destination remains unreachable for longer
+ *   than `MAX_BACKLOG_DURATION_MS`, all cursors for that destination are
+ *   advanced to the current max id so the backlog is discarded and streaming
+ *   resumes from the present moment on recovery.
  */
 export class LogStreamingManager {
     private pollTimer: ReturnType<typeof setTimeout> | null = null;
@@ -116,6 +131,53 @@ export class LogStreamingManager {
         this.schedulePoll(POLL_INTERVAL_MS);
     }
 
+    // -------------------------------------------------------------------------
+    // Cursor initialisation (call this when a destination is first created)
+    // -------------------------------------------------------------------------
+
+    /**
+     * Eagerly seed cursors for every log type at the **current** max row id of
+     * each table, scoped to the destination's org.
+     *
+     * Call this immediately after inserting a new row into
+     * `eventStreamingDestinations` so the destination only receives events
+     * that were written *after* it was created.  If a cursor row already exists
+     * (e.g. the method is called twice) it is left untouched.
+     *
+     * The manager also has a lazy fallback inside `getOrCreateCursor` for
+     * destinations that existed before this method was introduced.
+     */
+    async initializeCursorsForDestination(
+        destinationId: number,
+        orgId: string
+    ): Promise<void> {
+        for (const logType of LOG_TYPES) {
+            const currentMaxId = await this.getCurrentMaxId(logType, orgId);
+            try {
+                await db
+                    .insert(eventStreamingCursors)
+                    .values({
+                        destinationId,
+                        logType,
+                        lastSentId: currentMaxId,
+                        lastSentAt: null
+                    })
+                    .onConflictDoNothing();
+            } catch (err) {
+                logger.warn(
+                    `LogStreamingManager: could not initialise cursor for ` +
+                        `destination ${destinationId} logType="${logType}"`,
+                    err
+                );
+            }
+        }
+
+        logger.debug(
+            `LogStreamingManager: cursors initialised for destination ${destinationId} ` +
+                `(org=${orgId})`
+        );
+    }
+
     async shutdown(): Promise<void> {
         this.isRunning = false;
         if (this.pollTimer !== null) {
@@ -188,8 +250,21 @@ export class LogStreamingManager {
     private async processDestination(
         dest: EventStreamingDestination
     ): Promise<void> {
-        // Check back-off
         const failState = this.failures.get(dest.destinationId);
+
+        // Check whether this destination has been unreachable long enough that
+        // we should give up on the accumulated backlog.
+        if (failState) {
+            const failingForMs = Date.now() - failState.firstFailedAt;
+            if (failingForMs >= MAX_BACKLOG_DURATION_MS) {
+                await this.abandonBacklog(dest, failState);
+                this.failures.delete(dest.destinationId);
+                // Cursors now point to the current head – retry on next poll.
+                return;
+            }
+        }
+
+        // Check regular exponential back-off window
         if (failState && Date.now() < failState.nextRetryAt) {
             logger.debug(
                 `LogStreamingManager: destination ${dest.destinationId} in back-off, skipping`
@@ -255,6 +330,69 @@ export class LogStreamingManager {
         }
     }
 
+    /**
+     * Advance every cursor for the destination to the current max row id,
+     * effectively discarding the accumulated backlog.  Called when the
+     * destination has been unreachable for longer than MAX_BACKLOG_DURATION_MS.
+     */
+    private async abandonBacklog(
+        dest: EventStreamingDestination,
+        failState: DestinationFailureState
+    ): Promise<void> {
+        const failingForHours = (
+            (Date.now() - failState.firstFailedAt) /
+            3_600_000
+        ).toFixed(1);
+
+        let totalDropped = 0;
+
+        for (const logType of LOG_TYPES) {
+            try {
+                const currentMaxId = await this.getCurrentMaxId(
+                    logType,
+                    dest.orgId
+                );
+
+                // Find out how many rows are being skipped for this type
+                const cursor = await db
+                    .select({ lastSentId: eventStreamingCursors.lastSentId })
+                    .from(eventStreamingCursors)
+                    .where(
+                        and(
+                            eq(eventStreamingCursors.destinationId, dest.destinationId),
+                            eq(eventStreamingCursors.logType, logType)
+                        )
+                    )
+                    .limit(1);
+
+                const prevId = cursor[0]?.lastSentId ?? currentMaxId;
+                totalDropped += Math.max(0, currentMaxId - prevId);
+
+                await this.updateCursor(
+                    dest.destinationId,
+                    logType,
+                    currentMaxId
+                );
+            } catch (err) {
+                logger.error(
+                    `LogStreamingManager: failed to advance cursor for ` +
+                        `destination ${dest.destinationId} logType="${logType}" ` +
+                        `during backlog abandonment`,
+                    err
+                );
+            }
+        }
+
+        logger.warn(
+            `LogStreamingManager: destination ${dest.destinationId} has been ` +
+                `unreachable for ${failingForHours}h ` +
+                `(${failState.consecutiveFailures} consecutive failures). ` +
+                `Discarding backlog of ~${totalDropped} log event(s) and ` +
+                `resuming from the current position. ` +
+                `Verify the destination URL and credentials.`
+        );
+    }
+
     /**
      * Forward all pending log records of a specific type for a destination.
      *
@@ -342,20 +480,27 @@ export class LogStreamingManager {
             return { lastSentId: existing[0].lastSentId };
         }
 
-        // No cursor yet – initialise at the current maximum id of the log
-        // table for this org so we only forward *new* events going forward.
+        // No cursor yet – this destination pre-dates the eager initialisation
+        // path (initializeCursorsForDestination).  Seed at the current max id
+        // so we do not replay historical logs.
         const initialId = await this.getCurrentMaxId(logType, orgId);
 
-        await db.insert(eventStreamingCursors).values({
-            destinationId,
-            logType,
-            lastSentId: initialId,
-            lastSentAt: null
-        });
+        // Use onConflictDoNothing in case of a rare race between two poll
+        // cycles both hitting this branch simultaneously.
+        await db
+            .insert(eventStreamingCursors)
+            .values({
+                destinationId,
+                logType,
+                lastSentId: initialId,
+                lastSentAt: null
+            })
+            .onConflictDoNothing();
 
         logger.debug(
-            `LogStreamingManager: initialised cursor for destination ${destinationId} ` +
-                `logType="${logType}" at id=${initialId}`
+            `LogStreamingManager: lazily initialised cursor for destination ${destinationId} ` +
+                `logType="${logType}" at id=${initialId} ` +
+                `(prefer initializeCursorsForDestination at creation time)`
         );
 
         return { lastSentId: initialId };
@@ -574,7 +719,9 @@ export class LogStreamingManager {
     private recordFailure(destinationId: number): void {
         const current = this.failures.get(destinationId) ?? {
             consecutiveFailures: 0,
-            nextRetryAt: 0
+            nextRetryAt: 0,
+            // Stamp the very first failure so we can measure total outage duration
+            firstFailedAt: Date.now()
         };
 
         current.consecutiveFailures += 1;
diff --git a/server/private/lib/logStreaming/types.ts b/server/private/lib/logStreaming/types.ts
index 2bd25418d..585adb2a2 100644
--- a/server/private/lib/logStreaming/types.ts
+++ b/server/private/lib/logStreaming/types.ts
@@ -112,4 +112,6 @@ export interface DestinationFailureState {
     consecutiveFailures: number;
     /** Date.now() value after which the destination may be retried */
     nextRetryAt: number;
+    /** Date.now() value of the very first failure in the current streak */
+    firstFailedAt: number;
 }
\ No newline at end of file
diff --git a/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts b/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
index 1c9de788a..623f2d9e0 100644
--- a/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
+++ b/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
@@ -15,6 +15,7 @@ import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
 import { eventStreamingDestinations } from "@server/db";
+import { logStreamingManager } from "#private/lib/logStreaming";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -106,6 +107,19 @@ export async function createEventStreamingDestination(
             })
             .returning();
 
+        // Seed cursors at the current max row id for every log type so this
+        // destination only receives events written *after* it was created.
+        // Fire-and-forget: a failure here is non-fatal; the manager has a lazy
+        // fallback that will seed at the next poll if these rows are missing.
+        logStreamingManager
+            .initializeCursorsForDestination(destination.destinationId, orgId)
+            .catch((err) =>
+                logger.error(
+                    "createEventStreamingDestination: failed to initialise streaming cursors",
+                    err
+                )
+            );
+
         return response<CreateEventStreamingDestinationResponse>(res, {
             data: {
                 destinationId: destination.destinationId

From fe30bb280e5d80ca66f915b45a5a0c25b501df3a Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 14:04:58 -0700
Subject: [PATCH 192/314] Add option for how to batch

---
 .../providers/HttpLogDestination.ts           | 118 +++++++++++++-----
 server/private/lib/logStreaming/types.ts      |  17 +++
 src/components/HttpDestinationCredenza.tsx    | 111 +++++++++++++++-
 3 files changed, 215 insertions(+), 31 deletions(-)

diff --git a/server/private/lib/logStreaming/providers/HttpLogDestination.ts b/server/private/lib/logStreaming/providers/HttpLogDestination.ts
index eac3c42e2..5e149f814 100644
--- a/server/private/lib/logStreaming/providers/HttpLogDestination.ts
+++ b/server/private/lib/logStreaming/providers/HttpLogDestination.ts
@@ -12,7 +12,7 @@
  */
 
 import logger from "@server/logger";
-import { LogEvent, HttpConfig } from "../types";
+import { LogEvent, HttpConfig, PayloadFormat } from "../types";
 import { LogDestinationProvider } from "./LogDestinationProvider";
 
 // ---------------------------------------------------------------------------
@@ -22,6 +22,9 @@ import { LogDestinationProvider } from "./LogDestinationProvider";
 /** Maximum time (ms) to wait for a single HTTP response. */
 const REQUEST_TIMEOUT_MS = 30_000;
 
+/** Default payload format when none is specified in the config. */
+const DEFAULT_FORMAT: PayloadFormat = "json_array";
+
 // ---------------------------------------------------------------------------
 // HttpLogDestination
 // ---------------------------------------------------------------------------
@@ -32,16 +35,31 @@ const REQUEST_TIMEOUT_MS = 30_000;
  *
  * **Payload format**
  *
- * Without a body template the payload is a JSON array, one object per event:
- * ```json
- * [
- *   { "event": "request", "timestamp": "2024-01-01T00:00:00.000Z", "data": { … } },
- *   …
- * ]
- * ```
+ * **Payload formats** (controlled by `config.format`):
  *
- * With a body template each event is rendered through the template and the
- * resulting objects are wrapped in the same outer array.  Template placeholders:
+ * - `json_array` (default) — one POST per batch, body is a JSON array:
+ *   ```json
+ *   [
+ *     { "event": "request", "timestamp": "2024-01-01T00:00:00.000Z", "data": { … } },
+ *     …
+ *   ]
+ *   ```
+ *   `Content-Type: application/json`
+ *
+ * - `ndjson` — one POST per batch, body is newline-delimited JSON (one object
+ *   per line, no outer array).  Required by Splunk HEC, Elastic/OpenSearch,
+ *   and Grafana Loki:
+ *   ```
+ *   {"event":"request","timestamp":"…","data":{…}}
+ *   {"event":"action","timestamp":"…","data":{…}}
+ *   ```
+ *   `Content-Type: application/x-ndjson`
+ *
+ * - `json_single` — one POST **per event**, body is a plain JSON object.
+ *   Use only for endpoints that cannot handle batches at all.
+ *
+ * With a body template each event is rendered through the template before
+ * serialisation.  Template placeholders:
  *   - `{{event}}`     → the LogType string ("request", "action", etc.)
  *   - `{{timestamp}}` → ISO-8601 UTC datetime string
  *   - `{{data}}`      → raw inline JSON object  (**no surrounding quotes**)
@@ -67,9 +85,41 @@ export class HttpLogDestination implements LogDestinationProvider {
     async send(events: LogEvent[]): Promise<void> {
         if (events.length === 0) return;
 
-        const headers = this.buildHeaders();
-        const payload = this.buildPayload(events);
-        const body = JSON.stringify(payload);
+        const format = this.config.format ?? DEFAULT_FORMAT;
+
+        if (format === "json_single") {
+            // One HTTP POST per event – send sequentially so a failure on one
+            // event throws and lets the manager retry the whole batch from the
+            // same cursor position.
+            for (const event of events) {
+                await this.postRequest(
+                    this.buildSingleBody(event),
+                    "application/json"
+                );
+            }
+            return;
+        }
+
+        if (format === "ndjson") {
+            const body = this.buildNdjsonBody(events);
+            await this.postRequest(body, "application/x-ndjson");
+            return;
+        }
+
+        // json_array (default)
+        const body = JSON.stringify(this.buildArrayPayload(events));
+        await this.postRequest(body, "application/json");
+    }
+
+    // -----------------------------------------------------------------------
+    // Internal HTTP sender
+    // -----------------------------------------------------------------------
+
+    private async postRequest(
+        body: string,
+        contentType: string
+    ): Promise<void> {
+        const headers = this.buildHeaders(contentType);
 
         const controller = new AbortController();
         const timeoutHandle = setTimeout(
@@ -124,9 +174,9 @@ export class HttpLogDestination implements LogDestinationProvider {
     // Header construction
     // -----------------------------------------------------------------------
 
-    private buildHeaders(): Record<string, string> {
+    private buildHeaders(contentType: string): Record<string, string> {
         const headers: Record<string, string> = {
-            "Content-Type": "application/json"
+            "Content-Type": contentType
         };
 
         // Authentication
@@ -176,24 +226,36 @@ export class HttpLogDestination implements LogDestinationProvider {
     // Payload construction
     // -----------------------------------------------------------------------
 
-    /**
-     * Build the JSON-serialisable value that will be sent as the request body.
-     *
-     * - No template  → `Array<{ event, timestamp, data }>`
-     * - With template → `Array<parsed-template-result>`
-     */
-    private buildPayload(events: LogEvent[]): unknown {
+    /** Single default event object (no surrounding array). */
+    private buildEventObject(event: LogEvent): unknown {
         if (this.config.useBodyTemplate && this.config.bodyTemplate?.trim()) {
-            return events.map((event) =>
-                this.renderTemplate(this.config.bodyTemplate!, event)
-            );
+            return this.renderTemplate(this.config.bodyTemplate!, event);
         }
-
-        return events.map((event) => ({
+        return {
             event: event.logType,
             timestamp: epochSecondsToIso(event.timestamp),
             data: event.data
-        }));
+        };
+    }
+
+    /** JSON array payload – used for `json_array` format. */
+    private buildArrayPayload(events: LogEvent[]): unknown[] {
+        return events.map((e) => this.buildEventObject(e));
+    }
+
+    /**
+     * NDJSON payload – one JSON object per line, no outer array.
+     * Each line must be a complete, valid JSON object.
+     */
+    private buildNdjsonBody(events: LogEvent[]): string {
+        return events
+            .map((e) => JSON.stringify(this.buildEventObject(e)))
+            .join("\n");
+    }
+
+    /** Single-event body – used for `json_single` format. */
+    private buildSingleBody(event: LogEvent): string {
+        return JSON.stringify(this.buildEventObject(event));
     }
 
     /**
diff --git a/server/private/lib/logStreaming/types.ts b/server/private/lib/logStreaming/types.ts
index 585adb2a2..03fe88cad 100644
--- a/server/private/lib/logStreaming/types.ts
+++ b/server/private/lib/logStreaming/types.ts
@@ -57,6 +57,18 @@ export interface LogBatch {
 
 export type AuthType = "none" | "bearer" | "basic" | "custom";
 
+/**
+ * Controls how the batch of events is serialised into the HTTP request body.
+ *
+ * - `json_array`   – `[{…}, {…}]`  — default; one POST per batch wrapped in a
+ *                    JSON array.  Works with most generic webhooks and Datadog.
+ * - `ndjson`       – `{…}\n{…}`    — newline-delimited JSON, one object per
+ *                    line.  Required by Splunk HEC, Elastic/OpenSearch, Loki.
+ * - `json_single`  – one HTTP POST per event, body is a plain JSON object.
+ *                    Use only for endpoints that cannot handle batches at all.
+ */
+export type PayloadFormat = "json_array" | "ndjson" | "json_single";
+
 export interface HttpConfig {
     /** Human-readable label for the destination */
     name: string;
@@ -75,6 +87,11 @@ export interface HttpConfig {
     /** Additional static headers appended to every request */
     headers: Array<{ key: string; value: string }>;
     /** Whether to render a custom body template instead of the default shape */
+    /**
+     * How events are serialised into the request body.
+     * Defaults to `"json_array"` when absent.
+     */
+    format?: PayloadFormat;
     useBodyTemplate: boolean;
     /**
      * Handlebars-style template for the JSON body of each event.
diff --git a/src/components/HttpDestinationCredenza.tsx b/src/components/HttpDestinationCredenza.tsx
index 653b766b0..205c17c84 100644
--- a/src/components/HttpDestinationCredenza.tsx
+++ b/src/components/HttpDestinationCredenza.tsx
@@ -29,6 +29,8 @@ import { build } from "@server/build";
 
 export type AuthType = "none" | "bearer" | "basic" | "custom";
 
+export type PayloadFormat = "json_array" | "ndjson" | "json_single";
+
 export interface HttpConfig {
     name: string;
     url: string;
@@ -38,6 +40,7 @@ export interface HttpConfig {
     customHeaderName?: string;
     customHeaderValue?: string;
     headers: Array<{ key: string; value: string }>;
+    format: PayloadFormat;
     useBodyTemplate: boolean;
     bodyTemplate?: string;
 }
@@ -67,6 +70,7 @@ export const defaultHttpConfig = (): HttpConfig => ({
     customHeaderName: "",
     customHeaderValue: "",
     headers: [],
+    format: "json_array",
     useBodyTemplate: false,
     bodyTemplate: ""
 });
@@ -278,7 +282,7 @@ export function HttpDestinationCredenza({
                         items={[
                             { title: "Settings", href: "" },
                             { title: "Headers", href: "" },
-                            { title: "Body Template", href: "" },
+                            { title: "Body", href: "" },
                             { title: "Logs", href: "" }
                         ]}
                     >
@@ -539,7 +543,7 @@ export function HttpDestinationCredenza({
                             />
                         </div>
 
-                        {/* ── Body Template tab ─────────────────────────── */}
+                        {/* ── Body tab ─────────────────────────── */}
                         <div className="space-y-6 mt-4 p-1">
                             <div>
                                 <label className="font-medium block">
@@ -592,6 +596,107 @@ export function HttpDestinationCredenza({
                                     </p>
                                 </div>
                             )}
+
+                            {/* Payload Format */}
+                            <div className="space-y-3">
+                                <div>
+                                    <label className="font-medium block">
+                                        Payload Format
+                                    </label>
+                                    <p className="text-sm text-muted-foreground mt-0.5">
+                                        How events are serialised into each
+                                        request body.
+                                    </p>
+                                </div>
+
+                                <RadioGroup
+                                    value={cfg.format ?? "json_array"}
+                                    onValueChange={(v) =>
+                                        update({
+                                            format: v as PayloadFormat
+                                        })
+                                    }
+                                    className="gap-2"
+                                >
+                                    {/* JSON Array */}
+                                    <div className="flex items-start gap-3 rounded-md border p-3 transition-colors">
+                                        <RadioGroupItem
+                                            value="json_array"
+                                            id="fmt-json-array"
+                                            className="mt-0.5"
+                                        />
+                                        <div>
+                                            <Label
+                                                htmlFor="fmt-json-array"
+                                                className="cursor-pointer font-medium"
+                                            >
+                                                JSON Array
+                                            </Label>
+                                            <p className="text-xs text-muted-foreground mt-0.5">
+                                                One request per batch, body is
+                                                a JSON array{" "}
+                                                <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                                    [{"{...}"}, {"{...}"}]
+                                                </code>
+                                                . Compatible with most generic
+                                                webhooks and Datadog.
+                                            </p>
+                                        </div>
+                                    </div>
+
+                                    {/* NDJSON */}
+                                    <div className="flex items-start gap-3 rounded-md border p-3 transition-colors">
+                                        <RadioGroupItem
+                                            value="ndjson"
+                                            id="fmt-ndjson"
+                                            className="mt-0.5"
+                                        />
+                                        <div>
+                                            <Label
+                                                htmlFor="fmt-ndjson"
+                                                className="cursor-pointer font-medium"
+                                            >
+                                                NDJSON
+                                            </Label>
+                                            <p className="text-xs text-muted-foreground mt-0.5">
+                                                One request per batch, body is
+                                                newline-delimited JSON — one
+                                                object per line, no outer
+                                                array. Required by{" "}
+                                                <strong>Splunk HEC</strong>,{" "}
+                                                <strong>
+                                                    Elastic / OpenSearch
+                                                </strong>
+                                                , and{" "}
+                                                <strong>Grafana Loki</strong>.
+                                            </p>
+                                        </div>
+                                    </div>
+
+                                    {/* Single event per request */}
+                                    <div className="flex items-start gap-3 rounded-md border p-3 transition-colors">
+                                        <RadioGroupItem
+                                            value="json_single"
+                                            id="fmt-json-single"
+                                            className="mt-0.5"
+                                        />
+                                        <div>
+                                            <Label
+                                                htmlFor="fmt-json-single"
+                                                className="cursor-pointer font-medium"
+                                            >
+                                                One Event Per Request
+                                            </Label>
+                                            <p className="text-xs text-muted-foreground mt-0.5">
+                                                Sends a separate HTTP POST for
+                                                each individual event. Use only
+                                                for endpoints that cannot
+                                                handle batches.
+                                            </p>
+                                        </div>
+                                    </div>
+                                </RadioGroup>
+                            </div>
                         </div>
 
                         {/* ── Logs tab ──────────────────────────────────── */}
@@ -728,4 +833,4 @@ export function HttpDestinationCredenza({
             </CredenzaContent>
         </Credenza>
     );
-}
\ No newline at end of file
+}

From 9162ac6d910e164c9f4585862acbab470a9781e8 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 14:07:28 -0700
Subject: [PATCH 193/314] Add missing headers

---
 .../routers/newt/handleConnectionLogMessage.ts      | 13 +++++++++++++
 server/private/routers/newt/index.ts                | 13 +++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/server/private/routers/newt/handleConnectionLogMessage.ts b/server/private/routers/newt/handleConnectionLogMessage.ts
index 00fb5dada..e980f85c9 100644
--- a/server/private/routers/newt/handleConnectionLogMessage.ts
+++ b/server/private/routers/newt/handleConnectionLogMessage.ts
@@ -1,3 +1,16 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
 import { db } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
 import { sites, Newt, clients, orgs } from "@server/db";
diff --git a/server/private/routers/newt/index.ts b/server/private/routers/newt/index.ts
index cc182cf7d..256d19cb7 100644
--- a/server/private/routers/newt/index.ts
+++ b/server/private/routers/newt/index.ts
@@ -1 +1,14 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
 export * from "./handleConnectionLogMessage";

From 29b272f5d57f45700477beec8e2911573081db60 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 14:08:50 -0700
Subject: [PATCH 194/314] Restrict saas

---
 server/private/lib/logStreaming/index.ts | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/server/private/lib/logStreaming/index.ts b/server/private/lib/logStreaming/index.ts
index a4b8c569a..619809771 100644
--- a/server/private/lib/logStreaming/index.ts
+++ b/server/private/lib/logStreaming/index.ts
@@ -11,6 +11,7 @@
  * This file is not licensed under the AGPLv3.
  */
 
+import { build } from "@server/build";
 import { LogStreamingManager } from "./LogStreamingManager";
 
 /**
@@ -23,9 +24,11 @@ import { LogStreamingManager } from "./LogStreamingManager";
  */
 export const logStreamingManager = new LogStreamingManager();
 
-logStreamingManager.start();
+if (build != "saas") { // this is handled separately in the saas build, so we don't want to start it here
+    logStreamingManager.start();
+}
 
 export { LogStreamingManager } from "./LogStreamingManager";
 export type { LogDestinationProvider } from "./providers/LogDestinationProvider";
 export { HttpLogDestination } from "./providers/HttpLogDestination";
-export * from "./types";
\ No newline at end of file
+export * from "./types";

From edfeec900dd23d2a6a27bef41815ea8e69829e8f Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 14:25:47 -0700
Subject: [PATCH 195/314] Define db type

---
 server/db/pg/driver.ts                    | 6 +++---
 server/db/sqlite/driver.ts                | 3 ++-
 server/routers/gerbil/receiveBandwidth.ts | 8 ++------
 3 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/server/db/pg/driver.ts b/server/db/pg/driver.ts
index 9366e32e1..86a0c0352 100644
--- a/server/db/pg/driver.ts
+++ b/server/db/pg/driver.ts
@@ -60,8 +60,7 @@ function createDb() {
             })
         );
     } else {
-        const maxReplicaConnections =
-            poolConfig?.max_replica_connections || 20;
+        const maxReplicaConnections = poolConfig?.max_replica_connections || 20;
         for (const conn of replicaConnections) {
             const replicaPool = createPool(
                 conn.connection_string,
@@ -91,4 +90,5 @@ export default db;
 export const primaryDb = db.$primary;
 export type Transaction = Parameters<
     Parameters<(typeof db)["transaction"]>[0]
->[0];
\ No newline at end of file
+>[0];
+export const DB_TYPE: "pg" | "sqlite" = "pg";
diff --git a/server/db/sqlite/driver.ts b/server/db/sqlite/driver.ts
index 9cbc8d7be..832ff16f9 100644
--- a/server/db/sqlite/driver.ts
+++ b/server/db/sqlite/driver.ts
@@ -23,7 +23,8 @@ export default db;
 export const primaryDb = db;
 export type Transaction = Parameters<
     Parameters<(typeof db)["transaction"]>[0]
->[0];
+    >[0];
+export const DB_TYPE: "pg" | "sqlite" = "sqlite";
 
 function checkFileExists(filePath: string): boolean {
     try {
diff --git a/server/routers/gerbil/receiveBandwidth.ts b/server/routers/gerbil/receiveBandwidth.ts
index 787b7b702..b4cce8c4e 100644
--- a/server/routers/gerbil/receiveBandwidth.ts
+++ b/server/routers/gerbil/receiveBandwidth.ts
@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { sql } from "drizzle-orm";
-import { db } from "@server/db";
+import { db, DB_TYPE } from "@server/db";
 import logger from "@server/logger";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
@@ -96,12 +96,8 @@ async function dbQueryRows<T extends Record<string, unknown>>(
     return (await anyDb.all(query)) as T[];
 }
 
-/**
- * Returns true when the active database driver is SQLite (better-sqlite3).
- * Used to select the appropriate bulk-update strategy.
- */
 function isSQLite(): boolean {
-    return typeof (db as any).execute !== "function";
+    return DB_TYPE == "sqlite";
 }
 
 /**

From 2cee723f0ec0f896fcb1a189901d02bf3e494cb7 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 14:41:02 -0700
Subject: [PATCH 196/314] Handle online and offline for wireguard sites

---
 server/routers/newt/handleNewtPingMessage.ts | 62 +++++++++++++++++++-
 1 file changed, 59 insertions(+), 3 deletions(-)

diff --git a/server/routers/newt/handleNewtPingMessage.ts b/server/routers/newt/handleNewtPingMessage.ts
index da25852a0..c2c4e7762 100644
--- a/server/routers/newt/handleNewtPingMessage.ts
+++ b/server/routers/newt/handleNewtPingMessage.ts
@@ -1,8 +1,11 @@
 import { db, newts, sites } from "@server/db";
-import { hasActiveConnections, getClientConfigVersion } from "#dynamic/routers/ws";
+import {
+    hasActiveConnections,
+    getClientConfigVersion
+} from "#dynamic/routers/ws";
 import { MessageHandler } from "@server/routers/ws";
 import { Newt } from "@server/db";
-import { eq, lt, isNull, and, or } from "drizzle-orm";
+import { eq, lt, isNull, and, or, ne, not } from "drizzle-orm";
 import logger from "@server/logger";
 import { sendNewtSyncMessage } from "./sync";
 import { recordPing } from "./pingAccumulator";
@@ -11,6 +14,7 @@ import { recordPing } from "./pingAccumulator";
 let offlineCheckerInterval: NodeJS.Timeout | null = null;
 const OFFLINE_CHECK_INTERVAL = 30 * 1000; // Check every 30 seconds
 const OFFLINE_THRESHOLD_MS = 2 * 60 * 1000; // 2 minutes
+const OFFLINE_THRESHOLD_BANDWIDTH_MS = 8 * 60 * 1000; // 8 minutes
 
 /**
  * Starts the background interval that checks for newt sites that haven't
@@ -56,7 +60,9 @@ export const startNewtOfflineChecker = (): void => {
                 // Backward-compatibility check: if the newt still has an
                 // active WebSocket connection (older clients that don't send
                 // pings), keep the site online.
-                const isConnected = await hasActiveConnections(staleSite.newtId);
+                const isConnected = await hasActiveConnections(
+                    staleSite.newtId
+                );
                 if (isConnected) {
                     logger.debug(
                         `Newt ${staleSite.newtId} has not pinged recently but is still connected via WebSocket — keeping site ${staleSite.siteId} online`
@@ -73,6 +79,56 @@ export const startNewtOfflineChecker = (): void => {
                     .set({ online: false })
                     .where(eq(sites.siteId, staleSite.siteId));
             }
+
+            // this part only effects self hosted. Its not efficient but we dont expect people to have very many wireguard sites
+            // select all of the wireguard sites to evaluate if they need to be offline due to the last bandwidth update
+            const allWireguardSites = await db
+                .select({
+                    siteId: sites.siteId,
+                    online: sites.online,
+                    lastBandwidthUpdate: sites.lastBandwidthUpdate
+                })
+                .from(sites)
+                .where(
+                    and(
+                        eq(sites.type, "wireguard"),
+                        not(isNull(sites.lastBandwidthUpdate))
+                    )
+                );
+
+            const wireguardOfflineThreshold = Math.floor(
+                (Date.now() - OFFLINE_THRESHOLD_BANDWIDTH_MS) / 1000
+            );
+
+            // loop over each one. If its offline and there is a new update then mark it online. If its online and there is no update then mark it offline
+            for (const site of allWireguardSites) {
+                const lastBandwidthUpdate = new Date(site.lastBandwidthUpdate!).getTime() / 1000;
+                if (
+                    lastBandwidthUpdate < wireguardOfflineThreshold &&
+                    site.online
+                ) {
+                    logger.info(
+                        `Marking wireguard site ${site.siteId} offline: no bandwidth update in over ${OFFLINE_THRESHOLD_BANDWIDTH_MS / 60000} minutes`
+                    );
+
+                    await db
+                        .update(sites)
+                        .set({ online: false })
+                        .where(eq(sites.siteId, site.siteId));
+                } else if (
+                    lastBandwidthUpdate >= wireguardOfflineThreshold &&
+                    !site.online
+                ) {
+                    logger.info(
+                        `Marking wireguard site ${site.siteId} online: recent bandwidth update`
+                    );
+
+                    await db
+                        .update(sites)
+                        .set({ online: true })
+                        .where(eq(sites.siteId, site.siteId));
+                }
+            }
         } catch (error) {
             logger.error("Error in newt offline checker interval", { error });
         }

From c1bd36231d79881e5ad6462e8872b97704ff52c7 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 14:46:23 -0700
Subject: [PATCH 197/314] Default to approved

---
 server/db/pg/schema/schema.ts        | 2 +-
 server/db/sqlite/schema/schema.ts    | 2 +-
 server/setup/scriptsPg/1.17.0.ts     | 2 +-
 server/setup/scriptsSqlite/1.17.0.ts | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/server/db/pg/schema/schema.ts b/server/db/pg/schema/schema.ts
index b0c0d49a9..bde3e9aec 100644
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -101,7 +101,7 @@ export const sites = pgTable("sites", {
     lastHolePunch: bigint("lastHolePunch", { mode: "number" }),
     listenPort: integer("listenPort"),
     dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true),
-    status: varchar("status").$type<"pending" | "approved">()
+    status: varchar("status").$type<"pending" | "approved">().default("approved")
 });
 
 export const resources = pgTable("resources", {
diff --git a/server/db/sqlite/schema/schema.ts b/server/db/sqlite/schema/schema.ts
index 65ff144a4..1fb04ef14 100644
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -111,7 +111,7 @@ export const sites = sqliteTable("sites", {
     dockerSocketEnabled: integer("dockerSocketEnabled", { mode: "boolean" })
         .notNull()
         .default(true),
-    status: text("status").$type<"pending" | "approved">()
+    status: text("status").$type<"pending" | "approved">().default("approved")
 });
 
 export const resources = sqliteTable("resources", {
diff --git a/server/setup/scriptsPg/1.17.0.ts b/server/setup/scriptsPg/1.17.0.ts
index 09d09261c..ea66948ab 100644
--- a/server/setup/scriptsPg/1.17.0.ts
+++ b/server/setup/scriptsPg/1.17.0.ts
@@ -178,7 +178,7 @@ export default async function migration() {
         );
         await db.execute(sql`ALTER TABLE "userInvites" DROP COLUMN "roleId";`);
         await db.execute(sql`ALTER TABLE "siteProvisioningKeys" ADD COLUMN "approveNewSites" boolean DEFAULT true NOT NULL;`);
-        await db.execute(sql`ALTER TABLE "sites" ADD COLUMN "status" varchar;`);
+        await db.execute(sql`ALTER TABLE "sites" ADD COLUMN "status" varchar DEFAULT 'approved';`);
 
         await db.execute(sql`COMMIT`);
         console.log("Migrated database");
diff --git a/server/setup/scriptsSqlite/1.17.0.ts b/server/setup/scriptsSqlite/1.17.0.ts
index b6515510f..28877f16e 100644
--- a/server/setup/scriptsSqlite/1.17.0.ts
+++ b/server/setup/scriptsSqlite/1.17.0.ts
@@ -192,7 +192,7 @@ export default async function migration() {
             ).run();
             db.prepare(`ALTER TABLE 'user' ADD 'locale' text;`).run();
             db.prepare(`ALTER TABLE 'siteProvisioningKeys' ADD COLUMN 'approveNewSites' integer DEFAULT 1 NOT NULL;`).run();
-            db.prepare(`ALTER TABLE 'sites' ADD COLUMN 'status' text;`).run();
+            db.prepare(`ALTER TABLE 'sites' ADD COLUMN 'status' text DEFAULT 'approved';`).run();
         })();
 
         db.pragma("foreign_keys = ON");

From 3b8dd45a73cb2835ad2b5440ffcc3a166bf13aeb Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 15:09:14 -0700
Subject: [PATCH 198/314] Translate siem

---
 messages/en-US.json                           |  86 +++++++-
 .../[orgId]/settings/logs/streaming/page.tsx  | 137 ++++++------
 src/components/HttpDestinationCredenza.tsx    | 201 ++++++------------
 3 files changed, 224 insertions(+), 200 deletions(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index e8c7cb47d..412d50179 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -2804,5 +2804,89 @@
     "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
     "approvalsEmptyStateButtonText": "Manage Roles",
     "domainErrorTitle": "We are having trouble verifying your domain",
-    "idpAdminAutoProvisionPoliciesTabHint": "Configure role mapping and organization policies on the <policiesTabLink>Auto Provision Settings</policiesTabLink> tab."
+    "idpAdminAutoProvisionPoliciesTabHint": "Configure role mapping and organization policies on the <policiesTabLink>Auto Provision Settings</policiesTabLink> tab.",
+    "streamingTitle": "Event Streaming",
+    "streamingDescription": "Stream events from your organization to external destinations in real time.",
+    "streamingUnnamedDestination": "Unnamed destination",
+    "streamingNoUrlConfigured": "No URL configured",
+    "streamingAddDestination": "Add Destination",
+    "streamingHttpWebhookTitle": "HTTP Webhook",
+    "streamingHttpWebhookDescription": "Send events to any HTTP endpoint with flexible authentication and templating.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Stream events to an S3-compatible object storage bucket. Coming soon.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Forward events directly to your Datadog account. Coming soon.",
+    "streamingTypePickerDescription": "Choose a destination type to get started.",
+    "streamingFailedToLoad": "Failed to load destinations",
+    "streamingUnexpectedError": "An unexpected error occurred.",
+    "streamingFailedToUpdate": "Failed to update destination",
+    "streamingDeletedSuccess": "Destination deleted successfully",
+    "streamingFailedToDelete": "Failed to delete destination",
+    "streamingDeleteTitle": "Delete Destination",
+    "streamingDeleteButtonText": "Delete Destination",
+    "streamingDeleteDialogAreYouSure": "Are you sure you want to delete",
+    "streamingDeleteDialogThisDestination": "this destination",
+    "streamingDeleteDialogPermanentlyRemoved": "? All configuration will be permanently removed.",
+    "httpDestEditTitle": "Edit Destination",
+    "httpDestAddTitle": "Add HTTP Destination",
+    "httpDestEditDescription": "Update the configuration for this HTTP event streaming destination.",
+    "httpDestAddDescription": "Configure a new HTTP endpoint to receive your organization's events.",
+    "httpDestTabSettings": "Settings",
+    "httpDestTabHeaders": "Headers",
+    "httpDestTabBody": "Body",
+    "httpDestTabLogs": "Logs",
+    "httpDestNamePlaceholder": "My HTTP destination",
+    "httpDestUrlLabel": "Destination URL",
+    "httpDestUrlErrorHttpRequired": "URL must use http or https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS is required on cloud deployments",
+    "httpDestUrlErrorInvalid": "Enter a valid URL (e.g. https://example.com/webhook)",
+    "httpDestAuthTitle": "Authentication",
+    "httpDestAuthDescription": "Choose how requests to your endpoint are authenticated.",
+    "httpDestAuthNoneTitle": "No Authentication",
+    "httpDestAuthNoneDescription": "Sends requests without an Authorization header.",
+    "httpDestAuthBearerTitle": "Bearer Token",
+    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer <token> header to each request.",
+    "httpDestAuthBearerPlaceholder": "Your API key or token",
+    "httpDestAuthBasicTitle": "Basic Auth",
+    "httpDestAuthBasicDescription": "Adds an Authorization: Basic <credentials> header. Provide credentials as username:password.",
+    "httpDestAuthBasicPlaceholder": "username:password",
+    "httpDestAuthCustomTitle": "Custom Header",
+    "httpDestAuthCustomDescription": "Specify a custom HTTP header name and value for authentication (e.g. X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Header name (e.g. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Header value",
+    "httpDestCustomHeadersTitle": "Custom HTTP Headers",
+    "httpDestCustomHeadersDescription": "Add custom headers to every outgoing request. Useful for static tokens or a custom Content-Type. By default, Content-Type: application/json is sent.",
+    "httpDestNoHeadersConfigured": "No custom headers configured. Click \"Add Header\" to add one.",
+    "httpDestHeaderNamePlaceholder": "Header name",
+    "httpDestHeaderValuePlaceholder": "Value",
+    "httpDestAddHeader": "Add Header",
+    "httpDestBodyTemplateTitle": "Custom Body Template",
+    "httpDestBodyTemplateDescription": "Control the JSON payload structure sent to your endpoint. If disabled, a default JSON object is sent for each event.",
+    "httpDestEnableBodyTemplate": "Enable custom body template",
+    "httpDestBodyTemplateLabel": "Body Template (JSON)",
+    "httpDestBodyTemplateHint": "Use template variables to reference event fields in your payload.",
+    "httpDestPayloadFormatTitle": "Payload Format",
+    "httpDestPayloadFormatDescription": "How events are serialised into each request body.",
+    "httpDestFormatJsonArrayTitle": "JSON Array",
+    "httpDestFormatJsonArrayDescription": "One request per batch, body is a JSON array. Compatible with most generic webhooks and Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "One request per batch, body is newline-delimited JSON — one object per line, no outer array. Required by Splunk HEC, Elastic / OpenSearch, and Grafana Loki.",
+    "httpDestFormatSingleTitle": "One Event Per Request",
+    "httpDestFormatSingleDescription": "Sends a separate HTTP POST for each individual event. Use only for endpoints that cannot handle batches.",
+    "httpDestLogTypesTitle": "Log Types",
+    "httpDestLogTypesDescription": "Choose which log types are forwarded to this destination. Only enabled log types will be streamed.",
+    "httpDestAccessLogsTitle": "Access Logs",
+    "httpDestAccessLogsDescription": "Resource access attempts, including authenticated and denied requests.",
+    "httpDestActionLogsTitle": "Action Logs",
+    "httpDestActionLogsDescription": "Administrative actions performed by users within the organization.",
+    "httpDestConnectionLogsTitle": "Connection Logs",
+    "httpDestConnectionLogsDescription": "Site and tunnel connection events, including connects and disconnects.",
+    "httpDestRequestLogsTitle": "Request Logs",
+    "httpDestRequestLogsDescription": "HTTP request logs for proxied resources, including method, path, and response code.",
+    "httpDestSaveChanges": "Save Changes",
+    "httpDestCreateDestination": "Create Destination",
+    "httpDestUpdatedSuccess": "Destination updated successfully",
+    "httpDestCreatedSuccess": "Destination created successfully",
+    "httpDestUpdateFailed": "Failed to update destination",
+    "httpDestCreateFailed": "Failed to create destination"
 }
diff --git a/src/app/[orgId]/settings/logs/streaming/page.tsx b/src/app/[orgId]/settings/logs/streaming/page.tsx
index 843f1ddb7..44ec39fcd 100644
--- a/src/app/[orgId]/settings/logs/streaming/page.tsx
+++ b/src/app/[orgId]/settings/logs/streaming/page.tsx
@@ -38,6 +38,7 @@ import {
     HttpDestinationCredenza,
     parseHttpConfig
 } from "@app/components/HttpDestinationCredenza";
+import { useTranslations } from "next-intl";
 
 // ── Re-export Destination so the rest of the file can use it ──────────────────
 
@@ -69,6 +70,7 @@ function DestinationCard({
     isToggling,
     disabled = false
 }: DestinationCardProps) {
+    const t = useTranslations();
     const cfg = parseHttpConfig(destination.config);
 
     return (
@@ -84,7 +86,7 @@ function DestinationCard({
                     </div>
                     <div className="min-w-0">
                         <p className="font-semibold text-sm leading-tight truncate">
-                            {cfg.name || "Unnamed destination"}
+                            {cfg.name || t("streamingUnnamedDestination")}
                         </p>
                         <p className="text-xs text-muted-foreground truncate mt-0.5">
                             HTTP
@@ -104,7 +106,7 @@ function DestinationCard({
             {/* URL preview */}
             <p className="text-xs text-muted-foreground truncate">
                 {cfg.url || (
-                    <span className="italic">No URL configured</span>
+                    <span className="italic">{t("streamingNoUrlConfigured")}</span>
                 )}
             </p>
 
@@ -116,7 +118,7 @@ function DestinationCard({
                     disabled={disabled}
                     className="flex-1"
                 >
-                    Edit
+                    {t("edit")}
                 </Button>
                 <DropdownMenu>
                     <DropdownMenuTrigger asChild>
@@ -134,7 +136,7 @@ function DestinationCard({
                             className="text-destructive focus:text-destructive"
                             onClick={() => onDelete(destination)}
                         >
-                            Delete
+                            {t("delete")}
                         </DropdownMenuItem>
                     </DropdownMenuContent>
                 </DropdownMenu>
@@ -146,6 +148,8 @@ function DestinationCard({
 // ── Add destination card ───────────────────────────────────────────────────────
 
 function AddDestinationCard({ onClick }: { onClick: () => void }) {
+    const t = useTranslations();
+
     return (
         <button
             type="button"
@@ -156,7 +160,7 @@ function AddDestinationCard({ onClick }: { onClick: () => void }) {
                 <div className="flex items-center justify-center w-9 h-9 rounded-md border-2 border-dashed border-current">
                     <Plus className="h-4 w-4" />
                 </div>
-                <span className="text-sm font-medium">Add Destination</span>
+                <span className="text-sm font-medium">{t("streamingAddDestination")}</span>
             </div>
         </button>
     );
@@ -166,48 +170,6 @@ function AddDestinationCard({ onClick }: { onClick: () => void }) {
 
 type DestinationType = "http" | "s3" | "datadog";
 
-const destinationTypeOptions: ReadonlyArray<StrategyOption<DestinationType>> = [
-    {
-        id: "http",
-        title: "HTTP Webhook",
-        description:
-            "Send events to any HTTP endpoint with flexible authentication and templating.",
-        icon: <Globe className="h-6 w-6" />
-    },
-    {
-        id: "s3",
-        title: "Amazon S3",
-        description:
-            "Stream events to an S3-compatible object storage bucket. Coming soon.",
-        disabled: true,
-        icon: (
-            <Image
-                src="/third-party/s3.png"
-                alt="Amazon S3"
-                width={24}
-                height={24}
-                className="rounded-sm"
-            />
-        )
-    },
-    {
-        id: "datadog",
-        title: "Datadog",
-        description:
-            "Forward events directly to your Datadog account. Coming soon.",
-        disabled: true,
-        icon: (
-            <Image
-                src="/third-party/dd.png"
-                alt="Datadog"
-                width={24}
-                height={24}
-                className="rounded-sm"
-            />
-        )
-    }
-];
-
 interface DestinationTypePickerProps {
     open: boolean;
     onOpenChange: (open: boolean) => void;
@@ -221,8 +183,48 @@ function DestinationTypePicker({
     onSelect,
     isPaywalled = false
 }: DestinationTypePickerProps) {
+    const t = useTranslations();
     const [selected, setSelected] = useState<DestinationType>("http");
 
+    const destinationTypeOptions: ReadonlyArray<StrategyOption<DestinationType>> = [
+        {
+            id: "http",
+            title: t("streamingHttpWebhookTitle"),
+            description: t("streamingHttpWebhookDescription"),
+            icon: <Globe className="h-6 w-6" />
+        },
+        {
+            id: "s3",
+            title: t("streamingS3Title"),
+            description: t("streamingS3Description"),
+            disabled: true,
+            icon: (
+                <Image
+                    src="/third-party/s3.png"
+                    alt={t("streamingS3Title")}
+                    width={24}
+                    height={24}
+                    className="rounded-sm"
+                />
+            )
+        },
+        {
+            id: "datadog",
+            title: t("streamingDatadogTitle"),
+            description: t("streamingDatadogDescription"),
+            disabled: true,
+            icon: (
+                <Image
+                    src="/third-party/dd.png"
+                    alt={t("streamingDatadogTitle")}
+                    width={24}
+                    height={24}
+                    className="rounded-sm"
+                />
+            )
+        }
+    ];
+
     useEffect(() => {
         if (open) setSelected("http");
     }, [open]);
@@ -231,9 +233,9 @@ function DestinationTypePicker({
         <Credenza open={open} onOpenChange={onOpenChange}>
             <CredenzaContent className="sm:max-w-lg">
                 <CredenzaHeader>
-                    <CredenzaTitle>Add Destination</CredenzaTitle>
+                    <CredenzaTitle>{t("streamingAddDestination")}</CredenzaTitle>
                     <CredenzaDescription>
-                        Choose a destination type to get started.
+                        {t("streamingTypePickerDescription")}
                     </CredenzaDescription>
                 </CredenzaHeader>
                 <CredenzaBody>
@@ -248,13 +250,13 @@ function DestinationTypePicker({
                 </CredenzaBody>
                 <CredenzaFooter>
                     <CredenzaClose asChild>
-                        <Button variant="outline">Cancel</Button>
+                        <Button variant="outline">{t("cancel")}</Button>
                     </CredenzaClose>
                     <Button
                         onClick={() => onSelect(selected)}
                         disabled={isPaywalled}
                     >
-                        Continue
+                        {t("continue")}
                     </Button>
                 </CredenzaFooter>
             </CredenzaContent>
@@ -269,6 +271,7 @@ export default function StreamingDestinationsPage() {
     const api = createApiClient(useEnvContext());
     const { isPaidUser } = usePaidStatus();
     const isEnterprise = isPaidUser(tierMatrix[TierFeature.SIEM]);
+    const t = useTranslations();
 
     const [destinations, setDestinations] = useState<Destination[]>([]);
     const [loading, setLoading] = useState(true);
@@ -297,10 +300,10 @@ export default function StreamingDestinationsPage() {
         } catch (e) {
             toast({
                 variant: "destructive",
-                title: "Failed to load destinations",
+                title: t("streamingFailedToLoad"),
                 description: formatAxiosError(
                     e,
-                    "An unexpected error occurred."
+                    t("streamingUnexpectedError")
                 )
             });
         } finally {
@@ -337,10 +340,10 @@ export default function StreamingDestinationsPage() {
             );
             toast({
                 variant: "destructive",
-                title: "Failed to update destination",
+                title: t("streamingFailedToUpdate"),
                 description: formatAxiosError(
                     e,
-                    "An unexpected error occurred."
+                    t("streamingUnexpectedError")
                 )
             });
         } finally {
@@ -364,17 +367,17 @@ export default function StreamingDestinationsPage() {
             await api.delete(
                 `/org/${orgId}/event-streaming-destination/${deleteTarget.destinationId}`
             );
-            toast({ title: "Destination deleted successfully" });
+            toast({ title: t("streamingDeletedSuccess") });
             setDeleteDialogOpen(false);
             setDeleteTarget(null);
             loadDestinations();
         } catch (e) {
             toast({
                 variant: "destructive",
-                title: "Failed to delete destination",
+                title: t("streamingFailedToDelete"),
                 description: formatAxiosError(
                     e,
-                    "An unexpected error occurred."
+                    t("streamingUnexpectedError")
                 )
             });
         } finally {
@@ -400,8 +403,8 @@ export default function StreamingDestinationsPage() {
     return (
         <>
             <SettingsSectionTitle
-                title="Event Streaming"
-                description="Stream events from your organization to external destinations in real time."
+                title={t("streamingTitle")}
+                description={t("streamingDescription")}
             />
 
             <PaidFeaturesAlert tiers={tierMatrix[TierFeature.SIEM]} />
@@ -456,23 +459,23 @@ export default function StreamingDestinationsPage() {
                         if (!v) setDeleteTarget(null);
                     }}
                     string={
-                        parseHttpConfig(deleteTarget.config).name || "delete"
+                        parseHttpConfig(deleteTarget.config).name || t("streamingDeleteDialogThisDestination")
                     }
-                    title="Delete Destination"
+                    title={t("streamingDeleteTitle")}
                     dialog={
                         <p className="text-sm text-muted-foreground">
-                            Are you sure you want to delete{" "}
+                            {t("streamingDeleteDialogAreYouSure")}{" "}
                             <span className="font-semibold text-foreground">
                                 {parseHttpConfig(deleteTarget.config).name ||
-                                    "this destination"}
+                                    t("streamingDeleteDialogThisDestination")}
                             </span>
-                            ? All configuration will be permanently removed.
+                            {t("streamingDeleteDialogPermanentlyRemoved")}
                         </p>
                     }
-                    buttonText="Delete Destination"
+                    buttonText={t("streamingDeleteButtonText")}
                     onConfirm={handleDeleteConfirm}
                 />
             )}
         </>
     );
-}
+}
\ No newline at end of file
diff --git a/src/components/HttpDestinationCredenza.tsx b/src/components/HttpDestinationCredenza.tsx
index 205c17c84..e39567332 100644
--- a/src/components/HttpDestinationCredenza.tsx
+++ b/src/components/HttpDestinationCredenza.tsx
@@ -24,6 +24,7 @@ import { createApiClient, formatAxiosError } from "@app/lib/api";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { toast } from "@app/hooks/useToast";
 import { build } from "@server/build";
+import { useTranslations } from "next-intl";
 
 // ── Types ──────────────────────────────────────────────────────────────────────
 
@@ -91,6 +92,8 @@ interface HeadersEditorProps {
 }
 
 function HeadersEditor({ headers, onChange }: HeadersEditorProps) {
+    const t = useTranslations();
+
     const addRow = () => onChange([...headers, { key: "", value: "" }]);
 
     const removeRow = (i: number) =>
@@ -106,8 +109,7 @@ function HeadersEditor({ headers, onChange }: HeadersEditorProps) {
         <div className="space-y-3">
             {headers.length === 0 && (
                 <p className="text-xs text-muted-foreground">
-                    No custom headers configured. Click "Add Header" to add
-                    one.
+                    {t("httpDestNoHeadersConfigured")}
                 </p>
             )}
             {headers.map((h, i) => (
@@ -115,7 +117,7 @@ function HeadersEditor({ headers, onChange }: HeadersEditorProps) {
                     <Input
                         value={h.key}
                         onChange={(e) => updateRow(i, "key", e.target.value)}
-                        placeholder="Header name"
+                        placeholder={t("httpDestHeaderNamePlaceholder")}
                         className="flex-1"
                     />
                     <Input
@@ -123,7 +125,7 @@ function HeadersEditor({ headers, onChange }: HeadersEditorProps) {
                         onChange={(e) =>
                             updateRow(i, "value", e.target.value)
                         }
-                        placeholder="Value"
+                        placeholder={t("httpDestHeaderValuePlaceholder")}
                         className="flex-1"
                     />
                     <Button
@@ -145,7 +147,7 @@ function HeadersEditor({ headers, onChange }: HeadersEditorProps) {
                 className="gap-1.5"
             >
                 <Plus className="h-3.5 w-3.5" />
-                Add Header
+                {t("httpDestAddHeader")}
             </Button>
         </div>
     );
@@ -169,6 +171,7 @@ export function HttpDestinationCredenza({
     onSaved
 }: HttpDestinationCredenzaProps) {
     const api = createApiClient(useEnvContext());
+    const t = useTranslations();
 
     const [saving, setSaving] = useState(false);
     const [cfg, setCfg] = useState<HttpConfig>(defaultHttpConfig());
@@ -201,14 +204,14 @@ export function HttpDestinationCredenza({
                 parsed.protocol !== "http:" &&
                 parsed.protocol !== "https:"
             ) {
-                return "URL must use http or https";
+                return t("httpDestUrlErrorHttpRequired");
             }
             if (build === "saas" && parsed.protocol !== "https:") {
-                return "HTTPS is required on cloud deployments";
+                return t("httpDestUrlErrorHttpsRequired");
             }
             return null;
         } catch {
-            return "Enter a valid URL (e.g. https://example.com/webhook)";
+            return t("httpDestUrlErrorInvalid");
         }
     })();
 
@@ -234,13 +237,13 @@ export function HttpDestinationCredenza({
                     `/org/${orgId}/event-streaming-destination/${editing.destinationId}`,
                     payload
                 );
-                toast({ title: "Destination updated successfully" });
+                toast({ title: t("httpDestUpdatedSuccess") });
             } else {
                 await api.put(
                     `/org/${orgId}/event-streaming-destination`,
                     payload
                 );
-                toast({ title: "Destination created successfully" });
+                toast({ title: t("httpDestCreatedSuccess") });
             }
             onSaved();
             onOpenChange(false);
@@ -248,11 +251,11 @@ export function HttpDestinationCredenza({
             toast({
                 variant: "destructive",
                 title: editing
-                    ? "Failed to update destination"
-                    : "Failed to create destination",
+                    ? t("httpDestUpdateFailed")
+                    : t("httpDestCreateFailed"),
                 description: formatAxiosError(
                     e,
-                    "An unexpected error occurred."
+                    t("streamingUnexpectedError")
                 )
             });
         } finally {
@@ -266,13 +269,13 @@ export function HttpDestinationCredenza({
                 <CredenzaHeader>
                     <CredenzaTitle>
                         {editing
-                            ? "Edit Destination"
-                            : "Add HTTP Destination"}
+                            ? t("httpDestEditTitle")
+                            : t("httpDestAddTitle")}
                     </CredenzaTitle>
                     <CredenzaDescription>
                         {editing
-                            ? "Update the configuration for this HTTP event streaming destination."
-                            : "Configure a new HTTP endpoint to receive your organization's events."}
+                            ? t("httpDestEditDescription")
+                            : t("httpDestAddDescription")}
                     </CredenzaDescription>
                 </CredenzaHeader>
 
@@ -280,20 +283,20 @@ export function HttpDestinationCredenza({
                     <HorizontalTabs
                         clientSide
                         items={[
-                            { title: "Settings", href: "" },
-                            { title: "Headers", href: "" },
-                            { title: "Body", href: "" },
-                            { title: "Logs", href: "" }
+                            { title: t("httpDestTabSettings"), href: "" },
+                            { title: t("httpDestTabHeaders"), href: "" },
+                            { title: t("httpDestTabBody"), href: "" },
+                            { title: t("httpDestTabLogs"), href: "" }
                         ]}
                     >
                         {/* ── Settings tab ────────────────────────────── */}
                         <div className="space-y-6 mt-4 p-1">
                             {/* Name */}
                             <div className="space-y-2">
-                                <Label htmlFor="dest-name">Name</Label>
+                                <Label htmlFor="dest-name">{t("name")}</Label>
                                 <Input
                                     id="dest-name"
-                                    placeholder="My HTTP destination"
+                                    placeholder={t("httpDestNamePlaceholder")}
                                     value={cfg.name}
                                     onChange={(e) =>
                                         update({ name: e.target.value })
@@ -304,7 +307,7 @@ export function HttpDestinationCredenza({
                             {/* URL */}
                             <div className="space-y-2">
                                 <Label htmlFor="dest-url">
-                                    Destination URL
+                                    {t("httpDestUrlLabel")}
                                 </Label>
                                 <Input
                                     id="dest-url"
@@ -325,11 +328,10 @@ export function HttpDestinationCredenza({
                             <div className="space-y-3">
                                 <div>
                                     <label className="font-medium block">
-                                        Authentication
+                                        {t("httpDestAuthTitle")}
                                     </label>
                                     <p className="text-sm text-muted-foreground mt-0.5">
-                                        Choose how requests to your endpoint
-                                        are authenticated.
+                                        {t("httpDestAuthDescription")}
                                     </p>
                                 </div>
 
@@ -352,14 +354,10 @@ export function HttpDestinationCredenza({
                                                 htmlFor="auth-none"
                                                 className="cursor-pointer font-medium"
                                             >
-                                                No Authentication
+                                                {t("httpDestAuthNoneTitle")}
                                             </Label>
                                             <p className="text-xs text-muted-foreground mt-0.5">
-                                                Sends requests without an{" "}
-                                                <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                                    Authorization
-                                                </code>{" "}
-                                                header.
+                                                {t("httpDestAuthNoneDescription")}
                                             </p>
                                         </div>
                                     </div>
@@ -377,20 +375,15 @@ export function HttpDestinationCredenza({
                                                     htmlFor="auth-bearer"
                                                     className="cursor-pointer font-medium"
                                                 >
-                                                    Bearer Token
+                                                    {t("httpDestAuthBearerTitle")}
                                                 </Label>
                                                 <p className="text-xs text-muted-foreground mt-0.5">
-                                                    Adds an{" "}
-                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                                        Authorization: Bearer
-                                                        &lt;token&gt;
-                                                    </code>{" "}
-                                                    header to each request.
+                                                    {t("httpDestAuthBearerDescription")}
                                                 </p>
                                             </div>
                                             {cfg.authType === "bearer" && (
                                                 <Input
-                                                    placeholder="Your API key or token"
+                                                    placeholder={t("httpDestAuthBearerPlaceholder")}
                                                     value={
                                                         cfg.bearerToken ?? ""
                                                     }
@@ -418,25 +411,15 @@ export function HttpDestinationCredenza({
                                                     htmlFor="auth-basic"
                                                     className="cursor-pointer font-medium"
                                                 >
-                                                    Basic Auth
+                                                    {t("httpDestAuthBasicTitle")}
                                                 </Label>
                                                 <p className="text-xs text-muted-foreground mt-0.5">
-                                                    Adds an{" "}
-                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                                        Authorization: Basic
-                                                        &lt;credentials&gt;
-                                                    </code>{" "}
-                                                    header. Provide credentials
-                                                    as{" "}
-                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                                        username:password
-                                                    </code>
-                                                    .
+                                                    {t("httpDestAuthBasicDescription")}
                                                 </p>
                                             </div>
                                             {cfg.authType === "basic" && (
                                                 <Input
-                                                    placeholder="username:password"
+                                                    placeholder={t("httpDestAuthBasicPlaceholder")}
                                                     value={
                                                         cfg.basicCredentials ??
                                                         ""
@@ -465,22 +448,16 @@ export function HttpDestinationCredenza({
                                                     htmlFor="auth-custom"
                                                     className="cursor-pointer font-medium"
                                                 >
-                                                    Custom Header
+                                                    {t("httpDestAuthCustomTitle")}
                                                 </Label>
                                                 <p className="text-xs text-muted-foreground mt-0.5">
-                                                    Specify a custom HTTP
-                                                    header name and value for
-                                                    authentication (e.g.{" "}
-                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                                        X-API-Key
-                                                    </code>
-                                                    ).
+                                                    {t("httpDestAuthCustomDescription")}
                                                 </p>
                                             </div>
                                             {cfg.authType === "custom" && (
                                                 <div className="flex gap-2">
                                                     <Input
-                                                        placeholder="Header name (e.g. X-API-Key)"
+                                                        placeholder={t("httpDestAuthCustomHeaderNamePlaceholder")}
                                                         value={
                                                             cfg.customHeaderName ??
                                                             ""
@@ -495,7 +472,7 @@ export function HttpDestinationCredenza({
                                                         className="flex-1"
                                                     />
                                                     <Input
-                                                        placeholder="Header value"
+                                                        placeholder={t("httpDestAuthCustomHeaderValuePlaceholder")}
                                                         value={
                                                             cfg.customHeaderValue ??
                                                             ""
@@ -521,20 +498,10 @@ export function HttpDestinationCredenza({
                         <div className="space-y-6 mt-4 p-1">
                             <div>
                                 <label className="font-medium block">
-                                    Custom HTTP Headers
+                                    {t("httpDestCustomHeadersTitle")}
                                 </label>
                                 <p className="text-sm text-muted-foreground mt-0.5">
-                                    Add custom headers to every outgoing
-                                    request. Useful for static tokens or
-                                    custom{" "}
-                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                        Content-Type
-                                    </code>
-                                    . By default,{" "}
-                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                        Content-Type: application/json
-                                    </code>{" "}
-                                    is sent.
+                                    {t("httpDestCustomHeadersDescription")}
                                 </p>
                             </div>
                             <HeadersEditor
@@ -547,12 +514,10 @@ export function HttpDestinationCredenza({
                         <div className="space-y-6 mt-4 p-1">
                             <div>
                                 <label className="font-medium block">
-                                    Custom Body Template
+                                    {t("httpDestBodyTemplateTitle")}
                                 </label>
                                 <p className="text-sm text-muted-foreground mt-0.5">
-                                    Control the JSON payload structure sent to
-                                    your endpoint. If disabled, a default JSON
-                                    object is sent for each event.
+                                    {t("httpDestBodyTemplateDescription")}
                                 </p>
                             </div>
 
@@ -568,14 +533,14 @@ export function HttpDestinationCredenza({
                                     htmlFor="use-body-template"
                                     className="cursor-pointer"
                                 >
-                                    Enable custom body template
+                                    {t("httpDestEnableBodyTemplate")}
                                 </Label>
                             </div>
 
                             {cfg.useBodyTemplate && (
                                 <div className="space-y-2">
                                     <Label htmlFor="body-template">
-                                        Body Template (JSON)
+                                        {t("httpDestBodyTemplateLabel")}
                                     </Label>
                                     <Textarea
                                         id="body-template"
@@ -591,8 +556,7 @@ export function HttpDestinationCredenza({
                                         className="font-mono text-xs min-h-45 resize-y"
                                     />
                                     <p className="text-xs text-muted-foreground">
-                                        Use template variables to reference
-                                        event fields in your payload.
+                                        {t("httpDestBodyTemplateHint")}
                                     </p>
                                 </div>
                             )}
@@ -601,11 +565,10 @@ export function HttpDestinationCredenza({
                             <div className="space-y-3">
                                 <div>
                                     <label className="font-medium block">
-                                        Payload Format
+                                        {t("httpDestPayloadFormatTitle")}
                                     </label>
                                     <p className="text-sm text-muted-foreground mt-0.5">
-                                        How events are serialised into each
-                                        request body.
+                                        {t("httpDestPayloadFormatDescription")}
                                     </p>
                                 </div>
 
@@ -630,16 +593,10 @@ export function HttpDestinationCredenza({
                                                 htmlFor="fmt-json-array"
                                                 className="cursor-pointer font-medium"
                                             >
-                                                JSON Array
+                                                {t("httpDestFormatJsonArrayTitle")}
                                             </Label>
                                             <p className="text-xs text-muted-foreground mt-0.5">
-                                                One request per batch, body is
-                                                a JSON array{" "}
-                                                <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                                    [{"{...}"}, {"{...}"}]
-                                                </code>
-                                                . Compatible with most generic
-                                                webhooks and Datadog.
+                                                {t("httpDestFormatJsonArrayDescription")}
                                             </p>
                                         </div>
                                     </div>
@@ -656,19 +613,10 @@ export function HttpDestinationCredenza({
                                                 htmlFor="fmt-ndjson"
                                                 className="cursor-pointer font-medium"
                                             >
-                                                NDJSON
+                                                {t("httpDestFormatNdjsonTitle")}
                                             </Label>
                                             <p className="text-xs text-muted-foreground mt-0.5">
-                                                One request per batch, body is
-                                                newline-delimited JSON — one
-                                                object per line, no outer
-                                                array. Required by{" "}
-                                                <strong>Splunk HEC</strong>,{" "}
-                                                <strong>
-                                                    Elastic / OpenSearch
-                                                </strong>
-                                                , and{" "}
-                                                <strong>Grafana Loki</strong>.
+                                                {t("httpDestFormatNdjsonDescription")}
                                             </p>
                                         </div>
                                     </div>
@@ -685,13 +633,10 @@ export function HttpDestinationCredenza({
                                                 htmlFor="fmt-json-single"
                                                 className="cursor-pointer font-medium"
                                             >
-                                                One Event Per Request
+                                                {t("httpDestFormatSingleTitle")}
                                             </Label>
                                             <p className="text-xs text-muted-foreground mt-0.5">
-                                                Sends a separate HTTP POST for
-                                                each individual event. Use only
-                                                for endpoints that cannot
-                                                handle batches.
+                                                {t("httpDestFormatSingleDescription")}
                                             </p>
                                         </div>
                                     </div>
@@ -703,12 +648,10 @@ export function HttpDestinationCredenza({
                         <div className="space-y-6 mt-4 p-1">
                             <div>
                                 <label className="font-medium block">
-                                    Log Types
+                                    {t("httpDestLogTypesTitle")}
                                 </label>
                                 <p className="text-sm text-muted-foreground mt-0.5">
-                                    Choose which log types are forwarded to
-                                    this destination. Only enabled log types
-                                    will be streamed.
+                                    {t("httpDestLogTypesDescription")}
                                 </p>
                             </div>
 
@@ -727,11 +670,10 @@ export function HttpDestinationCredenza({
                                             htmlFor="log-access"
                                             className="text-sm font-medium cursor-pointer"
                                         >
-                                            Access Logs
+                                            {t("httpDestAccessLogsTitle")}
                                         </label>
                                         <p className="text-xs text-muted-foreground mt-0.5">
-                                            Resource access attempts, including
-                                            authenticated and denied requests.
+                                            {t("httpDestAccessLogsDescription")}
                                         </p>
                                     </div>
                                 </div>
@@ -750,11 +692,10 @@ export function HttpDestinationCredenza({
                                             htmlFor="log-action"
                                             className="text-sm font-medium cursor-pointer"
                                         >
-                                            Action Logs
+                                            {t("httpDestActionLogsTitle")}
                                         </label>
                                         <p className="text-xs text-muted-foreground mt-0.5">
-                                            Administrative actions performed by
-                                            users within the organization.
+                                            {t("httpDestActionLogsDescription")}
                                         </p>
                                     </div>
                                 </div>
@@ -773,12 +714,10 @@ export function HttpDestinationCredenza({
                                             htmlFor="log-connection"
                                             className="text-sm font-medium cursor-pointer"
                                         >
-                                            Connection Logs
+                                            {t("httpDestConnectionLogsTitle")}
                                         </label>
                                         <p className="text-xs text-muted-foreground mt-0.5">
-                                            Site and tunnel connection events,
-                                            including connects and
-                                            disconnects.
+                                            {t("httpDestConnectionLogsDescription")}
                                         </p>
                                     </div>
                                 </div>
@@ -797,12 +736,10 @@ export function HttpDestinationCredenza({
                                             htmlFor="log-request"
                                             className="text-sm font-medium cursor-pointer"
                                         >
-                                            Request Logs
+                                            {t("httpDestRequestLogsTitle")}
                                         </label>
                                         <p className="text-xs text-muted-foreground mt-0.5">
-                                            HTTP request logs for proxied
-                                            resources, including method, path,
-                                            and response code.
+                                            {t("httpDestRequestLogsDescription")}
                                         </p>
                                     </div>
                                 </div>
@@ -818,7 +755,7 @@ export function HttpDestinationCredenza({
                             variant="outline"
                             disabled={saving}
                         >
-                            Cancel
+                            {t("cancel")}
                         </Button>
                     </CredenzaClose>
                     <Button
@@ -827,10 +764,10 @@ export function HttpDestinationCredenza({
                         loading={saving}
                         disabled={!isValid || saving}
                     >
-                        {editing ? "Save Changes" : "Create Destination"}
+                        {editing ? t("httpDestSaveChanges") : t("httpDestCreateDestination")}
                     </Button>
                 </CredenzaFooter>
             </CredenzaContent>
         </Credenza>
     );
-}
+}
\ No newline at end of file

From 44664faf3ce10d6f0707bf64c71974858b0246f1 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:19:45 -0700
Subject: [PATCH 199/314] New translations en-us.json (French)

---
 messages/fr-FR.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/fr-FR.json b/messages/fr-FR.json
index 2b3368a07..792775fdd 100644
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -148,6 +148,11 @@
     "createLink": "Créer un lien",
     "resourcesNotFound": "Aucune ressource trouvée",
     "resourceSearch": "Rechercher des ressources",
+    "machineSearch": "Rechercher des machines",
+    "machinesSearch": "Rechercher des clients de la machine...",
+    "machineNotFound": "Aucune machine trouvée",
+    "userDeviceSearch": "Rechercher des périphériques utilisateur",
+    "userDevicesSearch": "Rechercher des appareils utilisateurs...",
     "openMenu": "Ouvrir le menu",
     "resource": "Ressource",
     "title": "Titre de la page",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "Supprimer la clé d'API",
     "apiKeysManage": "Gérer les clés d'API",
     "apiKeysDescription": "Les clés d'API sont utilisées pour s'authentifier avec l'API d'intégration",
+    "provisioningKeysTitle": "Clé de provisioning",
+    "provisioningKeysManage": "Gérer les clés de provisioning",
+    "provisioningKeysDescription": "Les clés de provisioning sont utilisées pour authentifier la fourniture automatique de sites pour votre organisation.",
+    "provisioningManage": "Mise en place",
+    "provisioningDescription": "Gérer les clés de provisioning et examiner les sites en attente d'approbation.",
+    "pendingSites": "Sites en attente",
+    "siteApproveSuccess": "Site approuvé avec succès",
+    "siteApproveError": "Erreur lors de l'approbation du site",
+    "provisioningKeys": "Clés de provisionnement",
+    "searchProvisioningKeys": "Recherche des clés de provision...",
+    "provisioningKeysAdd": "Générer une clé de provisioning",
+    "provisioningKeysErrorDelete": "Erreur lors de la suppression de la clé de provisioning",
+    "provisioningKeysErrorDeleteMessage": "Erreur lors de la suppression de la clé de provisioning",
+    "provisioningKeysQuestionRemove": "Êtes-vous sûr de vouloir supprimer cette clé de provisioning de l'organisation ?",
+    "provisioningKeysMessageRemove": "Une fois supprimée, la clé ne peut plus être utilisée pour le provisionnement du site.",
+    "provisioningKeysDeleteConfirm": "Confirmer la suppression de la clé de provisioning",
+    "provisioningKeysDelete": "Supprimer la clé de provisioning",
+    "provisioningKeysCreate": "Générer une clé de provisioning",
+    "provisioningKeysCreateDescription": "Générer une nouvelle clé de provisioning pour l'organisation",
+    "provisioningKeysSeeAll": "Voir toutes les clés de provisioning",
+    "provisioningKeysSave": "Enregistrer la clé de provisioning",
+    "provisioningKeysSaveDescription": "Vous ne pourrez voir cela qu'une seule fois. Copiez-le dans un endroit sécurisé.",
+    "provisioningKeysErrorCreate": "Erreur lors de la création de la clé de provisioning",
+    "provisioningKeysList": "Nouvelle clé de provisioning",
+    "provisioningKeysMaxBatchSize": "Taille maximale du lot",
+    "provisioningKeysUnlimitedBatchSize": "Taille de lot illimitée (sans limite)",
+    "provisioningKeysMaxBatchUnlimited": "Illimité",
+    "provisioningKeysMaxBatchSizeInvalid": "Entrez une taille de lot maximale valide (1–1 000 000).",
+    "provisioningKeysValidUntil": "Valable jusqu'au",
+    "provisioningKeysValidUntilHint": "Laisser vide pour ne pas expirer.",
+    "provisioningKeysValidUntilInvalid": "Entrez une date et une heure valides.",
+    "provisioningKeysNumUsed": "Nombre de fois utilisées",
+    "provisioningKeysLastUsed": "Dernière utilisation",
+    "provisioningKeysNoExpiry": "Pas d'expiration",
+    "provisioningKeysNeverUsed": "Jamais",
+    "provisioningKeysEdit": "Modifier la clé de provisioning",
+    "provisioningKeysEditDescription": "Mettre à jour la taille maximale du lot et la durée d'expiration de cette clé.",
+    "provisioningKeysApproveNewSites": "Approuver les nouveaux sites",
+    "provisioningKeysApproveNewSitesDescription": "Approuver automatiquement les sites qui s'inscrivent avec cette clé.",
+    "provisioningKeysUpdateError": "Erreur lors de la mise à jour de la clé de provisioning",
+    "provisioningKeysUpdated": "Clé de provisioning mise à jour",
+    "provisioningKeysUpdatedDescription": "Vos modifications ont été enregistrées.",
+    "provisioningKeysBannerTitle": "Clés de provisioning du site",
+    "provisioningKeysBannerDescription": "Générez une clé de provisioning et utilisez-la avec le connecteur Newt pour créer automatiquement des sites au premier démarrage — pas besoin de configurer des identifiants distincts pour chaque site.",
+    "provisioningKeysBannerButtonText": "En savoir plus",
+    "pendingSitesBannerTitle": "Sites en attente",
+    "pendingSitesBannerDescription": "Les sites qui se connectent à l'aide d'une clé de provisioning apparaissent ici pour être revus. Approuver chaque site avant qu'il ne devienne actif et qu'il accède à vos ressources.",
+    "pendingSitesBannerButtonText": "En savoir plus",
     "apiKeysSettings": "Paramètres de {apiKeyName}",
     "userTitle": "Gérer tous les utilisateurs",
     "userDescription": "Voir et gérer tous les utilisateurs du système",
@@ -509,9 +562,12 @@
     "userSaved": "Utilisateur enregistré",
     "userSavedDescription": "L'utilisateur a été mis à jour.",
     "autoProvisioned": "Auto-provisionné",
+    "autoProvisionSettings": "Paramètres de la fourniture automatique",
     "autoProvisionedDescription": "Permettre à cet utilisateur d'être géré automatiquement par le fournisseur d'identité",
     "accessControlsDescription": "Gérer ce que cet utilisateur peut accéder et faire dans l'organisation",
     "accessControlsSubmit": "Enregistrer les contrôles d'accès",
+    "singleRolePerUserPlanNotice": "Votre plan ne prend en charge qu'un seul rôle par utilisateur.",
+    "singleRolePerUserEditionNotice": "Cette édition ne prend en charge qu'un rôle par utilisateur.",
     "roles": "Rôles",
     "accessUsersRoles": "Gérer les utilisateurs et les rôles",
     "accessUsersRolesDescription": "Invitez des utilisateurs et ajoutez-les aux rôles pour gérer l'accès à l'organisation",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Entrez le jeton de configuration depuis la console du serveur.",
     "setupTokenRequired": "Le jeton de configuration est requis.",
     "actionUpdateSite": "Mettre à jour un site",
+    "actionResetSiteBandwidth": "Réinitialiser la bande passante de l'organisation",
     "actionListSiteRoles": "Lister les rôles autorisés du site",
     "actionCreateResource": "Créer une ressource",
     "actionDeleteResource": "Supprimer une ressource",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Supprimer un utilisateur",
     "actionListUsers": "Lister les utilisateurs",
     "actionAddUserRole": "Ajouter un rôle utilisateur",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Définir les rôles de l'utilisateur",
     "actionGenerateAccessToken": "Générer un jeton d'accès",
     "actionDeleteAccessToken": "Supprimer un jeton d'accès",
     "actionListAccessTokens": "Lister les jetons d'accès",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Rôles",
     "sidebarShareableLinks": "Liens",
     "sidebarApiKeys": "Clés API",
+    "sidebarProvisioning": "Mise en place",
     "sidebarSettings": "Réglages",
     "sidebarAllUsers": "Tous les utilisateurs",
     "sidebarIdentityProviders": "Fournisseurs d'identité",
@@ -1890,6 +1948,40 @@
     "exitNode": "Nœud de sortie",
     "country": "Pays",
     "rulesMatchCountry": "Actuellement basé sur l'IP source",
+    "region": "Région",
+    "selectRegion": "Sélectionner une région",
+    "searchRegions": "Rechercher des régions...",
+    "noRegionFound": "Aucune région trouvée.",
+    "rulesMatchRegion": "Sélectionnez un groupement régional de pays",
+    "rulesErrorInvalidRegion": "Région invalide",
+    "rulesErrorInvalidRegionDescription": "Veuillez sélectionner une région valide.",
+    "regionAfrica": "L'Afrique",
+    "regionNorthernAfrica": "Afrique du Nord",
+    "regionEasternAfrica": "Afrique de l'Est",
+    "regionMiddleAfrica": "Afrique Moyenne",
+    "regionSouthernAfrica": "Afrique australe",
+    "regionWesternAfrica": "Afrique de l'Ouest",
+    "regionAmericas": "Amériques",
+    "regionCaribbean": "Caraïbes",
+    "regionCentralAmerica": "Amérique centrale",
+    "regionSouthAmerica": "Amérique du Sud",
+    "regionNorthernAmerica": "Amérique du Nord",
+    "regionAsia": "L'Asie",
+    "regionCentralAsia": "Asie centrale",
+    "regionEasternAsia": "Asie de l'Est",
+    "regionSouthEasternAsia": "Asie du Sud-Est",
+    "regionSouthernAsia": "Asie du Sud",
+    "regionWesternAsia": "Asie de l'Ouest",
+    "regionEurope": "L’Europe",
+    "regionEasternEurope": "Europe de l'Est",
+    "regionNorthernEurope": "Europe du Nord",
+    "regionSouthernEurope": "Europe du Sud",
+    "regionWesternEurope": "Europe occidentale",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Australie et Nouvelle-Zélande",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
     "managedSelfHosted": {
         "title": "Gestion autonome",
         "description": "Serveur Pangolin auto-hébergé avec des cloches et des sifflets supplémentaires",
@@ -1938,6 +2030,25 @@
     "invalidValue": "Valeur non valide",
     "idpTypeLabel": "Type de fournisseur d'identité",
     "roleMappingExpressionPlaceholder": "ex: contenu(groupes) && 'admin' || 'membre'",
+    "roleMappingModeFixedRoles": "Rôles fixes",
+    "roleMappingModeMappingBuilder": "Constructeur de cartographie",
+    "roleMappingModeRawExpression": "Expression brute",
+    "roleMappingFixedRolesPlaceholderSelect": "Sélectionnez un ou plusieurs rôles",
+    "roleMappingFixedRolesPlaceholderFreeform": "Tapez les noms des rôles (correspondance exacte par organisation)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Assigner le même jeu de rôles à chaque utilisateur auto-provisionné.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Pour les politiques par défaut, les noms de rôles de type qui existent dans chaque organisation où les utilisateurs sont fournis. Les noms doivent correspondre exactement.",
+    "roleMappingClaimPath": "Chemin de revendication",
+    "roleMappingClaimPathPlaceholder": "Groupes",
+    "roleMappingClaimPathDescription": "Chemin dans le bloc de jeton qui contient les valeurs source (par exemple, les groupes).",
+    "roleMappingMatchValue": "Valeur de la correspondance",
+    "roleMappingAssignRoles": "Assigner des rôles",
+    "roleMappingAddMappingRule": "Ajouter une règle de mappage",
+    "roleMappingRawExpressionResultDescription": "L'expression doit être évaluée à une chaîne ou un tableau de chaînes.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "L'expression doit être évaluée à une chaîne (un seul nom de rôle).",
+    "roleMappingMatchValuePlaceholder": "Valeur de la correspondance (par exemple: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Tapez les noms des rôles (exact par org)",
+    "roleMappingBuilderFreeformRowHint": "Les noms de rôle doivent correspondre à un rôle dans chaque organisation cible.",
+    "roleMappingRemoveRule": "Supprimer",
     "idpGoogleConfiguration": "Configuration Google",
     "idpGoogleConfigurationDescription": "Configurer les identifiants Google OAuth2",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "Durée de conservation des journaux d'accès",
     "logRetentionActionLabel": "Retention du journal des actions",
     "logRetentionActionDescription": "Durée de conservation du journal des actions",
+    "logRetentionConnectionLabel": "Rétention du journal de connexion",
+    "logRetentionConnectionDescription": "Durée de conservation des logs de connexion",
     "logRetentionDisabled": "Désactivé",
     "logRetention3Days": "3 jours",
     "logRetention7Days": "7 jours",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Fin de l'année suivante",
     "actionLogsDescription": "Voir l'historique des actions effectuées dans cette organisation",
     "accessLogsDescription": "Voir les demandes d'authentification d'accès aux ressources de cette organisation",
+    "connectionLogs": "Journaux de connexion",
+    "connectionLogsDescription": "Voir les journaux de connexion pour les tunnels de cette organisation",
+    "sidebarLogsConnection": "Journaux de connexion",
+    "sidebarLogsStreaming": "Streaming en cours",
+    "sourceAddress": "Adresse source",
+    "destinationAddress": "Adresse de destination",
+    "duration": "Durée",
     "licenseRequiredToUse": "Une <enterpriseLicenseLink>licence Enterprise Edition</enterpriseLicenseLink> ou <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> est requise pour utiliser cette fonctionnalité. <bookADemoLink>Réservez une démonstration ou une évaluation de POC</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "La version <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> est requise pour utiliser cette fonctionnalité. Cette fonctionnalité est également disponible dans <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Réservez une démo ou un essai POC</bookADemoLink>.",
     "certResolver": "Résolveur de certificat",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Modifier un rôle et activer l'option 'Exiger les autorisations de l'appareil'. Les utilisateurs avec ce rôle auront besoin de l'approbation de l'administrateur pour les nouveaux appareils.",
     "approvalsEmptyStatePreviewDescription": "Aperçu: Lorsque cette option est activée, les demandes de périphérique en attente apparaîtront ici pour vérification",
     "approvalsEmptyStateButtonText": "Gérer les rôles",
-    "domainErrorTitle": "Nous avons des difficultés à vérifier votre domaine"
+    "domainErrorTitle": "Nous avons des difficultés à vérifier votre domaine",
+    "idpAdminAutoProvisionPoliciesTabHint": "Configurer les politiques de mappage des rôles et de l'organisation dans l'onglet <policiesTabLink>Paramètres de la fourniture automatique</policiesTabLink>.",
+    "streamingTitle": "Streaming d'événements",
+    "streamingDescription": "Diffusez en temps réel des événements de votre organisation vers des destinations externes.",
+    "streamingUnnamedDestination": "Destination sans nom",
+    "streamingNoUrlConfigured": "Aucune URL configurée",
+    "streamingAddDestination": "Ajouter une destination",
+    "streamingHttpWebhookTitle": "Webhook HTTP",
+    "streamingHttpWebhookDescription": "Envoyez des événements à n'importe quel point de terminaison HTTP avec une authentification flexible et un template.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Flux d'événements vers un compartiment de stockage d'objet compatible S3. Bientôt.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Transférer des événements directement sur votre compte Datadog. Prochainement.",
+    "streamingTypePickerDescription": "Choisissez un type de destination pour commencer.",
+    "streamingFailedToLoad": "Impossible de charger les destinations",
+    "streamingUnexpectedError": "Une erreur inattendue s'est produite.",
+    "streamingFailedToUpdate": "Impossible de mettre à jour la destination",
+    "streamingDeletedSuccess": "Destination supprimée avec succès",
+    "streamingFailedToDelete": "Impossible de supprimer la destination",
+    "streamingDeleteTitle": "Supprimer la destination",
+    "streamingDeleteButtonText": "Supprimer la destination",
+    "streamingDeleteDialogAreYouSure": "Êtes-vous sûr de vouloir supprimer",
+    "streamingDeleteDialogThisDestination": "cette destination",
+    "streamingDeleteDialogPermanentlyRemoved": "? Toutes les configurations seront définitivement supprimées.",
+    "httpDestEditTitle": "Modifier la destination",
+    "httpDestAddTitle": "Ajouter une destination HTTP",
+    "httpDestEditDescription": "Mettre à jour la configuration pour cette destination de streaming d'événements HTTP.",
+    "httpDestAddDescription": "Configurez un nouveau point de terminaison HTTP pour recevoir les événements de votre organisation.",
+    "httpDestTabSettings": "Réglages",
+    "httpDestTabHeaders": "En-têtes",
+    "httpDestTabBody": "Corps",
+    "httpDestTabLogs": "Journaux",
+    "httpDestNamePlaceholder": "Ma destination HTTP",
+    "httpDestUrlLabel": "URL de destination",
+    "httpDestUrlErrorHttpRequired": "L'URL doit utiliser http ou https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS est requis pour les déploiements du cloud",
+    "httpDestUrlErrorInvalid": "Entrez une URL valide (par exemple https://example.com/webhook)",
+    "httpDestAuthTitle": "Authentification",
+    "httpDestAuthDescription": "Choisissez comment les requêtes à votre terminaison sont authentifiées.",
+    "httpDestAuthNoneTitle": "Aucune authentification",
+    "httpDestAuthNoneDescription": "Envoie des requêtes sans en-tête d'autorisation.",
+    "httpDestAuthBearerTitle": "Jeton de Porteur",
+    "httpDestAuthBearerDescription": "Ajoute un en-tête Authorization: Bearer <token> à chaque requête.",
+    "httpDestAuthBearerPlaceholder": "Votre clé API ou votre jeton",
+    "httpDestAuthBasicTitle": "Authentification basique",
+    "httpDestAuthBasicDescription": "Ajoute une autorisation : en-tête de base <credentials> . Fournissez des informations d'identification comme nom d'utilisateur:mot de passe.",
+    "httpDestAuthBasicPlaceholder": "nom d'utilisateur:mot de passe",
+    "httpDestAuthCustomTitle": "En-tête personnalisé",
+    "httpDestAuthCustomDescription": "Spécifiez un nom d'en-tête HTTP personnalisé et une valeur pour l'authentification (par exemple X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Nom de l'en-tête (par exemple X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Valeur de l'en-tête",
+    "httpDestCustomHeadersTitle": "En-têtes HTTP personnalisés",
+    "httpDestCustomHeadersDescription": "Ajouter des en-têtes personnalisés à chaque requête sortante. Utile pour les jetons statiques ou un type de contenu personnalisé. Par défaut, Content-Type: application/json est envoyé.",
+    "httpDestNoHeadersConfigured": "Aucun en-tête personnalisé configuré. Cliquez sur \"Ajouter un en-tête\" pour en ajouter un.",
+    "httpDestHeaderNamePlaceholder": "Nom de l'en-tête",
+    "httpDestHeaderValuePlaceholder": "Valeur",
+    "httpDestAddHeader": "Ajouter un en-tête",
+    "httpDestBodyTemplateTitle": "Modèle de corps personnalisé",
+    "httpDestBodyTemplateDescription": "Contrôle la structure de charge utile JSON envoyée à votre terminal. Si désactivé, un objet JSON par défaut est envoyé pour chaque événement.",
+    "httpDestEnableBodyTemplate": "Activer le modèle de corps personnalisé",
+    "httpDestBodyTemplateLabel": "Modèle de corps (JSON)",
+    "httpDestBodyTemplateHint": "Utilisez les variables de modèle pour référencer les champs d'événement dans votre charge utile.",
+    "httpDestPayloadFormatTitle": "Format de la charge utile",
+    "httpDestPayloadFormatDescription": "Comment les événements sont sérialisés dans chaque corps de requête.",
+    "httpDestFormatJsonArrayTitle": "Tableau JSON",
+    "httpDestFormatJsonArrayDescription": "Une requête par lot, le corps est un tableau JSON. Compatible avec la plupart des webhooks génériques et des datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Une requête par lot, body est un JSON délimité par une nouvelle ligne — un objet par ligne, pas de tableau extérieur. Requis par Splunk HEC, Elastic / OpenSearch, et Grafana Loki.",
+    "httpDestFormatSingleTitle": "Un événement par demande",
+    "httpDestFormatSingleDescription": "Envoie un POST HTTP séparé pour chaque événement individuel. Utilisé uniquement pour les terminaux qui ne peuvent pas gérer des lots.",
+    "httpDestLogTypesTitle": "Types de logs",
+    "httpDestLogTypesDescription": "Choisissez quels types de journaux sont envoyés à cette destination. Seuls les types de journaux activés seront diffusés.",
+    "httpDestAccessLogsTitle": "Journaux d'accès",
+    "httpDestAccessLogsDescription": "Tentatives d'accès aux ressources, y compris les demandes authentifiées et refusées.",
+    "httpDestActionLogsTitle": "Journaux des actions",
+    "httpDestActionLogsDescription": "Actions administratives effectuées par les utilisateurs au sein de l'organisation.",
+    "httpDestConnectionLogsTitle": "Journaux de connexion",
+    "httpDestConnectionLogsDescription": "Événements de connexion du site et du tunnel, y compris les connexions et les déconnexions.",
+    "httpDestRequestLogsTitle": "Journal des requêtes",
+    "httpDestRequestLogsDescription": "Journaux des requêtes HTTP pour les ressources proxiées, y compris la méthode, le chemin et le code de réponse.",
+    "httpDestSaveChanges": "Enregistrer les modifications",
+    "httpDestCreateDestination": "Créer une destination",
+    "httpDestUpdatedSuccess": "Destination mise à jour avec succès",
+    "httpDestCreatedSuccess": "Destination créée avec succès",
+    "httpDestUpdateFailed": "Impossible de mettre à jour la destination",
+    "httpDestCreateFailed": "Impossible de créer la destination"
 }

From 4bf148a4bf9beb0a32799cc2361d08d5e4b4cea4 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:19:46 -0700
Subject: [PATCH 200/314] New translations en-us.json (Bulgarian)

---
 messages/bg-BG.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/bg-BG.json b/messages/bg-BG.json
index 10b83f38d..e841490b2 100644
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -148,6 +148,11 @@
     "createLink": "Създаване на връзка",
     "resourcesNotFound": "Не са намерени ресурси",
     "resourceSearch": "Търсене на ресурси",
+    "machineSearch": "Търсене на машини",
+    "machinesSearch": "Търсене на клиенти на машини...",
+    "machineNotFound": "Не са намерени машини",
+    "userDeviceSearch": "Търсене на устройства на потребителя",
+    "userDevicesSearch": "Търсене на устройства на потребителя...",
     "openMenu": "Отваряне на менюто",
     "resource": "Ресурс",
     "title": "Заглавие",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "Изтрийте API ключа",
     "apiKeysManage": "Управление на API ключове",
     "apiKeysDescription": "API ключове се използват за удостоверяване с интеграционния API",
+    "provisioningKeysTitle": "Ключ за осигуряване",
+    "provisioningKeysManage": "Управление на ключове за осигуряване",
+    "provisioningKeysDescription": "Ключовете за осигуряване се използват за удостоверяване на автоматичното осигуряване на сайта за вашата организация.",
+    "provisioningManage": "Осигуряване",
+    "provisioningDescription": "Управление на ключовете за осигуряване и преглед на чаканещите сайтове за одобрение.",
+    "pendingSites": "Чаканещи сайтове",
+    "siteApproveSuccess": "Сайтът е одобрен успешно",
+    "siteApproveError": "Грешка при одобряването на сайта",
+    "provisioningKeys": "Ключове за осигуряване",
+    "searchProvisioningKeys": "Търсене на ключове за осигуряване...",
+    "provisioningKeysAdd": "Генериране на ключ за осигуряване",
+    "provisioningKeysErrorDelete": "Грешка при изтриване на ключ за осигуряване",
+    "provisioningKeysErrorDeleteMessage": "Грешка при изтриване на ключ за осигуряване",
+    "provisioningKeysQuestionRemove": "Сигурни ли сте, че искате да премахнете този ключ за осигуряване от организацията?",
+    "provisioningKeysMessageRemove": "След като бъде премахнат, ключът няма да бъде използван за осигуряване на сайтове.",
+    "provisioningKeysDeleteConfirm": "Потвърдете изтриването на ключ за осигуряване",
+    "provisioningKeysDelete": "Изтриване на ключ за осигуряване",
+    "provisioningKeysCreate": "Генериране на ключ за осигуряване",
+    "provisioningKeysCreateDescription": "Генерирайте нов ключ за осигуряване за организацията",
+    "provisioningKeysSeeAll": "Вижте всички ключове за осигуряване",
+    "provisioningKeysSave": "Запазете ключа за осигуряване",
+    "provisioningKeysSaveDescription": "Ще можете да видите това само веднъж. Копирайте го на сигурно място.",
+    "provisioningKeysErrorCreate": "Грешка при създаване на ключ за осигуряване",
+    "provisioningKeysList": "Нов ключ за осигуряване",
+    "provisioningKeysMaxBatchSize": "Максимален размер на пакет",
+    "provisioningKeysUnlimitedBatchSize": "Неограничен размер на партида (без лимит)",
+    "provisioningKeysMaxBatchUnlimited": "Неограничено",
+    "provisioningKeysMaxBatchSizeInvalid": "Въведете валиден максимален размер на партида (1–1,000,000).",
+    "provisioningKeysValidUntil": "Валиден до",
+    "provisioningKeysValidUntilHint": "Оставете празно за неограничено валидност.",
+    "provisioningKeysValidUntilInvalid": "Въведете валидна дата и час.",
+    "provisioningKeysNumUsed": "Брой използвания",
+    "provisioningKeysLastUsed": "Последно използван",
+    "provisioningKeysNoExpiry": "Без изтичане",
+    "provisioningKeysNeverUsed": "Никога",
+    "provisioningKeysEdit": "Редактиране на ключ за осигуряване",
+    "provisioningKeysEditDescription": "Актуализирайте максималния размер на партида и времето на изтичане за този ключ.",
+    "provisioningKeysApproveNewSites": "Одобрете нови сайтове",
+    "provisioningKeysApproveNewSitesDescription": "Автоматично одобряване на сайтове, които се регистрират с този ключ.",
+    "provisioningKeysUpdateError": "Грешка при актуализирането на ключа за осигуряване",
+    "provisioningKeysUpdated": "Ключът за осигуряване е актуализиран",
+    "provisioningKeysUpdatedDescription": "Вашите промени бяха запазени.",
+    "provisioningKeysBannerTitle": "Ключове за осигуряване на сайта",
+    "provisioningKeysBannerDescription": "Генерирайте ключ за осигуряване и го използвайте с Newt конектора за автоматично създаване на сайтове при първото стартиране — няма нужда от създаване на отделни идентификационни данни за всеки сайт.",
+    "provisioningKeysBannerButtonText": "Научете повече",
+    "pendingSitesBannerTitle": "Чакащи сайтове",
+    "pendingSitesBannerDescription": "Сайтовете, които се свързват чрез ключ за осигуряване, се появяват тук за преглед. Одобрете всеки сайт, преди да стане активен и да получи достъп до вашите ресурси.",
+    "pendingSitesBannerButtonText": "Научете повече",
     "apiKeysSettings": "Настройки на {apiKeyName}",
     "userTitle": "Управление на всички потребители",
     "userDescription": "Преглед и управление на всички потребители в системата",
@@ -509,9 +562,12 @@
     "userSaved": "Потребителят е запазен",
     "userSavedDescription": "Потребителят беше актуализиран.",
     "autoProvisioned": "Автоматично предоставено",
+    "autoProvisionSettings": "Настройки за автоматично осигуряване",
     "autoProvisionedDescription": "Позволете този потребител да бъде автоматично управляван от доставчик на идентификационни данни",
     "accessControlsDescription": "Управлявайте какво може да достъпва и прави този потребител в организацията",
     "accessControlsSubmit": "Запазване на контролите за достъп",
+    "singleRolePerUserPlanNotice": "Вашият план поддържа само една роля на потребител.",
+    "singleRolePerUserEditionNotice": "Това издание поддържа само една роля на потребител.",
     "roles": "Роли",
     "accessUsersRoles": "Управление на потребители и роли",
     "accessUsersRolesDescription": "Поканете потребители и ги добавете към роли, за да управлявате достъпа до организацията",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Въведете конфигурационния токен от сървърната конзола.",
     "setupTokenRequired": "Необходим е конфигурационен токен",
     "actionUpdateSite": "Актуализиране на сайт",
+    "actionResetSiteBandwidth": "Нулиране на честотната лента на организацията",
     "actionListSiteRoles": "Изброяване на позволените роли за сайта",
     "actionCreateResource": "Създаване на ресурс",
     "actionDeleteResource": "Изтриване на ресурс",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Изтрийте потребител",
     "actionListUsers": "Изброяване на потребители",
     "actionAddUserRole": "Добавяне на роля на потребител",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Задайте роли на потребители",
     "actionGenerateAccessToken": "Генериране на токен за достъп",
     "actionDeleteAccessToken": "Изтриване на токен за достъп",
     "actionListAccessTokens": "Изброяване на токени за достъп",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Роли",
     "sidebarShareableLinks": "Връзки",
     "sidebarApiKeys": "API ключове",
+    "sidebarProvisioning": "Осигуряване",
     "sidebarSettings": "Настройки",
     "sidebarAllUsers": "Всички потребители",
     "sidebarIdentityProviders": "Идентификационни доставчици",
@@ -1890,6 +1948,40 @@
     "exitNode": "Изходен възел",
     "country": "Държава",
     "rulesMatchCountry": "Понастоящем на базата на изходния IP",
+    "region": "Регион",
+    "selectRegion": "Изберете регион",
+    "searchRegions": "Търсене на региони...",
+    "noRegionFound": "Регионът не е намерен.",
+    "rulesMatchRegion": "Изберете регионална групировка на държави",
+    "rulesErrorInvalidRegion": "Невалиден регион",
+    "rulesErrorInvalidRegionDescription": "Моля, изберете валиден регион.",
+    "regionAfrica": "Африка",
+    "regionNorthernAfrica": "Северна Африка",
+    "regionEasternAfrica": "Източна Африка",
+    "regionMiddleAfrica": "Централна Африка",
+    "regionSouthernAfrica": "Южна Африка",
+    "regionWesternAfrica": "Западна Африка",
+    "regionAmericas": "Америките",
+    "regionCaribbean": "Карибите",
+    "regionCentralAmerica": "Централна Америка",
+    "regionSouthAmerica": "Южна Америка",
+    "regionNorthernAmerica": "Северна Америка",
+    "regionAsia": "Азия",
+    "regionCentralAsia": "Централна Азия",
+    "regionEasternAsia": "Източна Азия",
+    "regionSouthEasternAsia": "Югоизточна Азия",
+    "regionSouthernAsia": "Южна Азия",
+    "regionWesternAsia": "Западна Азия",
+    "regionEurope": "Европа",
+    "regionEasternEurope": "Източна Европа",
+    "regionNorthernEurope": "Северна Европа",
+    "regionSouthernEurope": "Южна Европа",
+    "regionWesternEurope": "Западна Европа",
+    "regionOceania": "Океания",
+    "regionAustraliaAndNewZealand": "Австралия и Нова Зеландия",
+    "regionMelanesia": "Меланезия",
+    "regionMicronesia": "Микронезия",
+    "regionPolynesia": "Полинезия",
     "managedSelfHosted": {
         "title": "Управлявано Самостоятелно-хоствано",
         "description": "По-надежден и по-нисък поддръжка на Самостоятелно-хостван Панголиин сървър с допълнителни екстри",
@@ -1938,6 +2030,25 @@
     "invalidValue": "Невалидна стойност",
     "idpTypeLabel": "Тип на доставчика на идентичност",
     "roleMappingExpressionPlaceholder": "напр.: contains(groups, 'admin') && 'Admin' || 'Member'",
+    "roleMappingModeFixedRoles": "Фиксирани роли",
+    "roleMappingModeMappingBuilder": "Строител на карти",
+    "roleMappingModeRawExpression": "Необработено израз",
+    "roleMappingFixedRolesPlaceholderSelect": "Изберете една или повече роли",
+    "roleMappingFixedRolesPlaceholderFreeform": "Въведете имена на роли (точно съвпадение на организацията)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Присвойте същият набор от роли на всеки автоматично осигурен потребител.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "За стандартните политики въведете имена на роли, които съществуват във всяка организация, където е осигурен потребител. Имената трябва да съвпадат точно.",
+    "roleMappingClaimPath": "Път на иск",
+    "roleMappingClaimPathPlaceholder": "групи",
+    "roleMappingClaimPathDescription": "Път в съдържанието на маркера, който съдържа изходни стойности (например групи).",
+    "roleMappingMatchValue": "Съвпадение на стойност",
+    "roleMappingAssignRoles": "Присвояване на роли",
+    "roleMappingAddMappingRule": "Добавяне на правило за картироване",
+    "roleMappingRawExpressionResultDescription": "Изразът трябва да бъде оценен на низ или масив от низове.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Изразът трябва да бъде оценен на низ (едно име на роля).",
+    "roleMappingMatchValuePlaceholder": "Съвпадение на стойност (например: администратор)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Въведете имена на роли (точно по организация)",
+    "roleMappingBuilderFreeformRowHint": "Имената на ролите трябва да съвпадат с роля във всяка целева организация.",
+    "roleMappingRemoveRule": "Премахни",
     "idpGoogleConfiguration": "Конфигурация на Google",
     "idpGoogleConfigurationDescription": "Конфигурирайте Google OAuth2 идентификационни данни",
     "idpGoogleClientIdDescription": "Google OAuth2 идентификационен клиент",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "Колко дълго да се задържат логовете за достъп",
     "logRetentionActionLabel": "Задържане на логове за действия",
     "logRetentionActionDescription": "Колко дълго да се задържат логовете за действия",
+    "logRetentionConnectionLabel": "Запазване на дневниците на връзките",
+    "logRetentionConnectionDescription": "Колко дълго да се съхраняват дневниците на връзките",
     "logRetentionDisabled": "Деактивирано",
     "logRetention3Days": "3 дни",
     "logRetention7Days": "7 дни",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Край на следващата година",
     "actionLogsDescription": "Прегледайте историята на действията, извършени в тази организация",
     "accessLogsDescription": "Прегледайте заявките за удостоверяване на достъпа до ресурсите в тази организация",
+    "connectionLogs": "Логове на връзката",
+    "connectionLogsDescription": "Вижте логовете на връзките за тунелите в тази организация",
+    "sidebarLogsConnection": "Логове на връзката",
+    "sidebarLogsStreaming": "Потоци",
+    "sourceAddress": "Източен адрес",
+    "destinationAddress": "Адрес на дестинация",
+    "duration": "Продължителност",
     "licenseRequiredToUse": "Изисква се лиценз за <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> или <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> за използване на тази функция. <bookADemoLink>Резервирайте демонстрация или пробен POC</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> е необходим за използване на тази функция. Тази функция също е налична в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Резервирайте демонстрация или пробен POC</bookADemoLink>.",
     "certResolver": "Решавач на сертификати",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Редактирайте ролята и активирайте опцията 'Изискване на одобрения за устройства'. Потребители с тази роля ще трябва администраторско одобрение за нови устройства.",
     "approvalsEmptyStatePreviewDescription": "Преглед: Когато е активирано, чакащите заявки за устройства ще се появят тук за преглед",
     "approvalsEmptyStateButtonText": "Управлявайте роли",
-    "domainErrorTitle": "Имаме проблем с проверката на вашия домейн"
+    "domainErrorTitle": "Имаме проблем с проверката на вашия домейн",
+    "idpAdminAutoProvisionPoliciesTabHint": "Конфигурирайте картографирането на ролите и организационните политики на раздела <policiesTabLink>Настройки за автоматично осигуряване</policiesTabLink>.",
+    "streamingTitle": "Събитийни потоци",
+    "streamingDescription": "Предавайте събития от вашата организация до външни дестинации в реално време.",
+    "streamingUnnamedDestination": "Неименувана дестинация",
+    "streamingNoUrlConfigured": "Не е конфигуриран URL",
+    "streamingAddDestination": "Добавяне на дестинация",
+    "streamingHttpWebhookTitle": "HTTP Уеб хук",
+    "streamingHttpWebhookDescription": "Изпратете събития до всяка HTTP крайна точка с гъвкаво удостоверяване и шаблониране.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Предавайте събития на хранилище, съвместимо с S3. Очаквайте скоро.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Пресочвайте събития директно към вашият акаунт в Datadog. Очаквайте скоро.",
+    "streamingTypePickerDescription": "Изберете вид на дестинацията, за да започнете.",
+    "streamingFailedToLoad": "Неуспешно зареждане на дестинации",
+    "streamingUnexpectedError": "Възникна неочаквана грешка.",
+    "streamingFailedToUpdate": "Неуспешно актуализиране на дестинация",
+    "streamingDeletedSuccess": "Дестинацията беше изтрита успешно",
+    "streamingFailedToDelete": "Неуспешно изтриване на дестинацията",
+    "streamingDeleteTitle": "Изтриване на дестинация",
+    "streamingDeleteButtonText": "Изтриване на дестинация",
+    "streamingDeleteDialogAreYouSure": "Сигурни ли сте, че искате да изтриете",
+    "streamingDeleteDialogThisDestination": "тази дестинация",
+    "streamingDeleteDialogPermanentlyRemoved": "? Всички конфигурации ще бъдат премахнати завинаги.",
+    "httpDestEditTitle": "Редактиране на дестинация",
+    "httpDestAddTitle": "Добавяне на HTTP дестинация",
+    "httpDestEditDescription": "Актуализирайте конфигурацията за този HTTP събитий.",
+    "httpDestAddDescription": "Конфигурирайте нов HTTP крайна точка, за да получавате събития на вашата организация.",
+    "httpDestTabSettings": "Настройки",
+    "httpDestTabHeaders": "Заглавки",
+    "httpDestTabBody": "Тяло",
+    "httpDestTabLogs": "Логове",
+    "httpDestNamePlaceholder": "Моята HTTP дестинация",
+    "httpDestUrlLabel": "Дестинация URL",
+    "httpDestUrlErrorHttpRequired": "URL адресът трябва да използва http или https",
+    "httpDestUrlErrorHttpsRequired": "SSL е необходимо за облачни инсталации",
+    "httpDestUrlErrorInvalid": "Въведете валиден URL (напр. https://example.com/webhook)",
+    "httpDestAuthTitle": "Удостоверяване",
+    "httpDestAuthDescription": "Изберете как заявленията ви се удостоверяват.",
+    "httpDestAuthNoneTitle": "Без удостоверяване",
+    "httpDestAuthNoneDescription": "Изпращане на заявки без заглавие за удостоверяване.",
+    "httpDestAuthBearerTitle": "Bearer Токен",
+    "httpDestAuthBearerDescription": "Добавя заглавие за удостоверяване Bearer <token> към всяка заявка.",
+    "httpDestAuthBearerPlaceholder": "Вашият API ключ или токен",
+    "httpDestAuthBasicTitle": "Основно удостоверяване",
+    "httpDestAuthBasicDescription": "Добавя заглавие за удостоверяване Basic <credentials> към всяка заявка. Осигурете идентификационни данни като потребителско име:парола.",
+    "httpDestAuthBasicPlaceholder": "потребителско име:парола",
+    "httpDestAuthCustomTitle": "Персонализирано заглавие",
+    "httpDestAuthCustomDescription": "Посочете персонализирано име и стойност на заглавието за удостоверяване (например X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Имя на заглавието (напр. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Стойност на заглавието",
+    "httpDestCustomHeadersTitle": "Персонализирани заглавия за HTTP",
+    "httpDestCustomHeadersDescription": "Добавяне на персонализирани заглавия към всяка изходяща заявка. Полезно за статични токени или персонални Content-Type. По подразбиране се изпраща Content-Type: application/json.",
+    "httpDestNoHeadersConfigured": "Персонализирани заглавия не са конфигурирани. Кликнете \"Добавяне на заглавие\" да добавите такова.",
+    "httpDestHeaderNamePlaceholder": "Име на заглавието",
+    "httpDestHeaderValuePlaceholder": "Стойност на заглавието",
+    "httpDestAddHeader": "Добавяне на заглавие",
+    "httpDestBodyTemplateTitle": "Шаблон на персонализирано тяло",
+    "httpDestBodyTemplateDescription": "Управлявайте структурата на JSON съобщението, изпратено до вашата крайна точка. Ако е деактивирано, по подразбиране се изпраща JSON обект за всяко събитие.",
+    "httpDestEnableBodyTemplate": "Активиране на персонализиран шаблон на тяло",
+    "httpDestBodyTemplateLabel": "Шаблон за тяло (JSON)",
+    "httpDestBodyTemplateHint": "Използвайте шаблонни променливи за позоваване на полетата на събитията в съобщението си.",
+    "httpDestPayloadFormatTitle": "Формат на полезния товар",
+    "httpDestPayloadFormatDescription": "Как се сериализират събитията във всеки заявка.",
+    "httpDestFormatJsonArrayTitle": "JSON масив",
+    "httpDestFormatJsonArrayDescription": "Една заявка на партида, тялото е JSON масив. Съвместим с повечето общи уеб куки и Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Една заявка на партида, тялото е ново линии отделени JSON — един обект на ред, няма външен масив. Изисквано от Splunk HEC, Elastic / OpenSearch и Grafana.",
+    "httpDestFormatSingleTitle": "Едно събитие на заявка",
+    "httpDestFormatSingleDescription": "Изпращат се отделни HTTP POST за всяко индивидуално събитие. Използвайте само за крайни точки, които не могат да обработват партиди.",
+    "httpDestLogTypesTitle": "Видове логове",
+    "httpDestLogTypesDescription": "Изберете кои видове журнални записи ще се предават към тази дестинация. Предаването ще се прави само за активирани видове журнални записи.",
+    "httpDestAccessLogsTitle": "Логове за достъп",
+    "httpDestAccessLogsDescription": "Опити за достъп до ресурс, включително удостоверени и отказани заявки.",
+    "httpDestActionLogsTitle": "Логове на действия",
+    "httpDestActionLogsDescription": "Административни действия, извършени от потребители в организацията.",
+    "httpDestConnectionLogsTitle": "Логове на връзката",
+    "httpDestConnectionLogsDescription": "Събития на свързване и прекъсване на сайта и тунела, включително свръзки и прекъсвания.",
+    "httpDestRequestLogsTitle": "Заявки за логове",
+    "httpDestRequestLogsDescription": "Регистри за HTTP заявките към проксирани ресурси, включително метод, път и код на отговор.",
+    "httpDestSaveChanges": "Запази промените",
+    "httpDestCreateDestination": "Създаване на дестинация",
+    "httpDestUpdatedSuccess": "Дестинацията беше актуализирана успешно",
+    "httpDestCreatedSuccess": "Дестинацията беше създадена успешно",
+    "httpDestUpdateFailed": "Неуспешно актуализиране на дестинацията",
+    "httpDestCreateFailed": "Неуспешно създаване на дестинацията"
 }

From c8e83fedeb464e744d9197496e2e44d83f8fb5b8 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:19:48 -0700
Subject: [PATCH 201/314] New translations en-us.json (Czech)

---
 messages/cs-CZ.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/cs-CZ.json b/messages/cs-CZ.json
index ea12fe535..fe5de4199 100644
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -148,6 +148,11 @@
     "createLink": "Vytvořit odkaz",
     "resourcesNotFound": "Nebyly nalezeny žádné zdroje",
     "resourceSearch": "Vyhledat zdroje",
+    "machineSearch": "Vyhledávací stroje",
+    "machinesSearch": "Hledat klienty stroje...",
+    "machineNotFound": "Nebyly nalezeny žádné stroje",
+    "userDeviceSearch": "Hledat uživatelská zařízení",
+    "userDevicesSearch": "Hledat uživatelská zařízení...",
     "openMenu": "Otevřít nabídku",
     "resource": "Zdroj",
     "title": "Název",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "Odstranit klíč API",
     "apiKeysManage": "Správa API klíčů",
     "apiKeysDescription": "API klíče se používají k ověření s integračním API",
+    "provisioningKeysTitle": "Zajišťovací klíč",
+    "provisioningKeysManage": "Spravovat zajišťovací klíče",
+    "provisioningKeysDescription": "Zajišťovací klíče slouží k ověření automatického poskytování služeb vaší organizaci.",
+    "provisioningManage": "Zajištění",
+    "provisioningDescription": "Spravovat klíče pro nastavení a zkontrolovat čekající stránky čekající na schválení.",
+    "pendingSites": "Nevyřízené weby",
+    "siteApproveSuccess": "Web byl úspěšně schválen",
+    "siteApproveError": "Chyba při schvalování webu",
+    "provisioningKeys": "Poskytovací klíče",
+    "searchProvisioningKeys": "Hledat klíče k zajišťování...",
+    "provisioningKeysAdd": "Generovat zajišťovací klíč",
+    "provisioningKeysErrorDelete": "Chyba při odstraňování klíče pro úpravu",
+    "provisioningKeysErrorDeleteMessage": "Chyba při odstraňování klíče pro úpravu",
+    "provisioningKeysQuestionRemove": "Jste si jisti, že chcete odstranit tento konfigurační klíč z organizace?",
+    "provisioningKeysMessageRemove": "Jakmile je klíč odstraněn, nelze již použít pro poskytování služeb.",
+    "provisioningKeysDeleteConfirm": "Potvrdit odstranění zajišťovacího klíče",
+    "provisioningKeysDelete": "Odstranit zajišťovací klíč",
+    "provisioningKeysCreate": "Generovat zajišťovací klíč",
+    "provisioningKeysCreateDescription": "Vygenerovat nový klíč pro organizaci",
+    "provisioningKeysSeeAll": "Zobrazit všechny doplňovací klíče",
+    "provisioningKeysSave": "Uložit konfigurační klíč",
+    "provisioningKeysSaveDescription": "Toto můžete vidět pouze jednou. Zkopírujte ho na bezpečné místo.",
+    "provisioningKeysErrorCreate": "Chyba při vytváření doplňovacího klíče",
+    "provisioningKeysList": "Nový klíč pro poskytování informací",
+    "provisioningKeysMaxBatchSize": "Maximální velikost dávky",
+    "provisioningKeysUnlimitedBatchSize": "Neomezená velikost šarže (bez omezení)",
+    "provisioningKeysMaxBatchUnlimited": "Bez omezení",
+    "provisioningKeysMaxBatchSizeInvalid": "Zadejte platnou maximální velikost šarže (1–1,000,000).",
+    "provisioningKeysValidUntil": "Platné do",
+    "provisioningKeysValidUntilHint": "Ponechte prázdné, pokud vyprší platnost.",
+    "provisioningKeysValidUntilInvalid": "Zadejte platné datum a čas.",
+    "provisioningKeysNumUsed": "Časy použití",
+    "provisioningKeysLastUsed": "Naposledy použito",
+    "provisioningKeysNoExpiry": "Bez vypršení platnosti",
+    "provisioningKeysNeverUsed": "Nikdy",
+    "provisioningKeysEdit": "Upravit zajišťovací klíč",
+    "provisioningKeysEditDescription": "Aktualizujte maximální velikost dávky a dobu vypršení platnosti tohoto klíče.",
+    "provisioningKeysApproveNewSites": "Schválit nové stránky",
+    "provisioningKeysApproveNewSitesDescription": "Automaticky schvalovat weby, které se registrují pomocí tohoto klíče.",
+    "provisioningKeysUpdateError": "Chyba při aktualizaci klíče",
+    "provisioningKeysUpdated": "Zajišťovací klíč byl aktualizován",
+    "provisioningKeysUpdatedDescription": "Vaše změny byly uloženy.",
+    "provisioningKeysBannerTitle": "Klíče pro poskytování webu",
+    "provisioningKeysBannerDescription": "Vygenerujte konfigurační klíč a používejte jej pomocí nového konektoru k automatickému vytváření stránek při prvním startu – není třeba nastavovat samostatné přihlašovací údaje pro každý web.",
+    "provisioningKeysBannerButtonText": "Zjistit více",
+    "pendingSitesBannerTitle": "Nevyřízené weby",
+    "pendingSitesBannerDescription": "Zde se zobrazují stránky, které se připojují pomocí doplňovacího klíče. Schválte každý web předtím, než bude aktivní, a získejte přístup k vašim zdrojům.",
+    "pendingSitesBannerButtonText": "Zjistit více",
     "apiKeysSettings": "Nastavení {apiKeyName}",
     "userTitle": "Spravovat všechny uživatele",
     "userDescription": "Zobrazit a spravovat všechny uživatele v systému",
@@ -509,9 +562,12 @@
     "userSaved": "Uživatel uložen",
     "userSavedDescription": "Uživatel byl aktualizován.",
     "autoProvisioned": "Automaticky poskytnuto",
+    "autoProvisionSettings": "Automatická nastavení",
     "autoProvisionedDescription": "Povolit tomuto uživateli automaticky spravovat poskytovatel identity",
     "accessControlsDescription": "Spravovat co může tento uživatel přistupovat a dělat v organizaci",
     "accessControlsSubmit": "Uložit kontroly přístupu",
+    "singleRolePerUserPlanNotice": "Váš plán podporuje pouze jednu roli na uživatele.",
+    "singleRolePerUserEditionNotice": "Tato verze podporuje pouze jednu roli na uživatele.",
     "roles": "Role",
     "accessUsersRoles": "Spravovat uživatele a role",
     "accessUsersRolesDescription": "Pozvěte uživatele a přidejte je do rolí pro správu přístupu k organizaci",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Zadejte nastavovací token z konzole serveru.",
     "setupTokenRequired": "Je vyžadován token nastavení",
     "actionUpdateSite": "Aktualizovat stránku",
+    "actionResetSiteBandwidth": "Resetovat šířku pásma organizace",
     "actionListSiteRoles": "Seznam povolených rolí webu",
     "actionCreateResource": "Vytvořit zdroj",
     "actionDeleteResource": "Odstranit dokument",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Odstranit uživatele",
     "actionListUsers": "Seznam uživatelů",
     "actionAddUserRole": "Přidat uživatelskou roli",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Nastavit uživatelské role",
     "actionGenerateAccessToken": "Generovat přístupový token",
     "actionDeleteAccessToken": "Odstranit přístupový token",
     "actionListAccessTokens": "Seznam přístupových tokenů",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Role",
     "sidebarShareableLinks": "Odkazy",
     "sidebarApiKeys": "API klíče",
+    "sidebarProvisioning": "Zajištění",
     "sidebarSettings": "Nastavení",
     "sidebarAllUsers": "Všichni uživatelé",
     "sidebarIdentityProviders": "Poskytovatelé identity",
@@ -1890,6 +1948,40 @@
     "exitNode": "Ukončit uzel",
     "country": "L 343, 22.12.2009, s. 1).",
     "rulesMatchCountry": "Aktuálně založené na zdrojové IP adrese",
+    "region": "Oblasti",
+    "selectRegion": "Vyberte region",
+    "searchRegions": "Hledat regiony...",
+    "noRegionFound": "Nebyl nalezen žádný region.",
+    "rulesMatchRegion": "Vyberte regionální seskupení zemí",
+    "rulesErrorInvalidRegion": "Neplatný region",
+    "rulesErrorInvalidRegionDescription": "Vyberte prosím platný region.",
+    "regionAfrica": "Afrika",
+    "regionNorthernAfrica": "Severní Afrika",
+    "regionEasternAfrica": "Východní Afrika",
+    "regionMiddleAfrica": "Střední Afrika",
+    "regionSouthernAfrica": "Jižní Afrika",
+    "regionWesternAfrica": "Západní Afrika",
+    "regionAmericas": "Ameriky",
+    "regionCaribbean": "Karibské",
+    "regionCentralAmerica": "Střední Amerika",
+    "regionSouthAmerica": "Jižní Amerika",
+    "regionNorthernAmerica": "Severní Amerika",
+    "regionAsia": "Asie",
+    "regionCentralAsia": "Střední Asie",
+    "regionEasternAsia": "Východní Asie",
+    "regionSouthEasternAsia": "jihovýchodní Asie",
+    "regionSouthernAsia": "Jižní Asie",
+    "regionWesternAsia": "Západní Asie",
+    "regionEurope": "L 347, 20.12.2013, s. 965).",
+    "regionEasternEurope": "Východní Evropa",
+    "regionNorthernEurope": "Severní Evropa",
+    "regionSouthernEurope": "Jižní Evropa",
+    "regionWesternEurope": "Západní Evropa",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Austrálie a Nový Zéland",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
     "managedSelfHosted": {
         "title": "Spravované vlastní hostování",
         "description": "Spolehlivější a nízko udržovaný Pangolinův server s dalšími zvony a bičkami",
@@ -1938,6 +2030,25 @@
     "invalidValue": "Neplatná hodnota",
     "idpTypeLabel": "Typ poskytovatele identity",
     "roleMappingExpressionPlaceholder": "např. obsahuje(skupiny, 'admin') && 'Admin' || 'Member'",
+    "roleMappingModeFixedRoles": "Pevné role",
+    "roleMappingModeMappingBuilder": "Tvorba mapování",
+    "roleMappingModeRawExpression": "Surový výraz",
+    "roleMappingFixedRolesPlaceholderSelect": "Vyberte jednu nebo více rolí",
+    "roleMappingFixedRolesPlaceholderFreeform": "Napište názvy rolí (shoda podle organizace)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Přiřadit stejnou roli nastavenou každému uživateli automatického poskytování.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Pro výchozí zásady zadejte názvy rolí, které existují v každé organizaci, kde jsou uživatelé poskytováni. Jména musí přesně odpovídat.",
+    "roleMappingClaimPath": "Cesta k žádosti",
+    "roleMappingClaimPathPlaceholder": "skupiny",
+    "roleMappingClaimPathDescription": "Cesta k užitečnému zatížení tokenu, která obsahuje zdrojové hodnoty (například skupiny).",
+    "roleMappingMatchValue": "Hodnota zápasu",
+    "roleMappingAssignRoles": "Přiřadit role",
+    "roleMappingAddMappingRule": "Přidat pravidlo pro mapování",
+    "roleMappingRawExpressionResultDescription": "Výraz se musí vyhodnotit do pole řetězce nebo řetězce.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Výraz musí být vyhodnocen na řetězec (jediný název role).",
+    "roleMappingMatchValuePlaceholder": "Hodnota zápasu (například: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Napište názvy rolí (exact per org)",
+    "roleMappingBuilderFreeformRowHint": "Názvy rolí musí odpovídat roli v každé cílové organizaci.",
+    "roleMappingRemoveRule": "Odstranit",
     "idpGoogleConfiguration": "Konfigurace Google",
     "idpGoogleConfigurationDescription": "Konfigurace přihlašovacích údajů Google OAuth2",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "Jak dlouho uchovávat přístupové záznamy",
     "logRetentionActionLabel": "Uchovávání protokolu akcí",
     "logRetentionActionDescription": "Jak dlouho uchovávat záznamy akcí",
+    "logRetentionConnectionLabel": "Uchovávání protokolu připojení",
+    "logRetentionConnectionDescription": "Jak dlouho uchovávat protokoly připojení",
     "logRetentionDisabled": "Zakázáno",
     "logRetention3Days": "3 dny",
     "logRetention7Days": "7 dní",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Konec následujícího roku",
     "actionLogsDescription": "Zobrazit historii akcí provedených v této organizaci",
     "accessLogsDescription": "Zobrazit žádosti o ověření přístupu pro zdroje v této organizaci",
+    "connectionLogs": "Protokoly připojení",
+    "connectionLogsDescription": "Zobrazit protokoly připojení pro tunely v této organizaci",
+    "sidebarLogsConnection": "Protokoly připojení",
+    "sidebarLogsStreaming": "Streamování",
+    "sourceAddress": "Zdrojová adresa",
+    "destinationAddress": "Cílová adresa",
+    "duration": "Doba trvání",
     "licenseRequiredToUse": "Pro použití této funkce je vyžadována licence <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> nebo <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> . <bookADemoLink>Zarezervujte si demo nebo POC zkušební verzi</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> je vyžadována pro použití této funkce. Tato funkce je také k dispozici v <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Rezervujte si demo nebo POC zkušební verzi</bookADemoLink>.",
     "certResolver": "Oddělovač certifikátů",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Upravte roli a povolte možnost 'Vyžadovat schválení zařízení'. Uživatelé s touto rolí budou potřebovat schválení pro nová zařízení správce.",
     "approvalsEmptyStatePreviewDescription": "Náhled: Pokud je povoleno, čekající na zařízení se zde zobrazí žádosti o recenzi",
     "approvalsEmptyStateButtonText": "Spravovat role",
-    "domainErrorTitle": "Máme problém s ověřením tvé domény"
+    "domainErrorTitle": "Máme problém s ověřením tvé domény",
+    "idpAdminAutoProvisionPoliciesTabHint": "Nastavte pravidla mapování rolí a organizace na kartě <policiesTabLink>Automatická úprava nastavení</policiesTabLink>.",
+    "streamingTitle": "Streamování událostí",
+    "streamingDescription": "Streamujte události z vaší organizace do externích destinací v reálném čase.",
+    "streamingUnnamedDestination": "Nepojmenovaný cíl",
+    "streamingNoUrlConfigured": "Není nakonfigurována žádná URL",
+    "streamingAddDestination": "Přidat cíl",
+    "streamingHttpWebhookTitle": "HTTP webový háček",
+    "streamingHttpWebhookDescription": "Odeslat události na libovolný HTTP koncový bod s pružnou autentizací a šablonou.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Streamujte události do úložiště, které je kompatibilní se S3. Brzy přijde.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Přeposlat události přímo do vašeho účtu Datadog účtu. Brzy přijde.",
+    "streamingTypePickerDescription": "Vyberte cílový typ pro začátek.",
+    "streamingFailedToLoad": "Nepodařilo se načíst destinace",
+    "streamingUnexpectedError": "Došlo k neočekávané chybě.",
+    "streamingFailedToUpdate": "Nepodařilo se aktualizovat cíl",
+    "streamingDeletedSuccess": "Cíl byl úspěšně odstraněn",
+    "streamingFailedToDelete": "Nepodařilo se odstranit cíl",
+    "streamingDeleteTitle": "Odstranit cíl",
+    "streamingDeleteButtonText": "Odstranit cíl",
+    "streamingDeleteDialogAreYouSure": "Jste si jisti, že chcete odstranit",
+    "streamingDeleteDialogThisDestination": "tato destinace",
+    "streamingDeleteDialogPermanentlyRemoved": "? Všechny konfigurace budou trvale odstraněny.",
+    "httpDestEditTitle": "Upravit cíl",
+    "httpDestAddTitle": "Přidat cíl HTTP",
+    "httpDestEditDescription": "Aktualizovat konfiguraci pro tuto destinaci HTTP události",
+    "httpDestAddDescription": "Konfigurace nového koncového bodu HTTP pro příjem událostí vaší organizace.",
+    "httpDestTabSettings": "Nastavení",
+    "httpDestTabHeaders": "Záhlaví",
+    "httpDestTabBody": "Tělo",
+    "httpDestTabLogs": "Logy",
+    "httpDestNamePlaceholder": "Moje HTTP cíl",
+    "httpDestUrlLabel": "Cílová adresa URL",
+    "httpDestUrlErrorHttpRequired": "URL musí používat http nebo https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS je vyžadován při nasazení do cloudu",
+    "httpDestUrlErrorInvalid": "Zadejte platnou URL (např. https://example.com/webhook)",
+    "httpDestAuthTitle": "Autentifikace",
+    "httpDestAuthDescription": "Zvolte, jak jsou požadavky na tvůj koncový bod ověřeny.",
+    "httpDestAuthNoneTitle": "Žádné ověření",
+    "httpDestAuthNoneDescription": "Odešle žádosti bez záhlaví autorizace.",
+    "httpDestAuthBearerTitle": "Token na doručitele",
+    "httpDestAuthBearerDescription": "Přidá autorizaci: Hlavička Bearer <token> ke každému požadavku.",
+    "httpDestAuthBearerPlaceholder": "Váš API klíč nebo token",
+    "httpDestAuthBasicTitle": "Základní ověření",
+    "httpDestAuthBasicDescription": "Přidá autorizaci: Základní <credentials> hlavička. Poskytněte přihlašovací údaje jako uživatelské jméno:password.",
+    "httpDestAuthBasicPlaceholder": "uživatelské jméno:heslo",
+    "httpDestAuthCustomTitle": "Vlastní záhlaví",
+    "httpDestAuthCustomDescription": "Zadejte název a hodnotu vlastního HTTP hlavičky pro ověření (např. X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Název záhlaví (např. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Hodnota záhlaví",
+    "httpDestCustomHeadersTitle": "Vlastní HTTP hlavičky",
+    "httpDestCustomHeadersDescription": "Přidat vlastní hlavičky ke každému odchozímu požadavku. Užitečné pro statické tokeny nebo vlastní Typ obsahu. Ve výchozím nastavení je typ obsahu: application/json.",
+    "httpDestNoHeadersConfigured": "Nejsou nakonfigurovány žádné vlastní záhlaví. Pro přidání klikněte na \"Přidat záhlaví\".",
+    "httpDestHeaderNamePlaceholder": "Název záhlaví",
+    "httpDestHeaderValuePlaceholder": "Hodnota",
+    "httpDestAddHeader": "Přidat záhlaví",
+    "httpDestBodyTemplateTitle": "Vlastní šablona těla",
+    "httpDestBodyTemplateDescription": "Ovládá strukturu užitečného zatížení JSON odeslanou na váš koncový bod. Pokud je vypnuto, je pro každou událost zaslán výchozí objekt JSON.",
+    "httpDestEnableBodyTemplate": "Povolit vlastní šablonu těla",
+    "httpDestBodyTemplateLabel": "Šablona těla (JSON)",
+    "httpDestBodyTemplateHint": "Použijte šablonové proměnné pro referenční pole události ve vašem užitečném zatížení.",
+    "httpDestPayloadFormatTitle": "Formát datového zatížení",
+    "httpDestPayloadFormatDescription": "Jak jsou události serializovány v každém žádajícím subjektu.",
+    "httpDestFormatJsonArrayTitle": "JSON pole",
+    "httpDestFormatJsonArrayDescription": "Jeden požadavek na každou šarži, tělo je pole JSON. Kompatibilní s většinou generických webových háčků a Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Jeden požadavek na každou šarži, tělo je nově ohraničené JSON – jeden objekt na jednu čáru, bez vnějšího pole. Vyžaduje Splunk HEC, Elastic / OpenSearch, a Grafana Loki.",
+    "httpDestFormatSingleTitle": "Jedna událost na požadavek",
+    "httpDestFormatSingleDescription": "Odešle samostatnou HTTP POST pro každou jednotlivou událost. Používejte pouze pro koncové body, které nemohou zpracovávat dávky.",
+    "httpDestLogTypesTitle": "Typy protokolů",
+    "httpDestLogTypesDescription": "Vyberte, které typy logů jsou přesměrovány do této destinace. Budou streamovány pouze povolené typy logů.",
+    "httpDestAccessLogsTitle": "Protokoly přístupu",
+    "httpDestAccessLogsDescription": "Pokusy o přístup k dokumentům, včetně ověřených a zamítnutých požadavků.",
+    "httpDestActionLogsTitle": "Záznamy akcí",
+    "httpDestActionLogsDescription": "Správní opatření prováděná uživateli v rámci organizace.",
+    "httpDestConnectionLogsTitle": "Protokoly připojení",
+    "httpDestConnectionLogsDescription": "Události týkající se připojení lokality a tunelu, včetně připojení a odpojení.",
+    "httpDestRequestLogsTitle": "Záznamy požadavků",
+    "httpDestRequestLogsDescription": "HTTP záznamy požadavků pro proxy zdroje, včetně metod, cesty a kódu odpovědi.",
+    "httpDestSaveChanges": "Uložit změny",
+    "httpDestCreateDestination": "Vytvořit cíl",
+    "httpDestUpdatedSuccess": "Cíl byl úspěšně aktualizován",
+    "httpDestCreatedSuccess": "Cíl byl úspěšně vytvořen",
+    "httpDestUpdateFailed": "Nepodařilo se aktualizovat cíl",
+    "httpDestCreateFailed": "Nepodařilo se vytvořit cíl"
 }

From a7fefc84a832f196ba374cabe9cff884b0693993 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:19:49 -0700
Subject: [PATCH 202/314] New translations en-us.json (German)

---
 messages/de-DE.json | 175 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 173 insertions(+), 2 deletions(-)

diff --git a/messages/de-DE.json b/messages/de-DE.json
index bfced13d0..0b72ececd 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -148,6 +148,11 @@
     "createLink": "Link erstellen",
     "resourcesNotFound": "Keine Ressourcen gefunden",
     "resourceSearch": "Suche Ressourcen",
+    "machineSearch": "Maschinen suchen",
+    "machinesSearch": "Suche Maschinen-Klienten...",
+    "machineNotFound": "Keine Maschinen gefunden",
+    "userDeviceSearch": "Benutzergeräte durchsuchen",
+    "userDevicesSearch": "Benutzergeräte durchsuchen...",
     "openMenu": "Menü öffnen",
     "resource": "Ressource",
     "title": "Titel",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "API-Schlüssel löschen",
     "apiKeysManage": "API-Schlüssel verwalten",
     "apiKeysDescription": "API-Schlüssel werden zur Authentifizierung mit der Integrations-API verwendet",
+    "provisioningKeysTitle": "Bereitstellungsschlüssel",
+    "provisioningKeysManage": "Bereitstellungsschlüssel verwalten",
+    "provisioningKeysDescription": "Bereitstellungsschlüssel werden verwendet, um die automatisierte Bereitstellung von Seiten für Ihr Unternehmen zu authentifizieren.",
+    "provisioningManage": "Bereitstellung",
+    "provisioningDescription": "Bereitstellungsschlüssel verwalten und ausstehende Seiten prüfen, die noch auf Genehmigung warten.",
+    "pendingSites": "Ausstehende Seiten",
+    "siteApproveSuccess": "Site erfolgreich freigegeben",
+    "siteApproveError": "Fehler beim Bestätigen der Seite",
+    "provisioningKeys": "Bereitstellungsschlüssel",
+    "searchProvisioningKeys": "Bereitstellungsschlüssel suchen...",
+    "provisioningKeysAdd": "Bereitstellungsschlüssel generieren",
+    "provisioningKeysErrorDelete": "Fehler beim Löschen des Bereitstellungsschlüssels",
+    "provisioningKeysErrorDeleteMessage": "Fehler beim Löschen des Bereitstellungsschlüssels",
+    "provisioningKeysQuestionRemove": "Sind Sie sicher, dass Sie diesen Bereitstellungsschlüssel aus der Organisation entfernen möchten?",
+    "provisioningKeysMessageRemove": "Einmal entfernt, kann der Schlüssel nicht mehr für die Bereitstellung der Site verwendet werden.",
+    "provisioningKeysDeleteConfirm": "Bereitstellungsschlüssel löschen bestätigen",
+    "provisioningKeysDelete": "Bereitstellungsschlüssel löschen",
+    "provisioningKeysCreate": "Bereitstellungsschlüssel generieren",
+    "provisioningKeysCreateDescription": "Einen neuen Bereitstellungsschlüssel für die Organisation generieren",
+    "provisioningKeysSeeAll": "Alle Bereitstellungsschlüssel anzeigen",
+    "provisioningKeysSave": "Bereitstellungsschlüssel speichern",
+    "provisioningKeysSaveDescription": "Sie können dies nur einmal sehen. Kopieren Sie es an einen sicheren Ort.",
+    "provisioningKeysErrorCreate": "Fehler beim Erstellen des Bereitstellungsschlüssels",
+    "provisioningKeysList": "Neuer Bereitstellungsschlüssel",
+    "provisioningKeysMaxBatchSize": "Max. Batch-Größe",
+    "provisioningKeysUnlimitedBatchSize": "Unbegrenzte Batch-Größe (kein Limit)",
+    "provisioningKeysMaxBatchUnlimited": "Unbegrenzt",
+    "provisioningKeysMaxBatchSizeInvalid": "Geben Sie eine gültige maximale Batchgröße ein (1–1.000.000).",
+    "provisioningKeysValidUntil": "Gültig bis",
+    "provisioningKeysValidUntilHint": "Leer lassen für keine Verjährung.",
+    "provisioningKeysValidUntilInvalid": "Geben Sie ein gültiges Datum und Zeit ein.",
+    "provisioningKeysNumUsed": "Verwendete Zeiten",
+    "provisioningKeysLastUsed": "Zuletzt verwendet",
+    "provisioningKeysNoExpiry": "Kein Ablauf",
+    "provisioningKeysNeverUsed": "Nie",
+    "provisioningKeysEdit": "Bereitstellungsschlüssel bearbeiten",
+    "provisioningKeysEditDescription": "Aktualisieren Sie die maximale Batch-Größe und Ablaufzeit für diesen Schlüssel.",
+    "provisioningKeysApproveNewSites": "Neue Seiten genehmigen",
+    "provisioningKeysApproveNewSitesDescription": "Sites, die sich mit diesem Schlüssel registrieren, automatisch freigeben.",
+    "provisioningKeysUpdateError": "Fehler beim Aktualisieren des Bereitstellungsschlüssels",
+    "provisioningKeysUpdated": "Bereitstellungsschlüssel aktualisiert",
+    "provisioningKeysUpdatedDescription": "Ihre Änderungen wurden gespeichert.",
+    "provisioningKeysBannerTitle": "Website-Bereitstellungsschlüssel",
+    "provisioningKeysBannerDescription": "Generieren Sie einen Bereitstellungsschlüssel und verwenden Sie ihn mit dem Newt-Konnektor, um beim ersten Start automatisch Sites zu erstellen – keine Notwendigkeit, separate Anmeldeinformationen für jede Seite einzurichten.",
+    "provisioningKeysBannerButtonText": "Mehr erfahren",
+    "pendingSitesBannerTitle": "Ausstehende Seiten",
+    "pendingSitesBannerDescription": "Sites, die sich mit einem Bereitstellungsschlüssel verbinden, erscheinen hier zur Überprüfung. Bestätigen Sie jede Site, bevor sie aktiv wird und erhalten Zugriff auf Ihre Ressourcen.",
+    "pendingSitesBannerButtonText": "Mehr erfahren",
     "apiKeysSettings": "{apiKeyName} Einstellungen",
     "userTitle": "Alle Benutzer verwalten",
     "userDescription": "Alle Benutzer im System anzeigen und verwalten",
@@ -509,9 +562,12 @@
     "userSaved": "Benutzer gespeichert",
     "userSavedDescription": "Der Benutzer wurde aktualisiert.",
     "autoProvisioned": "Automatisch bereitgestellt",
+    "autoProvisionSettings": "Auto-Bereitstellungseinstellungen",
     "autoProvisionedDescription": "Erlaube diesem Benutzer die automatische Verwaltung durch Identitätsanbieter",
     "accessControlsDescription": "Verwalten Sie, worauf dieser Benutzer in der Organisation zugreifen und was er tun kann",
     "accessControlsSubmit": "Zugriffskontrollen speichern",
+    "singleRolePerUserPlanNotice": "Ihr Plan unterstützt nur eine Rolle pro Benutzer.",
+    "singleRolePerUserEditionNotice": "Diese Ausgabe unterstützt nur eine Rolle pro Benutzer.",
     "roles": "Rollen",
     "accessUsersRoles": "Benutzer & Rollen verwalten",
     "accessUsersRolesDescription": "Lade Benutzer ein und füge sie zu Rollen hinzu, um den Zugriff auf die Organisation zu verwalten",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Geben Sie das Setup-Token von der Serverkonsole ein.",
     "setupTokenRequired": "Setup-Token ist erforderlich",
     "actionUpdateSite": "Standorte aktualisieren",
+    "actionResetSiteBandwidth": "Organisations-Bandbreite zurücksetzen",
     "actionListSiteRoles": "Erlaubte Standort-Rollen auflisten",
     "actionCreateResource": "Ressource erstellen",
     "actionDeleteResource": "Ressource löschen",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Benutzer entfernen",
     "actionListUsers": "Benutzer auflisten",
     "actionAddUserRole": "Benutzerrolle hinzufügen",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Benutzerrollen festlegen",
     "actionGenerateAccessToken": "Zugriffstoken generieren",
     "actionDeleteAccessToken": "Zugriffstoken löschen",
     "actionListAccessTokens": "Zugriffstoken auflisten",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Rollen",
     "sidebarShareableLinks": "Links",
     "sidebarApiKeys": "API-Schlüssel",
+    "sidebarProvisioning": "Bereitstellung",
     "sidebarSettings": "Einstellungen",
     "sidebarAllUsers": "Alle Benutzer",
     "sidebarIdentityProviders": "Identitätsanbieter",
@@ -1972,6 +2030,25 @@
     "invalidValue": "Ungültiger Wert",
     "idpTypeLabel": "Identitätsanbietertyp",
     "roleMappingExpressionPlaceholder": "z. B. enthalten(Gruppen, 'admin') && 'Admin' || 'Mitglied'",
+    "roleMappingModeFixedRoles": "Feste Rollen",
+    "roleMappingModeMappingBuilder": "Mapping Builder",
+    "roleMappingModeRawExpression": "Roher Ausdruck",
+    "roleMappingFixedRolesPlaceholderSelect": "Wählen Sie eine oder mehrere Rollen",
+    "roleMappingFixedRolesPlaceholderFreeform": "Rollennamen eingeben (exakte Übereinstimmung pro Organisation)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Weisen Sie jedem auto-provisionierten Benutzer die gleiche Rolle zu.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Für Standardrichtlinien geben Sie Rollennamen ein, die in jeder Organisation existieren, in der Benutzer angegeben sind. Namen müssen exakt übereinstimmen.",
+    "roleMappingClaimPath": "Pfad einfordern",
+    "roleMappingClaimPathPlaceholder": "gruppen",
+    "roleMappingClaimPathDescription": "Pfad in der Token Payload mit Quellwerten (zum Beispiel Gruppen).",
+    "roleMappingMatchValue": "Match-Wert",
+    "roleMappingAssignRoles": "Rollen zuweisen",
+    "roleMappingAddMappingRule": "Zuordnungsregel hinzufügen",
+    "roleMappingRawExpressionResultDescription": "Ausdruck muss zu einem String oder String Array ausgewertet werden.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Ausdruck muss zu einem String (einem einzigen Rollennamen) ausgewertet werden.",
+    "roleMappingMatchValuePlaceholder": "Match-Wert (z. B.: Admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Rollennamen eingeben (exakt pro Ort)",
+    "roleMappingBuilderFreeformRowHint": "Rollennamen müssen mit einer Rolle in jeder Zielorganisation übereinstimmen.",
+    "roleMappingRemoveRule": "Entfernen",
     "idpGoogleConfiguration": "Google-Konfiguration",
     "idpGoogleConfigurationDescription": "Google OAuth2 Zugangsdaten konfigurieren",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2368,6 +2445,8 @@
     "logRetentionAccessDescription": "Wie lange Zugriffsprotokolle beibehalten werden sollen",
     "logRetentionActionLabel": "Aktionsprotokoll-Speicherung",
     "logRetentionActionDescription": "Dauer des Action-Logs",
+    "logRetentionConnectionLabel": "Verbindungsprotokoll-Speicherung",
+    "logRetentionConnectionDescription": "Wie lange Verbindungsprotokolle gespeichert werden sollen",
     "logRetentionDisabled": "Deaktiviert",
     "logRetention3Days": "3 Tage",
     "logRetention7Days": "7 Tage",
@@ -2378,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Ende des folgenden Jahres",
     "actionLogsDescription": "Verlauf der in dieser Organisation durchgeführten Aktionen anzeigen",
     "accessLogsDescription": "Zugriffsauth-Anfragen für Ressourcen in dieser Organisation anzeigen",
+    "connectionLogs": "Verbindungsprotokolle",
+    "connectionLogsDescription": "Verbindungsprotokolle für Tunnel in dieser Organisation anzeigen",
+    "sidebarLogsConnection": "Verbindungsprotokolle",
+    "sidebarLogsStreaming": "Streaming",
+    "sourceAddress": "Quelladresse",
+    "destinationAddress": "Zieladresse",
+    "duration": "Dauer",
     "licenseRequiredToUse": "Eine <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> Lizenz oder <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> wird benötigt, um diese Funktion nutzen zu können. <bookADemoLink>Buchen Sie eine Demo oder POC Testversion</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "Die <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> wird benötigt, um diese Funktion nutzen zu können. Diese Funktion ist auch in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>verfügbar. <bookADemoLink>Buchen Sie eine Demo oder POC Testversion</bookADemoLink>.",
     "certResolver": "Zertifikatsauflöser",
@@ -2717,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Bearbeite eine Rolle und aktiviere die Option 'Gerätegenehmigung erforderlich'. Benutzer mit dieser Rolle benötigen Administrator-Genehmigung für neue Geräte.",
     "approvalsEmptyStatePreviewDescription": "Vorschau: Wenn aktiviert, werden ausstehende Geräteanfragen hier zur Überprüfung angezeigt",
     "approvalsEmptyStateButtonText": "Rollen verwalten",
-    "domainErrorTitle": "Wir haben Probleme mit der Überprüfung deiner Domain"
+    "domainErrorTitle": "Wir haben Probleme mit der Überprüfung deiner Domain",
+    "idpAdminAutoProvisionPoliciesTabHint": "Konfigurieren Sie Rollenzuordnungs- und Organisationsrichtlinien auf der Registerkarte <policiesTabLink>Auto-Bereitstellungseinstellungen</policiesTabLink>.",
+    "streamingTitle": "Event Streaming",
+    "streamingDescription": "Streamen Sie Events aus Ihrem Unternehmen in Echtzeit zu externen Zielen.",
+    "streamingUnnamedDestination": "Unbenanntes Ziel",
+    "streamingNoUrlConfigured": "Keine URL konfiguriert",
+    "streamingAddDestination": "Ziel hinzufügen",
+    "streamingHttpWebhookTitle": "HTTP Webhook",
+    "streamingHttpWebhookDescription": "Sende Ereignisse an jeden HTTP-Endpunkt mit flexibler Authentifizierung und Vorlage.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Streame Ereignisse in eine S3-kompatible Objekt-Speicher-Eimer. Kommt bald.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Events direkt an Ihr Datadog Konto weiterleiten. Kommen Sie bald.",
+    "streamingTypePickerDescription": "Wählen Sie einen Zieltyp aus, um loszulegen.",
+    "streamingFailedToLoad": "Fehler beim Laden der Ziele",
+    "streamingUnexpectedError": "Ein unerwarteter Fehler ist aufgetreten.",
+    "streamingFailedToUpdate": "Fehler beim Aktualisieren des Ziels",
+    "streamingDeletedSuccess": "Ziel erfolgreich gelöscht",
+    "streamingFailedToDelete": "Fehler beim Löschen des Ziels",
+    "streamingDeleteTitle": "Ziel löschen",
+    "streamingDeleteButtonText": "Ziel löschen",
+    "streamingDeleteDialogAreYouSure": "Sind Sie sicher, dass Sie löschen möchten",
+    "streamingDeleteDialogThisDestination": "dieses Ziel",
+    "streamingDeleteDialogPermanentlyRemoved": "? Alle Konfiguration wird dauerhaft entfernt.",
+    "httpDestEditTitle": "Ziel bearbeiten",
+    "httpDestAddTitle": "HTTP-Ziel hinzufügen",
+    "httpDestEditDescription": "Aktualisiere die Konfiguration für dieses HTTP-Streaming-Ziel.",
+    "httpDestAddDescription": "Konfigurieren Sie einen neuen HTTP-Endpunkt, um die Ereignisse Ihrer Organisation zu empfangen.",
+    "httpDestTabSettings": "Einstellungen",
+    "httpDestTabHeaders": "Kopfzeilen",
+    "httpDestTabBody": "Körper",
+    "httpDestTabLogs": "Logs",
+    "httpDestNamePlaceholder": "Mein HTTP-Ziel",
+    "httpDestUrlLabel": "Ziel-URL",
+    "httpDestUrlErrorHttpRequired": "URL muss http oder https verwenden",
+    "httpDestUrlErrorHttpsRequired": "HTTPS wird für Cloud-Deployment benötigt",
+    "httpDestUrlErrorInvalid": "Geben Sie eine gültige URL ein (z.B. https://example.com/webhook)",
+    "httpDestAuthTitle": "Authentifizierung",
+    "httpDestAuthDescription": "Legen Sie fest, wie Anfragen an Ihren Endpunkt authentifiziert werden.",
+    "httpDestAuthNoneTitle": "Keine Authentifizierung",
+    "httpDestAuthNoneDescription": "Sendet Anfragen ohne Autorisierungs-Header.",
+    "httpDestAuthBearerTitle": "Bären-Token",
+    "httpDestAuthBearerDescription": "Fügt eine Berechtigung hinzu: Bearer <token> Header zu jeder Anfrage.",
+    "httpDestAuthBearerPlaceholder": "Ihr API-Schlüssel oder Token",
+    "httpDestAuthBasicTitle": "Einfacher Auth",
+    "httpDestAuthBasicDescription": "Fügt eine Autorisierung hinzu: Basic <credentials> Kopfzeile hinzu. Geben Sie Anmeldedaten als Benutzername:password an.",
+    "httpDestAuthBasicPlaceholder": "benutzername:password",
+    "httpDestAuthCustomTitle": "Eigene Kopfzeile",
+    "httpDestAuthCustomDescription": "Geben Sie einen eigenen HTTP-Header-Namen und einen Wert für die Authentifizierung an (z.B. X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Headername (z.B. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Header-Wert",
+    "httpDestCustomHeadersTitle": "Eigene HTTP-Header",
+    "httpDestCustomHeadersDescription": "Fügen Sie jeder ausgehenden Anfrage benutzerdefinierte Kopfzeilen hinzu. Nützlich für statische Tokens oder einen benutzerdefinierten Content-Typ. Standardmäßig wird Content-Type: application/json gesendet.",
+    "httpDestNoHeadersConfigured": "Keine benutzerdefinierten Header konfiguriert. Klicken Sie auf \"Header hinzufügen\", um einen hinzuzufügen.",
+    "httpDestHeaderNamePlaceholder": "Header-Name",
+    "httpDestHeaderValuePlaceholder": "Wert",
+    "httpDestAddHeader": "Header hinzufügen",
+    "httpDestBodyTemplateTitle": "Eigene Body-Vorlage",
+    "httpDestBodyTemplateDescription": "Steuere die JSON-Payload-Struktur, die an deinen Endpunkt gesendet wurde. Wenn deaktiviert, wird für jede Veranstaltung ein Standard-JSON-Objekt gesendet.",
+    "httpDestEnableBodyTemplate": "Eigene Körpervorlage aktivieren",
+    "httpDestBodyTemplateLabel": "Body-Vorlage (JSON)",
+    "httpDestBodyTemplateHint": "Verwenden Sie Template-Variablen, um Ereignisfelder in Ihrer Payload zu referenzieren.",
+    "httpDestPayloadFormatTitle": "Payload-Format",
+    "httpDestPayloadFormatDescription": "Wie Ereignisse in jedes Anfragegremium serialisiert werden.",
+    "httpDestFormatJsonArrayTitle": "JSON Array",
+    "httpDestFormatJsonArrayDescription": "Eine Anfrage pro Stapel ist ein JSON-Array. Kompatibel mit den meisten generischen Webhooks und Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Eine Anfrage pro Batch, der Körper ist newline-getrenntes JSON — ein Objekt pro Zeile, kein äußeres Array. Benötigt von Splunk HEC, Elastic / OpenSearch, und Grafana Loki.",
+    "httpDestFormatSingleTitle": "Ein Ereignis pro Anfrage",
+    "httpDestFormatSingleDescription": "Sendet eine separate HTTP-POST für jedes einzelne Ereignis. Nur für Endpunkte, die Batches nicht handhaben können.",
+    "httpDestLogTypesTitle": "Log-Typen",
+    "httpDestLogTypesDescription": "Wählen Sie, welche Log-Typen an dieses Ziel weitergeleitet werden. Nur aktivierte Log-Typen werden gestreamt.",
+    "httpDestAccessLogsTitle": "Zugriffsprotokolle",
+    "httpDestAccessLogsDescription": "Ressourcenzugriffe, einschließlich authentifizierter und abgelehnter Anfragen.",
+    "httpDestActionLogsTitle": "Aktionsprotokolle",
+    "httpDestActionLogsDescription": "Administrative Maßnahmen, die von Benutzern innerhalb der Organisation durchgeführt werden.",
+    "httpDestConnectionLogsTitle": "Verbindungsprotokolle",
+    "httpDestConnectionLogsDescription": "Site- und Tunnelverbindungen, einschließlich Verbindungen und Trennungen.",
+    "httpDestRequestLogsTitle": "Logs anfordern",
+    "httpDestRequestLogsDescription": "HTTP-Request-Protokolle für proxiierte Ressourcen, einschließlich Methode, Pfad und Antwort-Code.",
+    "httpDestSaveChanges": "Änderungen speichern",
+    "httpDestCreateDestination": "Ziel erstellen",
+    "httpDestUpdatedSuccess": "Ziel erfolgreich aktualisiert",
+    "httpDestCreatedSuccess": "Ziel erfolgreich erstellt",
+    "httpDestUpdateFailed": "Fehler beim Aktualisieren des Ziels",
+    "httpDestCreateFailed": "Fehler beim Erstellen des Ziels"
 }

From 8559942c5cfe68abe6db6d9bd2d19cd9f52bb6e5 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:19:51 -0700
Subject: [PATCH 203/314] New translations en-us.json (Italian)

---
 messages/it-IT.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/it-IT.json b/messages/it-IT.json
index 6891cd290..990e2be66 100644
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -148,6 +148,11 @@
     "createLink": "Crea Collegamento",
     "resourcesNotFound": "Nessuna risorsa trovata",
     "resourceSearch": "Cerca risorse",
+    "machineSearch": "Ricerca macchine",
+    "machinesSearch": "Cerca client macchina...",
+    "machineNotFound": "Nessuna macchina trovata",
+    "userDeviceSearch": "Cerca dispositivi utente",
+    "userDevicesSearch": "Cerca dispositivi utente...",
     "openMenu": "Apri menu",
     "resource": "Risorsa",
     "title": "Titolo",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "Elimina Chiave API",
     "apiKeysManage": "Gestisci Chiavi API",
     "apiKeysDescription": "Le chiavi API sono utilizzate per autenticarsi con l'API di integrazione",
+    "provisioningKeysTitle": "Chiave Di Provvedimento",
+    "provisioningKeysManage": "Gestisci Chiavi Di Provvedimento",
+    "provisioningKeysDescription": "Le chiavi di provisioning vengono utilizzate per autenticare il provisioning automatico del sito per la tua organizzazione.",
+    "provisioningManage": "Accantonamento",
+    "provisioningDescription": "Gestire le chiavi di provisioning e rivedere i siti in attesa di approvazione.",
+    "pendingSites": "Siti In Attesa",
+    "siteApproveSuccess": "Sito approvato con successo",
+    "siteApproveError": "Errore nell'approvazione del sito",
+    "provisioningKeys": "Chiavi Di Provvedimento",
+    "searchProvisioningKeys": "Cerca i tasti di provisioning ...",
+    "provisioningKeysAdd": "Genera Chiave Di Provvedimento",
+    "provisioningKeysErrorDelete": "Errore nell'eliminare la chiave di provisioning",
+    "provisioningKeysErrorDeleteMessage": "Errore nell'eliminare la chiave di provisioning",
+    "provisioningKeysQuestionRemove": "Sei sicuro di voler rimuovere questa chiave di provisioning dall'organizzazione?",
+    "provisioningKeysMessageRemove": "Una volta rimossa, la chiave non può più essere utilizzata per il provisioning.",
+    "provisioningKeysDeleteConfirm": "Conferma Elimina Chiave Provvisoria",
+    "provisioningKeysDelete": "Elimina chiave di provisioning",
+    "provisioningKeysCreate": "Genera Chiave Di Provvedimento",
+    "provisioningKeysCreateDescription": "Genera una nuova chiave di provisioning per l'organizzazione",
+    "provisioningKeysSeeAll": "Vedi tutte le chiavi di provisioning",
+    "provisioningKeysSave": "Salva la chiave di provisioning",
+    "provisioningKeysSaveDescription": "Sarai in grado di vedere solo una volta. Copiarlo in un posto sicuro.",
+    "provisioningKeysErrorCreate": "Errore nella creazione della chiave di provisioning",
+    "provisioningKeysList": "Nuova chiave di provisioning",
+    "provisioningKeysMaxBatchSize": "Dimensione massima lotto",
+    "provisioningKeysUnlimitedBatchSize": "Dimensione illimitata del lotto (nessun limite)",
+    "provisioningKeysMaxBatchUnlimited": "Illimitato",
+    "provisioningKeysMaxBatchSizeInvalid": "Inserisci un lotto massimo valido (1–1.000.000).",
+    "provisioningKeysValidUntil": "Valido fino al",
+    "provisioningKeysValidUntilHint": "Lasciare vuoto per nessuna scadenza.",
+    "provisioningKeysValidUntilInvalid": "Inserisci una data e ora valide.",
+    "provisioningKeysNumUsed": "Volte usate",
+    "provisioningKeysLastUsed": "Ultimo utilizzo",
+    "provisioningKeysNoExpiry": "Nessuna scadenza",
+    "provisioningKeysNeverUsed": "Mai",
+    "provisioningKeysEdit": "Modifica Chiave Di Provvedimento",
+    "provisioningKeysEditDescription": "Aggiorna la dimensione massima del lotto e il tempo di scadenza per questa chiave.",
+    "provisioningKeysApproveNewSites": "Approva nuovi siti",
+    "provisioningKeysApproveNewSitesDescription": "Approvare automaticamente i siti che si registrano con questa chiave.",
+    "provisioningKeysUpdateError": "Errore nell'aggiornamento della chiave di provisioning",
+    "provisioningKeysUpdated": "Chiave di accantonamento aggiornata",
+    "provisioningKeysUpdatedDescription": "Le tue modifiche sono state salvate.",
+    "provisioningKeysBannerTitle": "Chiavi Di Provvedimento Sito",
+    "provisioningKeysBannerDescription": "Generare una chiave di provisioning e usarla con il connettore Newt per creare automaticamente siti al primo avvio — non è necessario impostare credenziali separate per ogni sito.",
+    "provisioningKeysBannerButtonText": "Scopri di più",
+    "pendingSitesBannerTitle": "Siti In Attesa",
+    "pendingSitesBannerDescription": "I siti che si connettono utilizzando una chiave di provisioning appaiono qui per la revisione. Approva ogni sito prima che diventi attivo e ottenga l'accesso alle tue risorse.",
+    "pendingSitesBannerButtonText": "Scopri di più",
     "apiKeysSettings": "Impostazioni {apiKeyName}",
     "userTitle": "Gestisci Tutti Gli Utenti",
     "userDescription": "Visualizza e gestisci tutti gli utenti del sistema",
@@ -509,9 +562,12 @@
     "userSaved": "Utente salvato",
     "userSavedDescription": "L'utente è stato aggiornato.",
     "autoProvisioned": "Auto Provisioned",
+    "autoProvisionSettings": "Impostazioni Automatiche Di Fornitura",
     "autoProvisionedDescription": "Permetti a questo utente di essere gestito automaticamente dal provider di identità",
     "accessControlsDescription": "Gestisci cosa questo utente può accedere e fare nell'organizzazione",
     "accessControlsSubmit": "Salva Controlli di Accesso",
+    "singleRolePerUserPlanNotice": "Il tuo piano supporta solo un ruolo per utente.",
+    "singleRolePerUserEditionNotice": "Questa edizione supporta solo un ruolo per utente.",
     "roles": "Ruoli",
     "accessUsersRoles": "Gestisci Utenti e Ruoli",
     "accessUsersRolesDescription": "Invita gli utenti e aggiungili ai ruoli per gestire l'accesso all'organizzazione",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Inserisci il token di configurazione dalla console del server.",
     "setupTokenRequired": "Il token di configurazione è richiesto",
     "actionUpdateSite": "Aggiorna Sito",
+    "actionResetSiteBandwidth": "Reimposta Larghezza Banda Dell'Organizzazione",
     "actionListSiteRoles": "Elenca Ruoli Sito Consentiti",
     "actionCreateResource": "Crea Risorsa",
     "actionDeleteResource": "Elimina Risorsa",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Rimuovi Utente",
     "actionListUsers": "Elenca Utenti",
     "actionAddUserRole": "Aggiungi Ruolo Utente",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Imposta Ruoli Utente",
     "actionGenerateAccessToken": "Genera Token di Accesso",
     "actionDeleteAccessToken": "Elimina Token di Accesso",
     "actionListAccessTokens": "Elenca Token di Accesso",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Ruoli",
     "sidebarShareableLinks": "Collegamenti",
     "sidebarApiKeys": "Chiavi API",
+    "sidebarProvisioning": "Accantonamento",
     "sidebarSettings": "Impostazioni",
     "sidebarAllUsers": "Tutti Gli Utenti",
     "sidebarIdentityProviders": "Fornitori Di Identità",
@@ -1890,6 +1948,40 @@
     "exitNode": "Nodo di Uscita",
     "country": "Paese",
     "rulesMatchCountry": "Attualmente basato sull'IP di origine",
+    "region": "Regione",
+    "selectRegion": "Seleziona regione",
+    "searchRegions": "Cerca regioni...",
+    "noRegionFound": "Nessuna regione trovata.",
+    "rulesMatchRegion": "Seleziona un raggruppamento regionale di paesi",
+    "rulesErrorInvalidRegion": "Regione non valida",
+    "rulesErrorInvalidRegionDescription": "Seleziona una regione valida.",
+    "regionAfrica": "Africa",
+    "regionNorthernAfrica": "Africa Settentrionale",
+    "regionEasternAfrica": "Africa Orientale",
+    "regionMiddleAfrica": "Africa Centrale",
+    "regionSouthernAfrica": "Africa Meridionale",
+    "regionWesternAfrica": "Africa Occidentale",
+    "regionAmericas": "Americhe",
+    "regionCaribbean": "Caraibi",
+    "regionCentralAmerica": "America Centrale",
+    "regionSouthAmerica": "America Del Sud",
+    "regionNorthernAmerica": "America Del Nord",
+    "regionAsia": "Asia",
+    "regionCentralAsia": "Asia Centrale",
+    "regionEasternAsia": "Asia Orientale",
+    "regionSouthEasternAsia": "Asia Sudorientale",
+    "regionSouthernAsia": "Asia Meridionale",
+    "regionWesternAsia": "Asia Occidentale",
+    "regionEurope": "Europa",
+    "regionEasternEurope": "Europa Orientale",
+    "regionNorthernEurope": "Europa Settentrionale",
+    "regionSouthernEurope": "Europa Meridionale",
+    "regionWesternEurope": "Europa Occidentale",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Australia e Nuova Zelanda",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
     "managedSelfHosted": {
         "title": "Gestito Auto-Ospitato",
         "description": "Server Pangolin self-hosted più affidabile e a bassa manutenzione con campanelli e fischietti extra",
@@ -1938,6 +2030,25 @@
     "invalidValue": "Valore non valido",
     "idpTypeLabel": "Tipo Provider Identità",
     "roleMappingExpressionPlaceholder": "es. contiene(gruppi, 'admin') && 'Admin' <unk> <unk> 'Membro'",
+    "roleMappingModeFixedRoles": "Ruoli Fissi",
+    "roleMappingModeMappingBuilder": "Mapping Builder",
+    "roleMappingModeRawExpression": "Espressione Raw",
+    "roleMappingFixedRolesPlaceholderSelect": "Seleziona uno o più ruoli",
+    "roleMappingFixedRolesPlaceholderFreeform": "Digita nomi dei ruoli (corrispondenza esatta per organizzazione)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Assegna lo stesso ruolo impostato a ogni utente auto-provisioned.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Per i criteri predefiniti, digita i nomi dei ruoli che esistono in ogni organizzazione in cui gli utenti sono forniti. I nomi devono corrispondere esattamente.",
+    "roleMappingClaimPath": "Richiedi Percorso",
+    "roleMappingClaimPathPlaceholder": "gruppi",
+    "roleMappingClaimPathDescription": "Percorso nel payload del token che contiene valori sorgente (ad esempio, gruppi).",
+    "roleMappingMatchValue": "Valore Della Partita",
+    "roleMappingAssignRoles": "Assegna Ruoli",
+    "roleMappingAddMappingRule": "Aggiungi Regola Mappatura",
+    "roleMappingRawExpressionResultDescription": "Espressione deve essere valutata in una stringa o array di stringhe.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Espressione deve valutare in una stringa (un singolo nome ruolo).",
+    "roleMappingMatchValuePlaceholder": "Valore della corrispondenza (per esempio: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Digita i nomi dei ruoli (esatto per org)",
+    "roleMappingBuilderFreeformRowHint": "I nomi dei ruoli devono corrispondere a un ruolo in ogni organizzazione di destinazione.",
+    "roleMappingRemoveRule": "Rimuovi",
     "idpGoogleConfiguration": "Configurazione Google",
     "idpGoogleConfigurationDescription": "Configura le credenziali di Google OAuth2",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "Per quanto tempo conservare i log di accesso",
     "logRetentionActionLabel": "Ritenzione Registro Azioni",
     "logRetentionActionDescription": "Per quanto tempo conservare i log delle azioni",
+    "logRetentionConnectionLabel": "Ritenzione Registro Di Connessione",
+    "logRetentionConnectionDescription": "Per quanto tempo conservare i log di connessione",
     "logRetentionDisabled": "Disabilitato",
     "logRetention3Days": "3 giorni",
     "logRetention7Days": "7 giorni",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Fine dell'anno successivo",
     "actionLogsDescription": "Visualizza una cronologia delle azioni eseguite in questa organizzazione",
     "accessLogsDescription": "Visualizza le richieste di autenticazione di accesso per le risorse in questa organizzazione",
+    "connectionLogs": "Log Di Connessione",
+    "connectionLogsDescription": "Visualizza i log di connessione per i tunnel in questa organizzazione",
+    "sidebarLogsConnection": "Log Di Connessione",
+    "sidebarLogsStreaming": "Streaming",
+    "sourceAddress": "Indirizzo Di Origine",
+    "destinationAddress": "Indirizzo Di Destinazione",
+    "duration": "Durata",
     "licenseRequiredToUse": "Per utilizzare questa funzione è necessaria una licenza <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> o <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> . <bookADemoLink>Prenota una demo o una prova POC</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "L' <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> è necessaria per utilizzare questa funzione. Questa funzione è disponibile anche in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Prenota una demo o una prova POC</bookADemoLink>.",
     "certResolver": "Risolutore Di Certificato",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Modifica un ruolo e abilita l'opzione 'Richiedi l'approvazione del dispositivo'. Gli utenti con questo ruolo avranno bisogno dell'approvazione dell'amministratore per i nuovi dispositivi.",
     "approvalsEmptyStatePreviewDescription": "Anteprima: quando abilitato, le richieste di dispositivo in attesa appariranno qui per la revisione",
     "approvalsEmptyStateButtonText": "Gestisci Ruoli",
-    "domainErrorTitle": "Stiamo avendo problemi a verificare il tuo dominio"
+    "domainErrorTitle": "Stiamo avendo problemi a verificare il tuo dominio",
+    "idpAdminAutoProvisionPoliciesTabHint": "Configura la mappatura dei ruoli e le politiche di organizzazione nella scheda <policiesTabLink>Auto Provision Settings</policiesTabLink>.",
+    "streamingTitle": "Streaming Eventi",
+    "streamingDescription": "Trasmetti eventi dalla tua organizzazione a destinazioni esterne in tempo reale.",
+    "streamingUnnamedDestination": "Destinazione senza nome",
+    "streamingNoUrlConfigured": "Nessun URL configurato",
+    "streamingAddDestination": "Aggiungi Destinazione",
+    "streamingHttpWebhookTitle": "Webhook HTTP",
+    "streamingHttpWebhookDescription": "Invia eventi a qualsiasi endpoint HTTP con autenticazione e template flessibili.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Trasmetti eventi su un contenitore di archiviazione per oggetti compatibile con S3. Presto in arrivo.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Inoltra gli eventi direttamente al tuo account Datadog. In arrivo.",
+    "streamingTypePickerDescription": "Scegli un tipo di destinazione per iniziare.",
+    "streamingFailedToLoad": "Impossibile caricare le destinazioni",
+    "streamingUnexpectedError": "Si è verificato un errore imprevisto.",
+    "streamingFailedToUpdate": "Impossibile aggiornare la destinazione",
+    "streamingDeletedSuccess": "Destinazione eliminata con successo",
+    "streamingFailedToDelete": "Impossibile eliminare la destinazione",
+    "streamingDeleteTitle": "Elimina Destinazione",
+    "streamingDeleteButtonText": "Elimina Destinazione",
+    "streamingDeleteDialogAreYouSure": "Sei sicuro di voler eliminare",
+    "streamingDeleteDialogThisDestination": "questa destinazione",
+    "streamingDeleteDialogPermanentlyRemoved": "? Tutta la configurazione verrà definitivamente rimossa.",
+    "httpDestEditTitle": "Modifica Destinazione",
+    "httpDestAddTitle": "Aggiungi Destinazione HTTP",
+    "httpDestEditDescription": "Aggiorna la configurazione per questa destinazione di streaming di eventi HTTP.",
+    "httpDestAddDescription": "Configura un nuovo endpoint HTTP per ricevere gli eventi della tua organizzazione.",
+    "httpDestTabSettings": "Impostazioni",
+    "httpDestTabHeaders": "Intestazioni",
+    "httpDestTabBody": "Corpo",
+    "httpDestTabLogs": "Registri",
+    "httpDestNamePlaceholder": "La mia destinazione HTTP",
+    "httpDestUrlLabel": "Url Di Destinazione",
+    "httpDestUrlErrorHttpRequired": "L'URL deve usare http o https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS è richiesto sulle distribuzioni cloud",
+    "httpDestUrlErrorInvalid": "Inserisci un URL valido (es. https://example.com/webhook)",
+    "httpDestAuthTitle": "Autenticazione",
+    "httpDestAuthDescription": "Scegli come vengono autenticate le richieste al tuo endpoint.",
+    "httpDestAuthNoneTitle": "Nessuna Autenticazione",
+    "httpDestAuthNoneDescription": "Invia richieste senza intestazione autorizzazione.",
+    "httpDestAuthBearerTitle": "Token Del Portatore",
+    "httpDestAuthBearerDescription": "Aggiunge un'intestazione Autorizzazione: Bearer <token> ad ogni richiesta.",
+    "httpDestAuthBearerPlaceholder": "La tua chiave API o token",
+    "httpDestAuthBasicTitle": "Autenticazione Base",
+    "httpDestAuthBasicDescription": "Aggiunge un'autorizzazione: intestazione di base <credentials> . Fornisce le credenziali come username:password.",
+    "httpDestAuthBasicPlaceholder": "username:password",
+    "httpDestAuthCustomTitle": "Intestazione Personalizzata",
+    "httpDestAuthCustomDescription": "Specifica un nome e un valore di intestazione HTTP personalizzati per l'autenticazione (ad esempio X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Nome intestazione (es. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Valore intestazione",
+    "httpDestCustomHeadersTitle": "Intestazioni Http Personalizzate",
+    "httpDestCustomHeadersDescription": "Aggiungi intestazioni personalizzate ad ogni richiesta in uscita. Utile per token statici o un tipo di contenuto personalizzato. Come impostazione predefinita, viene inviato il tipo di contenuto/json.",
+    "httpDestNoHeadersConfigured": "Nessuna intestazione personalizzata configurata. Fare clic su \"Aggiungi intestazione\" per aggiungerne una.",
+    "httpDestHeaderNamePlaceholder": "Nome intestazione",
+    "httpDestHeaderValuePlaceholder": "Valore",
+    "httpDestAddHeader": "Aggiungi Intestazione",
+    "httpDestBodyTemplateTitle": "Modello Corpo Personalizzato",
+    "httpDestBodyTemplateDescription": "Controlla la struttura JSON payload inviata al tuo endpoint. Se disabilitata, viene inviato un oggetto JSON predefinito per ogni evento.",
+    "httpDestEnableBodyTemplate": "Abilita modello corpo personalizzato",
+    "httpDestBodyTemplateLabel": "Modello Corpo (JSON)",
+    "httpDestBodyTemplateHint": "Usa le variabili del modello per fare riferimento ai campi dell'evento nel tuo payload.",
+    "httpDestPayloadFormatTitle": "Formato Payload",
+    "httpDestPayloadFormatDescription": "Come gli eventi sono serializzati in ogni organismo di richiesta.",
+    "httpDestFormatJsonArrayTitle": "JSON Array",
+    "httpDestFormatJsonArrayDescription": "Una richiesta per lotto, corpo è un array JSON. Compatibile con la maggior parte dei webhooks generici e Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Una richiesta per lotto, corpo è newline-delimited JSON — un oggetto per linea, nessun array esterno. Richiesto da Splunk HEC, Elastic / OpenSearch, e Grafana Loki.",
+    "httpDestFormatSingleTitle": "Un Evento Per Richiesta",
+    "httpDestFormatSingleDescription": "Invia un HTTP POST separato per ogni singolo evento. Usa solo per gli endpoint che non possono gestire i batch.",
+    "httpDestLogTypesTitle": "Tipi Di Log",
+    "httpDestLogTypesDescription": "Scegli quali tipi di log vengono inoltrati a questa destinazione. Verranno trasmessi solo i tipi di log abilitati.",
+    "httpDestAccessLogsTitle": "Log Accesso",
+    "httpDestAccessLogsDescription": "Tentativi di accesso alle risorse, comprese le richieste autenticate e negate.",
+    "httpDestActionLogsTitle": "Log Azioni",
+    "httpDestActionLogsDescription": "Azioni amministrative eseguite dagli utenti all'interno dell'organizzazione.",
+    "httpDestConnectionLogsTitle": "Log Di Connessione",
+    "httpDestConnectionLogsDescription": "Eventi di connessione al sito e al tunnel, inclusi collegamenti e disconnessioni.",
+    "httpDestRequestLogsTitle": "Log Richiesta",
+    "httpDestRequestLogsDescription": "Registri di richiesta HTTP per le risorse proxy, inclusi metodo, percorso e codice di risposta.",
+    "httpDestSaveChanges": "Salva Modifiche",
+    "httpDestCreateDestination": "Crea Destinazione",
+    "httpDestUpdatedSuccess": "Destinazione aggiornata con successo",
+    "httpDestCreatedSuccess": "Destinazione creata con successo",
+    "httpDestUpdateFailed": "Impossibile aggiornare la destinazione",
+    "httpDestCreateFailed": "Impossibile creare la destinazione"
 }

From 82ba2bd809ea847ea083329237e81c4e0b5da7f0 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:19:52 -0700
Subject: [PATCH 204/314] New translations en-us.json (Korean)

---
 messages/ko-KR.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/ko-KR.json b/messages/ko-KR.json
index 02915abd7..e0ae07d66 100644
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -148,6 +148,11 @@
     "createLink": "링크 생성",
     "resourcesNotFound": "리소스가 발견되지 않았습니다.",
     "resourceSearch": "리소스 검색",
+    "machineSearch": "기계 검색",
+    "machinesSearch": "기계 클라이언트 검색...",
+    "machineNotFound": "기계를 찾을 수 없습니다",
+    "userDeviceSearch": "사용자 장치 검색",
+    "userDevicesSearch": "사용자 장치 검색...",
     "openMenu": "메뉴 열기",
     "resource": "리소스",
     "title": "제목",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "API 키 삭제",
     "apiKeysManage": "API 키 관리",
     "apiKeysDescription": "API 키는 통합 API와 인증하는 데 사용됩니다.",
+    "provisioningKeysTitle": "프로비저닝 키",
+    "provisioningKeysManage": "프로비저닝 키 관리",
+    "provisioningKeysDescription": "프로비저닝 키는 조직의 자동 사이트 프로비저닝 인증에 사용됩니다.",
+    "provisioningManage": "프로비저닝",
+    "provisioningDescription": "프로비저닝 키를 관리하고 승인을 기다리는 사이트를 검토합니다.",
+    "pendingSites": "대기중인 사이트",
+    "siteApproveSuccess": "사이트가 성공적으로 승인되었습니다",
+    "siteApproveError": "사이트 승인 오류",
+    "provisioningKeys": "프로비저닝 키",
+    "searchProvisioningKeys": "프로비저닝 키 검색...",
+    "provisioningKeysAdd": "프로비저닝 키 생성",
+    "provisioningKeysErrorDelete": "프로비저닝 키 삭제 오류",
+    "provisioningKeysErrorDeleteMessage": "프로비저닝 키 삭제 오류",
+    "provisioningKeysQuestionRemove": "이 프로비저닝 키를 조직에서 제거하시겠습니까?",
+    "provisioningKeysMessageRemove": "제거 후에는 이 키를 사이트 프로비저닝에 사용할 수 없습니다.",
+    "provisioningKeysDeleteConfirm": "프로비저닝 키 삭제 확인",
+    "provisioningKeysDelete": "프로비저닝 키 삭제",
+    "provisioningKeysCreate": "프로비저닝 키 생성",
+    "provisioningKeysCreateDescription": "조직을 위한 새로운 프로비저닝 키 생성",
+    "provisioningKeysSeeAll": "모든 프로비저닝 키 보기",
+    "provisioningKeysSave": "프로비저닝 키 저장",
+    "provisioningKeysSaveDescription": "이것은 한 번만 볼 수 있습니다. 안전한 장소에 복사해 두세요.",
+    "provisioningKeysErrorCreate": "프로비저닝 키 생성 오류",
+    "provisioningKeysList": "새 프로비저닝 키",
+    "provisioningKeysMaxBatchSize": "최대 배치 크기",
+    "provisioningKeysUnlimitedBatchSize": "무제한 배치 크기 (제한 없음)",
+    "provisioningKeysMaxBatchUnlimited": "무제한",
+    "provisioningKeysMaxBatchSizeInvalid": "유효한 최대 배치 크기를 입력하세요 (1–1,000,000).",
+    "provisioningKeysValidUntil": "유효 기간",
+    "provisioningKeysValidUntilHint": "만료 날짜를 설정하지 않을 경우 빈칸으로 남겨 두세요.",
+    "provisioningKeysValidUntilInvalid": "유효한 날짜와 시간을 입력하세요.",
+    "provisioningKeysNumUsed": "사용 횟수",
+    "provisioningKeysLastUsed": "마지막 사용",
+    "provisioningKeysNoExpiry": "만료 없음",
+    "provisioningKeysNeverUsed": "절대",
+    "provisioningKeysEdit": "프로비저닝 키 수정",
+    "provisioningKeysEditDescription": "이 키의 최대 배치 크기 및 만료 시간을 업데이트하세요.",
+    "provisioningKeysApproveNewSites": "새로운 사이트 승인",
+    "provisioningKeysApproveNewSitesDescription": "이 키를 등록하는 사이트를 자동으로 승인합니다.",
+    "provisioningKeysUpdateError": "프로비저닝 키 업데이트 오류",
+    "provisioningKeysUpdated": "프로비저닝 키가 업데이트되었습니다",
+    "provisioningKeysUpdatedDescription": "변경 사항이 저장되었습니다.",
+    "provisioningKeysBannerTitle": "사이트 프로비저닝 키",
+    "provisioningKeysBannerDescription": "프로비저닝 키를 생성하여 Newt 커넥터와 함께 사용해 첫 실행 시 자동으로 사이트를 생성하세요 — 각 사이트마다 별도의 인증을 설정할 필요가 없습니다.",
+    "provisioningKeysBannerButtonText": "자세히 알아보기",
+    "pendingSitesBannerTitle": "대기중인 사이트",
+    "pendingSitesBannerDescription": "프로비저닝 키를 사용하여 연결하는 사이트는 검토 대기 중입니다. 사이트가 활성화되어 리소스에 액세스하기 전에 각 사이트를 승인하세요.",
+    "pendingSitesBannerButtonText": "자세히 알아보기",
     "apiKeysSettings": "{apiKeyName} 설정",
     "userTitle": "모든 사용자 관리",
     "userDescription": "시스템의 모든 사용자를 보고 관리합니다",
@@ -509,9 +562,12 @@
     "userSaved": "사용자 저장됨",
     "userSavedDescription": "사용자가 업데이트되었습니다.",
     "autoProvisioned": "자동 프로비저닝됨",
+    "autoProvisionSettings": "자동 프로비저닝 설정",
     "autoProvisionedDescription": "이 사용자가 ID 공급자에 의해 자동으로 관리될 수 있도록 허용합니다",
     "accessControlsDescription": "이 사용자가 조직에서 접근하고 수행할 수 있는 작업을 관리하세요",
     "accessControlsSubmit": "접근 제어 저장",
+    "singleRolePerUserPlanNotice": "계획에는 사용자당 한 가지 역할만 지원됩니다.",
+    "singleRolePerUserEditionNotice": "이 판에는 사용자당 한 가지 역할만 지원됩니다.",
     "roles": "역할",
     "accessUsersRoles": "사용자 및 역할 관리",
     "accessUsersRolesDescription": "사용자를 초대하고 역할에 추가하여 조직에 대한 접근을 관리하세요",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "서버 콘솔에서 설정 토큰 입력.",
     "setupTokenRequired": "설정 토큰이 필요합니다",
     "actionUpdateSite": "사이트 업데이트",
+    "actionResetSiteBandwidth": "조직 대역폭 재설정",
     "actionListSiteRoles": "허용된 사이트 역할 목록",
     "actionCreateResource": "리소스 생성",
     "actionDeleteResource": "리소스 삭제",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "사용자 제거",
     "actionListUsers": "사용자 목록",
     "actionAddUserRole": "사용자 역할 추가",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "사용자 역할 설정",
     "actionGenerateAccessToken": "액세스 토큰 생성",
     "actionDeleteAccessToken": "액세스 토큰 삭제",
     "actionListAccessTokens": "액세스 토큰 목록",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "역할",
     "sidebarShareableLinks": "링크",
     "sidebarApiKeys": "API 키",
+    "sidebarProvisioning": "프로비저닝",
     "sidebarSettings": "설정",
     "sidebarAllUsers": "모든 사용자",
     "sidebarIdentityProviders": "신원 공급자",
@@ -1890,6 +1948,40 @@
     "exitNode": "종단 노드",
     "country": "국가",
     "rulesMatchCountry": "현재 소스 IP를 기반으로 합니다",
+    "region": "지역",
+    "selectRegion": "지역 선택",
+    "searchRegions": "지역 검색...",
+    "noRegionFound": "지역을 찾을 수 없습니다.",
+    "rulesMatchRegion": "국가의 지역 구성을 선택합니다",
+    "rulesErrorInvalidRegion": "잘못된 지역",
+    "rulesErrorInvalidRegionDescription": "유효한 지역을 선택하세요.",
+    "regionAfrica": "아프리카",
+    "regionNorthernAfrica": "북부 아프리카",
+    "regionEasternAfrica": "동부 아프리카",
+    "regionMiddleAfrica": "중부 아프리카",
+    "regionSouthernAfrica": "남부 아프리카",
+    "regionWesternAfrica": "서부 아프리카",
+    "regionAmericas": "아메리카",
+    "regionCaribbean": "카리브",
+    "regionCentralAmerica": "중앙 아메리카",
+    "regionSouthAmerica": "남아메리카",
+    "regionNorthernAmerica": "북미",
+    "regionAsia": "아시아",
+    "regionCentralAsia": "중앙 아시아",
+    "regionEasternAsia": "동아시아",
+    "regionSouthEasternAsia": "동남아시아",
+    "regionSouthernAsia": "남아시아",
+    "regionWesternAsia": "서아시아",
+    "regionEurope": "유럽",
+    "regionEasternEurope": "동부 유럽",
+    "regionNorthernEurope": "북부 유럽",
+    "regionSouthernEurope": "남부 유럽",
+    "regionWesternEurope": "서부 유럽",
+    "regionOceania": "오세아니아",
+    "regionAustraliaAndNewZealand": "호주와 뉴질랜드",
+    "regionMelanesia": "멜라네시아",
+    "regionMicronesia": "미크로네시아",
+    "regionPolynesia": "폴리네시아",
     "managedSelfHosted": {
         "title": "관리 자체 호스팅",
         "description": "더 신뢰할 수 있고 낮은 유지보수의 자체 호스팅 팡골린 서버, 추가 기능 포함",
@@ -1938,6 +2030,25 @@
     "invalidValue": "잘못된 값",
     "idpTypeLabel": "신원 공급자 유형",
     "roleMappingExpressionPlaceholder": "예: contains(groups, 'admin') && 'Admin' || 'Member'",
+    "roleMappingModeFixedRoles": "고정 역할",
+    "roleMappingModeMappingBuilder": "매핑 빌더",
+    "roleMappingModeRawExpression": "원시 표현식",
+    "roleMappingFixedRolesPlaceholderSelect": "하나 이상의 역할을 선택하세요",
+    "roleMappingFixedRolesPlaceholderFreeform": "역할 이름 입력 (조직마다 정확히 일치)",
+    "roleMappingFixedRolesDescriptionSameForAll": "모든 자동 프로비전 사용자에게 동일한 역할 세트를 할당합니다.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "기본 정책의 경우 사용자가 프로비저닝된 조직의 역할 이름을 입력하세요. 이름은 정확히 일치해야 합니다.",
+    "roleMappingClaimPath": "클레임 경로",
+    "roleMappingClaimPathPlaceholder": "그룹",
+    "roleMappingClaimPathDescription": "토큰 페이로드에서 소스 값을 포함하는 경로 (예: 그룹).",
+    "roleMappingMatchValue": "매치 값",
+    "roleMappingAssignRoles": "역할 할당",
+    "roleMappingAddMappingRule": "매핑 규칙 추가",
+    "roleMappingRawExpressionResultDescription": "표현식은 문자열 또는 문자열 배열로 평가되어야 합니다.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "표현식은 문자열 (단일 역할 이름)로 평가되어야 합니다.",
+    "roleMappingMatchValuePlaceholder": "매치 값 (예: 관리자)",
+    "roleMappingAssignRolesPlaceholderFreeform": "역할 이름 입력 (조직마다 정확히)",
+    "roleMappingBuilderFreeformRowHint": "역할 이름은 각 대상 조직의 역할과 일치해야 합니다.",
+    "roleMappingRemoveRule": "제거",
     "idpGoogleConfiguration": "Google 구성",
     "idpGoogleConfigurationDescription": "Google OAuth2 자격 증명을 구성합니다.",
     "idpGoogleClientIdDescription": "Google OAuth2 클라이언트 ID",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "접근 로그를 얼마나 오래 보관할지",
     "logRetentionActionLabel": "작업 로그 보관",
     "logRetentionActionDescription": "작업 로그를 얼마나 오래 보관할지",
+    "logRetentionConnectionLabel": "연결 로그 보유 기간",
+    "logRetentionConnectionDescription": "연결 로그를 얼마나 오래 보유할지",
     "logRetentionDisabled": "비활성화됨",
     "logRetention3Days": "3 일",
     "logRetention7Days": "7 일",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "다음 연도 말",
     "actionLogsDescription": "이 조직에서 수행된 작업의 기록을 봅니다",
     "accessLogsDescription": "이 조직의 자원에 대한 접근 인증 요청을 확인합니다",
+    "connectionLogs": "연결 로그",
+    "connectionLogsDescription": "이 조직의 터널 연결 로그 보기",
+    "sidebarLogsConnection": "연결 로그",
+    "sidebarLogsStreaming": "스트리밍",
+    "sourceAddress": "소스 주소",
+    "destinationAddress": "대상 주소",
+    "duration": "지속 시간",
     "licenseRequiredToUse": "이 기능을 사용하려면 <enterpriseLicenseLink>엔터프라이즈 에디션</enterpriseLicenseLink> 라이선스가 필요합니다. 이 기능은 <pangolinCloudLink>판골린 클라우드</pangolinCloudLink>에서도 사용할 수 있습니다. <bookADemoLink>데모 또는 POC 체험을 예약하세요</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "이 기능을 사용하려면 <enterpriseEditionLink>엔터프라이즈 에디션</enterpriseEditionLink>이(가) 필요합니다. 이 기능은 <pangolinCloudLink>판골린 클라우드</pangolinCloudLink>에서도 사용할 수 있습니다. <bookADemoLink>데모 또는 POC 체험을 예약하세요</bookADemoLink>.",
     "certResolver": "인증서 해결사",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "역할을 편집하고 '장치 승인 요구' 옵션을 활성화하세요. 이 역할을 가진 사용자는 새 장치에 대해 관리자의 승인이 필요합니다.",
     "approvalsEmptyStatePreviewDescription": "미리 보기: 활성화된 경우, 승인 대기 중인 장치 요청이 검토용으로 여기에 표시됩니다.",
     "approvalsEmptyStateButtonText": "역할 관리",
-    "domainErrorTitle": "도메인 확인에 문제가 발생했습니다."
+    "domainErrorTitle": "도메인 확인에 문제가 발생했습니다.",
+    "idpAdminAutoProvisionPoliciesTabHint": "<policiesTabLink>자동 프로비저닝 설정</policiesTabLink> 탭에서 역할 매핑 및 조직 정책을 구성합니다.",
+    "streamingTitle": "이벤트 스트리밍",
+    "streamingDescription": "조직의 이벤트를 외부 목적지로 실시간 전송합니다.",
+    "streamingUnnamedDestination": "이름이 없는 대상지",
+    "streamingNoUrlConfigured": "설정된 URL이 없습니다",
+    "streamingAddDestination": "대상지 추가",
+    "streamingHttpWebhookTitle": "HTTP 웹훅",
+    "streamingHttpWebhookDescription": "유연한 인증 및 템플릿 작성 기능을 갖춘 HTTP 엔드포인트에 이벤트를 전송합니다.",
+    "streamingS3Title": "아마존 S3",
+    "streamingS3Description": "S3 호환 객체 스토리지 버킷에 이벤트를 스트리밍합니다. 곧 제공됩니다.",
+    "streamingDatadogTitle": "데이터독",
+    "streamingDatadogDescription": "이벤트를 직접 Datadog 계정으로 전달합니다. 곧 제공됩니다.",
+    "streamingTypePickerDescription": "목표 유형을 선택하여 시작합니다.",
+    "streamingFailedToLoad": "대상 로드에 실패했습니다",
+    "streamingUnexpectedError": "예기치 않은 오류가 발생했습니다.",
+    "streamingFailedToUpdate": "대상지를 업데이트하는 데 실패했습니다",
+    "streamingDeletedSuccess": "대상지가 성공적으로 삭제되었습니다",
+    "streamingFailedToDelete": "대상지 삭제 실패",
+    "streamingDeleteTitle": "대상지 삭제",
+    "streamingDeleteButtonText": "대상지 삭제",
+    "streamingDeleteDialogAreYouSure": "삭제하시겠습니까",
+    "streamingDeleteDialogThisDestination": "이 대상지",
+    "streamingDeleteDialogPermanentlyRemoved": "? 모든 구성은 영구적으로 제거됩니다.",
+    "httpDestEditTitle": "대상지 수정",
+    "httpDestAddTitle": "HTTP 대상지 추가",
+    "httpDestEditDescription": "이 HTTP 이벤트 스트리밍 대상지의 구성을 업데이트하세요.",
+    "httpDestAddDescription": "조직의 이벤트 수신을 위한 새로운 HTTP 엔드포인트를 구성하세요.",
+    "httpDestTabSettings": "설정",
+    "httpDestTabHeaders": "헤더",
+    "httpDestTabBody": "본문",
+    "httpDestTabLogs": "로그",
+    "httpDestNamePlaceholder": "내 HTTP 대상",
+    "httpDestUrlLabel": "대상 URL",
+    "httpDestUrlErrorHttpRequired": "URL은 http 또는 https를 사용해야 합니다",
+    "httpDestUrlErrorHttpsRequired": "클라우드 배포에는 HTTPS가 필요합니다",
+    "httpDestUrlErrorInvalid": "유효한 URL을 입력하세요 (예: https://example.com/webhook)",
+    "httpDestAuthTitle": "인증",
+    "httpDestAuthDescription": "엔드포인트에 대한 요청 인증 방법을 선택하세요.",
+    "httpDestAuthNoneTitle": "인증 없음",
+    "httpDestAuthNoneDescription": "Authorization 헤더 없이 요청을 보냅니다.",
+    "httpDestAuthBearerTitle": "Bearer 토큰",
+    "httpDestAuthBearerDescription": "모든 요청에 Authorization: Bearer <token> 헤더를 추가합니다.",
+    "httpDestAuthBearerPlaceholder": "API 키 또는 토큰",
+    "httpDestAuthBasicTitle": "기본 인증",
+    "httpDestAuthBasicDescription": "Authorization: Basic <credentials> 헤더를 추가합니다. 자격 증명은 username:password 형식으로 제공하세요.",
+    "httpDestAuthBasicPlaceholder": "사용자 이름:비밀번호",
+    "httpDestAuthCustomTitle": "사용자 정의 헤더",
+    "httpDestAuthCustomDescription": "인증을 위한 사용자 정의 HTTP 헤더 이름 및 값을 지정하세요 (예: X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "헤더 이름 (예: X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "헤더 값",
+    "httpDestCustomHeadersTitle": "사용자 정의 HTTP 헤더",
+    "httpDestCustomHeadersDescription": "모든 발신 요청에 사용자 정의 헤더를 추가합니다. 정적 토큰 또는 사용자 정의 Content-Type에 유용합니다. 기본적으로 Content-Type: application/json이 전송됩니다.",
+    "httpDestNoHeadersConfigured": "구성된 사용자 정의 헤더가 없습니다. \"헤더 추가\"를 클릭하여 추가하세요.",
+    "httpDestHeaderNamePlaceholder": "헤더 이름",
+    "httpDestHeaderValuePlaceholder": "값",
+    "httpDestAddHeader": "헤더 추가",
+    "httpDestBodyTemplateTitle": "사용자 정의 본문 템플릿",
+    "httpDestBodyTemplateDescription": "엔드포인트에 전송되는 JSON 페이로드 구조를 제어합니다. 비활성화된 경우 각 이벤트에 대해 기본 JSON 객체가 전송됩니다.",
+    "httpDestEnableBodyTemplate": "사용자 정의 본문 템플릿 활성화",
+    "httpDestBodyTemplateLabel": "본문 템플릿 (JSON)",
+    "httpDestBodyTemplateHint": "템플릿 변수를 사용하여 페이로드에서 이벤트 필드를 참조하세요.",
+    "httpDestPayloadFormatTitle": "페이로드 형식",
+    "httpDestPayloadFormatDescription": "각 요청 본문에 이벤트가 시리얼라이즈되는 방식입니다.",
+    "httpDestFormatJsonArrayTitle": "JSON 배열",
+    "httpDestFormatJsonArrayDescription": "각 배치마다 요청 하나씩, 본문은 JSON 배열입니다. 대부분의 일반 웹훅 및 Datadog과 호환됩니다.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "각 배치마다 요청 하나씩, 본문은 줄 구분 JSON — 한 라인에 하나의 객체가 있으며 외부 배열이 없습니다. Splunk HEC, Elastic / OpenSearch, Grafana Loki에 필요합니다.",
+    "httpDestFormatSingleTitle": "각 요청 당 하나의 이벤트",
+    "httpDestFormatSingleDescription": "각 개별 이벤트에 대해 별도의 HTTP POST를 전송합니다. 배치를 처리할 수 없는 엔드포인트에만 사용하세요.",
+    "httpDestLogTypesTitle": "로그 유형",
+    "httpDestLogTypesDescription": "이 대상지에 전달될 로그 유형을 선택하세요. 활성화된 로그 유형만 스트리밍 됩니다.",
+    "httpDestAccessLogsTitle": "접근 로그",
+    "httpDestAccessLogsDescription": "인증 및 거부된 요청을 포함한 리소스 접근 시도.",
+    "httpDestActionLogsTitle": "작업 로그",
+    "httpDestActionLogsDescription": "조직 내에서 사용자가 수행한 관리 작업.",
+    "httpDestConnectionLogsTitle": "연결 로그",
+    "httpDestConnectionLogsDescription": "사이트 및 터널 연결 이벤트, 연결 및 연결 끊기를 포함합니다.",
+    "httpDestRequestLogsTitle": "요청 로그",
+    "httpDestRequestLogsDescription": "프록시된 리소스에 대한 HTTP 요청 로그, 메서드, 경로 및 응답 코드를 포함합니다.",
+    "httpDestSaveChanges": "변경 사항 저장",
+    "httpDestCreateDestination": "대상지 생성",
+    "httpDestUpdatedSuccess": "대상지가 성공적으로 업데이트되었습니다",
+    "httpDestCreatedSuccess": "대상지가 성공적으로 생성되었습니다",
+    "httpDestUpdateFailed": "대상지를 업데이트하는 데 실패했습니다",
+    "httpDestCreateFailed": "대상지를 생성하는 데 실패했습니다"
 }

From 75193bb0a212382877daa8d7bbabd97081504d5a Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:19:54 -0700
Subject: [PATCH 205/314] New translations en-us.json (Dutch)

---
 messages/nl-NL.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/nl-NL.json b/messages/nl-NL.json
index f0eaff3fd..e38aec788 100644
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -148,6 +148,11 @@
     "createLink": "Koppeling aanmaken",
     "resourcesNotFound": "Geen bronnen gevonden",
     "resourceSearch": "Zoek bronnen",
+    "machineSearch": "Zoek machines",
+    "machinesSearch": "Zoek machine-clients...",
+    "machineNotFound": "Geen machines gevonden",
+    "userDeviceSearch": "Gebruikersapparaten zoeken",
+    "userDevicesSearch": "Gebruikersapparaten zoeken...",
     "openMenu": "Menu openen",
     "resource": "Bron",
     "title": "Aanspreektitel",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "API-sleutel verwijderen",
     "apiKeysManage": "API-sleutels beheren",
     "apiKeysDescription": "API-sleutels worden gebruikt om te verifiëren met de integratie-API",
+    "provisioningKeysTitle": "Vertrekkende sleutel",
+    "provisioningKeysManage": "Beheren van Provisioning Sleutels",
+    "provisioningKeysDescription": "Provisionerende sleutels worden gebruikt om geautomatiseerde sitebepaling voor uw organisatie te verifiëren.",
+    "provisioningManage": "Provisie",
+    "provisioningDescription": "Voorzieningssleutels beheren en sites beoordelen in afwachting van goedkeuring.",
+    "pendingSites": "Openstaande sites",
+    "siteApproveSuccess": "Site succesvol goedgekeurd",
+    "siteApproveError": "Fout bij goedkeuren website",
+    "provisioningKeys": "Verhelderende sleutels",
+    "searchProvisioningKeys": "Zoek provisioningsleutels ...",
+    "provisioningKeysAdd": "Genereer Provisioning Sleutel",
+    "provisioningKeysErrorDelete": "Fout bij verwijderen provisioning sleutel",
+    "provisioningKeysErrorDeleteMessage": "Fout bij verwijderen provisioning sleutel",
+    "provisioningKeysQuestionRemove": "Weet u zeker dat u deze proefsleutel van de organisatie wilt verwijderen?",
+    "provisioningKeysMessageRemove": "Eenmaal verwijderd, kan de sleutel niet meer worden gebruikt voor site-instructie.",
+    "provisioningKeysDeleteConfirm": "Bevestig Verwijderen Provisione-sleutel",
+    "provisioningKeysDelete": "Provisione-sleutel verwijderen",
+    "provisioningKeysCreate": "Genereer Provisioning Sleutel",
+    "provisioningKeysCreateDescription": "Een nieuwe provisioningsleutel voor de organisatie genereren",
+    "provisioningKeysSeeAll": "Bekijk alle provisioning sleutels",
+    "provisioningKeysSave": "Sla de provisioning sleutel op",
+    "provisioningKeysSaveDescription": "Je kunt dit slechts één keer zien. Kopieer het naar een veilige plaats.",
+    "provisioningKeysErrorCreate": "Fout bij aanmaken provisioning sleutel",
+    "provisioningKeysList": "Nieuwe provisioning sleutel",
+    "provisioningKeysMaxBatchSize": "Maximale batchgrootte",
+    "provisioningKeysUnlimitedBatchSize": "Onbeperkte batchgrootte (geen limiet)",
+    "provisioningKeysMaxBatchUnlimited": "Onbeperkt",
+    "provisioningKeysMaxBatchSizeInvalid": "Voer een geldige maximale batchgrootte in (1–1.000,000).",
+    "provisioningKeysValidUntil": "Geldig tot",
+    "provisioningKeysValidUntilHint": "Laat leeg voor geen vervaldatum.",
+    "provisioningKeysValidUntilInvalid": "Voer een geldige datum en tijd in.",
+    "provisioningKeysNumUsed": "Aantal keer gebruikt",
+    "provisioningKeysLastUsed": "Laatst gebruikt",
+    "provisioningKeysNoExpiry": "Geen vervaldatum",
+    "provisioningKeysNeverUsed": "Nooit",
+    "provisioningKeysEdit": "Wijzig Provisioning Sleutel",
+    "provisioningKeysEditDescription": "Werk de maximale batchgrootte en verlooptijd voor deze sleutel bij.",
+    "provisioningKeysApproveNewSites": "Goedkeuren van nieuwe sites",
+    "provisioningKeysApproveNewSitesDescription": "Automatisch sites goedkeuren die zich registreren met deze sleutel.",
+    "provisioningKeysUpdateError": "Fout tijdens bijwerken provisioning sleutel",
+    "provisioningKeysUpdated": "Provisie sleutel bijgewerkt",
+    "provisioningKeysUpdatedDescription": "Uw wijzigingen zijn opgeslagen.",
+    "provisioningKeysBannerTitle": "Bewerkingssleutels voor websites",
+    "provisioningKeysBannerDescription": "Genereer een provisioning-sleutel en gebruik deze met de Newt-connector om automatisch sites aan te maken bij het opstarten van de eerste opstart- het is niet nodig om afzonderlijke inloggegevens in te stellen voor elke site.",
+    "provisioningKeysBannerButtonText": "Meer informatie",
+    "pendingSitesBannerTitle": "Openstaande sites",
+    "pendingSitesBannerDescription": "Sites die met elkaar verbinden met behulp van een provisioning-sleutel verschijnen hier voor beoordeling. Accepteer elke site voordat deze actief wordt en krijgt toegang tot uw bronnen.",
+    "pendingSitesBannerButtonText": "Meer informatie",
     "apiKeysSettings": "{apiKeyName} instellingen",
     "userTitle": "Alle gebruikers beheren",
     "userDescription": "Bekijk en beheer alle gebruikers in het systeem",
@@ -509,9 +562,12 @@
     "userSaved": "Gebruiker opgeslagen",
     "userSavedDescription": "De gebruiker is bijgewerkt.",
     "autoProvisioned": "Automatisch bevestigen",
+    "autoProvisionSettings": "Auto Provisie Instellingen",
     "autoProvisionedDescription": "Toestaan dat deze gebruiker automatisch wordt beheerd door een identiteitsprovider",
     "accessControlsDescription": "Beheer wat deze gebruiker toegang heeft tot en doet in de organisatie",
     "accessControlsSubmit": "Bewaar Toegangsbesturing",
+    "singleRolePerUserPlanNotice": "Uw plan ondersteunt slechts één rol per gebruiker.",
+    "singleRolePerUserEditionNotice": "Deze editie ondersteunt slechts één rol per gebruiker.",
     "roles": "Rollen",
     "accessUsersRoles": "Beheer Gebruikers & Rollen",
     "accessUsersRolesDescription": "Nodig gebruikers uit en voeg ze toe aan de rollen om toegang tot de organisatie te beheren",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Voer het setup-token in vanaf de serverconsole.",
     "setupTokenRequired": "Setup-token is vereist",
     "actionUpdateSite": "Site bijwerken",
+    "actionResetSiteBandwidth": "Reset organisatieschandbreedte",
     "actionListSiteRoles": "Toon toegestane sitenollen",
     "actionCreateResource": "Bron maken",
     "actionDeleteResource": "Document verwijderen",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Gebruiker verwijderen",
     "actionListUsers": "Gebruikers weergeven",
     "actionAddUserRole": "Gebruikersrol toevoegen",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Stel gebruikersrollen in",
     "actionGenerateAccessToken": "Genereer Toegangstoken",
     "actionDeleteAccessToken": "Verwijder toegangstoken",
     "actionListAccessTokens": "Lijst toegangstokens",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Rollen",
     "sidebarShareableLinks": "Koppelingen",
     "sidebarApiKeys": "API sleutels",
+    "sidebarProvisioning": "Provisie",
     "sidebarSettings": "Instellingen",
     "sidebarAllUsers": "Alle gebruikers",
     "sidebarIdentityProviders": "Identiteit aanbieders",
@@ -1890,6 +1948,40 @@
     "exitNode": "Exit Node",
     "country": "Land",
     "rulesMatchCountry": "Momenteel gebaseerd op bron IP",
+    "region": "Regio",
+    "selectRegion": "Selecteer regio",
+    "searchRegions": "Zoek regio's...",
+    "noRegionFound": "Geen regio gevonden.",
+    "rulesMatchRegion": "Selecteer een regionale groepering van landen",
+    "rulesErrorInvalidRegion": "Ongeldige regio",
+    "rulesErrorInvalidRegionDescription": "Selecteer een geldige regio.",
+    "regionAfrica": "Afrika",
+    "regionNorthernAfrica": "Noord-Afrika",
+    "regionEasternAfrica": "Oost Afrika",
+    "regionMiddleAfrica": "Midden Afrika",
+    "regionSouthernAfrica": "Zuidelijk Afrika",
+    "regionWesternAfrica": "Westelijk Afrika",
+    "regionAmericas": "Amerika's",
+    "regionCaribbean": "Caraïben",
+    "regionCentralAmerica": "Midden-Amerika",
+    "regionSouthAmerica": "Zuid Amerika",
+    "regionNorthernAmerica": "Noord-Amerika",
+    "regionAsia": "Azië",
+    "regionCentralAsia": "Centraal-Azië",
+    "regionEasternAsia": "Oost-Azië",
+    "regionSouthEasternAsia": "Zuid-Oost-Azië",
+    "regionSouthernAsia": "Zuid-Azië",
+    "regionWesternAsia": "Westelijk Azië",
+    "regionEurope": "Europa",
+    "regionEasternEurope": "Oost-Europa",
+    "regionNorthernEurope": "Noord-Europa",
+    "regionSouthernEurope": "Zuid-Europa",
+    "regionWesternEurope": "West-Europa",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Australië en Nieuw-Zeeland",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
     "managedSelfHosted": {
         "title": "Beheerde Self-Hosted",
         "description": "betrouwbaardere en slecht onderhouden Pangolin server met extra klokken en klokkenluiders",
@@ -1938,6 +2030,25 @@
     "invalidValue": "Ongeldige waarde",
     "idpTypeLabel": "Identiteit provider type",
     "roleMappingExpressionPlaceholder": "bijvoorbeeld bevat (groepen, 'admin') && 'Admin' ½ 'Member'",
+    "roleMappingModeFixedRoles": "Vaste rollen",
+    "roleMappingModeMappingBuilder": "Toewijzing Bouwer",
+    "roleMappingModeRawExpression": "Ruwe expressie",
+    "roleMappingFixedRolesPlaceholderSelect": "Selecteer één of meer rollen",
+    "roleMappingFixedRolesPlaceholderFreeform": "Typ rolnamen (exacte overeenkomst per organisatie)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Wijs dezelfde rolset toe aan elke auto-provisioned gebruiker.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Voor standaardbeleid, typ rolnamen die bestaan in elke organisatie waar gebruikers worden opgegeven. Namen moeten exact overeenkomen.",
+    "roleMappingClaimPath": "Claim pad",
+    "roleMappingClaimPathPlaceholder": "Groepen",
+    "roleMappingClaimPathDescription": "Pad in de token payload die bronwaarden bevat (bijvoorbeeld groepen).",
+    "roleMappingMatchValue": "Kies een waarde",
+    "roleMappingAssignRoles": "Rollen toewijzen",
+    "roleMappingAddMappingRule": "Toewijzingsregel toevoegen",
+    "roleMappingRawExpressionResultDescription": "Expressie moet een tekenreeks of tekenreeks evalueren.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Expressie moet evalueren naar een tekenreeks (een naam met één rol).",
+    "roleMappingMatchValuePlaceholder": "Overeenkomende waarde (bijvoorbeeld: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Typ rolnamen (exact per org)",
+    "roleMappingBuilderFreeformRowHint": "Rol namen moeten overeenkomen met een rol in elke doelorganisatie.",
+    "roleMappingRemoveRule": "Verwijderen",
     "idpGoogleConfiguration": "Google Configuratie",
     "idpGoogleConfigurationDescription": "Configureer de Google OAuth2-referenties",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "Hoe lang de toegangslogboeken behouden blijven",
     "logRetentionActionLabel": "Actie log bewaring",
     "logRetentionActionDescription": "Hoe lang de action logs behouden moeten blijven",
+    "logRetentionConnectionLabel": "Connectie log bewaring",
+    "logRetentionConnectionDescription": "Hoe lang de verbindingslogs onderhouden",
     "logRetentionDisabled": "Uitgeschakeld",
     "logRetention3Days": "3 dagen",
     "logRetention7Days": "7 dagen",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Einde van volgend jaar",
     "actionLogsDescription": "Bekijk een geschiedenis van acties die worden uitgevoerd in deze organisatie",
     "accessLogsDescription": "Toegangsverificatieverzoeken voor resources in deze organisatie bekijken",
+    "connectionLogs": "Connectie Logs",
+    "connectionLogsDescription": "Toon verbindingslogs voor tunnels in deze organisatie",
+    "sidebarLogsConnection": "Connectie Logs",
+    "sidebarLogsStreaming": "Streamen",
+    "sourceAddress": "Bron adres",
+    "destinationAddress": "Adres bestemming",
+    "duration": "Duur",
     "licenseRequiredToUse": "Een <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> licentie of <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is vereist om deze functie te gebruiken. <bookADemoLink>Boek een demo of POC trial</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "De <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is vereist om deze functie te gebruiken. Deze functie is ook beschikbaar in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Boek een demo of POC trial</bookADemoLink>.",
     "certResolver": "Certificaat Resolver",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Bewerk een rol en schakel de optie 'Vereist Apparaat Goedkeuringen' in. Gebruikers met deze rol hebben admin goedkeuring nodig voor nieuwe apparaten.",
     "approvalsEmptyStatePreviewDescription": "Voorbeeld: Indien ingeschakeld, zullen in afwachting van apparaatverzoeken hier verschijnen om te beoordelen",
     "approvalsEmptyStateButtonText": "Rollen beheren",
-    "domainErrorTitle": "We ondervinden problemen bij het controleren van uw domein"
+    "domainErrorTitle": "We ondervinden problemen bij het controleren van uw domein",
+    "idpAdminAutoProvisionPoliciesTabHint": "Configureer rolverrekening en organisatie beleid in het <policiesTabLink>Auto Provision Settings</policiesTabLink> tab.",
+    "streamingTitle": "Event streaming",
+    "streamingDescription": "Stream events van uw organisatie naar externe bestemmingen in realtime.",
+    "streamingUnnamedDestination": "Naamloze bestemming",
+    "streamingNoUrlConfigured": "Geen URL ingesteld",
+    "streamingAddDestination": "Bestemming toevoegen",
+    "streamingHttpWebhookTitle": "HTTP Webhook",
+    "streamingHttpWebhookDescription": "Stuur gebeurtenissen naar elk HTTP eindpunt met flexibele authenticatie en template.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Stream events naar een S3-compatibele object-opslagemmer. Binnenkort beschikbaar.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Stuur gebeurtenissen rechtstreeks door naar je Datadog account. Binnenkort beschikbaar.",
+    "streamingTypePickerDescription": "Kies een bestemmingstype om te beginnen.",
+    "streamingFailedToLoad": "Laden van bestemmingen mislukt",
+    "streamingUnexpectedError": "Er is een onverwachte fout opgetreden.",
+    "streamingFailedToUpdate": "Bijwerken bestemming mislukt",
+    "streamingDeletedSuccess": "Bestemming succesvol verwijderd",
+    "streamingFailedToDelete": "Verwijderen van bestemming mislukt",
+    "streamingDeleteTitle": "Verwijder bestemming",
+    "streamingDeleteButtonText": "Verwijder bestemming",
+    "streamingDeleteDialogAreYouSure": "Weet u zeker dat u wilt verwijderen",
+    "streamingDeleteDialogThisDestination": "deze bestemming",
+    "streamingDeleteDialogPermanentlyRemoved": "? Alle configuratie zal permanent worden verwijderd.",
+    "httpDestEditTitle": "Bewerk bestemming",
+    "httpDestAddTitle": "Voeg HTTP bestemming toe",
+    "httpDestEditDescription": "Werk de configuratie voor deze HTTP-event streaming bestemming bij.",
+    "httpDestAddDescription": "Configureer een nieuw HTTP-eindpunt om de gebeurtenissen van uw organisatie te ontvangen.",
+    "httpDestTabSettings": "Instellingen",
+    "httpDestTabHeaders": "Kopteksten",
+    "httpDestTabBody": "Lichaam",
+    "httpDestTabLogs": "Logboeken",
+    "httpDestNamePlaceholder": "Mijn HTTP-bestemming",
+    "httpDestUrlLabel": "Bestemming URL",
+    "httpDestUrlErrorHttpRequired": "URL moet http of https gebruiken",
+    "httpDestUrlErrorHttpsRequired": "HTTPS is vereist op cloud implementaties",
+    "httpDestUrlErrorInvalid": "Voer een geldige URL in (bijv. https://example.com/webhook)",
+    "httpDestAuthTitle": "Authenticatie",
+    "httpDestAuthDescription": "Kies hoe verzoeken voor uw eindpunt zijn geverifieerd.",
+    "httpDestAuthNoneTitle": "Geen authenticatie",
+    "httpDestAuthNoneDescription": "Stuurt verzoeken zonder toestemmingskop.",
+    "httpDestAuthBearerTitle": "Betere Token",
+    "httpDestAuthBearerDescription": "Voegt een machtiging toe: Drager <token> header aan elke aanvraag.",
+    "httpDestAuthBearerPlaceholder": "Uw API-sleutel of -token",
+    "httpDestAuthBasicTitle": "Basis authenticatie",
+    "httpDestAuthBasicDescription": "Voegt een Authorizatie toe: Basis <credentials> kop. Geef inloggegevens op als gebruikersnaam:wachtwoord.",
+    "httpDestAuthBasicPlaceholder": "Gebruikersnaam:wachtwoord",
+    "httpDestAuthCustomTitle": "Aangepaste koptekst",
+    "httpDestAuthCustomDescription": "Specificeer een aangepaste HTTP header naam en waarde voor authenticatie (bijv. X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Header naam (bijv. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Header waarde",
+    "httpDestCustomHeadersTitle": "Aangepaste HTTP Headers",
+    "httpDestCustomHeadersDescription": "Voeg aangepaste headers toe aan elk uitgaande verzoek. Handig voor statische tokens of een aangepast Content-Type. Standaard Content-Type: application/json wordt verzonden.",
+    "httpDestNoHeadersConfigured": "Geen aangepaste headers geconfigureerd. Klik op \"Header\" om er een toe te voegen.",
+    "httpDestHeaderNamePlaceholder": "Naam koptekst",
+    "httpDestHeaderValuePlaceholder": "Waarde",
+    "httpDestAddHeader": "Koptekst toevoegen",
+    "httpDestBodyTemplateTitle": "Aangepaste Body Sjabloon",
+    "httpDestBodyTemplateDescription": "Bestuur de JSON payload structuur verzonden naar uw eindpunt. Indien uitgeschakeld, wordt een standaard JSON object verzonden voor elke event.",
+    "httpDestEnableBodyTemplate": "Aangepaste lichaam sjabloon inschakelen",
+    "httpDestBodyTemplateLabel": "Body sjabloon (JSON)",
+    "httpDestBodyTemplateHint": "Gebruik sjabloonvariabelen om te verwijzen naar gebeurtenisvelden in uw payload.",
+    "httpDestPayloadFormatTitle": "Payload formaat",
+    "httpDestPayloadFormatDescription": "Hoe evenementen worden geserialiseerd in elk verzoeklichaam.",
+    "httpDestFormatJsonArrayTitle": "JSON matrix",
+    "httpDestFormatJsonArrayDescription": "Eén verzoek per batch, lichaam is een JSON-array. Compatibel met de meeste algemene webhooks en Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Eén aanvraag per batch, lichaam is nieuwe JSON gescheiden - één object per regel, geen buitenste array. Vereist door Splunk HEC, Elastic / OpenSearch, en Grafana Loki.",
+    "httpDestFormatSingleTitle": "Eén afspraak per verzoek",
+    "httpDestFormatSingleDescription": "Stuurt een aparte HTTP POST voor elk individueel event. Gebruik alleen voor eindpunten die geen batches kunnen verwerken.",
+    "httpDestLogTypesTitle": "Log soorten",
+    "httpDestLogTypesDescription": "Kies welke log types doorgestuurd worden naar deze bestemming. Alleen ingeschakelde log types worden gestreden.",
+    "httpDestAccessLogsTitle": "Toegang tot logboek",
+    "httpDestAccessLogsDescription": "Hulpbrontoegangspogingen, inclusief geauthenticeerde en weigerde aanvragen.",
+    "httpDestActionLogsTitle": "Actie logs",
+    "httpDestActionLogsDescription": "Administratieve acties uitgevoerd door gebruikers binnen de organisatie.",
+    "httpDestConnectionLogsTitle": "Connectie Logs",
+    "httpDestConnectionLogsDescription": "Verbinding met de Site en tunnel maken verbroken, inclusief verbindingen en verbindingen.",
+    "httpDestRequestLogsTitle": "Logboeken aanvragen",
+    "httpDestRequestLogsDescription": "HTTP request logs voor proxied hulpmiddelen, waaronder methode, pad en response code.",
+    "httpDestSaveChanges": "Wijzigingen opslaan",
+    "httpDestCreateDestination": "Maak bestemming aan",
+    "httpDestUpdatedSuccess": "Bestemming succesvol bijgewerkt",
+    "httpDestCreatedSuccess": "Bestemming succesvol aangemaakt",
+    "httpDestUpdateFailed": "Bijwerken bestemming mislukt",
+    "httpDestCreateFailed": "Aanmaken bestemming mislukt"
 }

From 64d3c6b2d9efb4e0936f3e8741f3ff6f27cbb087 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:19:56 -0700
Subject: [PATCH 206/314] New translations en-us.json (Polish)

---
 messages/pl-PL.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/pl-PL.json b/messages/pl-PL.json
index 998fcc880..3a9607e7c 100644
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -148,6 +148,11 @@
     "createLink": "Utwórz link",
     "resourcesNotFound": "Nie znaleziono zasobów",
     "resourceSearch": "Szukaj zasobów",
+    "machineSearch": "Wyszukiwarki",
+    "machinesSearch": "Szukaj klientów maszyn...",
+    "machineNotFound": "Nie znaleziono maszyn",
+    "userDeviceSearch": "Szukaj urządzeń użytkownika",
+    "userDevicesSearch": "Szukaj urządzeń użytkownika...",
     "openMenu": "Otwórz menu",
     "resource": "Zasoby",
     "title": "Tytuł",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "Usuń klucz API",
     "apiKeysManage": "Zarządzaj kluczami API",
     "apiKeysDescription": "Klucze API służą do uwierzytelniania z API integracji",
+    "provisioningKeysTitle": "Klucz Zaopatrzenia",
+    "provisioningKeysManage": "Zarządzaj kluczami zaopatrzenia",
+    "provisioningKeysDescription": "Klucze zaopatrzenia są używane do uwierzytelniania zautomatyzowanego zaopatrzenia twojej organizacji.",
+    "provisioningManage": "Dostarczanie",
+    "provisioningDescription": "Zarządzaj kluczami rezerwacji i sprawdzaj oczekujące strony oczekujące na zatwierdzenie.",
+    "pendingSites": "Witryny oczekujące",
+    "siteApproveSuccess": "Witryna została pomyślnie zatwierdzona",
+    "siteApproveError": "Błąd zatwierdzania witryny",
+    "provisioningKeys": "Klucze Zaopatrzenia",
+    "searchProvisioningKeys": "Szukaj kluczy zaopatrzenia...",
+    "provisioningKeysAdd": "Wygeneruj klucz zaopatrzenia",
+    "provisioningKeysErrorDelete": "Błąd podczas usuwania klucza zaopatrzenia",
+    "provisioningKeysErrorDeleteMessage": "Błąd podczas usuwania klucza zaopatrzenia",
+    "provisioningKeysQuestionRemove": "Czy na pewno chcesz usunąć ten klucz rezerwacji z organizacji?",
+    "provisioningKeysMessageRemove": "Po usunięciu, klucz nie może być już używany do tworzenia witryny.",
+    "provisioningKeysDeleteConfirm": "Potwierdź usunięcie klucza zaopatrzenia",
+    "provisioningKeysDelete": "Usuń klucz zaopatrzenia",
+    "provisioningKeysCreate": "Wygeneruj klucz zaopatrzenia",
+    "provisioningKeysCreateDescription": "Wygeneruj nowy klucz tworzenia rezerw dla organizacji",
+    "provisioningKeysSeeAll": "Zobacz wszystkie klucze rezerwacji",
+    "provisioningKeysSave": "Zapisz klucz zaopatrzenia",
+    "provisioningKeysSaveDescription": "Możesz to zobaczyć tylko raz. Skopiuj je do bezpiecznego miejsca.",
+    "provisioningKeysErrorCreate": "Błąd podczas tworzenia klucza zaopatrzenia",
+    "provisioningKeysList": "Nowy klucz rezerwacji",
+    "provisioningKeysMaxBatchSize": "Maksymalny rozmiar partii",
+    "provisioningKeysUnlimitedBatchSize": "Nieograniczony rozmiar partii (bez limitu)",
+    "provisioningKeysMaxBatchUnlimited": "Nieograniczona",
+    "provisioningKeysMaxBatchSizeInvalid": "Wprowadź poprawny maksymalny rozmiar partii (1–1 000,000).",
+    "provisioningKeysValidUntil": "Ważny do",
+    "provisioningKeysValidUntilHint": "Pozostaw puste, aby nie wygasnąć.",
+    "provisioningKeysValidUntilInvalid": "Wprowadź prawidłową datę i godzinę.",
+    "provisioningKeysNumUsed": "Używane czasy",
+    "provisioningKeysLastUsed": "Ostatnio używane",
+    "provisioningKeysNoExpiry": "Brak wygaśnięcia",
+    "provisioningKeysNeverUsed": "Nigdy",
+    "provisioningKeysEdit": "Edytuj klucz zaopatrzenia",
+    "provisioningKeysEditDescription": "Zaktualizuj maksymalny rozmiar partii i czas wygaśnięcia dla tego klucza.",
+    "provisioningKeysApproveNewSites": "Zatwierdź nowe witryny",
+    "provisioningKeysApproveNewSitesDescription": "Automatycznie zatwierdzaj witryny, które rejestrują się za pomocą tego klucza.",
+    "provisioningKeysUpdateError": "Błąd podczas aktualizacji klucza zaopatrzenia",
+    "provisioningKeysUpdated": "Klucz zaopatrzenia zaktualizowany",
+    "provisioningKeysUpdatedDescription": "Twoje zmiany zostały zapisane.",
+    "provisioningKeysBannerTitle": "Klucze Zaopatrzenia witryny",
+    "provisioningKeysBannerDescription": "Wygeneruj klucz tworzenia rezerw i użyj go z konektorem Newt do automatycznego tworzenia witryn przy pierwszym uruchomieniu — nie ma potrzeby ustawiania oddzielnych poświadczeń dla każdej witryny.",
+    "provisioningKeysBannerButtonText": "Dowiedz się więcej",
+    "pendingSitesBannerTitle": "Witryny oczekujące",
+    "pendingSitesBannerDescription": "Witryny, które łączą się przy użyciu klucza zaopatrzenia, pojawiają się tutaj, aby przejrzeć. Zatwierdź każdą witrynę, zanim stanie się aktywna i uzyska dostęp do twoich zasobów.",
+    "pendingSitesBannerButtonText": "Dowiedz się więcej",
     "apiKeysSettings": "Ustawienia {apiKeyName}",
     "userTitle": "Zarządzaj wszystkimi użytkownikami",
     "userDescription": "Zobacz i zarządzaj wszystkimi użytkownikami w systemie",
@@ -509,9 +562,12 @@
     "userSaved": "Użytkownik zapisany",
     "userSavedDescription": "Użytkownik został zaktualizowany.",
     "autoProvisioned": "Przesłane automatycznie",
+    "autoProvisionSettings": "Ustawienia automatycznego dostarczania",
     "autoProvisionedDescription": "Pozwól temu użytkownikowi na automatyczne zarządzanie przez dostawcę tożsamości",
     "accessControlsDescription": "Zarządzaj tym, do czego użytkownik ma dostęp i co może robić w organizacji",
     "accessControlsSubmit": "Zapisz kontrole dostępu",
+    "singleRolePerUserPlanNotice": "Twój plan obsługuje tylko jedną rolę na użytkownika.",
+    "singleRolePerUserEditionNotice": "Ta edycja obsługuje tylko jedną rolę na użytkownika.",
     "roles": "Role",
     "accessUsersRoles": "Zarządzaj użytkownikami i rolami",
     "accessUsersRolesDescription": "Zaproś użytkowników i dodaj je do ról do zarządzania dostępem do organizacji",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Wprowadź token konfiguracji z konsoli serwera.",
     "setupTokenRequired": "Wymagany jest token konfiguracji",
     "actionUpdateSite": "Aktualizuj witrynę",
+    "actionResetSiteBandwidth": "Zresetuj przepustowość organizacji",
     "actionListSiteRoles": "Lista dozwolonych ról witryny",
     "actionCreateResource": "Utwórz zasób",
     "actionDeleteResource": "Usuń zasób",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Usuń użytkownika",
     "actionListUsers": "Lista użytkowników",
     "actionAddUserRole": "Dodaj rolę użytkownika",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Ustaw role użytkownika",
     "actionGenerateAccessToken": "Wygeneruj token dostępu",
     "actionDeleteAccessToken": "Usuń token dostępu",
     "actionListAccessTokens": "Lista tokenów dostępu",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Role",
     "sidebarShareableLinks": "Linki",
     "sidebarApiKeys": "Klucze API",
+    "sidebarProvisioning": "Dostarczanie",
     "sidebarSettings": "Ustawienia",
     "sidebarAllUsers": "Wszyscy użytkownicy",
     "sidebarIdentityProviders": "Dostawcy tożsamości",
@@ -1890,6 +1948,40 @@
     "exitNode": "Węzeł Wyjściowy",
     "country": "Kraj",
     "rulesMatchCountry": "Obecnie bazuje na adresie IP źródła",
+    "region": "Region",
+    "selectRegion": "Wybierz region",
+    "searchRegions": "Szukaj regionów...",
+    "noRegionFound": "Nie znaleziono regionu.",
+    "rulesMatchRegion": "Wybierz regionalną grupę krajów",
+    "rulesErrorInvalidRegion": "Nieprawidłowy region",
+    "rulesErrorInvalidRegionDescription": "Proszę wybrać prawidłowy region.",
+    "regionAfrica": "Afryka",
+    "regionNorthernAfrica": "Afryka Północna",
+    "regionEasternAfrica": "Afryka Wschodnia",
+    "regionMiddleAfrica": "Afryka Środkowa",
+    "regionSouthernAfrica": "Afryka Południowa",
+    "regionWesternAfrica": "Afryka Zachodnia",
+    "regionAmericas": "Ameryka",
+    "regionCaribbean": "Karaiby",
+    "regionCentralAmerica": "Ameryka Środkowa",
+    "regionSouthAmerica": "Ameryka Południowej",
+    "regionNorthernAmerica": "Ameryka Północna",
+    "regionAsia": "Akwakultura",
+    "regionCentralAsia": "Azja Środkowa",
+    "regionEasternAsia": "Azja Wschodnia",
+    "regionSouthEasternAsia": "Azja Południowo-Wschodnia",
+    "regionSouthernAsia": "Azja Południowa",
+    "regionWesternAsia": "Azja Zachodnia",
+    "regionEurope": "Europa",
+    "regionEasternEurope": "Europa Wschodnia",
+    "regionNorthernEurope": "Europa Północna",
+    "regionSouthernEurope": "Europa Południowa",
+    "regionWesternEurope": "Europa Zachodnia",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Australia i Nowa Zelandia",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
     "managedSelfHosted": {
         "title": "Zarządzane Samodzielnie-Hostingowane",
         "description": "Większa niezawodność i niska konserwacja serwera Pangolin z dodatkowymi dzwonkami i sygnałami",
@@ -1938,6 +2030,25 @@
     "invalidValue": "Nieprawidłowa wartość",
     "idpTypeLabel": "Typ dostawcy tożsamości",
     "roleMappingExpressionPlaceholder": "np. zawiera(grupy, 'admin') && 'Admin' || 'Członek'",
+    "roleMappingModeFixedRoles": "Stałe role",
+    "roleMappingModeMappingBuilder": "Konstruktor mapowania",
+    "roleMappingModeRawExpression": "Surowe wyrażenie",
+    "roleMappingFixedRolesPlaceholderSelect": "Wybierz jedną lub więcej ról",
+    "roleMappingFixedRolesPlaceholderFreeform": "Wpisz nazwy ról (dopasowanie na organizację)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Przypisz tę samą rolę do każdego automatycznie udostępnionego użytkownika.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "W przypadku domyślnych zasad nazwy ról typu które istnieją w każdej organizacji, gdzie użytkownicy są zapisywani. Nazwy muszą się dokładnie zgadzać.",
+    "roleMappingClaimPath": "Ścieżka przejęcia",
+    "roleMappingClaimPathPlaceholder": "grupy",
+    "roleMappingClaimPathDescription": "Ścieżka w payloadzie tokenów, która zawiera wartości źródłowe (np. grupy).",
+    "roleMappingMatchValue": "Wartość dopasowania",
+    "roleMappingAssignRoles": "Przypisz role",
+    "roleMappingAddMappingRule": "Dodaj regułę mapowania",
+    "roleMappingRawExpressionResultDescription": "Wyrażenie musi ocenić do tablicy ciągów lub ciągów.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Wyrażenie musi oceniać ciąg znaków (pojedyncza nazwa).",
+    "roleMappingMatchValuePlaceholder": "Wartość dopasowania (na przykład: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Wpisz nazwy ról (aktywizacja na org)",
+    "roleMappingBuilderFreeformRowHint": "Nazwy ról muszą pasować do roli w każdej organizacji docelowej.",
+    "roleMappingRemoveRule": "Usuń",
     "idpGoogleConfiguration": "Konfiguracja Google",
     "idpGoogleConfigurationDescription": "Skonfiguruj dane logowania Google OAuth2",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "Jak długo zachować dzienniki dostępu",
     "logRetentionActionLabel": "Zachowanie dziennika akcji",
     "logRetentionActionDescription": "Jak długo zachować dzienniki akcji",
+    "logRetentionConnectionLabel": "Zachowanie dziennika połączeń",
+    "logRetentionConnectionDescription": "Jak długo zachować dzienniki połączeń",
     "logRetentionDisabled": "Wyłączone",
     "logRetention3Days": "3 dni",
     "logRetention7Days": "7 dni",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Koniec następnego roku",
     "actionLogsDescription": "Zobacz historię działań wykonywanych w tej organizacji",
     "accessLogsDescription": "Wyświetl prośby o autoryzację dostępu do zasobów w tej organizacji",
+    "connectionLogs": "Dzienniki połączeń",
+    "connectionLogsDescription": "Wyświetl dzienniki połączeń dla tuneli w tej organizacji",
+    "sidebarLogsConnection": "Dzienniki połączeń",
+    "sidebarLogsStreaming": "Strumieniowanie",
+    "sourceAddress": "Adres źródłowy",
+    "destinationAddress": "Adres docelowy",
+    "duration": "Czas trwania",
     "licenseRequiredToUse": "Do korzystania z tej funkcji wymagana jest licencja <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lub <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> . <bookADemoLink>Zarezerwuj wersję demonstracyjną lub wersję próbną POC</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> jest wymagany do korzystania z tej funkcji. Ta funkcja jest również dostępna w <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Zarezerwuj demo lub okres próbny POC</bookADemoLink>.",
     "certResolver": "Rozwiązywanie certyfikatów",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Edytuj rolę i włącz opcję \"Wymagaj zatwierdzenia urządzenia\". Użytkownicy z tą rolą będą potrzebowali zatwierdzenia administratora dla nowych urządzeń.",
     "approvalsEmptyStatePreviewDescription": "Podgląd: Gdy włączone, oczekujące prośby o sprawdzenie pojawią się tutaj",
     "approvalsEmptyStateButtonText": "Zarządzaj rolami",
-    "domainErrorTitle": "Mamy problem z weryfikacją Twojej domeny"
+    "domainErrorTitle": "Mamy problem z weryfikacją Twojej domeny",
+    "idpAdminAutoProvisionPoliciesTabHint": "Skonfiguruj mapowanie ról i zasady organizacji na karcie <policiesTabLink>Auto Provivision Settings</policiesTabLink>.",
+    "streamingTitle": "Strumieniowanie wydarzeń",
+    "streamingDescription": "Wydarzenia strumieniowe z Twojej organizacji do zewnętrznych miejsc przeznaczenia w czasie rzeczywistym.",
+    "streamingUnnamedDestination": "Miejsce przeznaczenia bez nazwy",
+    "streamingNoUrlConfigured": "Brak skonfigurowanego adresu URL",
+    "streamingAddDestination": "Dodaj cel",
+    "streamingHttpWebhookTitle": "Webhook HTTP",
+    "streamingHttpWebhookDescription": "Wyślij zdarzenia do dowolnego punktu końcowego HTTP z elastycznym uwierzytelnianiem i szablonem.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Zdarzenia strumieniowe do magazynu obiektów kompatybilnych z S3. Już wkrótce.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Przekaż wydarzenia bezpośrednio do Twojego konta Datadog. Już wkrótce.",
+    "streamingTypePickerDescription": "Wybierz typ docelowy, aby rozpocząć.",
+    "streamingFailedToLoad": "Nie udało się załadować miejsc docelowych",
+    "streamingUnexpectedError": "Wystąpił nieoczekiwany błąd.",
+    "streamingFailedToUpdate": "Nie udało się zaktualizować miejsca docelowego",
+    "streamingDeletedSuccess": "Cel usunięty pomyślnie",
+    "streamingFailedToDelete": "Nie udało się usunąć miejsca docelowego",
+    "streamingDeleteTitle": "Usuń cel",
+    "streamingDeleteButtonText": "Usuń cel",
+    "streamingDeleteDialogAreYouSure": "Czy na pewno chcesz usunąć",
+    "streamingDeleteDialogThisDestination": "ten cel",
+    "streamingDeleteDialogPermanentlyRemoved": "? Wszystkie konfiguracje zostaną trwale usunięte.",
+    "httpDestEditTitle": "Edytuj cel",
+    "httpDestAddTitle": "Dodaj cel HTTP",
+    "httpDestEditDescription": "Aktualizuj konfigurację dla tego celu przesyłania strumieniowego zdarzeń HTTP.",
+    "httpDestAddDescription": "Skonfiguruj nowy punkt końcowy HTTP, aby otrzymywać wydarzenia organizacji.",
+    "httpDestTabSettings": "Ustawienia",
+    "httpDestTabHeaders": "Nagłówki",
+    "httpDestTabBody": "Ciało",
+    "httpDestTabLogs": "Logi",
+    "httpDestNamePlaceholder": "Mój cel HTTP",
+    "httpDestUrlLabel": "Adres docelowy",
+    "httpDestUrlErrorHttpRequired": "Adres URL musi używać http lub https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS jest wymagany dla wdrożenia w chmurze",
+    "httpDestUrlErrorInvalid": "Wprowadź poprawny adres URL (np. https://example.com/webhook)",
+    "httpDestAuthTitle": "Uwierzytelnianie",
+    "httpDestAuthDescription": "Wybierz sposób uwierzytelniania żądań do Twojego punktu końcowego.",
+    "httpDestAuthNoneTitle": "Brak uwierzytelniania",
+    "httpDestAuthNoneDescription": "Wysyła żądania bez nagłówka autoryzacji.",
+    "httpDestAuthBearerTitle": "Token Bearer",
+    "httpDestAuthBearerDescription": "Dodaje autoryzację: nagłówek Bearer <token> do każdego żądania.",
+    "httpDestAuthBearerPlaceholder": "Twój klucz API lub token",
+    "httpDestAuthBasicTitle": "Podstawowa Autoryzacja",
+    "httpDestAuthBasicDescription": "Dodaje Autoryzacja: Nagłówek Basic <credentials> . Podaj poświadczenia jako nazwę użytkownika: hasło.",
+    "httpDestAuthBasicPlaceholder": "Nazwa użytkownika:hasło",
+    "httpDestAuthCustomTitle": "Niestandardowy nagłówek",
+    "httpDestAuthCustomDescription": "Określ niestandardową nazwę nagłówka HTTP i wartość dla uwierzytelniania (np. X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Nazwa nagłówka (np. klucz X-API)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Wartość nagłówka",
+    "httpDestCustomHeadersTitle": "Niestandardowe nagłówki HTTP",
+    "httpDestCustomHeadersDescription": "Dodaj własne nagłówki do każdego wychodzącego żądania. Przydatne dla tokenów statycznych lub niestandardowego typu zawartości. Domyślnie Content-Type: aplikacja/json jest wysyłane.",
+    "httpDestNoHeadersConfigured": "Nie skonfigurowano nagłówków niestandardowych. Kliknij \"Dodaj nagłówek\", aby go dodać.",
+    "httpDestHeaderNamePlaceholder": "Nazwa nagłówka",
+    "httpDestHeaderValuePlaceholder": "Wartość",
+    "httpDestAddHeader": "Dodaj nagłówek",
+    "httpDestBodyTemplateTitle": "Własny szablon ciała",
+    "httpDestBodyTemplateDescription": "Kontroluj strukturę JSON wysyłaną do Twojego punktu końcowego. Jeśli wyłączone, dla każdego zdarzenia wysyłany jest domyślny obiekt JSON.",
+    "httpDestEnableBodyTemplate": "Włącz niestandardowy szablon ciała",
+    "httpDestBodyTemplateLabel": "Szablon ciała (JSON)",
+    "httpDestBodyTemplateHint": "Użyj zmiennych szablonu do odniesienia pól zdarzeń w twoim payloadzie.",
+    "httpDestPayloadFormatTitle": "Format obciążenia",
+    "httpDestPayloadFormatDescription": "Jak zdarzenia są serializowane w każdym organie żądania.",
+    "httpDestFormatJsonArrayTitle": "Tablica JSON",
+    "httpDestFormatJsonArrayDescription": "Jedna prośba na partię, treść jest tablicą JSON. Kompatybilna z najbardziej ogólnymi webhookami i Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Jedno żądanie na partię, ciałem jest plik JSON rozdzielony na newline-delimited — jeden obiekt na wiersz, bez tablicy zewnętrznej. Wymagane przez Splunk HEC, Elastic / OpenSesearch i Grafana Loki.",
+    "httpDestFormatSingleTitle": "Jedno wydarzenie na żądanie",
+    "httpDestFormatSingleDescription": "Wysyła oddzielny POST HTTP dla każdego zdarzenia. Użyj tylko dla punktów końcowych, które nie mogą obsługiwać partii.",
+    "httpDestLogTypesTitle": "Typy logów",
+    "httpDestLogTypesDescription": "Wybierz, które typy logów są przekazywane do tego miejsca docelowego. Tylko włączone typy logów będą strumieniowane.",
+    "httpDestAccessLogsTitle": "Logi dostępu",
+    "httpDestAccessLogsDescription": "Próby dostępu do zasobów, w tym uwierzytelnione i odrzucone żądania.",
+    "httpDestActionLogsTitle": "Dzienniki działań",
+    "httpDestActionLogsDescription": "Działania administracyjne wykonywane przez użytkowników w organizacji.",
+    "httpDestConnectionLogsTitle": "Dzienniki połączeń",
+    "httpDestConnectionLogsDescription": "Zdarzenia związane z miejscem i tunelem, w tym połączenia i rozłączenia.",
+    "httpDestRequestLogsTitle": "Dzienniki żądań",
+    "httpDestRequestLogsDescription": "Logi żądań HTTP dla zasobów proxy, w tym metody, ścieżki i kodu odpowiedzi.",
+    "httpDestSaveChanges": "Zapisz zmiany",
+    "httpDestCreateDestination": "Utwórz cel",
+    "httpDestUpdatedSuccess": "Cel został pomyślnie zaktualizowany",
+    "httpDestCreatedSuccess": "Cel został utworzony pomyślnie",
+    "httpDestUpdateFailed": "Nie udało się zaktualizować miejsca docelowego",
+    "httpDestCreateFailed": "Nie udało się utworzyć miejsca docelowego"
 }

From 467808f1744086c28f5e900747a031333ada8bdf Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:19:57 -0700
Subject: [PATCH 207/314] New translations en-us.json (Portuguese)

---
 messages/pt-PT.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/pt-PT.json b/messages/pt-PT.json
index b121f4b16..2573ed6da 100644
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -148,6 +148,11 @@
     "createLink": "Criar Link",
     "resourcesNotFound": "Nenhum recurso encontrado",
     "resourceSearch": "Recursos de pesquisa",
+    "machineSearch": "Procurar máquinas",
+    "machinesSearch": "Pesquisar clientes de máquina...",
+    "machineNotFound": "Nenhuma máquina encontrada",
+    "userDeviceSearch": "Procurar dispositivos do usuário",
+    "userDevicesSearch": "Pesquisar dispositivos do usuário...",
     "openMenu": "Abrir menu",
     "resource": "Recurso",
     "title": "Título",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "Excluir Chave API",
     "apiKeysManage": "Gerir Chaves API",
     "apiKeysDescription": "As chaves API são usadas para autenticar com a API de integração",
+    "provisioningKeysTitle": "Chave de provisionamento",
+    "provisioningKeysManage": "Gerenciar chaves de provisionamento",
+    "provisioningKeysDescription": "Chaves de provisionamento são usadas para autenticar o provisionamento automatizado do site para sua organização.",
+    "provisioningManage": "Provisionamento",
+    "provisioningDescription": "Gerenciar chaves de provisionamento e revisar sites pendentes aguardando aprovação.",
+    "pendingSites": "Sites pendentes",
+    "siteApproveSuccess": "Site aprovado com sucesso",
+    "siteApproveError": "Erro ao aprovar site",
+    "provisioningKeys": "Posicionando chaves",
+    "searchProvisioningKeys": "Pesquisar chaves de provisionamento...",
+    "provisioningKeysAdd": "Gerar chave de provisionamento",
+    "provisioningKeysErrorDelete": "Erro ao excluir chave de provisionamento",
+    "provisioningKeysErrorDeleteMessage": "Erro ao excluir chave de provisionamento",
+    "provisioningKeysQuestionRemove": "Tem certeza de que deseja remover esta chave de provisionamento da organização?",
+    "provisioningKeysMessageRemove": "Uma vez removida, a chave não pode mais ser usada para o provisionamento do site.",
+    "provisioningKeysDeleteConfirm": "Confirmar chave de exclusão",
+    "provisioningKeysDelete": "Apagar chave de provisionamento",
+    "provisioningKeysCreate": "Gerar chave de provisionamento",
+    "provisioningKeysCreateDescription": "Gerar uma nova chave de provisionamento para a organização",
+    "provisioningKeysSeeAll": "Ver todas as chaves provisionadas",
+    "provisioningKeysSave": "Salvar a chave de provisionamento",
+    "provisioningKeysSaveDescription": "Você só será capaz de ver esta vez. Copiá-lo para um lugar seguro.",
+    "provisioningKeysErrorCreate": "Erro ao criar chave de provisionamento",
+    "provisioningKeysList": "Nova chave de aprovisionamento",
+    "provisioningKeysMaxBatchSize": "Tamanho máximo do lote",
+    "provisioningKeysUnlimitedBatchSize": "Tamanho ilimitado em lote (sem limite)",
+    "provisioningKeysMaxBatchUnlimited": "Ilimitado",
+    "provisioningKeysMaxBatchSizeInvalid": "Informe um tamanho máximo válido em lote (1–1,000,000).",
+    "provisioningKeysValidUntil": "Valido ate",
+    "provisioningKeysValidUntilHint": "Deixe em branco para nenhuma expiração.",
+    "provisioningKeysValidUntilInvalid": "Informe uma data e hora válidas.",
+    "provisioningKeysNumUsed": "Use percentual",
+    "provisioningKeysLastUsed": "Última utilização",
+    "provisioningKeysNoExpiry": "Sem vencimento",
+    "provisioningKeysNeverUsed": "nunca",
+    "provisioningKeysEdit": "Editar chave de provisionamento",
+    "provisioningKeysEditDescription": "Atualizar o tamanho máximo do lote e tempo de expiração para esta chave.",
+    "provisioningKeysApproveNewSites": "Aprovar novos sites",
+    "provisioningKeysApproveNewSitesDescription": "Aprovar automaticamente sites que se registram com esta chave.",
+    "provisioningKeysUpdateError": "Erro ao atualizar chave de provisionamento",
+    "provisioningKeysUpdated": "Chave de provisionamento atualizada",
+    "provisioningKeysUpdatedDescription": "Suas alterações foram salvas.",
+    "provisioningKeysBannerTitle": "Chaves de provisionamento do site",
+    "provisioningKeysBannerDescription": "Gerar uma chave de provisionamento e usá-la com o conector de Newt para criar automaticamente sites na primeira inicialização — não é necessário configurar credenciais separadas para cada site.",
+    "provisioningKeysBannerButtonText": "Saiba mais",
+    "pendingSitesBannerTitle": "Sites pendentes",
+    "pendingSitesBannerDescription": "Sites que conectam usando uma chave de provisionamento aparecem aqui para revisão. Aprovar cada site antes de se tornar ativo e ganhar acesso a seus recursos.",
+    "pendingSitesBannerButtonText": "Saiba mais",
     "apiKeysSettings": "Configurações de {apiKeyName}",
     "userTitle": "Gerir Todos os Utilizadores",
     "userDescription": "Visualizar e gerir todos os utilizadores no sistema",
@@ -509,9 +562,12 @@
     "userSaved": "Usuário salvo",
     "userSavedDescription": "O utilizador foi atualizado.",
     "autoProvisioned": "Auto provisionado",
+    "autoProvisionSettings": "Configurações de provisão automática",
     "autoProvisionedDescription": "Permitir que este utilizador seja gerido automaticamente pelo provedor de identidade",
     "accessControlsDescription": "Gerir o que este utilizador pode aceder e fazer na organização",
     "accessControlsSubmit": "Guardar Controlos de Acesso",
+    "singleRolePerUserPlanNotice": "Seu plano suporta apenas uma função por usuário.",
+    "singleRolePerUserEditionNotice": "Esta edição suporta apenas uma função por usuário.",
     "roles": "Funções",
     "accessUsersRoles": "Gerir Utilizadores e Funções",
     "accessUsersRolesDescription": "Convidar usuários e adicioná-los a funções para gerenciar o acesso à organização",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Digite o token de configuração do console do servidor.",
     "setupTokenRequired": "Token de configuração é necessário",
     "actionUpdateSite": "Atualizar Site",
+    "actionResetSiteBandwidth": "Redefinir banda da organização",
     "actionListSiteRoles": "Listar Funções Permitidas do Site",
     "actionCreateResource": "Criar Recurso",
     "actionDeleteResource": "Eliminar Recurso",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Remover Utilizador",
     "actionListUsers": "Listar Utilizadores",
     "actionAddUserRole": "Adicionar Função ao Utilizador",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Definir funções do usuário",
     "actionGenerateAccessToken": "Gerar Token de Acesso",
     "actionDeleteAccessToken": "Eliminar Token de Acesso",
     "actionListAccessTokens": "Listar Tokens de Acesso",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Papéis",
     "sidebarShareableLinks": "Links",
     "sidebarApiKeys": "Chaves API",
+    "sidebarProvisioning": "Provisionamento",
     "sidebarSettings": "Configurações",
     "sidebarAllUsers": "Todos os utilizadores",
     "sidebarIdentityProviders": "Provedores de identidade",
@@ -1890,6 +1948,40 @@
     "exitNode": "Nodo de Saída",
     "country": "País",
     "rulesMatchCountry": "Atualmente baseado no IP de origem",
+    "region": "Região",
+    "selectRegion": "Selecionar região",
+    "searchRegions": "Procurar regiões...",
+    "noRegionFound": "Nenhuma região encontrada.",
+    "rulesMatchRegion": "Selecione um grupo regional de países",
+    "rulesErrorInvalidRegion": "Região inválida",
+    "rulesErrorInvalidRegionDescription": "Por favor, selecione uma região válida.",
+    "regionAfrica": "África",
+    "regionNorthernAfrica": "África do Norte",
+    "regionEasternAfrica": "África Oriental",
+    "regionMiddleAfrica": "África Média",
+    "regionSouthernAfrica": "África Austral",
+    "regionWesternAfrica": "África Ocidental",
+    "regionAmericas": "Américas",
+    "regionCaribbean": "Caribe",
+    "regionCentralAmerica": "América Central",
+    "regionSouthAmerica": "América do Sul",
+    "regionNorthernAmerica": "América do Norte",
+    "regionAsia": "Ásia",
+    "regionCentralAsia": "Ásia Central",
+    "regionEasternAsia": "Ásia Oriental",
+    "regionSouthEasternAsia": "Sudeste da Ásia",
+    "regionSouthernAsia": "Sudeste da Ásia",
+    "regionWesternAsia": "Ásia Ocidental",
+    "regionEurope": "Europa",
+    "regionEasternEurope": "Europa Oriental",
+    "regionNorthernEurope": "Europa do Norte",
+    "regionSouthernEurope": "Europa do Sul",
+    "regionWesternEurope": "Europa Ocidental",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Austrália e Nova Zelândia",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
     "managedSelfHosted": {
         "title": "Gerenciado Auto-Hospedado",
         "description": "Servidor Pangolin auto-hospedado mais confiável e com baixa manutenção com sinos extras e assobiamentos",
@@ -1938,6 +2030,25 @@
     "invalidValue": "Valor Inválido",
     "idpTypeLabel": "Tipo de provedor de identidade",
     "roleMappingExpressionPlaceholder": "ex.: Contem (grupos, 'administrador') && 'Administrador' 「'Membro'",
+    "roleMappingModeFixedRoles": "Papéis fixos",
+    "roleMappingModeMappingBuilder": "Mapeando Construtor",
+    "roleMappingModeRawExpression": "Expressão Bruta",
+    "roleMappingFixedRolesPlaceholderSelect": "Selecione um ou mais papéis",
+    "roleMappingFixedRolesPlaceholderFreeform": "Digite o nome das funções (correspondência exata por organização)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Atribuir o mesmo conjunto de funções a cada usuário auto-provisionado.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Para políticas padrão, nomes de funções de tipo que existem em cada organização onde os usuários são fornecidos. Nomes devem coincidir exatamente.",
+    "roleMappingClaimPath": "Caminho da Reivindicação",
+    "roleMappingClaimPathPlaceholder": "grupos",
+    "roleMappingClaimPathDescription": "Caminho no payload token que contém valores de origem (por exemplo, grupos).",
+    "roleMappingMatchValue": "Valor Correspondente",
+    "roleMappingAssignRoles": "Atribuir Papéis",
+    "roleMappingAddMappingRule": "Adicionar regra de mapeamento",
+    "roleMappingRawExpressionResultDescription": "Expressão deve retornar à matriz string ou string.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Expressão deve ser avaliada para uma string (um nome de função única).",
+    "roleMappingMatchValuePlaceholder": "Valor do jogo (por exemplo: administrador)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Digite nomes de funções ((exact por org)",
+    "roleMappingBuilderFreeformRowHint": "Nomes de papéis devem corresponder a um papel em cada organizaçãoalvo.",
+    "roleMappingRemoveRule": "Remover",
     "idpGoogleConfiguration": "Configuração do Google",
     "idpGoogleConfigurationDescription": "Configurar as credenciais do Google OAuth2",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "Por quanto tempo manter os registros de acesso",
     "logRetentionActionLabel": "Ação de Retenção no Log",
     "logRetentionActionDescription": "Por quanto tempo manter os registros de ação",
+    "logRetentionConnectionLabel": "Retenção de registro de conexão",
+    "logRetentionConnectionDescription": "Por quanto tempo manter os registros de conexão",
     "logRetentionDisabled": "Desabilitado",
     "logRetention3Days": "3 dias",
     "logRetention7Days": "7 dias",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Fim do ano seguinte",
     "actionLogsDescription": "Visualizar histórico de ações realizadas nesta organização",
     "accessLogsDescription": "Ver solicitações de autenticação de recursos nesta organização",
+    "connectionLogs": "Logs da conexão",
+    "connectionLogsDescription": "Ver logs de conexão para túneis nesta organização",
+    "sidebarLogsConnection": "Logs da conexão",
+    "sidebarLogsStreaming": "Transmitindo",
+    "sourceAddress": "Endereço de origem",
+    "destinationAddress": "Endereço de destino",
+    "duration": "Duração",
     "licenseRequiredToUse": "Uma licença <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> ou <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> é necessária para usar este recurso. <bookADemoLink>Reserve um teste de demonstração ou POC</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "O <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> é necessário para usar este recurso. Este recurso também está disponível no <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Reserve uma demonstração ou avaliação POC</bookADemoLink>.",
     "certResolver": "Resolvedor de Certificado",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Editar uma função e habilitar a opção 'Exigir aprovação de dispositivos'. Usuários com essa função precisarão de aprovação de administrador para novos dispositivos.",
     "approvalsEmptyStatePreviewDescription": "Pré-visualização: Quando ativado, solicitações de dispositivo pendentes aparecerão aqui para revisão",
     "approvalsEmptyStateButtonText": "Gerir Funções",
-    "domainErrorTitle": "Estamos tendo problemas ao verificar seu domínio"
+    "domainErrorTitle": "Estamos tendo problemas ao verificar seu domínio",
+    "idpAdminAutoProvisionPoliciesTabHint": "Configurar funções de mapeamento e políticas de organização na aba <policiesTabLink>Auto Provision Settings</policiesTabLink>.",
+    "streamingTitle": "Streaming do Evento",
+    "streamingDescription": "Transmita eventos de sua organização para destinos externos em tempo real.",
+    "streamingUnnamedDestination": "Destino sem nome",
+    "streamingNoUrlConfigured": "Nenhuma URL configurada",
+    "streamingAddDestination": "Adicionar destino",
+    "streamingHttpWebhookTitle": "Webhook HTTP",
+    "streamingHttpWebhookDescription": "Envie os eventos para qualquer endpoint HTTP com autenticação flexível e modelo.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Transmitir eventos para um balde de armazenamento de objetos compatível com S3. Em breve.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Encaminha eventos diretamente para a sua conta no Datadog. Em breve.",
+    "streamingTypePickerDescription": "Escolha um tipo de destino para começar.",
+    "streamingFailedToLoad": "Falha ao carregar destinos",
+    "streamingUnexpectedError": "Ocorreu um erro inesperado.",
+    "streamingFailedToUpdate": "Falha ao atualizar destino",
+    "streamingDeletedSuccess": "Destino apagado com sucesso",
+    "streamingFailedToDelete": "Falha ao excluir destino",
+    "streamingDeleteTitle": "Excluir destino",
+    "streamingDeleteButtonText": "Excluir destino",
+    "streamingDeleteDialogAreYouSure": "Tem certeza de que deseja excluir",
+    "streamingDeleteDialogThisDestination": "este destino",
+    "streamingDeleteDialogPermanentlyRemoved": "? Todas as configurações serão permanentemente removidas.",
+    "httpDestEditTitle": "Editar destino",
+    "httpDestAddTitle": "Adicionar Destino HTTP",
+    "httpDestEditDescription": "Atualizar a configuração para este destino de transmissão de eventos HTTP.",
+    "httpDestAddDescription": "Configure um novo ponto de extremidade HTTP para receber eventos da sua organização.",
+    "httpDestTabSettings": "Confirgurações",
+    "httpDestTabHeaders": "Cabeçalhos",
+    "httpDestTabBody": "Conteúdo",
+    "httpDestTabLogs": "Registros",
+    "httpDestNamePlaceholder": "Meu destino HTTP",
+    "httpDestUrlLabel": "URL de destino",
+    "httpDestUrlErrorHttpRequired": "A URL deve usar http ou https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS é necessário em implantações em nuvem",
+    "httpDestUrlErrorInvalid": "Informe uma URL válida (por exemplo, https://example.com/webhook)",
+    "httpDestAuthTitle": "Autenticação",
+    "httpDestAuthDescription": "Escolha como os pedidos para seu endpoint são autenticados.",
+    "httpDestAuthNoneTitle": "Sem Autenticação",
+    "httpDestAuthNoneDescription": "Envia pedidos sem um cabeçalho de autorização.",
+    "httpDestAuthBearerTitle": "Token do portador",
+    "httpDestAuthBearerDescription": "Adiciona uma autorização: Bearer <token> header a cada requisição.",
+    "httpDestAuthBearerPlaceholder": "Sua chave de API ou token",
+    "httpDestAuthBasicTitle": "Autenticação básica",
+    "httpDestAuthBasicDescription": "Adiciona uma Autorização: cabeçalho <credentials> básico. Forneça credenciais como nome de usuário:senha.",
+    "httpDestAuthBasicPlaceholder": "Usuário:password",
+    "httpDestAuthCustomTitle": "Cabeçalho personalizado",
+    "httpDestAuthCustomDescription": "Especifique um nome e valor de cabeçalho HTTP personalizado para autenticação (por exemplo, X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Nome do cabeçalho (ex: X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Valor do cabeçalho",
+    "httpDestCustomHeadersTitle": "Cabeçalhos HTTP personalizados",
+    "httpDestCustomHeadersDescription": "Adicionar cabeçalhos personalizados a todas as solicitações de saída. Útil para tokens estáticos ou um tipo de conteúdo personalizado. Por padrão, Content-Type: application/json é enviado.",
+    "httpDestNoHeadersConfigured": "Nenhum cabeçalho personalizado configurado. Clique em \"Adicionar Cabeçalho\" para adicionar um.",
+    "httpDestHeaderNamePlaceholder": "Nome do Cabeçalho",
+    "httpDestHeaderValuePlaceholder": "Valor",
+    "httpDestAddHeader": "Adicionar Cabeçalho",
+    "httpDestBodyTemplateTitle": "Modelo de corpo personalizado",
+    "httpDestBodyTemplateDescription": "Controla a estrutura de carga JSON enviada ao seu endpoint. Se desativado, um objeto JSON padrão é enviado para cada evento.",
+    "httpDestEnableBodyTemplate": "Ativar modelo personalizado de corpo",
+    "httpDestBodyTemplateLabel": "Modelo de corpo (JSON)",
+    "httpDestBodyTemplateHint": "Use variáveis de template para referenciar campos de evento em seu payload.",
+    "httpDestPayloadFormatTitle": "Formato de carga",
+    "httpDestPayloadFormatDescription": "Como os eventos são serializados em cada corpo do pedido.",
+    "httpDestFormatJsonArrayTitle": "Matriz JSON",
+    "httpDestFormatJsonArrayDescription": "Um pedido por lote, o corpo é um array JSON. Compatível com a maioria dos webhooks genéricos e Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Um pedido por lote, o corpo é um JSON delimitado por nova-linha — um objeto por linha, sem array exterior. Requerido pelo Splunk HEC, Elástico / OpenSearch, e Grafana Loki.",
+    "httpDestFormatSingleTitle": "Um Evento por Requisição",
+    "httpDestFormatSingleDescription": "Envia um POST HTTP separado para cada evento. Utilize apenas para endpoints que não podem manipular lotes.",
+    "httpDestLogTypesTitle": "Tipos de log",
+    "httpDestLogTypesDescription": "Escolha quais tipos de log são encaminhados para este destino. Somente serão racionalizados os tipos de logs habilitados.",
+    "httpDestAccessLogsTitle": "Logs de Acesso",
+    "httpDestAccessLogsDescription": "Tentativas de acesso a recursos, incluindo solicitações autenticadas e negadas.",
+    "httpDestActionLogsTitle": "Logs de Ações",
+    "httpDestActionLogsDescription": "Ações administrativas realizadas por usuários dentro da organização.",
+    "httpDestConnectionLogsTitle": "Logs da conexão",
+    "httpDestConnectionLogsDescription": "Eventos de conexão de site e túnel, incluindo conexões e desconexões.",
+    "httpDestRequestLogsTitle": "Registro de pedidos",
+    "httpDestRequestLogsDescription": "Logs de solicitação HTTP para recursos proxy incluindo o método, o caminho e o código de resposta.",
+    "httpDestSaveChanges": "Salvar as alterações",
+    "httpDestCreateDestination": "Criar destino",
+    "httpDestUpdatedSuccess": "Destino atualizado com sucesso",
+    "httpDestCreatedSuccess": "Destino criado com sucesso",
+    "httpDestUpdateFailed": "Falha ao atualizar destino",
+    "httpDestCreateFailed": "Falha ao criar destino"
 }

From d07996d435e777a54925c2bf14b85afaa9e2255d Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:19:59 -0700
Subject: [PATCH 208/314] New translations en-us.json (Russian)

---
 messages/ru-RU.json | 175 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 173 insertions(+), 2 deletions(-)

diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index 98a787f45..b44ec36ed 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -148,6 +148,11 @@
     "createLink": "Создать ссылку",
     "resourcesNotFound": "Ресурсы не найдены",
     "resourceSearch": "Поиск ресурсов",
+    "machineSearch": "Поиск машин",
+    "machinesSearch": "Поиск клиентов машины...",
+    "machineNotFound": "Машины не найдены",
+    "userDeviceSearch": "Поиск устройств пользователя",
+    "userDevicesSearch": "Поиск устройств пользователя...",
     "openMenu": "Открыть меню",
     "resource": "Ресурс",
     "title": "Заголовок",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "Удаление ключа API",
     "apiKeysManage": "Управление ключами API",
     "apiKeysDescription": "Ключи API используются для аутентификации в интеграционном API",
+    "provisioningKeysTitle": "Ключ подготовки",
+    "provisioningKeysManage": "Управление ключами подготовки",
+    "provisioningKeysDescription": "Ключи подготовки используются для аутентификации автоматического обеспечения сайта для вашей организации.",
+    "provisioningManage": "Подготовка",
+    "provisioningDescription": "Управляйте предоставленными ключами и проверять непроверенные сайты, ожидающие утверждения.",
+    "pendingSites": "Ожидающие сайты",
+    "siteApproveSuccess": "Сайт успешно утвержден",
+    "siteApproveError": "Ошибка при утверждении сайта",
+    "provisioningKeys": "Ключи подготовки",
+    "searchProvisioningKeys": "Поиск подготовительных ключей...",
+    "provisioningKeysAdd": "Сгенерировать ключ подготовки",
+    "provisioningKeysErrorDelete": "Ошибка при удалении подготовительного ключа",
+    "provisioningKeysErrorDeleteMessage": "Ошибка при удалении подготовительного ключа",
+    "provisioningKeysQuestionRemove": "Вы уверены, что хотите удалить этот ключ подготовки из организации?",
+    "provisioningKeysMessageRemove": "После удаления ключ больше не может быть использован для размещения сайта.",
+    "provisioningKeysDeleteConfirm": "Подтвердите удаление ключа подготовки",
+    "provisioningKeysDelete": "Удалить ключ подготовки",
+    "provisioningKeysCreate": "Сгенерировать ключ подготовки",
+    "provisioningKeysCreateDescription": "Создать новый подготовительный ключ для организации",
+    "provisioningKeysSeeAll": "Посмотреть все подготовительные ключи",
+    "provisioningKeysSave": "Сохранить ключ подготовки",
+    "provisioningKeysSaveDescription": "Вы сможете увидеть это только один раз. Скопируйте его в безопасное место.",
+    "provisioningKeysErrorCreate": "Ошибка при создании ключа подготовки",
+    "provisioningKeysList": "Новый подготовительный ключ",
+    "provisioningKeysMaxBatchSize": "Макс. размер партии",
+    "provisioningKeysUnlimitedBatchSize": "Неограниченный размер партии (без ограничений)",
+    "provisioningKeysMaxBatchUnlimited": "Неограниченный",
+    "provisioningKeysMaxBatchSizeInvalid": "Введите максимальный размер пакета (1–1,000,000).",
+    "provisioningKeysValidUntil": "Действителен до",
+    "provisioningKeysValidUntilHint": "Оставьте пустым для отсутствия срока действия.",
+    "provisioningKeysValidUntilInvalid": "Введите правильную дату и время.",
+    "provisioningKeysNumUsed": "Использовано раз",
+    "provisioningKeysLastUsed": "Последнее использованное",
+    "provisioningKeysNoExpiry": "Без истечения срока",
+    "provisioningKeysNeverUsed": "Никогда",
+    "provisioningKeysEdit": "Редактировать ключ подготовки",
+    "provisioningKeysEditDescription": "Обновить максимальный размер и срок действия этого ключа.",
+    "provisioningKeysApproveNewSites": "Одобрить новые сайты",
+    "provisioningKeysApproveNewSitesDescription": "Автоматически одобрять сайты, регистрирующиеся с этим ключом.",
+    "provisioningKeysUpdateError": "Ошибка при обновлении ключа подготовки",
+    "provisioningKeysUpdated": "Ключ подготовки обновлен",
+    "provisioningKeysUpdatedDescription": "Ваши изменения были сохранены.",
+    "provisioningKeysBannerTitle": "Ключи подготовки сайта",
+    "provisioningKeysBannerDescription": "Генерировать подготовительный ключ и использовать его вместе с Новым коннектором для автоматического создания сайтов при первом запуске — нет необходимости настраивать отдельные учетные данные для каждого сайта.",
+    "provisioningKeysBannerButtonText": "Узнать больше",
+    "pendingSitesBannerTitle": "Ожидающие сайты",
+    "pendingSitesBannerDescription": "Сайты, связанные с использованием ключа подготовки, появляются здесь для проверки. Одобрите каждый сайт, прежде чем он станет активным и получит доступ к вашим ресурсам.",
+    "pendingSitesBannerButtonText": "Узнать больше",
     "apiKeysSettings": "Настройки {apiKeyName}",
     "userTitle": "Управление всеми пользователями",
     "userDescription": "Просмотр и управление всеми пользователями в системе",
@@ -509,9 +562,12 @@
     "userSaved": "Пользователь сохранён",
     "userSavedDescription": "Пользователь был обновлён.",
     "autoProvisioned": "Автоподбор",
+    "autoProvisionSettings": "Настройки автоматического обеспечения",
     "autoProvisionedDescription": "Разрешить автоматическое управление этим пользователем",
     "accessControlsDescription": "Управляйте тем, к чему этот пользователь может получить доступ и что делать в организации",
     "accessControlsSubmit": "Сохранить контроль доступа",
+    "singleRolePerUserPlanNotice": "Ваш план поддерживает только одну роль каждого пользователя.",
+    "singleRolePerUserEditionNotice": "Эта редакция поддерживает только одну роль для каждого пользователя.",
     "roles": "Роли",
     "accessUsersRoles": "Управление пользователями и ролями",
     "accessUsersRolesDescription": "Пригласить пользователей и добавить их в роли для управления доступом к организации",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Введите токен настройки из консоли сервера.",
     "setupTokenRequired": "Токен настройки обязателен",
     "actionUpdateSite": "Обновить сайт",
+    "actionResetSiteBandwidth": "Сброс пропускной способности организации",
     "actionListSiteRoles": "Список разрешенных ролей сайта",
     "actionCreateResource": "Создать ресурс",
     "actionDeleteResource": "Удалить ресурс",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Удалить пользователя",
     "actionListUsers": "Список пользователей",
     "actionAddUserRole": "Добавить роль пользователя",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Установка ролей пользователей",
     "actionGenerateAccessToken": "Сгенерировать токен доступа",
     "actionDeleteAccessToken": "Удалить токен доступа",
     "actionListAccessTokens": "Список токенов доступа",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Роли",
     "sidebarShareableLinks": "Ссылки",
     "sidebarApiKeys": "API ключи",
+    "sidebarProvisioning": "Подготовка",
     "sidebarSettings": "Настройки",
     "sidebarAllUsers": "Все пользователи",
     "sidebarIdentityProviders": "Поставщики удостоверений",
@@ -1972,6 +2030,25 @@
     "invalidValue": "Неверное значение",
     "idpTypeLabel": "Тип поставщика удостоверений",
     "roleMappingExpressionPlaceholder": "например, contains(groups, 'admin') && 'Admin' || 'Member'",
+    "roleMappingModeFixedRoles": "Фиксированные роли",
+    "roleMappingModeMappingBuilder": "Сопоставляющий конструктор",
+    "roleMappingModeRawExpression": "Сырое выражение",
+    "roleMappingFixedRolesPlaceholderSelect": "Выберите одну или несколько ролей",
+    "roleMappingFixedRolesPlaceholderFreeform": "Тип имен ролей (точное совпадение по организации)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Назначить одну и ту же роль, которая установлена каждому автообеспеченному пользователю.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Для политик по умолчанию, введите имена ролей, которые существуют в каждой организации, где пользователи предоставлены. Имена должны соответствовать точно.",
+    "roleMappingClaimPath": "Путь к заявлению",
+    "roleMappingClaimPathPlaceholder": "группы",
+    "roleMappingClaimPathDescription": "Путь в полезной нагрузке токенов, который содержит исходные значения (например, группы).",
+    "roleMappingMatchValue": "Значение матча",
+    "roleMappingAssignRoles": "Назначить роли",
+    "roleMappingAddMappingRule": "Добавить правило сопоставления",
+    "roleMappingRawExpressionResultDescription": "Выражение должно быть оценено к строке или строковому массиву.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Выражение должно быть оценено строке (название одной роли).",
+    "roleMappingMatchValuePlaceholder": "Значение совпадения (например: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Введите имена ролей (точное по организациям)",
+    "roleMappingBuilderFreeformRowHint": "Имена ролей должны соответствовать роли в каждой целевой организации.",
+    "roleMappingRemoveRule": "Удалить",
     "idpGoogleConfiguration": "Конфигурация Google",
     "idpGoogleConfigurationDescription": "Настройка учетных данных Google OAuth2",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2368,6 +2445,8 @@
     "logRetentionAccessDescription": "Как долго сохранять журналы доступа",
     "logRetentionActionLabel": "Сохранение журнала действий",
     "logRetentionActionDescription": "Как долго хранить журналы действий",
+    "logRetentionConnectionLabel": "Сохранение журнала подключений",
+    "logRetentionConnectionDescription": "Как долго хранить журналы подключений",
     "logRetentionDisabled": "Отключено",
     "logRetention3Days": "3 дня",
     "logRetention7Days": "7 дней",
@@ -2378,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Конец следующего года",
     "actionLogsDescription": "Просмотр истории действий, выполненных в этой организации",
     "accessLogsDescription": "Просмотр запросов авторизации доступа к ресурсам этой организации",
+    "connectionLogs": "Журнал подключений",
+    "connectionLogsDescription": "Просмотр журналов подключения туннелей в этой организации",
+    "sidebarLogsConnection": "Журнал подключений",
+    "sidebarLogsStreaming": "Вещание",
+    "sourceAddress": "Адрес источника",
+    "destinationAddress": "Адрес назначения",
+    "duration": "Продолжительность",
     "licenseRequiredToUse": "Требуется лицензия на <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> или <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> для использования этой функции. <bookADemoLink>Забронируйте демонстрацию или пробный POC</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> требуется для использования этой функции. Эта функция также доступна в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Забронируйте демонстрацию или пробный POC</bookADemoLink>.",
     "certResolver": "Резольвер сертификата",
@@ -2717,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Редактировать роль и включить опцию 'Требовать утверждения устройств'. Пользователям с этой ролью потребуется подтверждение администратора для новых устройств.",
     "approvalsEmptyStatePreviewDescription": "Предпросмотр: Если включено, ожидающие запросы на устройство появятся здесь для проверки",
     "approvalsEmptyStateButtonText": "Управление ролями",
-    "domainErrorTitle": "У нас возникли проблемы с проверкой вашего домена"
+    "domainErrorTitle": "У нас возникли проблемы с проверкой вашего домена",
+    "idpAdminAutoProvisionPoliciesTabHint": "Настройте сопоставление ролей и организационные политики на вкладке <policiesTabLink>Настройки авто-предоставления</policiesTabLink>.",
+    "streamingTitle": "Поток событий",
+    "streamingDescription": "Трансляция событий от вашей организации к внешним направлениям в режиме реального времени.",
+    "streamingUnnamedDestination": "Место назначения без имени",
+    "streamingNoUrlConfigured": "URL-адрес не настроен",
+    "streamingAddDestination": "Добавить место назначения",
+    "streamingHttpWebhookTitle": "HTTP вебхук",
+    "streamingHttpWebhookDescription": "Отправлять события на любую конечную точку HTTP с гибкой аутентификацией и шаблоном.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Потоковая передача событий к пакету хранения объектов, совместимому с S3.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Перенаправлять события непосредственно на ваш аккаунт в Datadog. Скоро будет доступно.",
+    "streamingTypePickerDescription": "Выберите тип назначения, чтобы начать.",
+    "streamingFailedToLoad": "Не удалось загрузить места назначения",
+    "streamingUnexpectedError": "Произошла непредвиденная ошибка.",
+    "streamingFailedToUpdate": "Не удалось обновить место назначения",
+    "streamingDeletedSuccess": "Адрес назначения успешно удален",
+    "streamingFailedToDelete": "Не удалось удалить место назначения",
+    "streamingDeleteTitle": "Удалить адрес назначения",
+    "streamingDeleteButtonText": "Удалить адрес назначения",
+    "streamingDeleteDialogAreYouSure": "Вы уверены, что хотите удалить",
+    "streamingDeleteDialogThisDestination": "это место назначения",
+    "streamingDeleteDialogPermanentlyRemoved": "? Все настройки будут удалены навсегда.",
+    "httpDestEditTitle": "Изменить адрес назначения",
+    "httpDestAddTitle": "Добавить HTTP адрес",
+    "httpDestEditDescription": "Обновление конфигурации для этого HTTP события потокового назначения.",
+    "httpDestAddDescription": "Настройте новую HTTP-конечную точку для получения событий вашей организации.",
+    "httpDestTabSettings": "Настройки",
+    "httpDestTabHeaders": "Заголовки",
+    "httpDestTabBody": "Тело",
+    "httpDestTabLogs": "Логи",
+    "httpDestNamePlaceholder": "Мой HTTP адрес назначения",
+    "httpDestUrlLabel": "URL назначения",
+    "httpDestUrlErrorHttpRequired": "URL должен использовать http или https",
+    "httpDestUrlErrorHttpsRequired": "Требуется HTTPS при развертывании облака",
+    "httpDestUrlErrorInvalid": "Введите действительный URL (например, https://example.com/webhook)",
+    "httpDestAuthTitle": "Аутентификация",
+    "httpDestAuthDescription": "Выберите, как запросы к вашей конечной точке аутентифицированы.",
+    "httpDestAuthNoneTitle": "Нет аутентификации",
+    "httpDestAuthNoneDescription": "Отправляет запросы без заголовка авторизации.",
+    "httpDestAuthBearerTitle": "Жетон носителя",
+    "httpDestAuthBearerDescription": "Добавляет заголовок Authorization: Bearer <token> к каждому запросу.",
+    "httpDestAuthBearerPlaceholder": "Ваш ключ API или токен",
+    "httpDestAuthBasicTitle": "Базовая авторизация",
+    "httpDestAuthBasicDescription": "Добавляет Authorization: Basic <credentials> header. Предоставьте учетные данные в качестве имени пользователя:password.",
+    "httpDestAuthBasicPlaceholder": "имя пользователя:пароль",
+    "httpDestAuthCustomTitle": "Пользовательский заголовок",
+    "httpDestAuthCustomDescription": "Укажите пользовательское имя заголовка HTTP и значение для аутентификации (например, X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Имя заголовка (например, X-API-ключ)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Значение заголовка",
+    "httpDestCustomHeadersTitle": "Пользовательские HTTP-заголовки",
+    "httpDestCustomHeadersDescription": "Добавляет пользовательские заголовки к каждому исходящему запросу. Полезно для статических маркеров или пользовательского типа содержимого. По умолчанию отправляется Content-Type: application/json.",
+    "httpDestNoHeadersConfigured": "Пользовательские заголовки не настроены. Нажмите \"Добавить заголовок\", чтобы добавить их.",
+    "httpDestHeaderNamePlaceholder": "Название заголовка",
+    "httpDestHeaderValuePlaceholder": "Значение",
+    "httpDestAddHeader": "Добавить заголовок",
+    "httpDestBodyTemplateTitle": "Пользовательский шаблон тела",
+    "httpDestBodyTemplateDescription": "Контролируйте структуру JSON приложения, отправленную на вашу конечную точку. Если отключено, для каждого события отправляется JSON объект по умолчанию.",
+    "httpDestEnableBodyTemplate": "Включить настраиваемый шаблон тела",
+    "httpDestBodyTemplateLabel": "Шаблон тела (JSON)",
+    "httpDestBodyTemplateHint": "Использовать шаблонные переменные для ссылки поля событий в вашей полезной нагрузке.",
+    "httpDestPayloadFormatTitle": "Формат нагрузки",
+    "httpDestPayloadFormatDescription": "Как события сериализуются в каждый орган запроса.",
+    "httpDestFormatJsonArrayTitle": "JSON массив",
+    "httpDestFormatJsonArrayDescription": "По одному запросу на каждую партию, тело является JSON-массивом. Совместим с большинством общих вебхуков и Датадог.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "По одному запросу на каждую партию, тело - это JSON, разделённый новой строкой, по одному объекту на строку, без внешнего массива. Требуется в Splunk HEC, Elastic / OpenSearch, и Grafana Loki.",
+    "httpDestFormatSingleTitle": "Одно событие на запрос",
+    "httpDestFormatSingleDescription": "Отправляет отдельный HTTP POST для каждого отдельного события. Используйте только для конечных точек, которые не могут обрабатывать пакеты.",
+    "httpDestLogTypesTitle": "Типы журналов",
+    "httpDestLogTypesDescription": "Выберите, какие типы журналов пересылаются в этот пункт назначения. Только включенные типы журналов будут транслированы.",
+    "httpDestAccessLogsTitle": "Журналы доступа",
+    "httpDestAccessLogsDescription": "Попытки доступа к ресурсам, включая аутентифицированные и отклоненные запросы.",
+    "httpDestActionLogsTitle": "Журнал действий",
+    "httpDestActionLogsDescription": "Административные меры, осуществляемые пользователями в рамках организации.",
+    "httpDestConnectionLogsTitle": "Журнал подключений",
+    "httpDestConnectionLogsDescription": "События связи с сайтами и туннелями, включая соединения и отключения.",
+    "httpDestRequestLogsTitle": "Запросить журналы",
+    "httpDestRequestLogsDescription": "Журналы запросов HTTP для проксируемых ресурсов, включая метод, путь и код ответа.",
+    "httpDestSaveChanges": "Сохранить изменения",
+    "httpDestCreateDestination": "Создать адрес назначения",
+    "httpDestUpdatedSuccess": "Адрес назначения успешно обновлен",
+    "httpDestCreatedSuccess": "Адрес назначения успешно создан",
+    "httpDestUpdateFailed": "Не удалось обновить место назначения",
+    "httpDestCreateFailed": "Не удалось создать место назначения"
 }

From 546769ca6666fd57a939f691cb01644d562356bc Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:20:00 -0700
Subject: [PATCH 209/314] New translations en-us.json (Spanish)

---
 messages/es-ES.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/es-ES.json b/messages/es-ES.json
index 2fc52b885..39a2919f8 100644
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -148,6 +148,11 @@
     "createLink": "Crear enlace",
     "resourcesNotFound": "No se encontraron recursos",
     "resourceSearch": "Buscar recursos",
+    "machineSearch": "Buscar máquinas",
+    "machinesSearch": "Buscar clientes...",
+    "machineNotFound": "No hay máquinas",
+    "userDeviceSearch": "Buscar dispositivos de usuario",
+    "userDevicesSearch": "Buscar dispositivos de usuario...",
     "openMenu": "Abrir menú",
     "resource": "Recurso",
     "title": "Título",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "Borrar Clave API",
     "apiKeysManage": "Administrar claves API",
     "apiKeysDescription": "Las claves API se utilizan para autenticar con la API de integración",
+    "provisioningKeysTitle": "Clave de aprovisionamiento",
+    "provisioningKeysManage": "Administrar Claves de Aprovisionamiento",
+    "provisioningKeysDescription": "Las claves de aprovisionamiento se utilizan para autenticar la provisión automatizada del sitio para su organización.",
+    "provisioningManage": "Aprovisionamiento",
+    "provisioningDescription": "Administrar las claves de aprovisionamiento y revisar los sitios pendientes de aprobación.",
+    "pendingSites": "Sitios pendientes",
+    "siteApproveSuccess": "Sitio aprobado con éxito",
+    "siteApproveError": "Error al aprobar el sitio",
+    "provisioningKeys": "Claves de aprovisionamiento",
+    "searchProvisioningKeys": "Buscar claves de suministro...",
+    "provisioningKeysAdd": "Generar clave de aprovisionamiento",
+    "provisioningKeysErrorDelete": "Error al eliminar la clave de aprovisionamiento",
+    "provisioningKeysErrorDeleteMessage": "Error al eliminar la clave de aprovisionamiento",
+    "provisioningKeysQuestionRemove": "¿Está seguro que desea eliminar esta clave de aprovisionamiento de la organización?",
+    "provisioningKeysMessageRemove": "Una vez eliminada, la clave ya no se puede utilizar para la disposición del sitio.",
+    "provisioningKeysDeleteConfirm": "Confirmar Eliminar Clave de Aprovisionamiento",
+    "provisioningKeysDelete": "Eliminar clave de aprovisionamiento",
+    "provisioningKeysCreate": "Generar clave de aprovisionamiento",
+    "provisioningKeysCreateDescription": "Generar una nueva clave de aprovisionamiento para la organización",
+    "provisioningKeysSeeAll": "Ver todas las claves de aprovisionamiento",
+    "provisioningKeysSave": "Guardar la clave de aprovisionamiento",
+    "provisioningKeysSaveDescription": "Sólo podrás verlo una vez. Copítalo a un lugar seguro.",
+    "provisioningKeysErrorCreate": "Error al crear la clave de provisioning",
+    "provisioningKeysList": "Nueva clave de aprovisionamiento",
+    "provisioningKeysMaxBatchSize": "Tamaño máximo de lote",
+    "provisioningKeysUnlimitedBatchSize": "Tamaño ilimitado del lote (sin límite)",
+    "provisioningKeysMaxBatchUnlimited": "Ilimitado",
+    "provisioningKeysMaxBatchSizeInvalid": "Introduzca un tamaño máximo de lote válido (1–1,000,000).",
+    "provisioningKeysValidUntil": "Válido hasta",
+    "provisioningKeysValidUntilHint": "Dejar vacío para no expirar.",
+    "provisioningKeysValidUntilInvalid": "Introduzca una fecha y hora válidas.",
+    "provisioningKeysNumUsed": "Tiempos usados",
+    "provisioningKeysLastUsed": "Último uso",
+    "provisioningKeysNoExpiry": "No expiración",
+    "provisioningKeysNeverUsed": "Nunca",
+    "provisioningKeysEdit": "Editar clave de aprovisionamiento",
+    "provisioningKeysEditDescription": "Actualizar el tamaño máximo de lote y el tiempo de caducidad para esta clave.",
+    "provisioningKeysApproveNewSites": "Aprobar nuevos sitios",
+    "provisioningKeysApproveNewSitesDescription": "Aprobar automáticamente los sitios que se registran con esta clave.",
+    "provisioningKeysUpdateError": "Error al actualizar la clave de aprovisionamiento",
+    "provisioningKeysUpdated": "Clave de aprovisionamiento actualizada",
+    "provisioningKeysUpdatedDescription": "Sus cambios han sido guardados.",
+    "provisioningKeysBannerTitle": "Claves de aprovisionamiento del sitio",
+    "provisioningKeysBannerDescription": "Generar una clave de aprovisionamiento y usarla con el conector Newt para crear automáticamente sitios en el primer inicio — no es necesario configurar credenciales separadas para cada sitio.",
+    "provisioningKeysBannerButtonText": "Saber más",
+    "pendingSitesBannerTitle": "Sitios pendientes",
+    "pendingSitesBannerDescription": "Los sitios que se conectan usando una clave de aprovisionamiento aparecen aquí para su revisión. Aprobar cada sitio antes de que se active y obtenga acceso a sus recursos.",
+    "pendingSitesBannerButtonText": "Saber más",
     "apiKeysSettings": "Ajustes {apiKeyName}",
     "userTitle": "Administrar todos los usuarios",
     "userDescription": "Ver y administrar todos los usuarios en el sistema",
@@ -509,9 +562,12 @@
     "userSaved": "Usuario guardado",
     "userSavedDescription": "El usuario ha sido actualizado.",
     "autoProvisioned": "Auto asegurado",
+    "autoProvisionSettings": "Configuración de Auto Provision",
     "autoProvisionedDescription": "Permitir a este usuario ser administrado automáticamente por el proveedor de identidad",
     "accessControlsDescription": "Administrar lo que este usuario puede acceder y hacer en la organización",
     "accessControlsSubmit": "Guardar controles de acceso",
+    "singleRolePerUserPlanNotice": "Tu plan sólo soporta un rol por usuario.",
+    "singleRolePerUserEditionNotice": "Esta edición sólo soporta un rol por usuario.",
     "roles": "Roles",
     "accessUsersRoles": "Administrar usuarios y roles",
     "accessUsersRolesDescription": "Invitar usuarios y añadirlos a roles para administrar el acceso a la organización",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Ingrese el token de configuración desde la consola del servidor.",
     "setupTokenRequired": "Se requiere el token de configuración",
     "actionUpdateSite": "Actualizar sitio",
+    "actionResetSiteBandwidth": "Restablecer ancho de banda de la organización",
     "actionListSiteRoles": "Lista de roles permitidos del sitio",
     "actionCreateResource": "Crear Recurso",
     "actionDeleteResource": "Eliminar Recurso",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Eliminar usuario",
     "actionListUsers": "Listar usuarios",
     "actionAddUserRole": "Añadir rol de usuario",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Establecer roles de usuario",
     "actionGenerateAccessToken": "Generar token de acceso",
     "actionDeleteAccessToken": "Eliminar token de acceso",
     "actionListAccessTokens": "Lista de Tokens de Acceso",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Roles",
     "sidebarShareableLinks": "Enlaces",
     "sidebarApiKeys": "Claves API",
+    "sidebarProvisioning": "Aprovisionamiento",
     "sidebarSettings": "Ajustes",
     "sidebarAllUsers": "Todos los usuarios",
     "sidebarIdentityProviders": "Proveedores de identidad",
@@ -1890,6 +1948,40 @@
     "exitNode": "Nodo de Salida",
     "country": "País",
     "rulesMatchCountry": "Actualmente basado en IP de origen",
+    "region": "Región",
+    "selectRegion": "Seleccionar región",
+    "searchRegions": "Buscar regiones...",
+    "noRegionFound": "Región no encontrada.",
+    "rulesMatchRegion": "Seleccione una agrupación regional de países",
+    "rulesErrorInvalidRegion": "Región no válida",
+    "rulesErrorInvalidRegionDescription": "Por favor, seleccione una región válida.",
+    "regionAfrica": "Africa",
+    "regionNorthernAfrica": "África septentrional",
+    "regionEasternAfrica": "África oriental",
+    "regionMiddleAfrica": "África central",
+    "regionSouthernAfrica": "África del Sur",
+    "regionWesternAfrica": "África Occidental",
+    "regionAmericas": "Américas",
+    "regionCaribbean": "Caribe",
+    "regionCentralAmerica": "América Central",
+    "regionSouthAmerica": "América del Sur",
+    "regionNorthernAmerica": "América del Norte",
+    "regionAsia": "Asia",
+    "regionCentralAsia": "Asia Central",
+    "regionEasternAsia": "Asia oriental",
+    "regionSouthEasternAsia": "Asia sudoriental",
+    "regionSouthernAsia": "Asia meridional",
+    "regionWesternAsia": "Asia Occidental",
+    "regionEurope": "Europa",
+    "regionEasternEurope": "Europa del Este",
+    "regionNorthernEurope": "Europa septentrional",
+    "regionSouthernEurope": "Europa meridional",
+    "regionWesternEurope": "Europa Occidental",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Australia y Nueva Zelanda",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
     "managedSelfHosted": {
         "title": "Autogestionado",
         "description": "Servidor Pangolin autoalojado más fiable y de bajo mantenimiento con campanas y silbidos extra",
@@ -1938,6 +2030,25 @@
     "invalidValue": "Valor inválido",
     "idpTypeLabel": "Tipo de proveedor de identidad",
     "roleMappingExpressionPlaceholder": "e.g., contiene(grupos, 'administrador') && 'administrador' || 'miembro'",
+    "roleMappingModeFixedRoles": "Roles fijos",
+    "roleMappingModeMappingBuilder": "Constructor de mapeo",
+    "roleMappingModeRawExpression": "Expresión sin procesar",
+    "roleMappingFixedRolesPlaceholderSelect": "Seleccione uno o más roles",
+    "roleMappingFixedRolesPlaceholderFreeform": "Nombre de rol de tipo (coincidencia exacta por organización)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Asignar el mismo rol establecido a cada usuario auto-provisionado.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Para las políticas predeterminadas, escriba nombres de roles que existen en cada organización donde los usuarios son proporcionados. Los nombres deben coincidir exactamente.",
+    "roleMappingClaimPath": "Reclamar ruta",
+    "roleMappingClaimPathPlaceholder": "grupos",
+    "roleMappingClaimPathDescription": "Ruta en el payload del token que contiene valores de origen (por ejemplo, grupos).",
+    "roleMappingMatchValue": "Valor de partida",
+    "roleMappingAssignRoles": "Asignar roles",
+    "roleMappingAddMappingRule": "Añadir regla de mapeo",
+    "roleMappingRawExpressionResultDescription": "La expresión debe evaluar a un array de cadenas o cadenas.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "La expresión debe evaluar una cadena (un solo nombre de rol).",
+    "roleMappingMatchValuePlaceholder": "Valor coincidente (por ejemplo: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Escriba nombres de rol (exacto por org)",
+    "roleMappingBuilderFreeformRowHint": "Los nombres de rol deben coincidir con un rol en cada organización objetivo.",
+    "roleMappingRemoveRule": "Eliminar",
     "idpGoogleConfiguration": "Configuración de Google",
     "idpGoogleConfigurationDescription": "Configurar las credenciales de Google OAuth2",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "Cuánto tiempo retener los registros de acceso",
     "logRetentionActionLabel": "Retención de registro de acción",
     "logRetentionActionDescription": "Cuánto tiempo retener los registros de acción",
+    "logRetentionConnectionLabel": "Retención de Registro de Conexión",
+    "logRetentionConnectionDescription": "Cuánto tiempo conservar los registros de conexión",
     "logRetentionDisabled": "Deshabilitado",
     "logRetention3Days": "3 días",
     "logRetention7Days": "7 días",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Fin del año siguiente",
     "actionLogsDescription": "Ver un historial de acciones realizadas en esta organización",
     "accessLogsDescription": "Ver solicitudes de acceso a los recursos de esta organización",
+    "connectionLogs": "Registros de conexión",
+    "connectionLogsDescription": "Ver registros de conexión para túneles en esta organización",
+    "sidebarLogsConnection": "Registros de conexión",
+    "sidebarLogsStreaming": "Transmisión",
+    "sourceAddress": "Dirección de origen",
+    "destinationAddress": "Dirección de destino",
+    "duration": "Duración",
     "licenseRequiredToUse": "Se requiere una licencia <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> o <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> para usar esta función. <bookADemoLink>Reserve una demostración o prueba POC</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "La <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> es necesaria para utilizar esta función. Esta función también está disponible en <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Reserva una demostración o prueba POC</bookADemoLink>.",
     "certResolver": "Resolver certificado",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Editar un rol y habilitar la opción 'Requerir aprobaciones de dispositivos'. Los usuarios con este rol necesitarán la aprobación del administrador para nuevos dispositivos.",
     "approvalsEmptyStatePreviewDescription": "Vista previa: Cuando está habilitado, las solicitudes de dispositivo pendientes aparecerán aquí para su revisión",
     "approvalsEmptyStateButtonText": "Administrar roles",
-    "domainErrorTitle": "Estamos teniendo problemas para verificar su dominio"
+    "domainErrorTitle": "Estamos teniendo problemas para verificar su dominio",
+    "idpAdminAutoProvisionPoliciesTabHint": "Configure el mapeo de roles y las políticas de organización en la pestaña <policiesTabLink>Configuración de provisión automática</policiesTabLink>.",
+    "streamingTitle": "Transmisión de Eventos",
+    "streamingDescription": "Transmita eventos desde su organización a destinos externos en tiempo real.",
+    "streamingUnnamedDestination": "Destino sin nombre",
+    "streamingNoUrlConfigured": "No hay URL configurada",
+    "streamingAddDestination": "Añadir destino",
+    "streamingHttpWebhookTitle": "Webhook HTTP",
+    "streamingHttpWebhookDescription": "Enviar eventos a cualquier extremo HTTP con autenticación flexible y plantilla.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Transmite eventos a un bucket de almacenamiento de objetos compatible con S3. Próximamente.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Reenviar eventos directamente a tu cuenta de Datadog. Próximamente.",
+    "streamingTypePickerDescription": "Elija un tipo de destino para empezar.",
+    "streamingFailedToLoad": "Error al cargar destinos",
+    "streamingUnexpectedError": "Se ha producido un error inesperado.",
+    "streamingFailedToUpdate": "Error al actualizar destino",
+    "streamingDeletedSuccess": "Destino eliminado correctamente",
+    "streamingFailedToDelete": "Error al eliminar destino",
+    "streamingDeleteTitle": "Eliminar destino",
+    "streamingDeleteButtonText": "Eliminar destino",
+    "streamingDeleteDialogAreYouSure": "¿Está seguro que desea eliminar",
+    "streamingDeleteDialogThisDestination": "este destino",
+    "streamingDeleteDialogPermanentlyRemoved": "? Toda la configuración se eliminará permanentemente.",
+    "httpDestEditTitle": "Editar destino",
+    "httpDestAddTitle": "Añadir destino HTTP",
+    "httpDestEditDescription": "Actualizar la configuración para este destino de transmisión de eventos HTTP.",
+    "httpDestAddDescription": "Configure un nuevo extremo HTTP para recibir los eventos de su organización.",
+    "httpDestTabSettings": "Ajustes",
+    "httpDestTabHeaders": "Encabezados",
+    "httpDestTabBody": "Cuerpo",
+    "httpDestTabLogs": "Registros",
+    "httpDestNamePlaceholder": "Mi destino HTTP",
+    "httpDestUrlLabel": "URL de destino",
+    "httpDestUrlErrorHttpRequired": "URL debe usar http o https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS es necesario en implementaciones en la nube",
+    "httpDestUrlErrorInvalid": "Introduzca una URL válida (ej. https://example.com/webhook)",
+    "httpDestAuthTitle": "Autenticación",
+    "httpDestAuthDescription": "Elija cómo están autenticadas las solicitudes en su punto final.",
+    "httpDestAuthNoneTitle": "Sin autenticación",
+    "httpDestAuthNoneDescription": "Envía solicitudes sin un encabezado de autorización.",
+    "httpDestAuthBearerTitle": "Tóken de portador",
+    "httpDestAuthBearerDescription": "Añade una autorización: portador <token> encabezado a cada solicitud.",
+    "httpDestAuthBearerPlaceholder": "Tu clave o token API",
+    "httpDestAuthBasicTitle": "Auth Básica",
+    "httpDestAuthBasicDescription": "Añade una Autorización: encabezado básico <credentials> . Proporcione credenciales como nombre de usuario: contraseña.",
+    "httpDestAuthBasicPlaceholder": "usuario:contraseña",
+    "httpDestAuthCustomTitle": "Cabecera personalizada",
+    "httpDestAuthCustomDescription": "Especifique un nombre de cabecera HTTP personalizado y un valor para la autenticación (por ejemplo, X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Nombre de cabecera (ej. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Valor de cabecera",
+    "httpDestCustomHeadersTitle": "Cabeceras HTTP personalizadas",
+    "httpDestCustomHeadersDescription": "Añadir cabeceras personalizadas a cada petición saliente. Útil para tokens estáticos o un tipo de contenido personalizado. De forma predeterminada, Content Type: application/json es enviado.",
+    "httpDestNoHeadersConfigured": "No hay cabeceras personalizadas. Haga clic en \"Añadir cabecera\" para añadir una.",
+    "httpDestHeaderNamePlaceholder": "Nombre de cabecera",
+    "httpDestHeaderValuePlaceholder": "Valor",
+    "httpDestAddHeader": "Añadir cabecera",
+    "httpDestBodyTemplateTitle": "Plantilla de cuerpo personalizada",
+    "httpDestBodyTemplateDescription": "Controla la estructura de carga de JSON enviada a tu punto final. Si está desactivado, se envía un objeto JSON por defecto para cada evento.",
+    "httpDestEnableBodyTemplate": "Activar plantilla de cuerpo personalizado",
+    "httpDestBodyTemplateLabel": "Plantilla de cuerpo (JSON)",
+    "httpDestBodyTemplateHint": "Utilice variables de plantilla para referenciar los campos del evento en su carga útil.",
+    "httpDestPayloadFormatTitle": "Formato de carga",
+    "httpDestPayloadFormatDescription": "Cómo se serializan los eventos en cada cuerpo de solicitud.",
+    "httpDestFormatJsonArrayTitle": "Matriz JSON",
+    "httpDestFormatJsonArrayDescription": "Una petición por lote, cuerpo es una matriz JSON. Compatible con la mayoría de los webhooks y Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Una petición por lote, el cuerpo es JSON delimitado por línea — un objeto por línea, sin arrays externos. Requerido por Splunk HEC, Elastic / OpenSearch, y Grafana Loki.",
+    "httpDestFormatSingleTitle": "Un evento por solicitud",
+    "httpDestFormatSingleDescription": "Envía un HTTP POST separado para cada evento individual. Úsalo sólo para los extremos que no pueden manejar lotes.",
+    "httpDestLogTypesTitle": "Tipos de Log",
+    "httpDestLogTypesDescription": "Elija qué tipos de registro son reenviados a este destino. Sólo los tipos de registro habilitados serán transmitidos.",
+    "httpDestAccessLogsTitle": "Registros de acceso",
+    "httpDestAccessLogsDescription": "Intentos de acceso a recursos, incluyendo solicitudes autenticadas y denegadas.",
+    "httpDestActionLogsTitle": "Registros de acción",
+    "httpDestActionLogsDescription": "Acciones administrativas realizadas por los usuarios dentro de la organización.",
+    "httpDestConnectionLogsTitle": "Registros de conexión",
+    "httpDestConnectionLogsDescription": "Eventos de conexión de sitios y túneles, incluyendo conexiones y desconexiones.",
+    "httpDestRequestLogsTitle": "Registros de Solicitud",
+    "httpDestRequestLogsDescription": "Registros de peticiones HTTP para recursos proxyficados, incluyendo método, ruta y código de respuesta.",
+    "httpDestSaveChanges": "Guardar Cambios",
+    "httpDestCreateDestination": "Crear destino",
+    "httpDestUpdatedSuccess": "Destino actualizado correctamente",
+    "httpDestCreatedSuccess": "Destino creado correctamente",
+    "httpDestUpdateFailed": "Error al actualizar destino",
+    "httpDestCreateFailed": "Error al crear el destino"
 }

From f6cdadbc2ddc4220d18dbe491148ae64d829cc97 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:20:02 -0700
Subject: [PATCH 210/314] New translations en-us.json (Turkish)

---
 messages/tr-TR.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/tr-TR.json b/messages/tr-TR.json
index 2bfed7fb3..e89778322 100644
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -148,6 +148,11 @@
     "createLink": "Bağlantı Oluştur",
     "resourcesNotFound": "Hiçbir kaynak bulunamadı",
     "resourceSearch": "Kaynak ara",
+    "machineSearch": "Makinaları ara",
+    "machinesSearch": "Makina müşteri...",
+    "machineNotFound": "Hiçbir makine bulunamadı",
+    "userDeviceSearch": "Kullanıcı cihazlarını ara",
+    "userDevicesSearch": "Kullanıcı cihazlarını ara...",
     "openMenu": "Menüyü Aç",
     "resource": "Kaynak",
     "title": "Başlık",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "API Anahtarını Sil",
     "apiKeysManage": "API Anahtarlarını Yönet",
     "apiKeysDescription": "API anahtarları entegrasyon API'sini doğrulamak için kullanılır",
+    "provisioningKeysTitle": "Tedarik Anahtarı",
+    "provisioningKeysManage": "Tedarik Anahtarlarını Yönet",
+    "provisioningKeysDescription": "Tedarik anahtarları, organizasyonunuz için otomatik site sağlama işlemini doğrulamak için kullanılır.",
+    "provisioningManage": "Tedarik",
+    "provisioningDescription": "Tedarik anahtarlarını yönetin ve onay bekleyen siteleri gözden geçirin.",
+    "pendingSites": "Bekleyen Siteler",
+    "siteApproveSuccess": "Site başarıyla onaylandı",
+    "siteApproveError": "Site onaylanırken hata oluştu",
+    "provisioningKeys": "Tedarik Anahtarları",
+    "searchProvisioningKeys": "Tedarik anahtarlarını ara...",
+    "provisioningKeysAdd": "Tedarik Anahtarı Üret",
+    "provisioningKeysErrorDelete": "Tedarik anahtarı silinirken hata oluştu",
+    "provisioningKeysErrorDeleteMessage": "Tedarik anahtarı silinirken hata oluştu",
+    "provisioningKeysQuestionRemove": "Bu tedarik anahtarını organizasyondan kaldırmak istediğinizden emin misiniz?",
+    "provisioningKeysMessageRemove": "Kaldırıldıktan sonra, anahtar site tedariki için artık kullanılamaz.",
+    "provisioningKeysDeleteConfirm": "Tedarik Anahtarını Silmeyi Onayla",
+    "provisioningKeysDelete": "Tedarik Anahtarını Sil",
+    "provisioningKeysCreate": "Tedarik Anahtarı Üret",
+    "provisioningKeysCreateDescription": "Organizasyon için yeni bir tedarik anahtarı oluşturun",
+    "provisioningKeysSeeAll": "Tüm tedarik anahtarlarını gör",
+    "provisioningKeysSave": "Tedarik anahtarını kaydet",
+    "provisioningKeysSaveDescription": "Bunu yalnızca bir kez görebileceksiniz. Güvenli bir yere kopyalayın.",
+    "provisioningKeysErrorCreate": "Tedarik anahtarı oluşturulurken hata oluştu",
+    "provisioningKeysList": "Yeni tedarik anahtarı",
+    "provisioningKeysMaxBatchSize": "Maksimum toplu iş boyutu",
+    "provisioningKeysUnlimitedBatchSize": "Sınırsız toplu iş boyutu (sınırlama yok)",
+    "provisioningKeysMaxBatchUnlimited": "Sınırsız",
+    "provisioningKeysMaxBatchSizeInvalid": "Geçerli bir maksimum toplu iş boyutu girin (1–1,000,000).",
+    "provisioningKeysValidUntil": "Geçerlilik tarihi",
+    "provisioningKeysValidUntilHint": "Son kullanım tarihi için boş bırakın.",
+    "provisioningKeysValidUntilInvalid": "Geçerli bir tarih ve saat girin.",
+    "provisioningKeysNumUsed": "Kullanım Sayısı",
+    "provisioningKeysLastUsed": "Son kullanım",
+    "provisioningKeysNoExpiry": "Son kullanma tarihi yok",
+    "provisioningKeysNeverUsed": "Asla",
+    "provisioningKeysEdit": "Tedarik Anahtarını Düzenle",
+    "provisioningKeysEditDescription": "Bu anahtar için maksimum toplu iş boyutunu ve son kullanma zamanını güncelleyin.",
+    "provisioningKeysApproveNewSites": "Yeni siteleri onayla",
+    "provisioningKeysApproveNewSitesDescription": "Bu anahtar ile kayıt olan siteleri otomatik olarak onayla.",
+    "provisioningKeysUpdateError": "Tedarik anahtarı güncellenirken hata oluştu",
+    "provisioningKeysUpdated": "Tedarik anahtarı güncellendi",
+    "provisioningKeysUpdatedDescription": "Değişiklikleriniz kaydedildi.",
+    "provisioningKeysBannerTitle": "Site Tedarik Anahtarları",
+    "provisioningKeysBannerDescription": "Tedarik anahtarı oluşturun ve ilk başlangıçta siteleri otomatik olarak oluşturmak için Newt konektörüyle kullanın — her site için ayrı kimlik bilgileri ayarlamaya gerek yoktur.",
+    "provisioningKeysBannerButtonText": "Daha fazla bilgi",
+    "pendingSitesBannerTitle": "Bekleyen Siteler",
+    "pendingSitesBannerDescription": "Tedarik anahtarı kullanarak bağlanan siteler burada incelenmek için görünür. Aktif hale gelmeden ve kaynaklarınıza erişim kazanmadan önce her siteyi onaylayın.",
+    "pendingSitesBannerButtonText": "Daha fazla bilgi",
     "apiKeysSettings": "{apiKeyName} Ayarları",
     "userTitle": "Tüm Kullanıcıları Yönet",
     "userDescription": "Sistemdeki tüm kullanıcıları görün ve yönetin",
@@ -509,9 +562,12 @@
     "userSaved": "Kullanıcı kaydedildi",
     "userSavedDescription": "Kullanıcı güncellenmiştir.",
     "autoProvisioned": "Otomatik Sağlandı",
+    "autoProvisionSettings": "Otomatik Tedarik Ayarları",
     "autoProvisionedDescription": "Bu kullanıcının kimlik sağlayıcısı tarafından otomatik olarak yönetilmesine izin ver",
     "accessControlsDescription": "Bu kullanıcının organizasyonda neleri erişebileceğini ve yapabileceğini yönetin",
     "accessControlsSubmit": "Erişim Kontrollerini Kaydet",
+    "singleRolePerUserPlanNotice": "Planınız yalnızca kullanıcı başına bir rol desteler.",
+    "singleRolePerUserEditionNotice": "Bu sürüm yalnızca kullanıcı başına bir rol destekler.",
     "roles": "Roller",
     "accessUsersRoles": "Kullanıcılar ve Roller Yönetin",
     "accessUsersRolesDescription": "Kullanıcılara davet gönderin ve organizasyona erişimi yönetmek için rollere ekleyin",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Sunucu konsolundan kurulum simgesini girin.",
     "setupTokenRequired": "Kurulum simgesi gerekli",
     "actionUpdateSite": "Siteyi Güncelle",
+    "actionResetSiteBandwidth": "Organizasyon Bant Genişliğini Sıfırla",
     "actionListSiteRoles": "İzin Verilen Site Rolleri Listele",
     "actionCreateResource": "Kaynak Oluştur",
     "actionDeleteResource": "Kaynağı Sil",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Kullanıcıyı Kaldır",
     "actionListUsers": "Kullanıcıları Listele",
     "actionAddUserRole": "Kullanıcı Rolü Ekle",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Kullanıcı Rolleri Belirle",
     "actionGenerateAccessToken": "Erişim Jetonu Oluştur",
     "actionDeleteAccessToken": "Erişim Jetonunu Sil",
     "actionListAccessTokens": "Erişim Jetonlarını Listele",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Roller",
     "sidebarShareableLinks": "Bağlantılar",
     "sidebarApiKeys": "API Anahtarları",
+    "sidebarProvisioning": "Tedarik",
     "sidebarSettings": "Ayarlar",
     "sidebarAllUsers": "Tüm Kullanıcılar",
     "sidebarIdentityProviders": "Kimlik Sağlayıcılar",
@@ -1890,6 +1948,40 @@
     "exitNode": "Çıkış Düğümü",
     "country": "Ülke",
     "rulesMatchCountry": "Şu anda kaynak IP'ye dayanarak",
+    "region": "Bölge",
+    "selectRegion": "Bölgeyi seçin",
+    "searchRegions": "Bölgeleri ara...",
+    "noRegionFound": "Bölge bulunamadı.",
+    "rulesMatchRegion": "Başka ülkelerin bölgesel gruplandırmasını seçin",
+    "rulesErrorInvalidRegion": "Geçersiz bölge",
+    "rulesErrorInvalidRegionDescription": "Lütfen geçerli bir bölge seçin.",
+    "regionAfrica": "Afrika",
+    "regionNorthernAfrica": "Kuzey Afrika",
+    "regionEasternAfrica": "Doğu Afrika",
+    "regionMiddleAfrica": "Orta Afrika",
+    "regionSouthernAfrica": "Güney Afrika",
+    "regionWesternAfrica": "Batı Afrika",
+    "regionAmericas": "Amerika",
+    "regionCaribbean": "Karayipler",
+    "regionCentralAmerica": "Orta Amerika",
+    "regionSouthAmerica": "Güney Amerika",
+    "regionNorthernAmerica": "Kuzey Amerika",
+    "regionAsia": "Asya",
+    "regionCentralAsia": "Orta Asya",
+    "regionEasternAsia": "Doğu Asya",
+    "regionSouthEasternAsia": "Güneydoğu Asya",
+    "regionSouthernAsia": "Güney Asya",
+    "regionWesternAsia": "Batı Asya",
+    "regionEurope": "Avrupa",
+    "regionEasternEurope": "Doğu Avrupa",
+    "regionNorthernEurope": "Kuzey Avrupa",
+    "regionSouthernEurope": "Güney Avrupa",
+    "regionWesternEurope": "Batı Avrupa",
+    "regionOceania": "Okyanusya",
+    "regionAustraliaAndNewZealand": "Avustralya ve Yeni Zelanda",
+    "regionMelanesia": "Melanezya",
+    "regionMicronesia": "Mikronezya",
+    "regionPolynesia": "Polinezya",
     "managedSelfHosted": {
         "title": "Yönetilen Self-Hosted",
         "description": "Daha güvenilir ve düşük bakım gerektiren, ekstra özelliklere sahip kendi kendine barındırabileceğiniz Pangolin sunucusu",
@@ -1938,6 +2030,25 @@
     "invalidValue": "Geçersiz değer",
     "idpTypeLabel": "Kimlik Sağlayıcı Türü",
     "roleMappingExpressionPlaceholder": "örn., contains(gruplar, 'yönetici') && 'Yönetici' || 'Üye'",
+    "roleMappingModeFixedRoles": "Sabit Roller",
+    "roleMappingModeMappingBuilder": "Harita Oluşturucu",
+    "roleMappingModeRawExpression": "Ham İfade",
+    "roleMappingFixedRolesPlaceholderSelect": "Bir veya daha fazla rol seçin",
+    "roleMappingFixedRolesPlaceholderFreeform": "Rol isimlerini yazın (organizasyon başına tam eşleşme)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Her otomatik tedarik edilmiş kullanıcıya aynı rol setini atayın.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Varsayılan politikalar için, kullanıcıların sağlandığı her organizasyonda mevcut olan rol isimlerini yazın. İsimler tam olarak eşleşmelidir.",
+    "roleMappingClaimPath": "Hak Talep Yolu",
+    "roleMappingClaimPathPlaceholder": "gruplar",
+    "roleMappingClaimPathDescription": "Kaynak değerleri içeren belirteç yükündeki yol (örneğin, gruplar).",
+    "roleMappingMatchValue": "Eşleme Değeri",
+    "roleMappingAssignRoles": "Rolleri Ata",
+    "roleMappingAddMappingRule": "Eşleme Kuralı Ekle",
+    "roleMappingRawExpressionResultDescription": "İfade bir string veya string dizisine değerlendirilmelidir.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "İfade bir string (tek rol ismi) olarak değerlendirilmelidir.",
+    "roleMappingMatchValuePlaceholder": "Eşleme değeri (örneğin: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Rol isimlerini yazın (organizasyon başına tam eşleşme)",
+    "roleMappingBuilderFreeformRowHint": "Rol isimleri her hedef organizasyondaki bir rol ile eşleşmelidir.",
+    "roleMappingRemoveRule": "Kaldır",
     "idpGoogleConfiguration": "Google Yapılandırması",
     "idpGoogleConfigurationDescription": "Google OAuth2 kimlik bilgilerinizi yapılandırın",
     "idpGoogleClientIdDescription": "Google OAuth2 İstemci Kimliğiniz",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "Erişim günlüklerini ne kadar süre tutacağını belirle",
     "logRetentionActionLabel": "Eylem Günlüğü Saklama",
     "logRetentionActionDescription": "Eylem günlüklerini ne kadar süre tutacağını belirle",
+    "logRetentionConnectionLabel": "Bağlantı kayıtlarını ne kadar süre saklayacağınız",
+    "logRetentionConnectionDescription": "Bağlantı kayıtlarını ne kadar süre saklayacağınız",
     "logRetentionDisabled": "Devre Dışı",
     "logRetention3Days": "3 gün",
     "logRetention7Days": "7 gün",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Bir sonraki yılın sonu",
     "actionLogsDescription": "Bu organizasyondaki eylemler geçmişini görüntüleyin",
     "accessLogsDescription": "Bu organizasyondaki kaynaklar için erişim kimlik doğrulama isteklerini görüntüleyin",
+    "connectionLogs": "Bağlantı Kayıtları",
+    "connectionLogsDescription": "Bu organizasyondaki tüneller için bağlantı geçmişine bakın",
+    "sidebarLogsConnection": "Bağlantı Kayıtları",
+    "sidebarLogsStreaming": "Akış",
+    "sourceAddress": "Kaynak Adresi",
+    "destinationAddress": "Hedef Adresi",
+    "duration": "Süre",
     "licenseRequiredToUse": "Bu özelliği kullanmak için bir <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lisansı veya <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> gereklidir. <bookADemoLink>Tanıtım veya POC denemesi ayarlayın</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "Bu özelliği kullanmak için <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> gereklidir. Bu özellik ayrıca <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>’da da mevcuttur. <bookADemoLink>Tanıtım veya POC denemesi ayarlayın</bookADemoLink>.",
     "certResolver": "Sertifika Çözücü",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Bir rolü düzenleyin ve 'Cihaz Onaylarını Gerektir' seçeneğini etkinleştirin. Bu role sahip kullanıcıların yeni cihazlar için yönetici onayına ihtiyacı olacaktır.",
     "approvalsEmptyStatePreviewDescription": "Önizleme: Etkinleştirildiğinde, bekleyen cihaz talepleri incelenmek üzere burada görünecektir.",
     "approvalsEmptyStateButtonText": "Rolleri Yönet",
-    "domainErrorTitle": "Alan adınızı doğrulamada sorun yaşıyoruz"
+    "domainErrorTitle": "Alan adınızı doğrulamada sorun yaşıyoruz",
+    "idpAdminAutoProvisionPoliciesTabHint": "Rol eşleme ve organizasyon politikalarını <policiesTabLink>Otomatik Tedarik Ayarları</policiesTabLink> sekmesinde yapılandırın.",
+    "streamingTitle": "Olay Akışı",
+    "streamingDescription": "Olayları organizasyonunuzdan dış hedeflere gerçek zamanlı olarak iletin.",
+    "streamingUnnamedDestination": "Adsız hedef",
+    "streamingNoUrlConfigured": "URL yapılandırılmadı",
+    "streamingAddDestination": "Hedef Ekle",
+    "streamingHttpWebhookTitle": "HTTP Webhook",
+    "streamingHttpWebhookDescription": "Esnek kimlik doğrulama ve şablon oluşturmayla her HTTP uç noktasına olaylar gönderin.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Olayları S3 uyumlu bir nesne depolama kovasına iletin. Yakında gelicek.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Olayları doğrudan Datadog hesabınıza iletin. Yakında gelicek.",
+    "streamingTypePickerDescription": "Başlamak için bir hedef türü seçin.",
+    "streamingFailedToLoad": "Hedefler yüklenemedi",
+    "streamingUnexpectedError": "Beklenmeyen bir hata oluştu.",
+    "streamingFailedToUpdate": "Hedef güncellenemedi",
+    "streamingDeletedSuccess": "Hedef başarıyla silindi",
+    "streamingFailedToDelete": "Hedef silinemedi",
+    "streamingDeleteTitle": "Hedefi Sil",
+    "streamingDeleteButtonText": "Hedefi Sil",
+    "streamingDeleteDialogAreYouSure": "Silmek istediğinizden emin misiniz",
+    "streamingDeleteDialogThisDestination": "bu hedefi",
+    "streamingDeleteDialogPermanentlyRemoved": "? Tüm yapılandırma kalıcı olarak kaldırılacak.",
+    "httpDestEditTitle": "Hedefi Düzenle",
+    "httpDestAddTitle": "HTTP Hedefi Ekle",
+    "httpDestEditDescription": "Bu HTTP olay akışı hedefine yapılandırmayı güncelleyin.",
+    "httpDestAddDescription": "Organizasyonunuzun olaylarını almak için yeni bir HTTP uç noktası yapılandırın.",
+    "httpDestTabSettings": "Ayarlar",
+    "httpDestTabHeaders": "Başlıklar",
+    "httpDestTabBody": "Gövde",
+    "httpDestTabLogs": "Kayıtlar",
+    "httpDestNamePlaceholder": "Benim HTTP hedefim",
+    "httpDestUrlLabel": "Hedef URL",
+    "httpDestUrlErrorHttpRequired": "URL http veya https kullanmalıdır",
+    "httpDestUrlErrorHttpsRequired": "Bulut dağıtımlarında HTTPS gereklidir",
+    "httpDestUrlErrorInvalid": "Geçerli bir URL girin (örn. https://example.com/webhook)",
+    "httpDestAuthTitle": "Kimlik Doğrulama",
+    "httpDestAuthDescription": "Uç noktanıza yapılan isteklerin nasıl kimlik doğrulandığını seçin.",
+    "httpDestAuthNoneTitle": "Kimlik Doğrulama Yok",
+    "httpDestAuthNoneDescription": "Yetkilendirme başlığı olmadan istekler gönderir.",
+    "httpDestAuthBearerTitle": "Taşıyıcı Jetonu",
+    "httpDestAuthBearerDescription": "Her isteğe bir Yetkilendirme: Taşıyıcı <token> başlığı ekler.",
+    "httpDestAuthBearerPlaceholder": "API anahtarınız veya jetonunuz",
+    "httpDestAuthBasicTitle": "Temel Kimlik Doğrulama",
+    "httpDestAuthBasicDescription": "Authorization: Temel <belirtecikler> başlığı ekler. Yetkilendirmeleri kullanıcı adı:şifre olarak sağlayın.",
+    "httpDestAuthBasicPlaceholder": "kullanıcı adı:şifre",
+    "httpDestAuthCustomTitle": "Özel Başlık",
+    "httpDestAuthCustomDescription": "Kimlik doğrulama için özel bir HTTP başlık adı ve değer belirtin (örn. X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Başlık adı (örn. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Başlık değeri",
+    "httpDestCustomHeadersTitle": "Özel HTTP Başlıkları",
+    "httpDestCustomHeadersDescription": "Her giden isteğe özel başlıklar ekleyin. Statik jetonlar veya özel bir İçerik Türü için kullanışlıdır. Varsayılan olarak İçerik Türü: application/json gönderilir.",
+    "httpDestNoHeadersConfigured": "Özel başlık yapılandırılmamış. Bir tane eklemek için \"Başlık Ekle\"ye tıklayın.",
+    "httpDestHeaderNamePlaceholder": "Başlık adı",
+    "httpDestHeaderValuePlaceholder": "Değer",
+    "httpDestAddHeader": "Başlık Ekle",
+    "httpDestBodyTemplateTitle": "Özel Gövde Şablonu",
+    "httpDestBodyTemplateDescription": "Uç noktanıza gönderilen JSON yük yapısını kontrol edin. Devre dışı bırakılırsa, her olay için varsayılan bir JSON nesnesi gönderilir.",
+    "httpDestEnableBodyTemplate": "Özel gövde şablonunu etkinleştir",
+    "httpDestBodyTemplateLabel": "Gövde Şablonu (JSON)",
+    "httpDestBodyTemplateHint": "Yükünüzdeki olay alanlarına atıfta bulunmak için şablon değişkenlerini kullanın.",
+    "httpDestPayloadFormatTitle": "Yük Formatı",
+    "httpDestPayloadFormatDescription": "Her bir istek gövdesine olayların nasıl serileştirildiği.",
+    "httpDestFormatJsonArrayTitle": "JSON Dizisi",
+    "httpDestFormatJsonArrayDescription": "Her bir toplu işte bir istek, gövde bir JSON dizisidir. Çoğu genel webhook ve Datadog ile uyumludur.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Her bir toplu işte bir istek, gövde satırlarla ayrılmış JSON'dur - her satıra bir nesne, dış dizi yoktur. Splunk HEC, Elastic / OpenSearch ve Grafana Loki tarafından gereklidir.",
+    "httpDestFormatSingleTitle": "Her İstek Başına Bir Olay",
+    "httpDestFormatSingleDescription": "Her olay için ayrı bir HTTP POST gönderir. Toplu işlere yetkemeyen uç noktalar için kullanın.",
+    "httpDestLogTypesTitle": "Kayıt Türleri",
+    "httpDestLogTypesDescription": "Bu hedefe hangi kayıt türlerinin iletileceğini seçin. Yalnızca etkin kayıt türleri yayınlanacaktır.",
+    "httpDestAccessLogsTitle": "Erişim Kayıtları",
+    "httpDestAccessLogsDescription": "Kimlik doğrulanmış ve reddedilen talepler dahil kaynak erişim denemeleri.",
+    "httpDestActionLogsTitle": "Eylem Kayıtları",
+    "httpDestActionLogsDescription": "Kullanıcılar tarafından organizasyon içerisinde yapılan yönetici eylemleri.",
+    "httpDestConnectionLogsTitle": "Bağlantı Kayıtları",
+    "httpDestConnectionLogsDescription": "Site ve tünel bağlantı olayları, bağlantılar ve bağlantı kesilmeleri dahil.",
+    "httpDestRequestLogsTitle": "İstek Kayıtları",
+    "httpDestRequestLogsDescription": "Yönlendirilmiş kaynaklar için HTTP istek kayıtları, yöntem, yol ve yanıt kodu dahil.",
+    "httpDestSaveChanges": "Değişiklikleri Kaydet",
+    "httpDestCreateDestination": "Hedef Oluştur",
+    "httpDestUpdatedSuccess": "Hedef başarıyla güncellendi",
+    "httpDestCreatedSuccess": "Hedef başarıyla oluşturuldu",
+    "httpDestUpdateFailed": "Hedef güncellenemedi",
+    "httpDestCreateFailed": "Hedef oluşturulamadı"
 }

From ff64a790140f4bb25e2d24567af358139d0d5da8 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:20:04 -0700
Subject: [PATCH 211/314] New translations en-us.json (Chinese Simplified)

---
 messages/zh-CN.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/zh-CN.json b/messages/zh-CN.json
index f297d1ea9..07ffe4d5b 100644
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -148,6 +148,11 @@
     "createLink": "创建链接",
     "resourcesNotFound": "找不到资源",
     "resourceSearch": "搜索资源",
+    "machineSearch": "搜索机",
+    "machinesSearch": "搜索机器客户端...",
+    "machineNotFound": "未找到任何机",
+    "userDeviceSearch": "搜索用户设备",
+    "userDevicesSearch": "搜索用户设备...",
     "openMenu": "打开菜单",
     "resource": "资源",
     "title": "标题",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "删除 API 密钥",
     "apiKeysManage": "管理 API 密钥",
     "apiKeysDescription": "API 密钥用于认证集成 API",
+    "provisioningKeysTitle": "置备密钥",
+    "provisioningKeysManage": "管理置备键",
+    "provisioningKeysDescription": "置备密钥用于验证您组织的自动站点配置。",
+    "provisioningManage": "置备中",
+    "provisioningDescription": "管理预配键和审查等待批准的站点。",
+    "pendingSites": "待定站点",
+    "siteApproveSuccess": "站点批准成功",
+    "siteApproveError": "批准站点出错",
+    "provisioningKeys": "置备键",
+    "searchProvisioningKeys": "搜索配备密钥...",
+    "provisioningKeysAdd": "生成置备键",
+    "provisioningKeysErrorDelete": "删除预配键时出错",
+    "provisioningKeysErrorDeleteMessage": "删除预配键时出错",
+    "provisioningKeysQuestionRemove": "您确定要从组织中删除此预配键吗？",
+    "provisioningKeysMessageRemove": "一旦移除，密钥不能再用于站点预配。",
+    "provisioningKeysDeleteConfirm": "确认删除置备键",
+    "provisioningKeysDelete": "删除置备键",
+    "provisioningKeysCreate": "生成置备键",
+    "provisioningKeysCreateDescription": "为组织生成一个新的预置密钥",
+    "provisioningKeysSeeAll": "查看所有预配键",
+    "provisioningKeysSave": "保存预配键",
+    "provisioningKeysSaveDescription": "您只能看到一次。复制它到一个安全的地方。",
+    "provisioningKeysErrorCreate": "创建预配键时出错",
+    "provisioningKeysList": "新建预配键",
+    "provisioningKeysMaxBatchSize": "最大批量大小",
+    "provisioningKeysUnlimitedBatchSize": "无限批量大小(无限制)",
+    "provisioningKeysMaxBatchUnlimited": "无限制",
+    "provisioningKeysMaxBatchSizeInvalid": "输入一个有效的最大批处理大小(1-1,000,000)。",
+    "provisioningKeysValidUntil": "有效期至",
+    "provisioningKeysValidUntilHint": "留空为无过期。",
+    "provisioningKeysValidUntilInvalid": "输入一个有效的日期和时间。",
+    "provisioningKeysNumUsed": "使用的时间",
+    "provisioningKeysLastUsed": "上次使用",
+    "provisioningKeysNoExpiry": "没有过期",
+    "provisioningKeysNeverUsed": "永不过期",
+    "provisioningKeysEdit": "编辑置备键",
+    "provisioningKeysEditDescription": "更新此密钥的最大批量大小和过期时间。",
+    "provisioningKeysApproveNewSites": "批准新站点",
+    "provisioningKeysApproveNewSitesDescription": "自动批准使用此密钥注册的站点。",
+    "provisioningKeysUpdateError": "更新预配键时出错",
+    "provisioningKeysUpdated": "置备密钥已更新",
+    "provisioningKeysUpdatedDescription": "您的更改已保存。",
+    "provisioningKeysBannerTitle": "站点置备密钥",
+    "provisioningKeysBannerDescription": "生成一个预配键并使用它来在首次启动时自动创建站点——无需为每个站点设置单独的凭证。",
+    "provisioningKeysBannerButtonText": "了解更多",
+    "pendingSitesBannerTitle": "待定站点",
+    "pendingSitesBannerDescription": "使用预配键连接的站点会出现在这里供审核。在站点开始运行之前批准并获取对您资源的访问权限。",
+    "pendingSitesBannerButtonText": "了解更多",
     "apiKeysSettings": "{apiKeyName} 设置",
     "userTitle": "管理所有用户",
     "userDescription": "查看和管理系统中的所有用户",
@@ -509,9 +562,12 @@
     "userSaved": "用户已保存",
     "userSavedDescription": "用户已更新。",
     "autoProvisioned": "自动设置",
+    "autoProvisionSettings": "自动提供设置",
     "autoProvisionedDescription": "允许此用户由身份提供商自动管理",
     "accessControlsDescription": "管理此用户在组织中可以访问和做什么",
     "accessControlsSubmit": "保存访问控制",
+    "singleRolePerUserPlanNotice": "您的计划仅支持每个用户一个角色。",
+    "singleRolePerUserEditionNotice": "此版本仅支持每个用户一个角色。",
     "roles": "角色",
     "accessUsersRoles": "管理用户和角色",
     "accessUsersRolesDescription": "邀请用户加入角色来管理访问组织",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "从服务器控制台输入设置令牌。",
     "setupTokenRequired": "需要设置令牌",
     "actionUpdateSite": "更新站点",
+    "actionResetSiteBandwidth": "重置组织带宽",
     "actionListSiteRoles": "允许站点角色列表",
     "actionCreateResource": "创建资源",
     "actionDeleteResource": "删除资源",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "删除用户",
     "actionListUsers": "列出用户",
     "actionAddUserRole": "添加用户角色",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "设置用户角色",
     "actionGenerateAccessToken": "生成访问令牌",
     "actionDeleteAccessToken": "删除访问令牌",
     "actionListAccessTokens": "访问令牌",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "角色",
     "sidebarShareableLinks": "链接",
     "sidebarApiKeys": "API密钥",
+    "sidebarProvisioning": "置备中",
     "sidebarSettings": "设置",
     "sidebarAllUsers": "所有用户",
     "sidebarIdentityProviders": "身份提供商",
@@ -1890,6 +1948,40 @@
     "exitNode": "出口节点",
     "country": "国家",
     "rulesMatchCountry": "当前基于源 IP",
+    "region": "地区",
+    "selectRegion": "选择区域",
+    "searchRegions": "搜索区域...",
+    "noRegionFound": "未找到区域。",
+    "rulesMatchRegion": "选择一个区域国家组",
+    "rulesErrorInvalidRegion": "无效区域",
+    "rulesErrorInvalidRegionDescription": "请选择一个有效的区域。",
+    "regionAfrica": "非洲",
+    "regionNorthernAfrica": "B. 北非地区",
+    "regionEasternAfrica": "东部非洲",
+    "regionMiddleAfrica": "中东",
+    "regionSouthernAfrica": "D. 南 非",
+    "regionWesternAfrica": "D. 西部非洲",
+    "regionAmericas": "Americas",
+    "regionCaribbean": "加勒比",
+    "regionCentralAmerica": "中美洲：",
+    "regionSouthAmerica": "南 非",
+    "regionNorthernAmerica": "北美洲：",
+    "regionAsia": "亚洲",
+    "regionCentralAsia": "B. 亚 洲",
+    "regionEasternAsia": "东亚",
+    "regionSouthEasternAsia": "D. 东南亚区域",
+    "regionSouthernAsia": "D. 亚 洲",
+    "regionWesternAsia": "西亚",
+    "regionEurope": "欧洲",
+    "regionEasternEurope": "D. 欧 洲",
+    "regionNorthernEurope": "北欧洲",
+    "regionSouthernEurope": "南欧洲",
+    "regionWesternEurope": "西欧洲",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "澳大利亚和新西兰",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
     "managedSelfHosted": {
         "title": "托管自托管",
         "description": "更可靠和低维护自我托管的 Pangolin 服务器，带有额外的铃声和告密器",
@@ -1938,6 +2030,25 @@
     "invalidValue": "无效的值",
     "idpTypeLabel": "身份提供者类型",
     "roleMappingExpressionPlaceholder": "例如: contains(group, 'admin' &'Admin' || 'Member'",
+    "roleMappingModeFixedRoles": "固定角色",
+    "roleMappingModeMappingBuilder": "映射构建器",
+    "roleMappingModeRawExpression": "原始表达式",
+    "roleMappingFixedRolesPlaceholderSelect": "选择一个或多个角色",
+    "roleMappingFixedRolesPlaceholderFreeform": "输入角色名称 (每个组织确切匹配)",
+    "roleMappingFixedRolesDescriptionSameForAll": "将相同的角色分配给每个自动配备的用户。",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "对于缺省策略，每个提供用户的组织中存在的角色名称类型。名称必须完全匹配。",
+    "roleMappingClaimPath": "认领路径",
+    "roleMappingClaimPathPlaceholder": "组",
+    "roleMappingClaimPathDescription": "包含源值的 token 有效负载路径 (例如组)。",
+    "roleMappingMatchValue": "匹配值",
+    "roleMappingAssignRoles": "分配角色",
+    "roleMappingAddMappingRule": "添加映射规则",
+    "roleMappingRawExpressionResultDescription": "表达式必须值为字符串或字符串。",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "表达式必须计算到字符串(单个角色名称)。",
+    "roleMappingMatchValuePlaceholder": "匹配值(例如: 管理员)",
+    "roleMappingAssignRolesPlaceholderFreeform": "输入角色名称 (每个组织确切)",
+    "roleMappingBuilderFreeformRowHint": "角色名称必须匹配每个目标组织的角色。",
+    "roleMappingRemoveRule": "删除",
     "idpGoogleConfiguration": "Google 配置",
     "idpGoogleConfigurationDescription": "配置 Google OAuth2 凭据",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "保留访问日志的时间",
     "logRetentionActionLabel": "动作日志保留",
     "logRetentionActionDescription": "保留操作日志的时间",
+    "logRetentionConnectionLabel": "连接日志保留",
+    "logRetentionConnectionDescription": "保留连接日志的时间",
     "logRetentionDisabled": "已禁用",
     "logRetention3Days": "3 天",
     "logRetention7Days": "7 天",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "下一年结束",
     "actionLogsDescription": "查看此机构执行的操作历史",
     "accessLogsDescription": "查看此机构资源的访问认证请求",
+    "connectionLogs": "连接日志",
+    "connectionLogsDescription": "查看此机构隧道的连接日志",
+    "sidebarLogsConnection": "连接日志",
+    "sidebarLogsStreaming": "流流",
+    "sourceAddress": "源地址",
+    "destinationAddress": "目的地址",
+    "duration": "期限",
     "licenseRequiredToUse": "使用此功能需要<enterpriseLicenseLink>企业版</enterpriseLicenseLink>许可证或<pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>。<bookADemoLink>预约演示或POC试用</bookADemoLink>。",
     "ossEnterpriseEditionRequired": "需要 <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> 才能使用此功能。 此功能也可在 <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>上获取。 <bookADemoLink>预订演示或POC 试用</bookADemoLink>。",
     "certResolver": "证书解决器",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "编辑角色并启用“需要设备审批”选项。具有此角色的用户需要管理员批准新设备。",
     "approvalsEmptyStatePreviewDescription": "预览：如果启用，待处理设备请求将出现在这里供审核",
     "approvalsEmptyStateButtonText": "管理角色",
-    "domainErrorTitle": "我们在验证您的域名时遇到了问题"
+    "domainErrorTitle": "我们在验证您的域名时遇到了问题",
+    "idpAdminAutoProvisionPoliciesTabHint": "在 <policiesTabLink>自动供应设置</policiesTabLink> 选项卡上配置角色映射和组织策略。",
+    "streamingTitle": "事件流",
+    "streamingDescription": "实时将事件从您的组织流到外部目的地。",
+    "streamingUnnamedDestination": "未命名目标",
+    "streamingNoUrlConfigured": "未配置URL",
+    "streamingAddDestination": "添加目标",
+    "streamingHttpWebhookTitle": "HTTP Webhook",
+    "streamingHttpWebhookDescription": "将事件发送到任意HTTP端点并灵活验证和模板。",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "将事件串流到 S3 兼容的对象存储桶。即将推出。",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "直接转发事件到您的Datadog 帐户。即将推出。",
+    "streamingTypePickerDescription": "选择要开始的目标类型。",
+    "streamingFailedToLoad": "加载目的地失败",
+    "streamingUnexpectedError": "发生意外错误.",
+    "streamingFailedToUpdate": "更新目标失败",
+    "streamingDeletedSuccess": "目标删除成功",
+    "streamingFailedToDelete": "删除目标失败",
+    "streamingDeleteTitle": "删除目标",
+    "streamingDeleteButtonText": "删除目标",
+    "streamingDeleteDialogAreYouSure": "您确定要删除吗？",
+    "streamingDeleteDialogThisDestination": "这个目标",
+    "streamingDeleteDialogPermanentlyRemoved": "? 所有配置将被永久删除。",
+    "httpDestEditTitle": "编辑目标",
+    "httpDestAddTitle": "添加 HTTP 目标",
+    "httpDestEditDescription": "更新此 HTTP 事件流媒体目的地的配置。",
+    "httpDestAddDescription": "配置新的 HTTP 端点来接收您的组织事件。",
+    "httpDestTabSettings": "设置",
+    "httpDestTabHeaders": "信头",
+    "httpDestTabBody": "正文内容",
+    "httpDestTabLogs": "日志",
+    "httpDestNamePlaceholder": "我的 HTTP 目标",
+    "httpDestUrlLabel": "目标网址",
+    "httpDestUrlErrorHttpRequired": "URL 必须使用 http 或 https",
+    "httpDestUrlErrorHttpsRequired": "云端部署需要HTTPS",
+    "httpDestUrlErrorInvalid": "输入一个有效的 URL (例如，https://example.com/webhook)",
+    "httpDestAuthTitle": "认证",
+    "httpDestAuthDescription": "选择如何验证您的端点的请求。",
+    "httpDestAuthNoneTitle": "无身份验证",
+    "httpDestAuthNoneDescription": "在没有授权头的情况下发送请求。",
+    "httpDestAuthBearerTitle": "持有者令牌",
+    "httpDestAuthBearerDescription": "添加授权：每个请求的标题为 <token>。",
+    "httpDestAuthBearerPlaceholder": "您的 API 密钥或令牌",
+    "httpDestAuthBasicTitle": "基本认证",
+    "httpDestAuthBasicDescription": "添加授权：基本 <credentials> 头。提供用户名：密码的凭据。",
+    "httpDestAuthBasicPlaceholder": "用户名:密码",
+    "httpDestAuthCustomTitle": "自定义标题",
+    "httpDestAuthCustomDescription": "指定自定义 HTTP 头名称和身份验证值 (例如，X-API 键)。",
+    "httpDestAuthCustomHeaderNamePlaceholder": "标题名称(例如X-API-键)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "页眉值",
+    "httpDestCustomHeadersTitle": "自定义 HTTP 头",
+    "httpDestCustomHeadersDescription": "向每个输出请求添加自定义标题。用于静态令牌或自定义内容类型。默认情况下，内容类型：应用程序/json已发送。",
+    "httpDestNoHeadersConfigured": "未配置自定义头。单击\"添加头\"以添加一个。",
+    "httpDestHeaderNamePlaceholder": "标题名称",
+    "httpDestHeaderValuePlaceholder": "值",
+    "httpDestAddHeader": "添加标题",
+    "httpDestBodyTemplateTitle": "自定义实体模板",
+    "httpDestBodyTemplateDescription": "控制发送到您的端点的 JSON 有效载荷结构。如果禁用，将为每个事件发送一个 JSON 默认对象。",
+    "httpDestEnableBodyTemplate": "启用自定义实体模板",
+    "httpDestBodyTemplateLabel": "身体模板 (JSON)",
+    "httpDestBodyTemplateHint": "将模板变量用于您有效载荷中的参考事件字段。",
+    "httpDestPayloadFormatTitle": "有效载荷格式",
+    "httpDestPayloadFormatDescription": "事件如何序列化为每个请求实体。",
+    "httpDestFormatJsonArrayTitle": "JSON 数组",
+    "httpDestFormatJsonArrayDescription": "每批一个请求，实体是一个 JSON 数组。与大多数通用的 Web 钩子和数据兼容。",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "每批有一个请求，物体是换行符限制的 JSON ——每行一个对象，不是外部数组。 Sluk HEC、Elastic / OpenSearch和Grafana Loki所需。",
+    "httpDestFormatSingleTitle": "每个请求一个事件",
+    "httpDestFormatSingleDescription": "为每个事件单独发送一个 HTTP POST。仅用于无法处理批量的端点。",
+    "httpDestLogTypesTitle": "日志类型",
+    "httpDestLogTypesDescription": "选择转发到此目的地的日志类型。只有启用的日志类型才会被连续使用。",
+    "httpDestAccessLogsTitle": "访问日志",
+    "httpDestAccessLogsDescription": "资源访问尝试，包括已验证和拒绝的请求。",
+    "httpDestActionLogsTitle": "操作日志",
+    "httpDestActionLogsDescription": "组织内部用户采取的行政行动。",
+    "httpDestConnectionLogsTitle": "连接日志",
+    "httpDestConnectionLogsDescription": "站点和隧道连接事件，包括连接和断开连接。",
+    "httpDestRequestLogsTitle": "请求日志",
+    "httpDestRequestLogsDescription": "HTTP 请求代理资源日志，包括方法、路径和响应代码。",
+    "httpDestSaveChanges": "保存更改",
+    "httpDestCreateDestination": "创建目标",
+    "httpDestUpdatedSuccess": "目标已成功更新",
+    "httpDestCreatedSuccess": "目标创建成功",
+    "httpDestUpdateFailed": "更新目标失败",
+    "httpDestCreateFailed": "创建目标失败"
 }

From 1d2f1405aacf799cdbfd54cb6f13bbfd109a2683 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:20:05 -0700
Subject: [PATCH 212/314] New translations en-us.json (Norwegian Bokmal)

---
 messages/nb-NO.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/nb-NO.json b/messages/nb-NO.json
index 50ec9a717..751f15081 100644
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -148,6 +148,11 @@
     "createLink": "Opprett lenke",
     "resourcesNotFound": "Ingen ressurser funnet",
     "resourceSearch": "Søk i ressurser",
+    "machineSearch": "Søk etter maskiner",
+    "machinesSearch": "Søk etter maskinklienter...",
+    "machineNotFound": "Ingen maskiner funnet",
+    "userDeviceSearch": "Søk etter brukerenheter",
+    "userDevicesSearch": "Søk etter brukerenheter...",
     "openMenu": "Åpne meny",
     "resource": "Ressurs",
     "title": "Tittel",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "Slett API-nøkkel",
     "apiKeysManage": "Administrer API-nøkler",
     "apiKeysDescription": "API-nøkler brukes for å autentisere med integrasjons-API",
+    "provisioningKeysTitle": "Foreløpig nøkkel",
+    "provisioningKeysManage": "Behandle bestemmende nøkler",
+    "provisioningKeysDescription": "Bestemmelsesnøkler brukes til å godkjenne automatisert nettstedsløsning for din organisasjon.",
+    "provisioningManage": "Levering",
+    "provisioningDescription": "Administrer foreløpig nøkler og gjennomgå ventende nettsteder som venter på godkjenning.",
+    "pendingSites": "Ventende nettsteder",
+    "siteApproveSuccess": "Vellykket godkjenning av nettsted",
+    "siteApproveError": "Feil ved godkjenning av side",
+    "provisioningKeys": "Foreløpig nøkler",
+    "searchProvisioningKeys": "Søk varer i lagrings nøkler...",
+    "provisioningKeysAdd": "Generer fremvisende nøkkel",
+    "provisioningKeysErrorDelete": "Feil under sletting av foreløpig nøkkel",
+    "provisioningKeysErrorDeleteMessage": "Feil under sletting av foreløpig nøkkel",
+    "provisioningKeysQuestionRemove": "Er du sikker på at du vil fjerne denne midlertidig nøkkelen fra organisasjonen?",
+    "provisioningKeysMessageRemove": "Når nøkkelen er fjernet, kan den ikke lenger brukes til anleggsavsetning.",
+    "provisioningKeysDeleteConfirm": "Bekreft sletting av bestemmelsesnøkkel",
+    "provisioningKeysDelete": "Slett bestemmelsesnøkkel",
+    "provisioningKeysCreate": "Generer fremvisende nøkkel",
+    "provisioningKeysCreateDescription": "Generer en ny foreløpig nøkkel til organisasjonen",
+    "provisioningKeysSeeAll": "Se alle foreløpig nøkler",
+    "provisioningKeysSave": "Lagre den midlertidig nøkkelen",
+    "provisioningKeysSaveDescription": "Du kan bare se denne én gang. Kopier det til et sikkert sted.",
+    "provisioningKeysErrorCreate": "Feil under oppretting av foreløpig nøkkel",
+    "provisioningKeysList": "Ny provisorisk nøkkel",
+    "provisioningKeysMaxBatchSize": "Maks størrelse på bunt",
+    "provisioningKeysUnlimitedBatchSize": "Ubegrenset mengde bunt (ingen begrensning)",
+    "provisioningKeysMaxBatchUnlimited": "Ubegrenset",
+    "provisioningKeysMaxBatchSizeInvalid": "Angi en gyldig sjakkstørrelse (1–1 000.000).",
+    "provisioningKeysValidUntil": "Gyldig til",
+    "provisioningKeysValidUntilHint": "La stå tomt for ingen utløp.",
+    "provisioningKeysValidUntilInvalid": "Angi en gyldig dato og klokkeslett.",
+    "provisioningKeysNumUsed": "Antall ganger brukt",
+    "provisioningKeysLastUsed": "Sist brukt",
+    "provisioningKeysNoExpiry": "Ingen utløpsdato",
+    "provisioningKeysNeverUsed": "Aldri",
+    "provisioningKeysEdit": "Rediger bestemmelsesnøkkel",
+    "provisioningKeysEditDescription": "Oppdater maksimal størrelse for bunt og utløpstid for denne nøkkelen.",
+    "provisioningKeysApproveNewSites": "Godkjenn nye nettsteder",
+    "provisioningKeysApproveNewSitesDescription": "Godkjenn automatisk nettsteder som registrerer deg med denne nøkkelen.",
+    "provisioningKeysUpdateError": "Feil under oppdatering av foreløpig nøkkel",
+    "provisioningKeysUpdated": "Foreslå nøkkel oppdatert",
+    "provisioningKeysUpdatedDescription": "Dine endringer er lagret.",
+    "provisioningKeysBannerTitle": "Sidens bestemmende nøkler",
+    "provisioningKeysBannerDescription": "Generer en foreløpig nøkkel og bruk den med Nyhetskontakten for å automatisk opprette sider ved første oppstart — trenger ikke å sette opp separat innloggingsinformasjon for hver side.",
+    "provisioningKeysBannerButtonText": "Lær mer",
+    "pendingSitesBannerTitle": "Ventende nettsteder",
+    "pendingSitesBannerDescription": "Nettsteder som kobler deg til ved hjelp av en bestemmelsestekst, vises her for gjennomgang. Godkjenn hvert nettsted før det blir aktivt og får tilgang til ressursene dine.",
+    "pendingSitesBannerButtonText": "Lær mer",
     "apiKeysSettings": "{apiKeyName} Innstillinger",
     "userTitle": "Administrer alle brukere",
     "userDescription": "Vis og administrer alle brukere i systemet",
@@ -509,9 +562,12 @@
     "userSaved": "Bruker lagret",
     "userSavedDescription": "Brukeren har blitt oppdatert.",
     "autoProvisioned": "Auto avlyst",
+    "autoProvisionSettings": "Auto leveringsinnstillinger",
     "autoProvisionedDescription": "Tillat denne brukeren å bli automatisk administrert av en identitetsleverandør",
     "accessControlsDescription": "Administrer hva denne brukeren kan få tilgang til og gjøre i organisasjonen",
     "accessControlsSubmit": "Lagre tilgangskontroller",
+    "singleRolePerUserPlanNotice": "Din plan støtter bare én rolle per bruker.",
+    "singleRolePerUserEditionNotice": "Denne utgaven støtter bare én rolle per bruker.",
     "roles": "Roller",
     "accessUsersRoles": "Administrer brukere og roller",
     "accessUsersRolesDescription": "Inviter brukere og legg dem til roller for å administrere tilgang til organisasjonen",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Skriv inn oppsetttoken fra serverkonsollen.",
     "setupTokenRequired": "Oppsetttoken er nødvendig",
     "actionUpdateSite": "Oppdater område",
+    "actionResetSiteBandwidth": "Tilbakestill organisasjons-båndbredde",
     "actionListSiteRoles": "List opp tillatte områderoller",
     "actionCreateResource": "Opprett ressurs",
     "actionDeleteResource": "Slett ressurs",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Fjern bruker",
     "actionListUsers": "List opp brukere",
     "actionAddUserRole": "Legg til brukerrolle",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Angi brukerroller",
     "actionGenerateAccessToken": "Generer tilgangstoken",
     "actionDeleteAccessToken": "Slett tilgangstoken",
     "actionListAccessTokens": "List opp tilgangstokener",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Roller",
     "sidebarShareableLinks": "Lenker",
     "sidebarApiKeys": "API-nøkler",
+    "sidebarProvisioning": "Levering",
     "sidebarSettings": "Innstillinger",
     "sidebarAllUsers": "Alle brukere",
     "sidebarIdentityProviders": "Identitetsleverandører",
@@ -1890,6 +1948,40 @@
     "exitNode": "Utgangsnode",
     "country": "Land",
     "rulesMatchCountry": "For tiden basert på kilde IP",
+    "region": "Fylke",
+    "selectRegion": "Velg region",
+    "searchRegions": "Søk etter områder...",
+    "noRegionFound": "Ingen region funnet.",
+    "rulesMatchRegion": "Velg en regional gruppering av land",
+    "rulesErrorInvalidRegion": "Ugyldig område",
+    "rulesErrorInvalidRegionDescription": "Vennligst velg et gyldig område.",
+    "regionAfrica": "Afrika",
+    "regionNorthernAfrica": "[country name] Nord-Afrika",
+    "regionEasternAfrica": "Øst-Afrika",
+    "regionMiddleAfrica": "Middle Africa",
+    "regionSouthernAfrica": "Sør-Afrika",
+    "regionWesternAfrica": "[country name] Vest-Afrika",
+    "regionAmericas": "Amerika",
+    "regionCaribbean": "Karibia",
+    "regionCentralAmerica": "Sentral-Amerika",
+    "regionSouthAmerica": "Sør-Amerika",
+    "regionNorthernAmerica": "Nord-Amerika",
+    "regionAsia": "Asia",
+    "regionCentralAsia": "Sentral-Asia",
+    "regionEasternAsia": "Øst-Asia",
+    "regionSouthEasternAsia": "Sørøst-Asia",
+    "regionSouthernAsia": "Sørlige Asia",
+    "regionWesternAsia": "Vest-Asia",
+    "regionEurope": "Europa",
+    "regionEasternEurope": "Øst-Europa",
+    "regionNorthernEurope": "Nord-Europa",
+    "regionSouthernEurope": "Sørlige Europa",
+    "regionWesternEurope": "Vest-Europa",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Australia og New Zealand",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
     "managedSelfHosted": {
         "title": "Administrert selv-hostet",
         "description": "Sikre og lavvedlikeholdsservere, selvbetjente Pangolin med ekstra klokker, og understell",
@@ -1938,6 +2030,25 @@
     "invalidValue": "Ugyldig verdi",
     "idpTypeLabel": "Identitet leverandør type",
     "roleMappingExpressionPlaceholder": "F.eks. inneholder(grupper, 'admin') && 'Admin' ⋅'Medlem'",
+    "roleMappingModeFixedRoles": "Fast roller",
+    "roleMappingModeMappingBuilder": "Kartlegger bygger",
+    "roleMappingModeRawExpression": "Rå uttrykk",
+    "roleMappingFixedRolesPlaceholderSelect": "Velg en eller flere roller",
+    "roleMappingFixedRolesPlaceholderFreeform": "Skriv inn rollenavn (eksakt treff per organisasjon)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Tilordne den samme rollen som er satt til hver automatisk midlertidig bruker.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "For standard policyer, type rollenavn som eksisterer i hver organisasjon der brukerne tilbys. Navn må stemmer nøyaktig.",
+    "roleMappingClaimPath": "Krev sti",
+    "roleMappingClaimPathPlaceholder": "grupper",
+    "roleMappingClaimPathDescription": "Sti i i token nyttelast som inneholder kildeverdier (for eksempel grupper).",
+    "roleMappingMatchValue": "Treff verdi",
+    "roleMappingAssignRoles": "Tilordne roller",
+    "roleMappingAddMappingRule": "Legg til tilordningsregel",
+    "roleMappingRawExpressionResultDescription": "Uttrykk skal vurderes til en streng eller en tekststreng.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Uttrykk må evaluere til en streng (en rollenavn).",
+    "roleMappingMatchValuePlaceholder": "Match verdi (for eksempel: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Angi rollenavn (eksakt per org)",
+    "roleMappingBuilderFreeformRowHint": "Rollenavn må samsvare med en rolle i hver målorganisasjon.",
+    "roleMappingRemoveRule": "Fjern",
     "idpGoogleConfiguration": "Google Konfigurasjon",
     "idpGoogleConfigurationDescription": "Konfigurer Google OAuth2 legitimasjonen",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "Hvor lenge du vil beholde adgangslogger",
     "logRetentionActionLabel": "Handlings logg nytt",
     "logRetentionActionDescription": "Hvor lenge handlingen skal lagres",
+    "logRetentionConnectionLabel": "Logg nyhet",
+    "logRetentionConnectionDescription": "Hvor lenge du vil beholde tilkoblingslogger",
     "logRetentionDisabled": "Deaktivert",
     "logRetention3Days": "3 dager",
     "logRetention7Days": "7 dager",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Slutt på neste år",
     "actionLogsDescription": "Vis historikk for handlinger som er utført i denne organisasjonen",
     "accessLogsDescription": "Vis autoriseringsforespørsler for ressurser i denne organisasjonen",
+    "connectionLogs": "Loggfiler for tilkobling",
+    "connectionLogsDescription": "Vis tilkoblingslogger for tunneler i denne organisasjonen",
+    "sidebarLogsConnection": "Loggfiler for tilkobling",
+    "sidebarLogsStreaming": "Strømming",
+    "sourceAddress": "Kilde adresse",
+    "destinationAddress": "Måladresse (Automatic Translation)",
+    "duration": "Varighet",
     "licenseRequiredToUse": "En <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lisens eller <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> er påkrevd for å bruke denne funksjonen. <bookADemoLink>Bestill en demo eller POC prøveversjon</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> er nødvendig for å bruke denne funksjonen. Denne funksjonen er også tilgjengelig i <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Bestill en demo eller POC studie</bookADemoLink>.",
     "certResolver": "Sertifikat løser",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Rediger en rolle og aktiver alternativet 'Kreve enhetsgodkjenninger'. Brukere med denne rollen vil trenge administratorgodkjenning for nye enheter.",
     "approvalsEmptyStatePreviewDescription": "Forhåndsvisning: Når aktivert, ventende enhets forespørsler vil vises her for vurdering",
     "approvalsEmptyStateButtonText": "Administrer Roller",
-    "domainErrorTitle": "Vi har problemer med å verifisere domenet ditt"
+    "domainErrorTitle": "Vi har problemer med å verifisere domenet ditt",
+    "idpAdminAutoProvisionPoliciesTabHint": "Konfigurer rollegartlegging og organisasjonspolicyer på <policiesTabLink>Auto leveringsinnstillinger</policiesTabLink> fanen.",
+    "streamingTitle": "Hendelse Strømming",
+    "streamingDescription": "Stream hendelser fra din organisasjon til eksterne destinasjoner i sanntid.",
+    "streamingUnnamedDestination": "Plassering uten navn",
+    "streamingNoUrlConfigured": "Ingen URL konfigurert",
+    "streamingAddDestination": "Legg til mål",
+    "streamingHttpWebhookTitle": "HTTP Webhook",
+    "streamingHttpWebhookDescription": "Send hendelser til alle HTTP-endepunkter med fleksibel autentisering og maling.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Strøm hendelser til en S3-kompatibel objektlagringskjøt. Kommer snart.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Videresend arrangementer direkte til din Datadog-konto. Kommer snart.",
+    "streamingTypePickerDescription": "Velg en måltype for å komme i gang.",
+    "streamingFailedToLoad": "Kan ikke laste inn destinasjoner",
+    "streamingUnexpectedError": "En uventet feil oppstod.",
+    "streamingFailedToUpdate": "Kunne ikke oppdatere destinasjon",
+    "streamingDeletedSuccess": "Målet ble slettet",
+    "streamingFailedToDelete": "Kunne ikke slette destinasjon",
+    "streamingDeleteTitle": "Slett mål",
+    "streamingDeleteButtonText": "Slett mål",
+    "streamingDeleteDialogAreYouSure": "Er du sikker på at du vil slette",
+    "streamingDeleteDialogThisDestination": "denne destinasjonen",
+    "streamingDeleteDialogPermanentlyRemoved": "? Alle konfigurasjoner vil bli slettet permanent.",
+    "httpDestEditTitle": "Rediger mål",
+    "httpDestAddTitle": "Legg til HTTP-destinasjon",
+    "httpDestEditDescription": "Oppdater konfigurasjonen for denne HTTP-hendelsesstrømmedestinasjonen.",
+    "httpDestAddDescription": "Konfigurer et nytt HTTP endepunkt for å motta organisasjonens hendelser.",
+    "httpDestTabSettings": "Innstillinger",
+    "httpDestTabHeaders": "Overskrifter",
+    "httpDestTabBody": "Innhold",
+    "httpDestTabLogs": "Logger",
+    "httpDestNamePlaceholder": "Min HTTP destinasjon",
+    "httpDestUrlLabel": "Destinasjons URL",
+    "httpDestUrlErrorHttpRequired": "URL-adressen må bruke httpp eller https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS er nødvendig for distribusjon av sky",
+    "httpDestUrlErrorInvalid": "Skriv inn en gyldig nettadresse (f.eks. https://eksempel.com/webhook)",
+    "httpDestAuthTitle": "Autentisering",
+    "httpDestAuthDescription": "Velg hvordan ønsker til sluttpunktet ditt er autentisert.",
+    "httpDestAuthNoneTitle": "Ingen godkjenning",
+    "httpDestAuthNoneDescription": "Sender forespørsler uten autorisasjonsoverskrift.",
+    "httpDestAuthBearerTitle": "Bærer Symbol",
+    "httpDestAuthBearerDescription": "Legger til en autorisasjon: Bearer <token> header til hver forespørsel.",
+    "httpDestAuthBearerPlaceholder": "Din API-nøkkel eller token",
+    "httpDestAuthBasicTitle": "Standard Auth",
+    "httpDestAuthBasicDescription": "Legger til en godkjenning: Grunnleggende <credentials> overskrift. Angi legitimasjon som brukernavn:passord.",
+    "httpDestAuthBasicPlaceholder": "brukernavn:passord",
+    "httpDestAuthCustomTitle": "Egendefinert topptekst",
+    "httpDestAuthCustomDescription": "Angi et egendefinert HTTP headers navn og verdi for autentisering (f.eks X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Topptekst navn (f.eks X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Header verdi",
+    "httpDestCustomHeadersTitle": "Egendefinerte HTTP-overskrifter",
+    "httpDestCustomHeadersDescription": "Legg til egendefinerte overskrifter til hver utgående forespørsel. Nyttig for statisk tokens eller en egendefinert innholdstype. Som standard blir innholdstype: applikasjon/json sendt.",
+    "httpDestNoHeadersConfigured": "Ingen egendefinerte overskrifter konfigurert. Klikk \"Legg til topptekst\" for å legge til en.",
+    "httpDestHeaderNamePlaceholder": "Navn på topptekst",
+    "httpDestHeaderValuePlaceholder": "Verdi",
+    "httpDestAddHeader": "Legg til topptekst",
+    "httpDestBodyTemplateTitle": "Egendefinert hovedmal",
+    "httpDestBodyTemplateDescription": "Kontroller JSON nyttelaststrukturen sendt til ditt endepunkt. Hvis deaktivert, sendes et standard JSON-objekt for hver hendelse.",
+    "httpDestEnableBodyTemplate": "Aktiver egendefinert meldingsmal",
+    "httpDestBodyTemplateLabel": "Kroppsmal (JSON)",
+    "httpDestBodyTemplateHint": "Bruk designmal variabler for å referere til eventfelt i din betaling.",
+    "httpDestPayloadFormatTitle": "Mål format",
+    "httpDestPayloadFormatDescription": "Hvordan blir hendelser serialisert inn i hver forespørselsorgan.",
+    "httpDestFormatJsonArrayTitle": "JSON liste",
+    "httpDestFormatJsonArrayDescription": "Én forespørsel per batch, innholdet er en JSON-liste. Kompatibel med de mest generiske webhooks og Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Én forespørsel per sats, innholdet er nytt avgrenset JSON — et objekt per linje, ingen ytterarray. Kreves av Splunk HEC, Elastisk/OpenSearch, og Grafana Loki.",
+    "httpDestFormatSingleTitle": "En hendelse per forespørsel",
+    "httpDestFormatSingleDescription": "Sender en separat HTTP POST for hver enkelt hendelse. Bruk bare for endepunkter som ikke kan håndtere batcher.",
+    "httpDestLogTypesTitle": "Logg typer",
+    "httpDestLogTypesDescription": "Velg hvilke loggtyper som blir videresendt til dette målet. Bare aktiverte loggtyper vil bli strømmet.",
+    "httpDestAccessLogsTitle": "Tilgangslogger (Automatic Translation)",
+    "httpDestAccessLogsDescription": "Adgangsforsøk for ressurser, inkludert godkjente og nektet forespørsler.",
+    "httpDestActionLogsTitle": "Handlingslogger",
+    "httpDestActionLogsDescription": "Administrative tiltak som utføres av brukere innenfor organisasjonen.",
+    "httpDestConnectionLogsTitle": "Loggfiler for tilkobling",
+    "httpDestConnectionLogsDescription": "Utstyrs- og tunneltilkoblingshendelser, inkludert forbindelser og frakobling.",
+    "httpDestRequestLogsTitle": "Forespørselslogger (Automatic Translation)",
+    "httpDestRequestLogsDescription": "HTTP-forespørsel logger for bekreftede ressurser, inkludert metode, bane og responskode.",
+    "httpDestSaveChanges": "Lagre endringer",
+    "httpDestCreateDestination": "Opprett mål",
+    "httpDestUpdatedSuccess": "Målet er oppdatert",
+    "httpDestCreatedSuccess": "Målet er opprettet",
+    "httpDestUpdateFailed": "Kunne ikke oppdatere destinasjon",
+    "httpDestCreateFailed": "Kan ikke opprette mål"
 }

From f2abbf01e5e17dc7af48e647c97278543457b734 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 15:26:15 -0700
Subject: [PATCH 213/314] Update security

---
 SECURITY.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/SECURITY.md b/SECURITY.md
index 6b7372c24..02fbe77d7 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -3,7 +3,7 @@
 If you discover a security vulnerability, please follow the steps below to responsibly disclose it to us:
 
 1. **Do not create a public GitHub issue or discussion post.** This could put the security of other users at risk.
-2. Send a detailed report to [security@pangolin.net](mailto:security@pangolin.net) or send a **private** message to a maintainer on [Discord](https://discord.gg/HCJR8Xhme4). Include:
+2. Send a detailed report to [security@pangolin.net](mailto:security@pangolin.net) with the following information:
 
 -   Description and location of the vulnerability.
 -   Potential impact of the vulnerability.

From f34a3559be99b0e2486dd5ad2f5e387959821a4a Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 16:03:22 -0700
Subject: [PATCH 214/314] Update go version

---
 .github/workflows/cicd.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index d4cde4ac4..54ae22194 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -266,7 +266,7 @@ jobs:
             - name: Install Go
               uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
               with:
-                  go-version: 1.24
+                  go-version: 1.25
 
             - name: Update version in package.json
               run: |

From 3a9e79e6d56740652a26fa87e29bafe676aa84ac Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 16:17:17 -0700
Subject: [PATCH 215/314] Filter only newt sites on private resources

---
 src/components/InternalResourceForm.tsx |  1 +
 src/components/site-selector.tsx        | 10 +++++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/components/InternalResourceForm.tsx b/src/components/InternalResourceForm.tsx
index 50847a489..a4a793753 100644
--- a/src/components/InternalResourceForm.tsx
+++ b/src/components/InternalResourceForm.tsx
@@ -614,6 +614,7 @@ export function InternalResourceForm({
                                         <SitesSelector
                                             orgId={orgId}
                                             selectedSite={selectedSite}
+                                            filterTypes={["newt"]}
                                             onSelectSite={(site) => {
                                                 setSelectedSite(site);
                                                 field.onChange(site.siteId);
diff --git a/src/components/site-selector.tsx b/src/components/site-selector.tsx
index 4c3c97651..db23362dc 100644
--- a/src/components/site-selector.tsx
+++ b/src/components/site-selector.tsx
@@ -24,12 +24,14 @@ export type SitesSelectorProps = {
     orgId: string;
     selectedSite?: Selectedsite | null;
     onSelectSite: (selected: Selectedsite) => void;
+    filterTypes?: string[];
 };
 
 export function SitesSelector({
     orgId,
     selectedSite,
-    onSelectSite
+    onSelectSite,
+    filterTypes
 }: SitesSelectorProps) {
     const t = useTranslations();
     const [siteSearchQuery, setSiteSearchQuery] = useState("");
@@ -45,7 +47,9 @@ export function SitesSelector({
 
     // always include the selected site in the list of sites shown
     const sitesShown = useMemo(() => {
-        const allSites: Array<Selectedsite> = [...sites];
+        const allSites: Array<Selectedsite> = filterTypes
+            ? sites.filter((s) => filterTypes.includes(s.type))
+            : [...sites];
         if (
             debouncedQuery.trim().length === 0 &&
             selectedSite &&
@@ -54,7 +58,7 @@ export function SitesSelector({
             allSites.unshift(selectedSite);
         }
         return allSites;
-    }, [debouncedQuery, sites, selectedSite]);
+    }, [debouncedQuery, sites, selectedSite, filterTypes]);
 
     return (
         <Command shouldFilter={false}>

From 547865e0dab4a97c128b9d86f20462ba255c5e27 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 16:24:53 -0700
Subject: [PATCH 216/314] Mark targets unhealthy when site is down

Fix #2675
Fix #2700
Fix #1742
---
 server/routers/newt/handleNewtPingMessage.ts | 31 ++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)

diff --git a/server/routers/newt/handleNewtPingMessage.ts b/server/routers/newt/handleNewtPingMessage.ts
index c2c4e7762..32f665758 100644
--- a/server/routers/newt/handleNewtPingMessage.ts
+++ b/server/routers/newt/handleNewtPingMessage.ts
@@ -1,4 +1,4 @@
-import { db, newts, sites } from "@server/db";
+import { db, newts, sites, targetHealthCheck, targets } from "@server/db";
 import {
     hasActiveConnections,
     getClientConfigVersion
@@ -78,6 +78,32 @@ export const startNewtOfflineChecker = (): void => {
                     .update(sites)
                     .set({ online: false })
                     .where(eq(sites.siteId, staleSite.siteId));
+
+                const healthChecksOnSite = await db
+                    .select()
+                    .from(targetHealthCheck)
+                    .innerJoin(
+                        targets,
+                        eq(targets.targetId, targetHealthCheck.targetId)
+                    )
+                    .innerJoin(sites, eq(sites.siteId, targets.siteId))
+                    .where(eq(sites.siteId, staleSite.siteId));
+
+                for (const healthCheck of healthChecksOnSite) {
+                    logger.info(
+                        `Marking health check ${healthCheck.targetHealthCheck.targetHealthCheckId} offline due to site ${staleSite.siteId} being marked offline`
+                    );
+                    await db
+                        .update(targetHealthCheck)
+                        .set({ hcHealth: "unknown" })
+                        .where(
+                            eq(
+                                targetHealthCheck.targetHealthCheckId,
+                                healthCheck.targetHealthCheck
+                                    .targetHealthCheckId
+                            )
+                        );
+                }
             }
 
             // this part only effects self hosted. Its not efficient but we dont expect people to have very many wireguard sites
@@ -102,7 +128,8 @@ export const startNewtOfflineChecker = (): void => {
 
             // loop over each one. If its offline and there is a new update then mark it online. If its online and there is no update then mark it offline
             for (const site of allWireguardSites) {
-                const lastBandwidthUpdate = new Date(site.lastBandwidthUpdate!).getTime() / 1000;
+                const lastBandwidthUpdate =
+                    new Date(site.lastBandwidthUpdate!).getTime() / 1000;
                 if (
                     lastBandwidthUpdate < wireguardOfflineThreshold &&
                     site.online

From 69aa6e2d1dc837d67499c02230dc2b4d2b0f369c Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 17:00:06 -0700
Subject: [PATCH 217/314] Prevent increase in writes on reconnect

---
 .../routers/target/handleHealthcheckStatusMessage.ts | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/server/routers/target/handleHealthcheckStatusMessage.ts b/server/routers/target/handleHealthcheckStatusMessage.ts
index 01cbdea81..7ea1730ce 100644
--- a/server/routers/target/handleHealthcheckStatusMessage.ts
+++ b/server/routers/target/handleHealthcheckStatusMessage.ts
@@ -77,7 +77,8 @@ export const handleHealthcheckStatusMessage: MessageHandler = async (
             const [targetCheck] = await db
                 .select({
                     targetId: targets.targetId,
-                    siteId: targets.siteId
+                    siteId: targets.siteId,
+                    hcStatus: targetHealthCheck.hcHealth
                 })
                 .from(targets)
                 .innerJoin(
@@ -85,6 +86,7 @@ export const handleHealthcheckStatusMessage: MessageHandler = async (
                     eq(targets.resourceId, resources.resourceId)
                 )
                 .innerJoin(sites, eq(targets.siteId, sites.siteId))
+                .innerJoin(targetHealthCheck, eq(targets.targetId, targetHealthCheck.targetId))
                 .where(
                     and(
                         eq(targets.targetId, targetIdNum),
@@ -101,6 +103,14 @@ export const handleHealthcheckStatusMessage: MessageHandler = async (
                 continue;
             }
 
+            // check if the status has changed
+            if (targetCheck.hcStatus === healthStatus.status) {
+                logger.debug(
+                    `Health status for target ${targetId} is already ${healthStatus.status}, skipping update`
+                );
+                continue;
+            }
+
             // Update the target's health status in the database
             await db
                 .update(targetHealthCheck)

From 08e4afaef01f33f390e69180c4e642720f7ec19b Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 17:06:56 -0700
Subject: [PATCH 218/314] Update hp log message

---
 server/routers/newt/handleGetConfigMessage.ts  | 3 ++-
 server/routers/olm/handleOlmRegisterMessage.ts | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/server/routers/newt/handleGetConfigMessage.ts b/server/routers/newt/handleGetConfigMessage.ts
index fced51818..9c67f53ee 100644
--- a/server/routers/newt/handleGetConfigMessage.ts
+++ b/server/routers/newt/handleGetConfigMessage.ts
@@ -8,6 +8,7 @@ import { sendToExitNode } from "#dynamic/lib/exitNodes";
 import { buildClientConfigurationForNewtClient } from "./buildConfiguration";
 import { convertTargetsIfNessicary } from "../client/targets";
 import { canCompress } from "@server/lib/clientVersionChecks";
+import config from "@server/lib/config";
 
 export const handleGetConfigMessage: MessageHandler = async (context) => {
     const { message, client, sendToClient } = context;
@@ -55,7 +56,7 @@ export const handleGetConfigMessage: MessageHandler = async (context) => {
 
     if (existingSite.lastHolePunch && now - existingSite.lastHolePunch > 5) {
         logger.warn(
-            `handleGetConfigMessage: Site ${existingSite.siteId} last hole punch is too old, skipping`
+            `Site last hole punch is too old; skipping this register. The site is failing to hole punch and identify its network address with the server. Can the client reach the server on UDP port ${config.getRawConfig().gerbil.clients_start_port}?`
         );
         return;
     }
diff --git a/server/routers/olm/handleOlmRegisterMessage.ts b/server/routers/olm/handleOlmRegisterMessage.ts
index 26dbff1bd..01495de3b 100644
--- a/server/routers/olm/handleOlmRegisterMessage.ts
+++ b/server/routers/olm/handleOlmRegisterMessage.ts
@@ -20,6 +20,7 @@ import { handleFingerprintInsertion } from "./fingerprintingUtils";
 import { Alias } from "@server/lib/ip";
 import { build } from "@server/build";
 import { canCompress } from "@server/lib/clientVersionChecks";
+import config from "@server/lib/config";
 
 export const handleOlmRegisterMessage: MessageHandler = async (context) => {
     logger.info("Handling register olm message!");
@@ -274,7 +275,7 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
     // TODO: I still think there is a better way to do this rather than locking it out here but ???
     if (now - (client.lastHolePunch || 0) > 5 && sitesCount > 0) {
         logger.warn(
-            "Client last hole punch is too old and we have sites to send; skipping this register"
+            `Client last hole punch is too old and we have sites to send; skipping this register. The client is failing to hole punch and identify its network address with the server. Can the client reach the server on UDP port ${config.getRawConfig().gerbil.clients_start_port}?`
         );
         return;
     }

From 363c13c3878b60349caab73f19e5630032cbfb21 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Wed, 1 Apr 2026 09:53:49 -0700
Subject: [PATCH 219/314] Impvove communication

---
 README.md                                              | 2 +-
 messages/en-US.json                                    | 6 +++---
 src/app/[orgId]/settings/provisioning/pending/page.tsx | 6 ++++++
 src/components/PendingSitesTable.tsx                   | 7 +++++++
 src/components/SiteProvisioningKeysTable.tsx           | 1 +
 src/components/ui/controlled-data-table.tsx            | 4 +++-
 src/components/ui/data-table.tsx                       | 4 +++-
 7 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index bac7b7e56..28fc991c8 100644
--- a/README.md
+++ b/README.md
@@ -60,7 +60,7 @@ Pangolin is an open-source, identity-based remote access platform built on WireG
 
 | <img width=500 /> | Description |
 |-----------------|--------------|
-| **Pangolin Cloud** | Fully managed service with instant setup and pay-as-you-go pricing — no infrastructure required. Or, self-host your own [remote node](https://docs.pangolin.net/manage/remote-node/understanding-nodes) and connect to our control plane. |
+| **Pangolin Cloud** | Fully managed service with instant setup and pay-as-you-go pricing - no infrastructure required. Or, self-host your own [remote node](https://docs.pangolin.net/manage/remote-node/understanding-nodes) and connect to our control plane. |
 | **Self-Host: Community Edition** | Free, open source, and licensed under AGPL-3. |
 | **Self-Host: Enterprise Edition** | Licensed under Fossorial Commercial License. Free for personal and hobbyist use, and for businesses earning under \$100K USD annually. |
 
diff --git a/messages/en-US.json b/messages/en-US.json
index 412d50179..51bb996af 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Provisioning key updated",
     "provisioningKeysUpdatedDescription": "Your changes have been saved.",
     "provisioningKeysBannerTitle": "Site Provisioning Keys",
-    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup — no need to set up separate credentials for each site.",
+    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
     "provisioningKeysBannerButtonText": "Learn More",
     "pendingSitesBannerTitle": "Pending Sites",
-    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review. Approve each site before it becomes active and gains access to your resources.",
+    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
     "pendingSitesBannerButtonText": "Learn More",
     "apiKeysSettings": "{apiKeyName} Settings",
     "userTitle": "Manage All Users",
@@ -2346,7 +2346,7 @@
                 "description": "Enterprise features, 50 users, 50 sites, and priority support."
             }
         },
-        "personalUseOnly": "Personal use only (free license — no checkout)",
+        "personalUseOnly": "Personal use only (free license - no checkout)",
         "buttons": {
             "continueToCheckout": "Continue to Checkout"
         },
diff --git a/src/app/[orgId]/settings/provisioning/pending/page.tsx b/src/app/[orgId]/settings/provisioning/pending/page.tsx
index 637f828b8..4669f9160 100644
--- a/src/app/[orgId]/settings/provisioning/pending/page.tsx
+++ b/src/app/[orgId]/settings/provisioning/pending/page.tsx
@@ -9,6 +9,8 @@ import DismissableBanner from "@app/components/DismissableBanner";
 import Link from "next/link";
 import { Button } from "@app/components/ui/button";
 import { ArrowRight, Plug } from "lucide-react";
+import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
+import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
 
 type PendingSitesPageProps = {
     params: Promise<{ orgId: string }>;
@@ -96,6 +98,10 @@ export default async function PendingSitesPage(props: PendingSitesPageProps) {
                     </Button>
                 </Link>
             </DismissableBanner>
+            <PaidFeaturesAlert
+                tiers={tierMatrix[TierFeature.SiteProvisioningKeys]}
+            />
+
             <PendingSitesTable
                 sites={siteRows}
                 orgId={params.orgId}
diff --git a/src/components/PendingSitesTable.tsx b/src/components/PendingSitesTable.tsx
index 64417da7b..12abcf7c4 100644
--- a/src/components/PendingSitesTable.tsx
+++ b/src/components/PendingSitesTable.tsx
@@ -15,6 +15,8 @@ import { getNextSortOrder, getSortDirection } from "@app/lib/sortColumn";
 import { toast } from "@app/hooks/useToast";
 import { createApiClient, formatAxiosError } from "@app/lib/api";
 import { build } from "@server/build";
+import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
+import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { type PaginationState } from "@tanstack/react-table";
 import {
     ArrowDown01Icon,
@@ -63,6 +65,10 @@ export default function PendingSitesTable({
 
     const api = createApiClient(useEnvContext());
     const t = useTranslations();
+    const { isPaidUser } = usePaidStatus();
+    const canUseSiteProvisioning =
+        isPaidUser(tierMatrix[TierFeature.SiteProvisioningKeys]) &&
+        build !== "oss";
 
     const booleanSearchFilterSchema = z
         .enum(["true", "false"])
@@ -450,6 +456,7 @@ export default function PendingSitesTable({
             onSearch={handleSearchChange}
             onRefresh={refreshData}
             isRefreshing={isRefreshing || isFiltering}
+            refreshButtonDisabled={!canUseSiteProvisioning}
             rowCount={rowCount}
             columnVisibility={{
                 niceId: false,
diff --git a/src/components/SiteProvisioningKeysTable.tsx b/src/components/SiteProvisioningKeysTable.tsx
index fafbe725e..97c2bc215 100644
--- a/src/components/SiteProvisioningKeysTable.tsx
+++ b/src/components/SiteProvisioningKeysTable.tsx
@@ -311,6 +311,7 @@ export default function SiteProvisioningKeysTable({
                 addButtonDisabled={!canUseSiteProvisioning}
                 onRefresh={refreshData}
                 isRefreshing={isRefreshing}
+                refreshButtonDisabled={!canUseSiteProvisioning}
                 addButtonText={t("provisioningKeysAdd")}
                 enableColumnVisibility={true}
                 stickyLeftColumn="name"
diff --git a/src/components/ui/controlled-data-table.tsx b/src/components/ui/controlled-data-table.tsx
index a0231bb8c..34a35455c 100644
--- a/src/components/ui/controlled-data-table.tsx
+++ b/src/components/ui/controlled-data-table.tsx
@@ -69,6 +69,7 @@ type ControlledDataTableProps<TData, TValue> = {
     onAdd?: () => void;
     onRefresh?: () => void;
     isRefreshing?: boolean;
+    refreshButtonDisabled?: boolean;
     isNavigatingToAddPage?: boolean;
     searchPlaceholder?: string;
     filters?: DataTableFilter[];
@@ -91,6 +92,7 @@ export function ControlledDataTable<TData, TValue>({
     onAdd,
     onRefresh,
     isRefreshing,
+    refreshButtonDisabled = false,
     searchPlaceholder = "Search...",
     filters,
     filterDisplayMode = "label",
@@ -335,7 +337,7 @@ export function ControlledDataTable<TData, TValue>({
                                 <Button
                                     variant="outline"
                                     onClick={onRefresh}
-                                    disabled={isRefreshing}
+                                    disabled={isRefreshing || refreshButtonDisabled}
                                 >
                                     <RefreshCw
                                         className={`mr-0 sm:mr-2 h-4 w-4 ${isRefreshing ? "animate-spin" : ""}`}
diff --git a/src/components/ui/data-table.tsx b/src/components/ui/data-table.tsx
index a0c11ffdf..c62afd329 100644
--- a/src/components/ui/data-table.tsx
+++ b/src/components/ui/data-table.tsx
@@ -174,6 +174,7 @@ type DataTableProps<TData, TValue> = {
     addButtonDisabled?: boolean;
     onRefresh?: () => void;
     isRefreshing?: boolean;
+    refreshButtonDisabled?: boolean;
     searchPlaceholder?: string;
     searchColumn?: string;
     defaultSort?: {
@@ -207,6 +208,7 @@ export function DataTable<TData, TValue>({
     addButtonDisabled = false,
     onRefresh,
     isRefreshing,
+    refreshButtonDisabled = false,
     searchPlaceholder = "Search...",
     searchColumn = "name",
     defaultSort,
@@ -624,7 +626,7 @@ export function DataTable<TData, TValue>({
                                 <Button
                                     variant="outline"
                                     onClick={onRefresh}
-                                    disabled={isRefreshing}
+                                    disabled={isRefreshing || refreshButtonDisabled}
                                 >
                                     <RefreshCw
                                         className={`mr-0 sm:mr-2 h-4 w-4 ${isRefreshing ? "animate-spin" : ""}`}

From 30a756d254f2a2deb9608bedb5821ffb0bd0b0d1 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 1 Apr 2026 09:58:32 -0700
Subject: [PATCH 220/314] New translations en-us.json (French)

---
 messages/fr-FR.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/fr-FR.json b/messages/fr-FR.json
index 792775fdd..abc6665ce 100644
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Clé de provisioning mise à jour",
     "provisioningKeysUpdatedDescription": "Vos modifications ont été enregistrées.",
     "provisioningKeysBannerTitle": "Clés de provisioning du site",
-    "provisioningKeysBannerDescription": "Générez une clé de provisioning et utilisez-la avec le connecteur Newt pour créer automatiquement des sites au premier démarrage — pas besoin de configurer des identifiants distincts pour chaque site.",
+    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
     "provisioningKeysBannerButtonText": "En savoir plus",
     "pendingSitesBannerTitle": "Sites en attente",
-    "pendingSitesBannerDescription": "Les sites qui se connectent à l'aide d'une clé de provisioning apparaissent ici pour être revus. Approuver chaque site avant qu'il ne devienne actif et qu'il accède à vos ressources.",
+    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
     "pendingSitesBannerButtonText": "En savoir plus",
     "apiKeysSettings": "Paramètres de {apiKeyName}",
     "userTitle": "Gérer tous les utilisateurs",
@@ -2346,7 +2346,7 @@
                 "description": "Fonctionnalités d'entreprise, 50 utilisateurs, 50 sites et une prise en charge prioritaire."
             }
         },
-        "personalUseOnly": "Utilisation personnelle uniquement (licence gratuite — sans checkout)",
+        "personalUseOnly": "Personal use only (free license - no checkout)",
         "buttons": {
             "continueToCheckout": "Continuer vers le paiement"
         },

From ad301074dbbf4f732a9c66e2a7e6cda470cb7741 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 1 Apr 2026 09:58:33 -0700
Subject: [PATCH 221/314] New translations en-us.json (Bulgarian)

---
 messages/bg-BG.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/bg-BG.json b/messages/bg-BG.json
index e841490b2..36e903993 100644
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Ключът за осигуряване е актуализиран",
     "provisioningKeysUpdatedDescription": "Вашите промени бяха запазени.",
     "provisioningKeysBannerTitle": "Ключове за осигуряване на сайта",
-    "provisioningKeysBannerDescription": "Генерирайте ключ за осигуряване и го използвайте с Newt конектора за автоматично създаване на сайтове при първото стартиране — няма нужда от създаване на отделни идентификационни данни за всеки сайт.",
+    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
     "provisioningKeysBannerButtonText": "Научете повече",
     "pendingSitesBannerTitle": "Чакащи сайтове",
-    "pendingSitesBannerDescription": "Сайтовете, които се свързват чрез ключ за осигуряване, се появяват тук за преглед. Одобрете всеки сайт, преди да стане активен и да получи достъп до вашите ресурси.",
+    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
     "pendingSitesBannerButtonText": "Научете повече",
     "apiKeysSettings": "Настройки на {apiKeyName}",
     "userTitle": "Управление на всички потребители",
@@ -2346,7 +2346,7 @@
                 "description": "Предприятие, 50 потребители, 50 сайта и приоритетна поддръжка."
             }
         },
-        "personalUseOnly": "Само за лична употреба (безплатен лиценз — без плащане)",
+        "personalUseOnly": "Personal use only (free license - no checkout)",
         "buttons": {
             "continueToCheckout": "Продължете към плащане"
         },

From 1290d6cd5cc3177292e1119962f83560fcb9a0d3 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 1 Apr 2026 09:58:35 -0700
Subject: [PATCH 222/314] New translations en-us.json (Czech)

---
 messages/cs-CZ.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/cs-CZ.json b/messages/cs-CZ.json
index fe5de4199..437898931 100644
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Zajišťovací klíč byl aktualizován",
     "provisioningKeysUpdatedDescription": "Vaše změny byly uloženy.",
     "provisioningKeysBannerTitle": "Klíče pro poskytování webu",
-    "provisioningKeysBannerDescription": "Vygenerujte konfigurační klíč a používejte jej pomocí nového konektoru k automatickému vytváření stránek při prvním startu – není třeba nastavovat samostatné přihlašovací údaje pro každý web.",
+    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
     "provisioningKeysBannerButtonText": "Zjistit více",
     "pendingSitesBannerTitle": "Nevyřízené weby",
-    "pendingSitesBannerDescription": "Zde se zobrazují stránky, které se připojují pomocí doplňovacího klíče. Schválte každý web předtím, než bude aktivní, a získejte přístup k vašim zdrojům.",
+    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
     "pendingSitesBannerButtonText": "Zjistit více",
     "apiKeysSettings": "Nastavení {apiKeyName}",
     "userTitle": "Spravovat všechny uživatele",
@@ -2346,7 +2346,7 @@
                 "description": "Podnikové funkce, 50 uživatelů, 50 míst a prioritní podpory."
             }
         },
-        "personalUseOnly": "Pouze osobní použití (bezplatná licence – bez platby)",
+        "personalUseOnly": "Personal use only (free license - no checkout)",
         "buttons": {
             "continueToCheckout": "Pokračovat do pokladny"
         },

From 19cef8c453c767b469464f31c59c12f372119248 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 1 Apr 2026 09:58:36 -0700
Subject: [PATCH 223/314] New translations en-us.json (German)

---
 messages/de-DE.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/de-DE.json b/messages/de-DE.json
index 0b72ececd..73fa8c0a1 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Bereitstellungsschlüssel aktualisiert",
     "provisioningKeysUpdatedDescription": "Ihre Änderungen wurden gespeichert.",
     "provisioningKeysBannerTitle": "Website-Bereitstellungsschlüssel",
-    "provisioningKeysBannerDescription": "Generieren Sie einen Bereitstellungsschlüssel und verwenden Sie ihn mit dem Newt-Konnektor, um beim ersten Start automatisch Sites zu erstellen – keine Notwendigkeit, separate Anmeldeinformationen für jede Seite einzurichten.",
+    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
     "provisioningKeysBannerButtonText": "Mehr erfahren",
     "pendingSitesBannerTitle": "Ausstehende Seiten",
-    "pendingSitesBannerDescription": "Sites, die sich mit einem Bereitstellungsschlüssel verbinden, erscheinen hier zur Überprüfung. Bestätigen Sie jede Site, bevor sie aktiv wird und erhalten Zugriff auf Ihre Ressourcen.",
+    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
     "pendingSitesBannerButtonText": "Mehr erfahren",
     "apiKeysSettings": "{apiKeyName} Einstellungen",
     "userTitle": "Alle Benutzer verwalten",
@@ -2346,7 +2346,7 @@
                 "description": "Enterprise Features, 50 Benutzer, 50 Sites und Prioritätsunterstützung."
             }
         },
-        "personalUseOnly": "Nur persönliche Nutzung (kostenlose Lizenz — keine Kasse)",
+        "personalUseOnly": "Personal use only (free license - no checkout)",
         "buttons": {
             "continueToCheckout": "Weiter zur Kasse"
         },

From e28e5ebb4ef95cb510627f6d5bf8df1e184b1f21 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 1 Apr 2026 09:58:38 -0700
Subject: [PATCH 224/314] New translations en-us.json (Italian)

---
 messages/it-IT.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/it-IT.json b/messages/it-IT.json
index 990e2be66..344bc6ab6 100644
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Chiave di accantonamento aggiornata",
     "provisioningKeysUpdatedDescription": "Le tue modifiche sono state salvate.",
     "provisioningKeysBannerTitle": "Chiavi Di Provvedimento Sito",
-    "provisioningKeysBannerDescription": "Generare una chiave di provisioning e usarla con il connettore Newt per creare automaticamente siti al primo avvio — non è necessario impostare credenziali separate per ogni sito.",
+    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
     "provisioningKeysBannerButtonText": "Scopri di più",
     "pendingSitesBannerTitle": "Siti In Attesa",
-    "pendingSitesBannerDescription": "I siti che si connettono utilizzando una chiave di provisioning appaiono qui per la revisione. Approva ogni sito prima che diventi attivo e ottenga l'accesso alle tue risorse.",
+    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
     "pendingSitesBannerButtonText": "Scopri di più",
     "apiKeysSettings": "Impostazioni {apiKeyName}",
     "userTitle": "Gestisci Tutti Gli Utenti",
@@ -2346,7 +2346,7 @@
                 "description": "Funzionalità aziendali, 50 utenti, 50 siti e supporto prioritario."
             }
         },
-        "personalUseOnly": "Solo uso personale (licenza gratuita — nessun checkout)",
+        "personalUseOnly": "Personal use only (free license - no checkout)",
         "buttons": {
             "continueToCheckout": "Continua al Checkout"
         },

From 61a78ef352c17f2431ebe70c2071ad9081c00be3 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 1 Apr 2026 09:58:39 -0700
Subject: [PATCH 225/314] New translations en-us.json (Korean)

---
 messages/ko-KR.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/ko-KR.json b/messages/ko-KR.json
index e0ae07d66..2685fa8bf 100644
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "프로비저닝 키가 업데이트되었습니다",
     "provisioningKeysUpdatedDescription": "변경 사항이 저장되었습니다.",
     "provisioningKeysBannerTitle": "사이트 프로비저닝 키",
-    "provisioningKeysBannerDescription": "프로비저닝 키를 생성하여 Newt 커넥터와 함께 사용해 첫 실행 시 자동으로 사이트를 생성하세요 — 각 사이트마다 별도의 인증을 설정할 필요가 없습니다.",
+    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
     "provisioningKeysBannerButtonText": "자세히 알아보기",
     "pendingSitesBannerTitle": "대기중인 사이트",
-    "pendingSitesBannerDescription": "프로비저닝 키를 사용하여 연결하는 사이트는 검토 대기 중입니다. 사이트가 활성화되어 리소스에 액세스하기 전에 각 사이트를 승인하세요.",
+    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
     "pendingSitesBannerButtonText": "자세히 알아보기",
     "apiKeysSettings": "{apiKeyName} 설정",
     "userTitle": "모든 사용자 관리",
@@ -2346,7 +2346,7 @@
                 "description": "기업 기능, 50명의 사용자, 50개의 사이트, 우선 지원."
             }
         },
-        "personalUseOnly": "개인 사용 전용 (무료 라이센스 — 체크아웃 없음)",
+        "personalUseOnly": "Personal use only (free license - no checkout)",
         "buttons": {
             "continueToCheckout": "결제로 진행"
         },

From 58a87a986a61428f24dcff97deb4207f40df8097 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 1 Apr 2026 09:58:41 -0700
Subject: [PATCH 226/314] New translations en-us.json (Dutch)

---
 messages/nl-NL.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/nl-NL.json b/messages/nl-NL.json
index e38aec788..808903c82 100644
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Provisie sleutel bijgewerkt",
     "provisioningKeysUpdatedDescription": "Uw wijzigingen zijn opgeslagen.",
     "provisioningKeysBannerTitle": "Bewerkingssleutels voor websites",
-    "provisioningKeysBannerDescription": "Genereer een provisioning-sleutel en gebruik deze met de Newt-connector om automatisch sites aan te maken bij het opstarten van de eerste opstart- het is niet nodig om afzonderlijke inloggegevens in te stellen voor elke site.",
+    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
     "provisioningKeysBannerButtonText": "Meer informatie",
     "pendingSitesBannerTitle": "Openstaande sites",
-    "pendingSitesBannerDescription": "Sites die met elkaar verbinden met behulp van een provisioning-sleutel verschijnen hier voor beoordeling. Accepteer elke site voordat deze actief wordt en krijgt toegang tot uw bronnen.",
+    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
     "pendingSitesBannerButtonText": "Meer informatie",
     "apiKeysSettings": "{apiKeyName} instellingen",
     "userTitle": "Alle gebruikers beheren",
@@ -2346,7 +2346,7 @@
                 "description": "Enterprise functies, 50 gebruikers, 50 sites en prioriteit ondersteuning."
             }
         },
-        "personalUseOnly": "Alleen persoonlijk gebruik (gratis licentie - geen afrekenen)",
+        "personalUseOnly": "Personal use only (free license - no checkout)",
         "buttons": {
             "continueToCheckout": "Doorgaan naar afrekenen"
         },

From 231a19b67995050696b1dbb6bd6fd237ba00966a Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 1 Apr 2026 09:58:43 -0700
Subject: [PATCH 227/314] New translations en-us.json (Polish)

---
 messages/pl-PL.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/pl-PL.json b/messages/pl-PL.json
index 3a9607e7c..aa880bba7 100644
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Klucz zaopatrzenia zaktualizowany",
     "provisioningKeysUpdatedDescription": "Twoje zmiany zostały zapisane.",
     "provisioningKeysBannerTitle": "Klucze Zaopatrzenia witryny",
-    "provisioningKeysBannerDescription": "Wygeneruj klucz tworzenia rezerw i użyj go z konektorem Newt do automatycznego tworzenia witryn przy pierwszym uruchomieniu — nie ma potrzeby ustawiania oddzielnych poświadczeń dla każdej witryny.",
+    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
     "provisioningKeysBannerButtonText": "Dowiedz się więcej",
     "pendingSitesBannerTitle": "Witryny oczekujące",
-    "pendingSitesBannerDescription": "Witryny, które łączą się przy użyciu klucza zaopatrzenia, pojawiają się tutaj, aby przejrzeć. Zatwierdź każdą witrynę, zanim stanie się aktywna i uzyska dostęp do twoich zasobów.",
+    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
     "pendingSitesBannerButtonText": "Dowiedz się więcej",
     "apiKeysSettings": "Ustawienia {apiKeyName}",
     "userTitle": "Zarządzaj wszystkimi użytkownikami",
@@ -2346,7 +2346,7 @@
                 "description": "Cechy przedsiębiorstw, 50 użytkowników, 50 obiektów i wsparcie priorytetowe."
             }
         },
-        "personalUseOnly": "Wyłącznie do użytku osobistego (bezpłatna licencja – brak zamówień)",
+        "personalUseOnly": "Personal use only (free license - no checkout)",
         "buttons": {
             "continueToCheckout": "Przejdź do zamówienia"
         },

From f41118090875238a5e8fe3ad4c03a9aac1016ee5 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 1 Apr 2026 09:58:44 -0700
Subject: [PATCH 228/314] New translations en-us.json (Portuguese)

---
 messages/pt-PT.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/pt-PT.json b/messages/pt-PT.json
index 2573ed6da..7a61c673d 100644
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Chave de provisionamento atualizada",
     "provisioningKeysUpdatedDescription": "Suas alterações foram salvas.",
     "provisioningKeysBannerTitle": "Chaves de provisionamento do site",
-    "provisioningKeysBannerDescription": "Gerar uma chave de provisionamento e usá-la com o conector de Newt para criar automaticamente sites na primeira inicialização — não é necessário configurar credenciais separadas para cada site.",
+    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
     "provisioningKeysBannerButtonText": "Saiba mais",
     "pendingSitesBannerTitle": "Sites pendentes",
-    "pendingSitesBannerDescription": "Sites que conectam usando uma chave de provisionamento aparecem aqui para revisão. Aprovar cada site antes de se tornar ativo e ganhar acesso a seus recursos.",
+    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
     "pendingSitesBannerButtonText": "Saiba mais",
     "apiKeysSettings": "Configurações de {apiKeyName}",
     "userTitle": "Gerir Todos os Utilizadores",
@@ -2346,7 +2346,7 @@
                 "description": "Recursos de empresa, 50 usuários, 50 sites e apoio prioritário."
             }
         },
-        "personalUseOnly": "Apenas uso pessoal (licença gratuita — sem check-out)",
+        "personalUseOnly": "Personal use only (free license - no checkout)",
         "buttons": {
             "continueToCheckout": "Continuar com checkout"
         },

From a2dff0a35d1fbe3280892b5e35d80186a0d4547c Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 1 Apr 2026 09:58:46 -0700
Subject: [PATCH 229/314] New translations en-us.json (Russian)

---
 messages/ru-RU.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index b44ec36ed..11f52ae39 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Ключ подготовки обновлен",
     "provisioningKeysUpdatedDescription": "Ваши изменения были сохранены.",
     "provisioningKeysBannerTitle": "Ключи подготовки сайта",
-    "provisioningKeysBannerDescription": "Генерировать подготовительный ключ и использовать его вместе с Новым коннектором для автоматического создания сайтов при первом запуске — нет необходимости настраивать отдельные учетные данные для каждого сайта.",
+    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
     "provisioningKeysBannerButtonText": "Узнать больше",
     "pendingSitesBannerTitle": "Ожидающие сайты",
-    "pendingSitesBannerDescription": "Сайты, связанные с использованием ключа подготовки, появляются здесь для проверки. Одобрите каждый сайт, прежде чем он станет активным и получит доступ к вашим ресурсам.",
+    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
     "pendingSitesBannerButtonText": "Узнать больше",
     "apiKeysSettings": "Настройки {apiKeyName}",
     "userTitle": "Управление всеми пользователями",
@@ -2346,7 +2346,7 @@
                 "description": "Функции предприятия, 50 пользователей, 50 сайтов, а также приоритетная поддержка."
             }
         },
-        "personalUseOnly": "Только для личного пользования (бесплатная лицензия — без оформления)",
+        "personalUseOnly": "Personal use only (free license - no checkout)",
         "buttons": {
             "continueToCheckout": "Продолжить оформление заказа"
         },

From 1218507f7dc01d65ca2e946c8a1f667ea5d985dd Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 1 Apr 2026 09:58:47 -0700
Subject: [PATCH 230/314] New translations en-us.json (Turkish)

---
 messages/tr-TR.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/tr-TR.json b/messages/tr-TR.json
index e89778322..1291850a0 100644
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Tedarik anahtarı güncellendi",
     "provisioningKeysUpdatedDescription": "Değişiklikleriniz kaydedildi.",
     "provisioningKeysBannerTitle": "Site Tedarik Anahtarları",
-    "provisioningKeysBannerDescription": "Tedarik anahtarı oluşturun ve ilk başlangıçta siteleri otomatik olarak oluşturmak için Newt konektörüyle kullanın — her site için ayrı kimlik bilgileri ayarlamaya gerek yoktur.",
+    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
     "provisioningKeysBannerButtonText": "Daha fazla bilgi",
     "pendingSitesBannerTitle": "Bekleyen Siteler",
-    "pendingSitesBannerDescription": "Tedarik anahtarı kullanarak bağlanan siteler burada incelenmek için görünür. Aktif hale gelmeden ve kaynaklarınıza erişim kazanmadan önce her siteyi onaylayın.",
+    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
     "pendingSitesBannerButtonText": "Daha fazla bilgi",
     "apiKeysSettings": "{apiKeyName} Ayarları",
     "userTitle": "Tüm Kullanıcıları Yönet",
@@ -2346,7 +2346,7 @@
                 "description": "Kurumsal özellikler, 50 kullanıcı, 50 site ve öncelikli destek."
             }
         },
-        "personalUseOnly": "Yalnızca kişisel kullanım (ücretsiz lisans — ödeme yapılmaz)",
+        "personalUseOnly": "Personal use only (free license - no checkout)",
         "buttons": {
             "continueToCheckout": "Ödemeye Devam Et"
         },

From 728e7252ebbcb6d791554955ad34488996b0c263 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 1 Apr 2026 09:58:49 -0700
Subject: [PATCH 231/314] New translations en-us.json (Chinese Simplified)

---
 messages/zh-CN.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/zh-CN.json b/messages/zh-CN.json
index 07ffe4d5b..ecd8e3386 100644
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "置备密钥已更新",
     "provisioningKeysUpdatedDescription": "您的更改已保存。",
     "provisioningKeysBannerTitle": "站点置备密钥",
-    "provisioningKeysBannerDescription": "生成一个预配键并使用它来在首次启动时自动创建站点——无需为每个站点设置单独的凭证。",
+    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
     "provisioningKeysBannerButtonText": "了解更多",
     "pendingSitesBannerTitle": "待定站点",
-    "pendingSitesBannerDescription": "使用预配键连接的站点会出现在这里供审核。在站点开始运行之前批准并获取对您资源的访问权限。",
+    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
     "pendingSitesBannerButtonText": "了解更多",
     "apiKeysSettings": "{apiKeyName} 设置",
     "userTitle": "管理所有用户",
@@ -2346,7 +2346,7 @@
                 "description": "企业特征、50个用户、50个站点和优先支持。"
             }
         },
-        "personalUseOnly": "仅供个人使用 (免费许可证-无签出)",
+        "personalUseOnly": "Personal use only (free license - no checkout)",
         "buttons": {
             "continueToCheckout": "继续签出"
         },

From e8c35bec1c602f3432da664d124a36bdd154c790 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 1 Apr 2026 09:58:50 -0700
Subject: [PATCH 232/314] New translations en-us.json (Norwegian Bokmal)

---
 messages/nb-NO.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/nb-NO.json b/messages/nb-NO.json
index 751f15081..52f8caa2f 100644
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Foreslå nøkkel oppdatert",
     "provisioningKeysUpdatedDescription": "Dine endringer er lagret.",
     "provisioningKeysBannerTitle": "Sidens bestemmende nøkler",
-    "provisioningKeysBannerDescription": "Generer en foreløpig nøkkel og bruk den med Nyhetskontakten for å automatisk opprette sider ved første oppstart — trenger ikke å sette opp separat innloggingsinformasjon for hver side.",
+    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
     "provisioningKeysBannerButtonText": "Lær mer",
     "pendingSitesBannerTitle": "Ventende nettsteder",
-    "pendingSitesBannerDescription": "Nettsteder som kobler deg til ved hjelp av en bestemmelsestekst, vises her for gjennomgang. Godkjenn hvert nettsted før det blir aktivt og får tilgang til ressursene dine.",
+    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
     "pendingSitesBannerButtonText": "Lær mer",
     "apiKeysSettings": "{apiKeyName} Innstillinger",
     "userTitle": "Administrer alle brukere",
@@ -2346,7 +2346,7 @@
                 "description": "Enterprise features, 50 brukere, 50 nettsteder og prioritetsstøtte."
             }
         },
-        "personalUseOnly": "Kun personlig bruk (gratis lisens - ingen utsjekking)",
+        "personalUseOnly": "Personal use only (free license - no checkout)",
         "buttons": {
             "continueToCheckout": "Fortsett til kassen"
         },

From 8f3fbb94d206d3d53690569a29b7d32ba88190a5 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 1 Apr 2026 09:58:52 -0700
Subject: [PATCH 233/314] New translations en-us.json (Spanish)

---
 messages/es-ES.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/es-ES.json b/messages/es-ES.json
index 39a2919f8..ef8c63db1 100644
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Clave de aprovisionamiento actualizada",
     "provisioningKeysUpdatedDescription": "Sus cambios han sido guardados.",
     "provisioningKeysBannerTitle": "Claves de aprovisionamiento del sitio",
-    "provisioningKeysBannerDescription": "Generar una clave de aprovisionamiento y usarla con el conector Newt para crear automáticamente sitios en el primer inicio — no es necesario configurar credenciales separadas para cada sitio.",
+    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
     "provisioningKeysBannerButtonText": "Saber más",
     "pendingSitesBannerTitle": "Sitios pendientes",
-    "pendingSitesBannerDescription": "Los sitios que se conectan usando una clave de aprovisionamiento aparecen aquí para su revisión. Aprobar cada sitio antes de que se active y obtenga acceso a sus recursos.",
+    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
     "pendingSitesBannerButtonText": "Saber más",
     "apiKeysSettings": "Ajustes {apiKeyName}",
     "userTitle": "Administrar todos los usuarios",
@@ -2346,7 +2346,7 @@
                 "description": "Características de la empresa, 50 usuarios, 50 sitios y soporte prioritario."
             }
         },
-        "personalUseOnly": "Solo uso personal (licencia gratuita, sin pago)",
+        "personalUseOnly": "Personal use only (free license - no checkout)",
         "buttons": {
             "continueToCheckout": "Continuar con el pago"
         },

From 1bb89fce26d6ba022bbbd7d261c09ac2ac0c56fc Mon Sep 17 00:00:00 2001
From: Laurence <laurence.jones@live.co.uk>
Date: Thu, 2 Apr 2026 12:21:53 +0100
Subject: [PATCH 234/314] enhance: Systemd newt unit

Add a systemd unit option directly from dashboard to prevent copy and paste mistakes
---
 messages/en-US.json                      |  3 ++
 src/components/newt-install-commands.tsx | 52 +++++++++++++++++++++++-
 2 files changed, 53 insertions(+), 2 deletions(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index 51bb996af..e4a225f70 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -2607,6 +2607,9 @@
     "machineClients": "Machine Clients",
     "install": "Install",
     "run": "Run",
+    "envFile": "Environment File",
+    "serviceFile": "Service File",
+    "enableAndStart": "Enable and Start",
     "clientNameDescription": "The display name of the client that can be changed later.",
     "clientAddress": "Client Address (Advanced)",
     "setupFailedToFetchSubnet": "Failed to fetch default subnet",
diff --git a/src/components/newt-install-commands.tsx b/src/components/newt-install-commands.tsx
index ba0363e3b..d7ff57c04 100644
--- a/src/components/newt-install-commands.tsx
+++ b/src/components/newt-install-commands.tsx
@@ -55,7 +55,7 @@ export function NewtSiteInstallCommands({
 
     const commandList: Record<Platform, Record<string, CommandItem[]>> = {
         unix: {
-            All: [
+            Direct: [
                 {
                     title: t("install"),
                     command: `curl -fsSL https://static.pangolin.net/get-newt.sh | bash`
@@ -64,6 +64,54 @@ export function NewtSiteInstallCommands({
                     title: t("run"),
                     command: `newt --id ${id} --secret ${secret} --endpoint ${endpoint}${acceptClientsFlag}`
                 }
+            ],
+            "Systemd Service": [
+                {
+                    title: t("install"),
+                    command: `curl -fsSL https://static.pangolin.net/get-newt.sh | bash`
+                },
+                {
+                    title: t("envFile"),
+                    command: `# Create the directory and environment file
+sudo install -d -m 0755 /etc/newt
+sudo tee /etc/newt/newt.env > /dev/null << 'EOF'
+NEWT_ID=${id}
+NEWT_SECRET=${secret}
+PANGOLIN_ENDPOINT=${endpoint}${!acceptClients ? `
+DISABLE_CLIENTS=true` : ""}
+EOF
+sudo chmod 600 /etc/newt/newt.env`
+                },
+                {
+                    title: t("serviceFile"),
+                    command: `sudo tee /etc/systemd/system/newt.service > /dev/null << 'EOF'
+[Unit]
+Description=Newt
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+User=root
+Group=root
+EnvironmentFile=/etc/newt/newt.env
+ExecStart=/usr/local/bin/newt
+Restart=always
+RestartSec=2
+UMask=0077
+
+NoNewPrivileges=true
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
+EOF`
+                },
+                {
+                    title: t("enableAndStart"),
+                    command: `sudo systemctl daemon-reload
+sudo systemctl enable --now newt`
+                }
             ]
         },
         windows: {
@@ -298,7 +346,7 @@ function getPlatformName(platformName: Platform) {
 function getArchitectures(platform: Platform) {
     switch (platform) {
         case "unix":
-            return ["All"];
+            return ["Direct", "Systemd Service"];
         case "windows":
             return ["x64"];
         case "docker":

From 0479ed9e7f13b3fedba33ebb9ed59fe0b579e061 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 11:42:29 -0400
Subject: [PATCH 235/314] New translations en-us.json (French)

---
 messages/fr-FR.json | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/messages/fr-FR.json b/messages/fr-FR.json
index abc6665ce..248794b95 100644
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -2607,6 +2607,9 @@
     "machineClients": "Clients Machines",
     "install": "Installer",
     "run": "Exécuter",
+    "envFile": "Environment File",
+    "serviceFile": "Service File",
+    "enableAndStart": "Enable and Start",
     "clientNameDescription": "Le nom d'affichage du client qui peut être modifié plus tard.",
     "clientAddress": "Adresse du client (Avancé)",
     "setupFailedToFetchSubnet": "Impossible de récupérer le sous-réseau par défaut",

From fb4fc75bd82f2cce866be954182f2ca115703875 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 11:42:31 -0400
Subject: [PATCH 236/314] New translations en-us.json (Bulgarian)

---
 messages/bg-BG.json | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/messages/bg-BG.json b/messages/bg-BG.json
index 36e903993..3ab20a390 100644
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -2607,6 +2607,9 @@
     "machineClients": "Машинни клиенти",
     "install": "Инсталирай",
     "run": "Изпълни",
+    "envFile": "Environment File",
+    "serviceFile": "Service File",
+    "enableAndStart": "Enable and Start",
     "clientNameDescription": "Показваното име на клиента, което може да се промени по-късно.",
     "clientAddress": "Клиентски адрес (Разширено)",
     "setupFailedToFetchSubnet": "Неуспешно извличане на подмрежа по подразбиране",

From 70b3a432a4de0b5ae368f331ebb877279801f0dc Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 11:42:33 -0400
Subject: [PATCH 237/314] New translations en-us.json (Czech)

---
 messages/cs-CZ.json | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/messages/cs-CZ.json b/messages/cs-CZ.json
index 437898931..87a9bdc8b 100644
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -2607,6 +2607,9 @@
     "machineClients": "Strojoví klienti",
     "install": "Instalovat",
     "run": "Spustit",
+    "envFile": "Environment File",
+    "serviceFile": "Service File",
+    "enableAndStart": "Enable and Start",
     "clientNameDescription": "Zobrazované jméno klienta, které lze později změnit.",
     "clientAddress": "Adresa klienta (Rozšířeno)",
     "setupFailedToFetchSubnet": "Nepodařilo se načíst výchozí podsíť",

From 184aa65c6d349e0c123f7b7b4e5df35eb662f3c2 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 11:42:34 -0400
Subject: [PATCH 238/314] New translations en-us.json (German)

---
 messages/de-DE.json | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/messages/de-DE.json b/messages/de-DE.json
index 73fa8c0a1..e74ae95da 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -2607,6 +2607,9 @@
     "machineClients": "Maschinen-Clients",
     "install": "Installieren",
     "run": "Ausführen",
+    "envFile": "Environment File",
+    "serviceFile": "Service File",
+    "enableAndStart": "Enable and Start",
     "clientNameDescription": "Der Anzeigename des Clients, der später geändert werden kann.",
     "clientAddress": "Clientadresse (Erweitert)",
     "setupFailedToFetchSubnet": "Fehler beim Abrufen des Standard-Subnetzes",

From 98b1e9546aa61a0a4519e26e2dd69db3bbe69cf4 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 11:42:36 -0400
Subject: [PATCH 239/314] New translations en-us.json (Italian)

---
 messages/it-IT.json | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/messages/it-IT.json b/messages/it-IT.json
index 344bc6ab6..1122af617 100644
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -2607,6 +2607,9 @@
     "machineClients": "Machine Clients",
     "install": "Installa",
     "run": "Esegui",
+    "envFile": "Environment File",
+    "serviceFile": "Service File",
+    "enableAndStart": "Enable and Start",
     "clientNameDescription": "Il nome visualizzato del client che può essere modificato in seguito.",
     "clientAddress": "Indirizzo Client (Avanzato)",
     "setupFailedToFetchSubnet": "Recupero della sottorete predefinita non riuscito",

From 2fdd332a3142a8081517a4b0ac9d6821046b900d Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 11:42:38 -0400
Subject: [PATCH 240/314] New translations en-us.json (Korean)

---
 messages/ko-KR.json | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/messages/ko-KR.json b/messages/ko-KR.json
index 2685fa8bf..60c81651d 100644
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -2607,6 +2607,9 @@
     "machineClients": "기계 클라이언트",
     "install": "설치",
     "run": "실행",
+    "envFile": "Environment File",
+    "serviceFile": "Service File",
+    "enableAndStart": "Enable and Start",
     "clientNameDescription": "나중에 변경할 수 있는 클라이언트의 표시 이름입니다.",
     "clientAddress": "클라이언트 주소(고급)",
     "setupFailedToFetchSubnet": "기본값 로드 실패",

From 06bb6636a17556ac1bb6dbde870df7775a1fea02 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 11:42:39 -0400
Subject: [PATCH 241/314] New translations en-us.json (Dutch)

---
 messages/nl-NL.json | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/messages/nl-NL.json b/messages/nl-NL.json
index 808903c82..a99d8e26e 100644
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -2607,6 +2607,9 @@
     "machineClients": "Machine Clienten",
     "install": "Installeren",
     "run": "Uitvoeren",
+    "envFile": "Environment File",
+    "serviceFile": "Service File",
+    "enableAndStart": "Enable and Start",
     "clientNameDescription": "De weergavenaam van de client die later gewijzigd kan worden.",
     "clientAddress": "Klant adres (Geavanceerd)",
     "setupFailedToFetchSubnet": "Kan standaard subnet niet ophalen",

From 075295184286fa6e42a847227371241c44e70222 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 11:42:41 -0400
Subject: [PATCH 242/314] New translations en-us.json (Polish)

---
 messages/pl-PL.json | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/messages/pl-PL.json b/messages/pl-PL.json
index aa880bba7..c0dee1fe3 100644
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -2607,6 +2607,9 @@
     "machineClients": "Klienci maszyn",
     "install": "Zainstaluj",
     "run": "Uruchom",
+    "envFile": "Environment File",
+    "serviceFile": "Service File",
+    "enableAndStart": "Enable and Start",
     "clientNameDescription": "Wyświetlana nazwa klienta, która może zostać zmieniona później.",
     "clientAddress": "Adres klienta (Zaawansowany)",
     "setupFailedToFetchSubnet": "Nie udało się pobrać domyślnej podsieci",

From 7878ac9c7609b220941e4b526ff96e0400b9c3ed Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 11:42:43 -0400
Subject: [PATCH 243/314] New translations en-us.json (Portuguese)

---
 messages/pt-PT.json | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/messages/pt-PT.json b/messages/pt-PT.json
index 7a61c673d..09735a431 100644
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -2607,6 +2607,9 @@
     "machineClients": "Clientes de máquina",
     "install": "Instale",
     "run": "Executar",
+    "envFile": "Environment File",
+    "serviceFile": "Service File",
+    "enableAndStart": "Enable and Start",
     "clientNameDescription": "O nome de exibição do cliente que pode ser alterado mais tarde.",
     "clientAddress": "Endereço do Cliente (Avançado)",
     "setupFailedToFetchSubnet": "Falha ao buscar a subrede padrão",

From f10b40c3b04d29097f12c2eb615b669d232055b5 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 11:42:45 -0400
Subject: [PATCH 244/314] New translations en-us.json (Russian)

---
 messages/ru-RU.json | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index 11f52ae39..353a00634 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -2607,6 +2607,9 @@
     "machineClients": "Машинные клиенты",
     "install": "Установить",
     "run": "Запустить",
+    "envFile": "Environment File",
+    "serviceFile": "Service File",
+    "enableAndStart": "Enable and Start",
     "clientNameDescription": "Отображаемое имя клиента, которое может быть изменено позже.",
     "clientAddress": "Адрес клиента (Дополнительно)",
     "setupFailedToFetchSubnet": "Не удалось получить подсеть по умолчанию",

From ab7b968e2814d411805d7dc90cd5cf7be7514d29 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 11:42:47 -0400
Subject: [PATCH 245/314] New translations en-us.json (Turkish)

---
 messages/tr-TR.json | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/messages/tr-TR.json b/messages/tr-TR.json
index 1291850a0..5e6a8bb61 100644
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -2607,6 +2607,9 @@
     "machineClients": "Makine İstemcileri",
     "install": "Yükle",
     "run": "Çalıştır",
+    "envFile": "Environment File",
+    "serviceFile": "Service File",
+    "enableAndStart": "Enable and Start",
     "clientNameDescription": "Daha sonra değiştirilebilecek istemcinin görünen adı.",
     "clientAddress": "İstemci Adresi (Gelişmiş)",
     "setupFailedToFetchSubnet": "Varsayılan alt ağ alınamadı",

From c0a8304b91ca898a8dca7ab9813347f3f69cd8b7 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 11:42:48 -0400
Subject: [PATCH 246/314] New translations en-us.json (Chinese Simplified)

---
 messages/zh-CN.json | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/messages/zh-CN.json b/messages/zh-CN.json
index ecd8e3386..6f2013fae 100644
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -2607,6 +2607,9 @@
     "machineClients": "机器客户端",
     "install": "安装",
     "run": "运行",
+    "envFile": "Environment File",
+    "serviceFile": "Service File",
+    "enableAndStart": "Enable and Start",
     "clientNameDescription": "可以稍后更改的客户端的显示名称。",
     "clientAddress": "客户端地址 (高级)",
     "setupFailedToFetchSubnet": "获取默认子网失败",

From a57dfd1d123a8c5e17c50260e0ef7459ec4d6d34 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 11:42:50 -0400
Subject: [PATCH 247/314] New translations en-us.json (Norwegian Bokmal)

---
 messages/nb-NO.json | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/messages/nb-NO.json b/messages/nb-NO.json
index 52f8caa2f..dd2195eef 100644
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -2607,6 +2607,9 @@
     "machineClients": "Maskinklienter",
     "install": "Installer",
     "run": "Kjør",
+    "envFile": "Environment File",
+    "serviceFile": "Service File",
+    "enableAndStart": "Enable and Start",
     "clientNameDescription": "Visningsnavnet til klienten som kan endres senere.",
     "clientAddress": "Klientadresse (avansert)",
     "setupFailedToFetchSubnet": "Kunne ikke hente standard undernett",

From f1a0bc97e33dc34ece103f04abc2df07b9b8dada Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 11:42:52 -0400
Subject: [PATCH 248/314] New translations en-us.json (Spanish)

---
 messages/es-ES.json | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/messages/es-ES.json b/messages/es-ES.json
index ef8c63db1..afa815cab 100644
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -2607,6 +2607,9 @@
     "machineClients": "Clientes de la máquina",
     "install": "Instalar",
     "run": "Ejecutar",
+    "envFile": "Environment File",
+    "serviceFile": "Service File",
+    "enableAndStart": "Enable and Start",
     "clientNameDescription": "El nombre mostrado del cliente que se puede cambiar más adelante.",
     "clientAddress": "Dirección del cliente (Avanzado)",
     "setupFailedToFetchSubnet": "No se pudo obtener la subred por defecto",

From a55dd769cfdc5f2fd50efa00b076e4c20dd243d4 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 11:43:01 -0400
Subject: [PATCH 249/314] Revert "enhance: Systemd newt unit instructions"

---
 messages/en-US.json                      |  3 --
 src/components/newt-install-commands.tsx | 52 +-----------------------
 2 files changed, 2 insertions(+), 53 deletions(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index e4a225f70..51bb996af 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -2607,9 +2607,6 @@
     "machineClients": "Machine Clients",
     "install": "Install",
     "run": "Run",
-    "envFile": "Environment File",
-    "serviceFile": "Service File",
-    "enableAndStart": "Enable and Start",
     "clientNameDescription": "The display name of the client that can be changed later.",
     "clientAddress": "Client Address (Advanced)",
     "setupFailedToFetchSubnet": "Failed to fetch default subnet",
diff --git a/src/components/newt-install-commands.tsx b/src/components/newt-install-commands.tsx
index d7ff57c04..ba0363e3b 100644
--- a/src/components/newt-install-commands.tsx
+++ b/src/components/newt-install-commands.tsx
@@ -55,7 +55,7 @@ export function NewtSiteInstallCommands({
 
     const commandList: Record<Platform, Record<string, CommandItem[]>> = {
         unix: {
-            Direct: [
+            All: [
                 {
                     title: t("install"),
                     command: `curl -fsSL https://static.pangolin.net/get-newt.sh | bash`
@@ -64,54 +64,6 @@ export function NewtSiteInstallCommands({
                     title: t("run"),
                     command: `newt --id ${id} --secret ${secret} --endpoint ${endpoint}${acceptClientsFlag}`
                 }
-            ],
-            "Systemd Service": [
-                {
-                    title: t("install"),
-                    command: `curl -fsSL https://static.pangolin.net/get-newt.sh | bash`
-                },
-                {
-                    title: t("envFile"),
-                    command: `# Create the directory and environment file
-sudo install -d -m 0755 /etc/newt
-sudo tee /etc/newt/newt.env > /dev/null << 'EOF'
-NEWT_ID=${id}
-NEWT_SECRET=${secret}
-PANGOLIN_ENDPOINT=${endpoint}${!acceptClients ? `
-DISABLE_CLIENTS=true` : ""}
-EOF
-sudo chmod 600 /etc/newt/newt.env`
-                },
-                {
-                    title: t("serviceFile"),
-                    command: `sudo tee /etc/systemd/system/newt.service > /dev/null << 'EOF'
-[Unit]
-Description=Newt
-Wants=network-online.target
-After=network-online.target
-
-[Service]
-Type=simple
-User=root
-Group=root
-EnvironmentFile=/etc/newt/newt.env
-ExecStart=/usr/local/bin/newt
-Restart=always
-RestartSec=2
-UMask=0077
-
-NoNewPrivileges=true
-PrivateTmp=true
-
-[Install]
-WantedBy=multi-user.target
-EOF`
-                },
-                {
-                    title: t("enableAndStart"),
-                    command: `sudo systemctl daemon-reload
-sudo systemctl enable --now newt`
-                }
             ]
         },
         windows: {
@@ -346,7 +298,7 @@ function getPlatformName(platformName: Platform) {
 function getArchitectures(platform: Platform) {
     switch (platform) {
         case "unix":
-            return ["Direct", "Systemd Service"];
+            return ["All"];
         case "windows":
             return ["x64"];
         case "docker":

From 122079ddb294c2a0fedbaa79e4542539afd9816a Mon Sep 17 00:00:00 2001
From: Laurence <laurence.jones@live.co.uk>
Date: Thu, 2 Apr 2026 17:01:52 +0100
Subject: [PATCH 250/314] split unix to linux and macos, show method everything
 other than windows, change nixos all to flake so makes sense under method

---
 messages/en-US.json                      |   3 +
 src/components/newt-install-commands.tsx | 106 ++++++++++++++++++-----
 2 files changed, 89 insertions(+), 20 deletions(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index 51bb996af..e4a225f70 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -2607,6 +2607,9 @@
     "machineClients": "Machine Clients",
     "install": "Install",
     "run": "Run",
+    "envFile": "Environment File",
+    "serviceFile": "Service File",
+    "enableAndStart": "Enable and Start",
     "clientNameDescription": "The display name of the client that can be changed later.",
     "clientAddress": "Client Address (Advanced)",
     "setupFailedToFetchSubnet": "Failed to fetch default subnet",
diff --git a/src/components/newt-install-commands.tsx b/src/components/newt-install-commands.tsx
index ba0363e3b..28581794c 100644
--- a/src/components/newt-install-commands.tsx
+++ b/src/components/newt-install-commands.tsx
@@ -10,14 +10,14 @@ import {
 import { CheckboxWithLabel } from "./ui/checkbox";
 import { OptionSelect, type OptionSelectOption } from "./OptionSelect";
 import { useState } from "react";
-import { FaCubes, FaDocker, FaWindows } from "react-icons/fa";
-import { Terminal } from "lucide-react";
+import { FaApple, FaCubes, FaDocker, FaLinux, FaWindows } from "react-icons/fa";
 import { SiKubernetes, SiNixos } from "react-icons/si";
 
 export type CommandItem = string | { title: string; command: string };
 
 const PLATFORMS = [
-    "unix",
+    "linux",
+    "macos",
     "docker",
     "kubernetes",
     "podman",
@@ -43,7 +43,7 @@ export function NewtSiteInstallCommands({
     const t = useTranslations();
 
     const [acceptClients, setAcceptClients] = useState(true);
-    const [platform, setPlatform] = useState<Platform>("unix");
+    const [platform, setPlatform] = useState<Platform>("linux");
     const [architecture, setArchitecture] = useState(
         () => getArchitectures(platform)[0]
     );
@@ -54,8 +54,68 @@ export function NewtSiteInstallCommands({
         : "";
 
     const commandList: Record<Platform, Record<string, CommandItem[]>> = {
-        unix: {
-            All: [
+        linux: {
+            Run: [
+                {
+                    title: t("install"),
+                    command: `curl -fsSL https://static.pangolin.net/get-newt.sh | bash`
+                },
+                {
+                    title: t("run"),
+                    command: `newt --id ${id} --secret ${secret} --endpoint ${endpoint}${acceptClientsFlag}`
+                }
+            ],
+            "Systemd Service": [
+                {
+                    title: t("install"),
+                    command: `curl -fsSL https://static.pangolin.net/get-newt.sh | bash`
+                },
+                {
+                    title: t("envFile"),
+                    command: `# Create the directory and environment file
+sudo install -d -m 0755 /etc/newt
+sudo tee /etc/newt/newt.env > /dev/null << 'EOF'
+NEWT_ID=${id}
+NEWT_SECRET=${secret}
+PANGOLIN_ENDPOINT=${endpoint}${!acceptClients ? `
+DISABLE_CLIENTS=true` : ""}
+EOF
+sudo chmod 600 /etc/newt/newt.env`
+                },
+                {
+                    title: t("serviceFile"),
+                    command: `sudo tee /etc/systemd/system/newt.service > /dev/null << 'EOF'
+[Unit]
+Description=Newt
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+User=root
+Group=root
+EnvironmentFile=/etc/newt/newt.env
+ExecStart=/usr/local/bin/newt
+Restart=always
+RestartSec=2
+UMask=0077
+
+NoNewPrivileges=true
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
+EOF`
+                },
+                {
+                    title: t("enableAndStart"),
+                    command: `sudo systemctl daemon-reload
+sudo systemctl enable --now newt`
+                }
+            ]
+        },
+        macos: {
+            Run: [
                 {
                     title: t("install"),
                     command: `curl -fsSL https://static.pangolin.net/get-newt.sh | bash`
@@ -131,7 +191,7 @@ WantedBy=default.target`
             ]
         },
         nixos: {
-            All: [
+            Flake: [
                 `nix run 'nixpkgs#fosrl-newt' -- --id ${id} --secret ${secret} --endpoint ${endpoint}${acceptClientsFlag}`
             ]
         }
@@ -172,9 +232,9 @@ WantedBy=default.target`
 
                 <OptionSelect<string>
                     label={
-                        ["docker", "podman"].includes(platform)
-                            ? t("method")
-                            : t("architecture")
+                        platform === "windows"
+                            ? t("architecture")
+                            : t("method")
                     }
                     options={getArchitectures(platform).map((arch) => ({
                         value: arch,
@@ -261,8 +321,10 @@ function getPlatformIcon(platformName: Platform) {
     switch (platformName) {
         case "windows":
             return <FaWindows className="h-4 w-4 mr-2" />;
-        case "unix":
-            return <Terminal className="h-4 w-4 mr-2" />;
+        case "linux":
+            return <FaLinux className="h-4 w-4 mr-2" />;
+        case "macos":
+            return <FaApple className="h-4 w-4 mr-2" />;
         case "docker":
             return <FaDocker className="h-4 w-4 mr-2" />;
         case "kubernetes":
@@ -272,7 +334,7 @@ function getPlatformIcon(platformName: Platform) {
         case "nixos":
             return <SiNixos className="h-4 w-4 mr-2" />;
         default:
-            return <Terminal className="h-4 w-4 mr-2" />;
+            return <FaLinux className="h-4 w-4 mr-2" />;
     }
 }
 
@@ -280,8 +342,10 @@ function getPlatformName(platformName: Platform) {
     switch (platformName) {
         case "windows":
             return "Windows";
-        case "unix":
-            return "Unix & macOS";
+        case "linux":
+            return "Linux";
+        case "macos":
+            return "macOS";
         case "docker":
             return "Docker";
         case "kubernetes":
@@ -291,14 +355,16 @@ function getPlatformName(platformName: Platform) {
         case "nixos":
             return "NixOS";
         default:
-            return "Unix / macOS";
+            return "Linux";
     }
 }
 
 function getArchitectures(platform: Platform) {
     switch (platform) {
-        case "unix":
-            return ["All"];
+        case "linux":
+            return ["Run", "Systemd Service"];
+        case "macos":
+            return ["Run"];
         case "windows":
             return ["x64"];
         case "docker":
@@ -308,8 +374,8 @@ function getArchitectures(platform: Platform) {
         case "podman":
             return ["Podman Quadlet", "Podman Run"];
         case "nixos":
-            return ["All"];
+            return ["Flake"];
         default:
-            return ["x64"];
+            return ["Run"];
     }
 }

From 4e7dcbd7b55bef865c9e65e3e01299e84a033c5e Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 18:34:55 -0400
Subject: [PATCH 251/314] New translations en-us.json (French)

---
 messages/fr-FR.json | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/messages/fr-FR.json b/messages/fr-FR.json
index 248794b95..8708138a8 100644
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -624,6 +624,8 @@
     "targetErrorInvalidPortDescription": "Veuillez entrer un numéro de port valide",
     "targetErrorNoSite": "Aucun site sélectionné",
     "targetErrorNoSiteDescription": "Veuillez sélectionner un site pour la cible",
+    "targetTargetsCleared": "Targets cleared",
+    "targetTargetsClearedDescription": "All targets have been removed from this resource",
     "targetCreated": "Cible créée",
     "targetCreatedDescription": "La cible a été créée avec succès",
     "targetErrorCreate": "Impossible de créer la cible",

From c2bf50b1214efdb272120810bde63ed88b77d14d Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 18:34:56 -0400
Subject: [PATCH 252/314] New translations en-us.json (Bulgarian)

---
 messages/bg-BG.json | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/messages/bg-BG.json b/messages/bg-BG.json
index 3ab20a390..e6d650681 100644
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -624,6 +624,8 @@
     "targetErrorInvalidPortDescription": "Моля, въведете валиден номер на порт",
     "targetErrorNoSite": "Няма избран сайт",
     "targetErrorNoSiteDescription": "Моля, изберете сайт за целта",
+    "targetTargetsCleared": "Targets cleared",
+    "targetTargetsClearedDescription": "All targets have been removed from this resource",
     "targetCreated": "Целта е създадена",
     "targetCreatedDescription": "Целта беше успешно създадена",
     "targetErrorCreate": "Неуспешно създаване на целта",

From 8df41f514e0c6dc933b17199692601952103d600 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 18:34:58 -0400
Subject: [PATCH 253/314] New translations en-us.json (Czech)

---
 messages/cs-CZ.json | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/messages/cs-CZ.json b/messages/cs-CZ.json
index 87a9bdc8b..54e87e0d6 100644
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -624,6 +624,8 @@
     "targetErrorInvalidPortDescription": "Zadejte platné číslo portu",
     "targetErrorNoSite": "Není vybrán žádný web",
     "targetErrorNoSiteDescription": "Vyberte prosím web pro cíl",
+    "targetTargetsCleared": "Targets cleared",
+    "targetTargetsClearedDescription": "All targets have been removed from this resource",
     "targetCreated": "Cíl byl vytvořen",
     "targetCreatedDescription": "Cíl byl úspěšně vytvořen",
     "targetErrorCreate": "Nepodařilo se vytvořit cíl",

From a7e9de3ac42415e553c596f89c117c960511ec8f Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 18:34:59 -0400
Subject: [PATCH 254/314] New translations en-us.json (German)

---
 messages/de-DE.json | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/messages/de-DE.json b/messages/de-DE.json
index e74ae95da..48280e418 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -624,6 +624,8 @@
     "targetErrorInvalidPortDescription": "Bitte geben Sie eine gültige Portnummer ein",
     "targetErrorNoSite": "Kein Standort ausgewählt",
     "targetErrorNoSiteDescription": "Bitte wähle einen Standort für das Ziel aus",
+    "targetTargetsCleared": "Targets cleared",
+    "targetTargetsClearedDescription": "All targets have been removed from this resource",
     "targetCreated": "Ziel erstellt",
     "targetCreatedDescription": "Ziel wurde erfolgreich erstellt",
     "targetErrorCreate": "Fehler beim Erstellen des Ziels",

From 8df83834684fb69c9bc92207759a5e7b171b8802 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 18:35:01 -0400
Subject: [PATCH 255/314] New translations en-us.json (Italian)

---
 messages/it-IT.json | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/messages/it-IT.json b/messages/it-IT.json
index 1122af617..415075e44 100644
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -624,6 +624,8 @@
     "targetErrorInvalidPortDescription": "Inserisci un numero di porta valido",
     "targetErrorNoSite": "Nessun sito selezionato",
     "targetErrorNoSiteDescription": "Si prega di selezionare un sito per l'obiettivo",
+    "targetTargetsCleared": "Targets cleared",
+    "targetTargetsClearedDescription": "All targets have been removed from this resource",
     "targetCreated": "Destinazione creata",
     "targetCreatedDescription": "L'obiettivo è stato creato con successo",
     "targetErrorCreate": "Impossibile creare l'obiettivo",

From bb6605337f3d779fd2c06108674514dd27fa5d85 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 18:35:02 -0400
Subject: [PATCH 256/314] New translations en-us.json (Korean)

---
 messages/ko-KR.json | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/messages/ko-KR.json b/messages/ko-KR.json
index 60c81651d..c7dd13ae0 100644
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -624,6 +624,8 @@
     "targetErrorInvalidPortDescription": "유효한 포트 번호를 입력하세요.",
     "targetErrorNoSite": "선택된 사이트 없음",
     "targetErrorNoSiteDescription": "대상을 위해 사이트를 선택하세요.",
+    "targetTargetsCleared": "Targets cleared",
+    "targetTargetsClearedDescription": "All targets have been removed from this resource",
     "targetCreated": "대상 생성",
     "targetCreatedDescription": "대상이 성공적으로 생성되었습니다.",
     "targetErrorCreate": "대상 생성 실패",

From e848ef848b05d72d3e6a700939d094469185f7e7 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 18:35:03 -0400
Subject: [PATCH 257/314] New translations en-us.json (Dutch)

---
 messages/nl-NL.json | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/messages/nl-NL.json b/messages/nl-NL.json
index a99d8e26e..9084e7827 100644
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -624,6 +624,8 @@
     "targetErrorInvalidPortDescription": "Voer een geldig poortnummer in",
     "targetErrorNoSite": "Geen site geselecteerd",
     "targetErrorNoSiteDescription": "Selecteer een site voor het doel",
+    "targetTargetsCleared": "Targets cleared",
+    "targetTargetsClearedDescription": "All targets have been removed from this resource",
     "targetCreated": "Doel aangemaakt",
     "targetCreatedDescription": "Doel is succesvol aangemaakt",
     "targetErrorCreate": "Kan doel niet aanmaken",

From aa194370310a354374de6e092c081831ad3291e9 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 18:35:05 -0400
Subject: [PATCH 258/314] New translations en-us.json (Polish)

---
 messages/pl-PL.json | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/messages/pl-PL.json b/messages/pl-PL.json
index c0dee1fe3..1cc086969 100644
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -624,6 +624,8 @@
     "targetErrorInvalidPortDescription": "Wprowadź prawidłowy numer portu",
     "targetErrorNoSite": "Nie wybrano witryny",
     "targetErrorNoSiteDescription": "Wybierz witrynę docelową",
+    "targetTargetsCleared": "Targets cleared",
+    "targetTargetsClearedDescription": "All targets have been removed from this resource",
     "targetCreated": "Cel utworzony",
     "targetCreatedDescription": "Cel został utworzony pomyślnie",
     "targetErrorCreate": "Nie udało się utworzyć celu",

From 013cff9b6e0a03a9d11b246b956b7c7c2e0b03cd Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 18:35:06 -0400
Subject: [PATCH 259/314] New translations en-us.json (Portuguese)

---
 messages/pt-PT.json | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/messages/pt-PT.json b/messages/pt-PT.json
index 09735a431..128a0cbfd 100644
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -624,6 +624,8 @@
     "targetErrorInvalidPortDescription": "Por favor, digite um número de porta válido",
     "targetErrorNoSite": "Nenhum site selecionado",
     "targetErrorNoSiteDescription": "Selecione um site para o destino",
+    "targetTargetsCleared": "Targets cleared",
+    "targetTargetsClearedDescription": "All targets have been removed from this resource",
     "targetCreated": "Destino criado",
     "targetCreatedDescription": "O alvo foi criado com sucesso",
     "targetErrorCreate": "Falha ao criar destino",

From 9f2ced193345cb0464cafdc58efd9462293b9b3d Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 18:35:08 -0400
Subject: [PATCH 260/314] New translations en-us.json (Russian)

---
 messages/ru-RU.json | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index 353a00634..dfda9a6b1 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -624,6 +624,8 @@
     "targetErrorInvalidPortDescription": "Пожалуйста, введите правильный номер порта",
     "targetErrorNoSite": "Сайт не выбран",
     "targetErrorNoSiteDescription": "Пожалуйста, выберите сайт для цели",
+    "targetTargetsCleared": "Targets cleared",
+    "targetTargetsClearedDescription": "All targets have been removed from this resource",
     "targetCreated": "Цель создана",
     "targetCreatedDescription": "Цель была успешно создана",
     "targetErrorCreate": "Не удалось создать цель",

From bc1ea86b4e5e69a13b8b60e2dccdd4d3a2308f18 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 18:35:09 -0400
Subject: [PATCH 261/314] New translations en-us.json (Turkish)

---
 messages/tr-TR.json | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/messages/tr-TR.json b/messages/tr-TR.json
index 5e6a8bb61..f85ae5db1 100644
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -624,6 +624,8 @@
     "targetErrorInvalidPortDescription": "Lütfen geçerli bir port numarası girin",
     "targetErrorNoSite": "Hiçbir site seçili değil",
     "targetErrorNoSiteDescription": "Lütfen hedef için bir site seçin",
+    "targetTargetsCleared": "Targets cleared",
+    "targetTargetsClearedDescription": "All targets have been removed from this resource",
     "targetCreated": "Hedef oluşturuldu",
     "targetCreatedDescription": "Hedef başarıyla oluşturuldu",
     "targetErrorCreate": "Hedef oluşturma başarısız oldu",

From 059db34a534b53380ad8db229b4cd1ba08403956 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 18:35:10 -0400
Subject: [PATCH 262/314] New translations en-us.json (Chinese Simplified)

---
 messages/zh-CN.json | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/messages/zh-CN.json b/messages/zh-CN.json
index 6f2013fae..ab0e1fe90 100644
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -624,6 +624,8 @@
     "targetErrorInvalidPortDescription": "请输入有效的端口号",
     "targetErrorNoSite": "没有选择站点",
     "targetErrorNoSiteDescription": "请选择目标站点",
+    "targetTargetsCleared": "Targets cleared",
+    "targetTargetsClearedDescription": "All targets have been removed from this resource",
     "targetCreated": "目标已创建",
     "targetCreatedDescription": "目标已成功创建",
     "targetErrorCreate": "创建目标失败",

From 0b2aceafe0282882bd72518bfe6b23cd1a29310a Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 18:35:11 -0400
Subject: [PATCH 263/314] New translations en-us.json (Norwegian Bokmal)

---
 messages/nb-NO.json | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/messages/nb-NO.json b/messages/nb-NO.json
index dd2195eef..4614234fe 100644
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -624,6 +624,8 @@
     "targetErrorInvalidPortDescription": "Vennligst skriv inn et gyldig portnummer",
     "targetErrorNoSite": "Ingen nettsted valgt",
     "targetErrorNoSiteDescription": "Velg et nettsted for målet",
+    "targetTargetsCleared": "Targets cleared",
+    "targetTargetsClearedDescription": "All targets have been removed from this resource",
     "targetCreated": "Mål opprettet",
     "targetCreatedDescription": "Målet har blitt opprettet",
     "targetErrorCreate": "Kunne ikke opprette målet",

From f85cfc4c681b1bd9d206a4d1ff323c9bf56fad03 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 18:35:13 -0400
Subject: [PATCH 264/314] New translations en-us.json (Spanish)

---
 messages/es-ES.json | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/messages/es-ES.json b/messages/es-ES.json
index afa815cab..6cc14f9e5 100644
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -624,6 +624,8 @@
     "targetErrorInvalidPortDescription": "Por favor, introduzca un número de puerto válido",
     "targetErrorNoSite": "Ningún sitio seleccionado",
     "targetErrorNoSiteDescription": "Por favor, seleccione un sitio para el objetivo",
+    "targetTargetsCleared": "Targets cleared",
+    "targetTargetsClearedDescription": "All targets have been removed from this resource",
     "targetCreated": "Objetivo creado",
     "targetCreatedDescription": "El objetivo se ha creado correctamente",
     "targetErrorCreate": "Error al crear el objetivo",

From d5837ab718729b7ff0bfc062882a12c491a7f7a6 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Thu, 2 Apr 2026 21:57:59 -0400
Subject: [PATCH 265/314] Fix to use the stored data

---
 src/services/locale.ts | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/src/services/locale.ts b/src/services/locale.ts
index 3bdf688bf..81be42bc1 100644
--- a/src/services/locale.ts
+++ b/src/services/locale.ts
@@ -22,12 +22,21 @@ export async function getUserLocale(): Promise<Locale> {
         const res = await internal.get("/user", await authCookieHeader());
         const userLocale = res.data?.data?.locale;
         if (userLocale && locales.includes(userLocale as Locale)) {
-            // Set the cookie so subsequent requests don't need the API call
-            (await cookies()).set(COOKIE_NAME, userLocale, {
-                maxAge: COOKIE_MAX_AGE,
-                path: "/",
-                sameSite: "lax"
-            });
+            // Try to cache in a cookie so subsequent requests skip the API
+            // call. cookies().set() is only permitted in Server Actions and
+            // Route Handlers — not during rendering — so we isolate it so
+            // that a write failure doesn't prevent the locale from being
+            // returned for the current request.
+            try {
+                (await cookies()).set(COOKIE_NAME, userLocale, {
+                    maxAge: COOKIE_MAX_AGE,
+                    path: "/",
+                    sameSite: "lax"
+                });
+            } catch {
+                // Cannot set cookies in this context (e.g. during rendering);
+                // the correct locale is still returned below.
+            }
             return userLocale as Locale;
         }
     } catch {

From d83fa63af587013cba18496938c97fd5db7defe3 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Thu, 2 Apr 2026 21:58:14 -0400
Subject: [PATCH 266/314] Fix to null out the rewrite on the frontend too

---
 .../settings/resources/proxy/[niceId]/proxy/page.tsx | 12 ++++++++++--
 .../[orgId]/settings/resources/proxy/create/page.tsx | 12 ++++++++++--
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx b/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
index 3001491f1..3d6e6186b 100644
--- a/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
@@ -400,7 +400,11 @@ function ProxyResourceTargetsForm({
                                     pathMatchType: row.original.pathMatchType
                                 }}
                                 onChange={(config) =>
-                                    updateTarget(row.original.targetId, config)
+                                    updateTarget(row.original.targetId,
+                                        config.path === null && config.pathMatchType === null
+                                            ? { ...config, rewritePath: null, rewritePathType: null }
+                                            : config
+                                    )
                                 }
                                 trigger={
                                     <Button
@@ -424,7 +428,11 @@ function ProxyResourceTargetsForm({
                                     pathMatchType: row.original.pathMatchType
                                 }}
                                 onChange={(config) =>
-                                    updateTarget(row.original.targetId, config)
+                                    updateTarget(row.original.targetId,
+                                        config.path === null && config.pathMatchType === null
+                                            ? { ...config, rewritePath: null, rewritePathType: null }
+                                            : config
+                                    )
                                 }
                                 trigger={
                                     <Button
diff --git a/src/app/[orgId]/settings/resources/proxy/create/page.tsx b/src/app/[orgId]/settings/resources/proxy/create/page.tsx
index b651a06bb..f057c07c4 100644
--- a/src/app/[orgId]/settings/resources/proxy/create/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/create/page.tsx
@@ -776,7 +776,11 @@ export default function Page() {
                                     pathMatchType: row.original.pathMatchType
                                 }}
                                 onChange={(config) =>
-                                    updateTarget(row.original.targetId, config)
+                                    updateTarget(row.original.targetId,
+                                        config.path === null && config.pathMatchType === null
+                                            ? { ...config, rewritePath: null, rewritePathType: null }
+                                            : config
+                                    )
                                 }
                                 trigger={
                                     <Button
@@ -800,7 +804,11 @@ export default function Page() {
                                     pathMatchType: row.original.pathMatchType
                                 }}
                                 onChange={(config) =>
-                                    updateTarget(row.original.targetId, config)
+                                    updateTarget(row.original.targetId,
+                                        config.path === null && config.pathMatchType === null
+                                            ? { ...config, rewritePath: null, rewritePathType: null }
+                                            : config
+                                    )
                                 }
                                 trigger={
                                     <Button

From dab38ff82cfae28fb6783ba7e605fec52e6473ad Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Fri, 3 Apr 2026 11:16:56 -0400
Subject: [PATCH 267/314] use debug log on log stream start

---
 server/private/lib/logStreaming/LogStreamingManager.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/private/lib/logStreaming/LogStreamingManager.ts b/server/private/lib/logStreaming/LogStreamingManager.ts
index 04e35ad00..0067c0690 100644
--- a/server/private/lib/logStreaming/LogStreamingManager.ts
+++ b/server/private/lib/logStreaming/LogStreamingManager.ts
@@ -127,7 +127,7 @@ export class LogStreamingManager {
     start(): void {
         if (this.isRunning) return;
         this.isRunning = true;
-        logger.info("LogStreamingManager: started");
+        logger.debug("LogStreamingManager: started");
         this.schedulePoll(POLL_INTERVAL_MS);
     }
 
@@ -770,4 +770,4 @@ export class LogStreamingManager {
 
 function sleep(ms: number): Promise<void> {
     return new Promise((resolve) => setTimeout(resolve, ms));
-}
\ No newline at end of file
+}

From 5056cba85d9be418c815b2f02a74357442851680 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Fri, 3 Apr 2026 11:25:12 -0400
Subject: [PATCH 268/314] Add siem to migration

---
 server/setup/scriptsPg/1.17.0.ts | 44 ++++++++++++++++++++++++++++++--
 1 file changed, 42 insertions(+), 2 deletions(-)

diff --git a/server/setup/scriptsPg/1.17.0.ts b/server/setup/scriptsPg/1.17.0.ts
index ea66948ab..21dd3a224 100644
--- a/server/setup/scriptsPg/1.17.0.ts
+++ b/server/setup/scriptsPg/1.17.0.ts
@@ -104,6 +104,42 @@ export default async function migration() {
                	CONSTRAINT "userOrgRoles_userId_orgId_roleId_unique" UNIQUE("userId","orgId","roleId")
             );
         `);
+
+        await db.execute(sql`
+            CREATE TABLE "eventStreamingCursors" (
+               	"cursorId" serial PRIMARY KEY NOT NULL,
+               	"destinationId" integer NOT NULL,
+               	"logType" varchar(50) NOT NULL,
+               	"lastSentId" bigint DEFAULT 0 NOT NULL,
+               	"lastSentAt" bigint
+            );
+        `);
+
+        await db.execute(sql`
+            CREATE TABLE "eventStreamingDestinations" (
+               	"destinationId" serial PRIMARY KEY NOT NULL,
+               	"orgId" varchar(255) NOT NULL,
+               	"sendConnectionLogs" boolean DEFAULT false NOT NULL,
+               	"sendRequestLogs" boolean DEFAULT false NOT NULL,
+               	"sendActionLogs" boolean DEFAULT false NOT NULL,
+               	"sendAccessLogs" boolean DEFAULT false NOT NULL,
+               	"type" varchar(50) NOT NULL,
+               	"config" text NOT NULL,
+               	"enabled" boolean DEFAULT true NOT NULL,
+               	"createdAt" bigint NOT NULL,
+               	"updatedAt" bigint NOT NULL
+            );
+        `);
+
+        await db.execute(
+            sql`ALTER TABLE "eventStreamingCursors" ADD CONSTRAINT "eventStreamingCursors_destinationId_eventStreamingDestinations_destinationId_fk" FOREIGN KEY ("destinationId") REFERENCES "public"."eventStreamingDestinations"("destinationId") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "eventStreamingDestinations" ADD CONSTRAINT "eventStreamingDestinations_orgId_orgs_orgId_fk" FOREIGN KEY ("orgId") REFERENCES "public"."orgs"("orgId") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`CREATE UNIQUE INDEX "idx_eventStreamingCursors_dest_type" ON "eventStreamingCursors" USING btree ("destinationId","logType");`
+        );
         await db.execute(
             sql`ALTER TABLE "userOrgs" DROP CONSTRAINT "userOrgs_roleId_roles_roleId_fk";`
         );
@@ -177,8 +213,12 @@ export default async function migration() {
             sql`CREATE INDEX "idx_accessAuditLog_siteResourceId" ON "connectionAuditLog" USING btree ("siteResourceId");`
         );
         await db.execute(sql`ALTER TABLE "userInvites" DROP COLUMN "roleId";`);
-        await db.execute(sql`ALTER TABLE "siteProvisioningKeys" ADD COLUMN "approveNewSites" boolean DEFAULT true NOT NULL;`);
-        await db.execute(sql`ALTER TABLE "sites" ADD COLUMN "status" varchar DEFAULT 'approved';`);
+        await db.execute(
+            sql`ALTER TABLE "siteProvisioningKeys" ADD COLUMN "approveNewSites" boolean DEFAULT true NOT NULL;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "sites" ADD COLUMN "status" varchar DEFAULT 'approved';`
+        );
 
         await db.execute(sql`COMMIT`);
         console.log("Migrated database");

From fee780cb81a3763ada7a015e34fb01093f313cfe Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Fri, 3 Apr 2026 11:29:08 -0400
Subject: [PATCH 269/314] Add siem to migration

---
 server/setup/scriptsSqlite/1.17.0.ts | 56 +++++++++++++++++++++++++---
 1 file changed, 51 insertions(+), 5 deletions(-)

diff --git a/server/setup/scriptsSqlite/1.17.0.ts b/server/setup/scriptsSqlite/1.17.0.ts
index 28877f16e..28929fc63 100644
--- a/server/setup/scriptsSqlite/1.17.0.ts
+++ b/server/setup/scriptsSqlite/1.17.0.ts
@@ -76,9 +76,15 @@ export default async function migration() {
             `
             ).run();
 
-            db.prepare(`CREATE INDEX 'idx_accessAuditLog_startedAt' ON 'connectionAuditLog' ('startedAt');`).run();
-            db.prepare(`CREATE INDEX 'idx_accessAuditLog_org_startedAt' ON 'connectionAuditLog' ('orgId','startedAt');`).run();
-            db.prepare(`CREATE INDEX 'idx_accessAuditLog_siteResourceId' ON 'connectionAuditLog' ('siteResourceId');`).run();
+            db.prepare(
+                `CREATE INDEX 'idx_accessAuditLog_startedAt' ON 'connectionAuditLog' ('startedAt');`
+            ).run();
+            db.prepare(
+                `CREATE INDEX 'idx_accessAuditLog_org_startedAt' ON 'connectionAuditLog' ('orgId','startedAt');`
+            ).run();
+            db.prepare(
+                `CREATE INDEX 'idx_accessAuditLog_siteResourceId' ON 'connectionAuditLog' ('siteResourceId');`
+            ).run();
 
             db.prepare(
                 `
@@ -168,6 +174,42 @@ export default async function migration() {
                 );
             `
             ).run();
+
+            db.prepare(
+                `
+                CREATE TABLE 'eventStreamingCursors' (
+                   	'cursorId' integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+                   	'destinationId' integer NOT NULL,
+                   	'logType' text NOT NULL,
+                   	'lastSentId' integer DEFAULT 0 NOT NULL,
+                   	'lastSentAt' integer,
+                   	FOREIGN KEY ('destinationId') REFERENCES 'eventStreamingDestinations'('destinationId') ON UPDATE no action ON DELETE cascade
+                );
+            `
+            ).run();
+            db.prepare(
+                `
+                CREATE UNIQUE INDEX 'idx_eventStreamingCursors_dest_type' ON 'eventStreamingCursors' ('destinationId','logType');--> statement-breakpoint
+            `
+            ).run();
+            db.prepare(
+                `
+                CREATE TABLE 'eventStreamingDestinations' (
+                   	'destinationId' integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+                   	'orgId' text NOT NULL,
+                   	'sendConnectionLogs' integer DEFAULT false NOT NULL,
+                   	'sendRequestLogs' integer DEFAULT false NOT NULL,
+                   	'sendActionLogs' integer DEFAULT false NOT NULL,
+                   	'sendAccessLogs' integer DEFAULT false NOT NULL,
+                   	'type' text NOT NULL,
+                   	'config' text NOT NULL,
+                   	'enabled' integer DEFAULT true NOT NULL,
+                   	'createdAt' integer NOT NULL,
+                   	'updatedAt' integer NOT NULL,
+                   	FOREIGN KEY ('orgId') REFERENCES 'orgs'('orgId') ON UPDATE no action ON DELETE cascade
+                );
+            `
+            ).run();
             db.prepare(
                 `INSERT INTO '__new_userInvites'("inviteId", "orgId", "email", "expiresAt", "token") SELECT "inviteId", "orgId", "email", "expiresAt", "token" FROM 'userInvites';`
             ).run();
@@ -191,8 +233,12 @@ export default async function migration() {
                 `ALTER TABLE 'user' ADD 'marketingEmailConsent' integer DEFAULT false;`
             ).run();
             db.prepare(`ALTER TABLE 'user' ADD 'locale' text;`).run();
-            db.prepare(`ALTER TABLE 'siteProvisioningKeys' ADD COLUMN 'approveNewSites' integer DEFAULT 1 NOT NULL;`).run();
-            db.prepare(`ALTER TABLE 'sites' ADD COLUMN 'status' text DEFAULT 'approved';`).run();
+            db.prepare(
+                `ALTER TABLE 'siteProvisioningKeys' ADD COLUMN 'approveNewSites' integer DEFAULT 1 NOT NULL;`
+            ).run();
+            db.prepare(
+                `ALTER TABLE 'sites' ADD COLUMN 'status' text DEFAULT 'approved';`
+            ).run();
         })();
 
         db.pragma("foreign_keys = ON");

From 382a46dfff4488c34ee9db03854295c2f7caddff Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Fri, 3 Apr 2026 11:44:56 -0400
Subject: [PATCH 270/314] fix text formatting in delete dialog

---
 .../[orgId]/settings/logs/streaming/page.tsx  | 46 ++++++++++---------
 1 file changed, 25 insertions(+), 21 deletions(-)

diff --git a/src/app/[orgId]/settings/logs/streaming/page.tsx b/src/app/[orgId]/settings/logs/streaming/page.tsx
index 44ec39fcd..7e48d7566 100644
--- a/src/app/[orgId]/settings/logs/streaming/page.tsx
+++ b/src/app/[orgId]/settings/logs/streaming/page.tsx
@@ -106,7 +106,9 @@ function DestinationCard({
             {/* URL preview */}
             <p className="text-xs text-muted-foreground truncate">
                 {cfg.url || (
-                    <span className="italic">{t("streamingNoUrlConfigured")}</span>
+                    <span className="italic">
+                        {t("streamingNoUrlConfigured")}
+                    </span>
                 )}
             </p>
 
@@ -160,7 +162,9 @@ function AddDestinationCard({ onClick }: { onClick: () => void }) {
                 <div className="flex items-center justify-center w-9 h-9 rounded-md border-2 border-dashed border-current">
                     <Plus className="h-4 w-4" />
                 </div>
-                <span className="text-sm font-medium">{t("streamingAddDestination")}</span>
+                <span className="text-sm font-medium">
+                    {t("streamingAddDestination")}
+                </span>
             </div>
         </button>
     );
@@ -186,7 +190,9 @@ function DestinationTypePicker({
     const t = useTranslations();
     const [selected, setSelected] = useState<DestinationType>("http");
 
-    const destinationTypeOptions: ReadonlyArray<StrategyOption<DestinationType>> = [
+    const destinationTypeOptions: ReadonlyArray<
+        StrategyOption<DestinationType>
+    > = [
         {
             id: "http",
             title: t("streamingHttpWebhookTitle"),
@@ -233,13 +239,19 @@ function DestinationTypePicker({
         <Credenza open={open} onOpenChange={onOpenChange}>
             <CredenzaContent className="sm:max-w-lg">
                 <CredenzaHeader>
-                    <CredenzaTitle>{t("streamingAddDestination")}</CredenzaTitle>
+                    <CredenzaTitle>
+                        {t("streamingAddDestination")}
+                    </CredenzaTitle>
                     <CredenzaDescription>
                         {t("streamingTypePickerDescription")}
                     </CredenzaDescription>
                 </CredenzaHeader>
                 <CredenzaBody>
-                    <div className={isPaywalled ? "pointer-events-none opacity-50" : ""}>
+                    <div
+                        className={
+                            isPaywalled ? "pointer-events-none opacity-50" : ""
+                        }
+                    >
                         <StrategySelect
                             options={destinationTypeOptions}
                             value={selected}
@@ -301,10 +313,7 @@ export default function StreamingDestinationsPage() {
             toast({
                 variant: "destructive",
                 title: t("streamingFailedToLoad"),
-                description: formatAxiosError(
-                    e,
-                    t("streamingUnexpectedError")
-                )
+                description: formatAxiosError(e, t("streamingUnexpectedError"))
             });
         } finally {
             setLoading(false);
@@ -341,10 +350,7 @@ export default function StreamingDestinationsPage() {
             toast({
                 variant: "destructive",
                 title: t("streamingFailedToUpdate"),
-                description: formatAxiosError(
-                    e,
-                    t("streamingUnexpectedError")
-                )
+                description: formatAxiosError(e, t("streamingUnexpectedError"))
             });
         } finally {
             setTogglingIds((prev) => {
@@ -375,10 +381,7 @@ export default function StreamingDestinationsPage() {
             toast({
                 variant: "destructive",
                 title: t("streamingFailedToDelete"),
-                description: formatAxiosError(
-                    e,
-                    t("streamingUnexpectedError")
-                )
+                description: formatAxiosError(e, t("streamingUnexpectedError"))
             });
         } finally {
             setDeleting(false);
@@ -459,13 +462,14 @@ export default function StreamingDestinationsPage() {
                         if (!v) setDeleteTarget(null);
                     }}
                     string={
-                        parseHttpConfig(deleteTarget.config).name || t("streamingDeleteDialogThisDestination")
+                        parseHttpConfig(deleteTarget.config).name ||
+                        t("streamingDeleteDialogThisDestination")
                     }
                     title={t("streamingDeleteTitle")}
                     dialog={
-                        <p className="text-sm text-muted-foreground">
+                        <p>
                             {t("streamingDeleteDialogAreYouSure")}{" "}
-                            <span className="font-semibold text-foreground">
+                            <span>
                                 {parseHttpConfig(deleteTarget.config).name ||
                                     t("streamingDeleteDialogThisDestination")}
                             </span>
@@ -478,4 +482,4 @@ export default function StreamingDestinationsPage() {
             )}
         </>
     );
-}
\ No newline at end of file
+}

From b8194295ec0dd6e2af4cdcd42e3732715a4149f8 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Fri, 3 Apr 2026 11:47:54 -0400
Subject: [PATCH 271/314] fix translation syntax err

---
 messages/bg-BG.json | 4 ++--
 messages/cs-CZ.json | 4 ++--
 messages/de-DE.json | 4 ++--
 messages/en-US.json | 4 ++--
 messages/es-ES.json | 4 ++--
 messages/fr-FR.json | 4 ++--
 messages/it-IT.json | 4 ++--
 messages/ko-KR.json | 4 ++--
 messages/nb-NO.json | 4 ++--
 messages/nl-NL.json | 4 ++--
 messages/pl-PL.json | 4 ++--
 messages/pt-PT.json | 4 ++--
 messages/ru-RU.json | 4 ++--
 messages/tr-TR.json | 4 ++--
 messages/zh-CN.json | 4 ++--
 15 files changed, 30 insertions(+), 30 deletions(-)

diff --git a/messages/bg-BG.json b/messages/bg-BG.json
index e841490b2..81ca4b091 100644
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -2845,10 +2845,10 @@
     "httpDestAuthNoneTitle": "Без удостоверяване",
     "httpDestAuthNoneDescription": "Изпращане на заявки без заглавие за удостоверяване.",
     "httpDestAuthBearerTitle": "Bearer Токен",
-    "httpDestAuthBearerDescription": "Добавя заглавие за удостоверяване Bearer <token> към всяка заявка.",
+    "httpDestAuthBearerDescription": "Добавя заглавие за удостоверяване Bearer '<token>' към всяка заявка.",
     "httpDestAuthBearerPlaceholder": "Вашият API ключ или токен",
     "httpDestAuthBasicTitle": "Основно удостоверяване",
-    "httpDestAuthBasicDescription": "Добавя заглавие за удостоверяване Basic <credentials> към всяка заявка. Осигурете идентификационни данни като потребителско име:парола.",
+    "httpDestAuthBasicDescription": "Добавя заглавие за удостоверяване Basic '<credentials>' към всяка заявка. Осигурете идентификационни данни като потребителско име:парола.",
     "httpDestAuthBasicPlaceholder": "потребителско име:парола",
     "httpDestAuthCustomTitle": "Персонализирано заглавие",
     "httpDestAuthCustomDescription": "Посочете персонализирано име и стойност на заглавието за удостоверяване (например X-API-Key).",
diff --git a/messages/cs-CZ.json b/messages/cs-CZ.json
index fe5de4199..520a80f29 100644
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -2845,10 +2845,10 @@
     "httpDestAuthNoneTitle": "Žádné ověření",
     "httpDestAuthNoneDescription": "Odešle žádosti bez záhlaví autorizace.",
     "httpDestAuthBearerTitle": "Token na doručitele",
-    "httpDestAuthBearerDescription": "Přidá autorizaci: Hlavička Bearer <token> ke každému požadavku.",
+    "httpDestAuthBearerDescription": "Přidá autorizaci: Hlavička Bearer '<token>' ke každému požadavku.",
     "httpDestAuthBearerPlaceholder": "Váš API klíč nebo token",
     "httpDestAuthBasicTitle": "Základní ověření",
-    "httpDestAuthBasicDescription": "Přidá autorizaci: Základní <credentials> hlavička. Poskytněte přihlašovací údaje jako uživatelské jméno:password.",
+    "httpDestAuthBasicDescription": "Přidá autorizaci: Základní '<credentials>' hlavička. Poskytněte přihlašovací údaje jako uživatelské jméno:password.",
     "httpDestAuthBasicPlaceholder": "uživatelské jméno:heslo",
     "httpDestAuthCustomTitle": "Vlastní záhlaví",
     "httpDestAuthCustomDescription": "Zadejte název a hodnotu vlastního HTTP hlavičky pro ověření (např. X-API-Key).",
diff --git a/messages/de-DE.json b/messages/de-DE.json
index 0b72ececd..d511aa59b 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -2845,10 +2845,10 @@
     "httpDestAuthNoneTitle": "Keine Authentifizierung",
     "httpDestAuthNoneDescription": "Sendet Anfragen ohne Autorisierungs-Header.",
     "httpDestAuthBearerTitle": "Bären-Token",
-    "httpDestAuthBearerDescription": "Fügt eine Berechtigung hinzu: Bearer <token> Header zu jeder Anfrage.",
+    "httpDestAuthBearerDescription": "Fügt eine Berechtigung hinzu: Bearer '<token>' Header zu jeder Anfrage.",
     "httpDestAuthBearerPlaceholder": "Ihr API-Schlüssel oder Token",
     "httpDestAuthBasicTitle": "Einfacher Auth",
-    "httpDestAuthBasicDescription": "Fügt eine Autorisierung hinzu: Basic <credentials> Kopfzeile hinzu. Geben Sie Anmeldedaten als Benutzername:password an.",
+    "httpDestAuthBasicDescription": "Fügt eine Autorisierung hinzu: Basic '<credentials>' Kopfzeile hinzu. Geben Sie Anmeldedaten als Benutzername:password an.",
     "httpDestAuthBasicPlaceholder": "benutzername:password",
     "httpDestAuthCustomTitle": "Eigene Kopfzeile",
     "httpDestAuthCustomDescription": "Geben Sie einen eigenen HTTP-Header-Namen und einen Wert für die Authentifizierung an (z.B. X-API-Key).",
diff --git a/messages/en-US.json b/messages/en-US.json
index 3f5567d99..7642419c6 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "No Authentication",
     "httpDestAuthNoneDescription": "Sends requests without an Authorization header.",
     "httpDestAuthBearerTitle": "Bearer Token",
-    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer <token> header to each request.",
+    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
     "httpDestAuthBearerPlaceholder": "Your API key or token",
     "httpDestAuthBasicTitle": "Basic Auth",
-    "httpDestAuthBasicDescription": "Adds an Authorization: Basic <credentials> header. Provide credentials as username:password.",
+    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
     "httpDestAuthBasicPlaceholder": "username:password",
     "httpDestAuthCustomTitle": "Custom Header",
     "httpDestAuthCustomDescription": "Specify a custom HTTP header name and value for authentication (e.g. X-API-Key).",
diff --git a/messages/es-ES.json b/messages/es-ES.json
index 39a2919f8..212e1e2fb 100644
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -2845,10 +2845,10 @@
     "httpDestAuthNoneTitle": "Sin autenticación",
     "httpDestAuthNoneDescription": "Envía solicitudes sin un encabezado de autorización.",
     "httpDestAuthBearerTitle": "Tóken de portador",
-    "httpDestAuthBearerDescription": "Añade una autorización: portador <token> encabezado a cada solicitud.",
+    "httpDestAuthBearerDescription": "Añade una autorización: portador '<token>' encabezado a cada solicitud.",
     "httpDestAuthBearerPlaceholder": "Tu clave o token API",
     "httpDestAuthBasicTitle": "Auth Básica",
-    "httpDestAuthBasicDescription": "Añade una Autorización: encabezado básico <credentials> . Proporcione credenciales como nombre de usuario: contraseña.",
+    "httpDestAuthBasicDescription": "Añade una Autorización: encabezado básico '<credentials>' . Proporcione credenciales como nombre de usuario: contraseña.",
     "httpDestAuthBasicPlaceholder": "usuario:contraseña",
     "httpDestAuthCustomTitle": "Cabecera personalizada",
     "httpDestAuthCustomDescription": "Especifique un nombre de cabecera HTTP personalizado y un valor para la autenticación (por ejemplo, X-API-Key).",
diff --git a/messages/fr-FR.json b/messages/fr-FR.json
index 792775fdd..ec097ee04 100644
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -2845,10 +2845,10 @@
     "httpDestAuthNoneTitle": "Aucune authentification",
     "httpDestAuthNoneDescription": "Envoie des requêtes sans en-tête d'autorisation.",
     "httpDestAuthBearerTitle": "Jeton de Porteur",
-    "httpDestAuthBearerDescription": "Ajoute un en-tête Authorization: Bearer <token> à chaque requête.",
+    "httpDestAuthBearerDescription": "Ajoute un en-tête Authorization: Bearer '<token>' à chaque requête.",
     "httpDestAuthBearerPlaceholder": "Votre clé API ou votre jeton",
     "httpDestAuthBasicTitle": "Authentification basique",
-    "httpDestAuthBasicDescription": "Ajoute une autorisation : en-tête de base <credentials> . Fournissez des informations d'identification comme nom d'utilisateur:mot de passe.",
+    "httpDestAuthBasicDescription": "Ajoute une autorisation : en-tête de base '<credentials>' . Fournissez des informations d'identification comme nom d'utilisateur:mot de passe.",
     "httpDestAuthBasicPlaceholder": "nom d'utilisateur:mot de passe",
     "httpDestAuthCustomTitle": "En-tête personnalisé",
     "httpDestAuthCustomDescription": "Spécifiez un nom d'en-tête HTTP personnalisé et une valeur pour l'authentification (par exemple X-API-Key).",
diff --git a/messages/it-IT.json b/messages/it-IT.json
index 990e2be66..3d6579987 100644
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -2845,10 +2845,10 @@
     "httpDestAuthNoneTitle": "Nessuna Autenticazione",
     "httpDestAuthNoneDescription": "Invia richieste senza intestazione autorizzazione.",
     "httpDestAuthBearerTitle": "Token Del Portatore",
-    "httpDestAuthBearerDescription": "Aggiunge un'intestazione Autorizzazione: Bearer <token> ad ogni richiesta.",
+    "httpDestAuthBearerDescription": "Aggiunge un'intestazione Autorizzazione: Bearer '<token>' ad ogni richiesta.",
     "httpDestAuthBearerPlaceholder": "La tua chiave API o token",
     "httpDestAuthBasicTitle": "Autenticazione Base",
-    "httpDestAuthBasicDescription": "Aggiunge un'autorizzazione: intestazione di base <credentials> . Fornisce le credenziali come username:password.",
+    "httpDestAuthBasicDescription": "Aggiunge un'autorizzazione: intestazione di base '<credentials>' . Fornisce le credenziali come username:password.",
     "httpDestAuthBasicPlaceholder": "username:password",
     "httpDestAuthCustomTitle": "Intestazione Personalizzata",
     "httpDestAuthCustomDescription": "Specifica un nome e un valore di intestazione HTTP personalizzati per l'autenticazione (ad esempio X-API-Key).",
diff --git a/messages/ko-KR.json b/messages/ko-KR.json
index e0ae07d66..34a977d2a 100644
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -2845,10 +2845,10 @@
     "httpDestAuthNoneTitle": "인증 없음",
     "httpDestAuthNoneDescription": "Authorization 헤더 없이 요청을 보냅니다.",
     "httpDestAuthBearerTitle": "Bearer 토큰",
-    "httpDestAuthBearerDescription": "모든 요청에 Authorization: Bearer <token> 헤더를 추가합니다.",
+    "httpDestAuthBearerDescription": "모든 요청에 Authorization: Bearer '<token>' 헤더를 추가합니다.",
     "httpDestAuthBearerPlaceholder": "API 키 또는 토큰",
     "httpDestAuthBasicTitle": "기본 인증",
-    "httpDestAuthBasicDescription": "Authorization: Basic <credentials> 헤더를 추가합니다. 자격 증명은 username:password 형식으로 제공하세요.",
+    "httpDestAuthBasicDescription": "Authorization: Basic '<credentials>' 헤더를 추가합니다. 자격 증명은 username:password 형식으로 제공하세요.",
     "httpDestAuthBasicPlaceholder": "사용자 이름:비밀번호",
     "httpDestAuthCustomTitle": "사용자 정의 헤더",
     "httpDestAuthCustomDescription": "인증을 위한 사용자 정의 HTTP 헤더 이름 및 값을 지정하세요 (예: X-API-Key).",
diff --git a/messages/nb-NO.json b/messages/nb-NO.json
index 751f15081..2dbde67c7 100644
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -2845,10 +2845,10 @@
     "httpDestAuthNoneTitle": "Ingen godkjenning",
     "httpDestAuthNoneDescription": "Sender forespørsler uten autorisasjonsoverskrift.",
     "httpDestAuthBearerTitle": "Bærer Symbol",
-    "httpDestAuthBearerDescription": "Legger til en autorisasjon: Bearer <token> header til hver forespørsel.",
+    "httpDestAuthBearerDescription": "Legger til en autorisasjon: Bearer '<token>' header til hver forespørsel.",
     "httpDestAuthBearerPlaceholder": "Din API-nøkkel eller token",
     "httpDestAuthBasicTitle": "Standard Auth",
-    "httpDestAuthBasicDescription": "Legger til en godkjenning: Grunnleggende <credentials> overskrift. Angi legitimasjon som brukernavn:passord.",
+    "httpDestAuthBasicDescription": "Legger til en godkjenning: Grunnleggende '<credentials>' overskrift. Angi legitimasjon som brukernavn:passord.",
     "httpDestAuthBasicPlaceholder": "brukernavn:passord",
     "httpDestAuthCustomTitle": "Egendefinert topptekst",
     "httpDestAuthCustomDescription": "Angi et egendefinert HTTP headers navn og verdi for autentisering (f.eks X-API-Key).",
diff --git a/messages/nl-NL.json b/messages/nl-NL.json
index e38aec788..a28205146 100644
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -2845,10 +2845,10 @@
     "httpDestAuthNoneTitle": "Geen authenticatie",
     "httpDestAuthNoneDescription": "Stuurt verzoeken zonder toestemmingskop.",
     "httpDestAuthBearerTitle": "Betere Token",
-    "httpDestAuthBearerDescription": "Voegt een machtiging toe: Drager <token> header aan elke aanvraag.",
+    "httpDestAuthBearerDescription": "Voegt een machtiging toe: Drager '<token>' header aan elke aanvraag.",
     "httpDestAuthBearerPlaceholder": "Uw API-sleutel of -token",
     "httpDestAuthBasicTitle": "Basis authenticatie",
-    "httpDestAuthBasicDescription": "Voegt een Authorizatie toe: Basis <credentials> kop. Geef inloggegevens op als gebruikersnaam:wachtwoord.",
+    "httpDestAuthBasicDescription": "Voegt een Authorizatie toe: Basis '<credentials>' kop. Geef inloggegevens op als gebruikersnaam:wachtwoord.",
     "httpDestAuthBasicPlaceholder": "Gebruikersnaam:wachtwoord",
     "httpDestAuthCustomTitle": "Aangepaste koptekst",
     "httpDestAuthCustomDescription": "Specificeer een aangepaste HTTP header naam en waarde voor authenticatie (bijv. X-API-Key).",
diff --git a/messages/pl-PL.json b/messages/pl-PL.json
index 3a9607e7c..4f379528d 100644
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -2845,10 +2845,10 @@
     "httpDestAuthNoneTitle": "Brak uwierzytelniania",
     "httpDestAuthNoneDescription": "Wysyła żądania bez nagłówka autoryzacji.",
     "httpDestAuthBearerTitle": "Token Bearer",
-    "httpDestAuthBearerDescription": "Dodaje autoryzację: nagłówek Bearer <token> do każdego żądania.",
+    "httpDestAuthBearerDescription": "Dodaje autoryzację: nagłówek Bearer '<token>' do każdego żądania.",
     "httpDestAuthBearerPlaceholder": "Twój klucz API lub token",
     "httpDestAuthBasicTitle": "Podstawowa Autoryzacja",
-    "httpDestAuthBasicDescription": "Dodaje Autoryzacja: Nagłówek Basic <credentials> . Podaj poświadczenia jako nazwę użytkownika: hasło.",
+    "httpDestAuthBasicDescription": "Dodaje Autoryzacja: Nagłówek Basic '<credentials>' . Podaj poświadczenia jako nazwę użytkownika: hasło.",
     "httpDestAuthBasicPlaceholder": "Nazwa użytkownika:hasło",
     "httpDestAuthCustomTitle": "Niestandardowy nagłówek",
     "httpDestAuthCustomDescription": "Określ niestandardową nazwę nagłówka HTTP i wartość dla uwierzytelniania (np. X-API-Key).",
diff --git a/messages/pt-PT.json b/messages/pt-PT.json
index 2573ed6da..b32365d88 100644
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -2845,10 +2845,10 @@
     "httpDestAuthNoneTitle": "Sem Autenticação",
     "httpDestAuthNoneDescription": "Envia pedidos sem um cabeçalho de autorização.",
     "httpDestAuthBearerTitle": "Token do portador",
-    "httpDestAuthBearerDescription": "Adiciona uma autorização: Bearer <token> header a cada requisição.",
+    "httpDestAuthBearerDescription": "Adiciona uma autorização: Bearer '<token>' header a cada requisição.",
     "httpDestAuthBearerPlaceholder": "Sua chave de API ou token",
     "httpDestAuthBasicTitle": "Autenticação básica",
-    "httpDestAuthBasicDescription": "Adiciona uma Autorização: cabeçalho <credentials> básico. Forneça credenciais como nome de usuário:senha.",
+    "httpDestAuthBasicDescription": "Adiciona uma Autorização: cabeçalho '<credentials>' básico. Forneça credenciais como nome de usuário:senha.",
     "httpDestAuthBasicPlaceholder": "Usuário:password",
     "httpDestAuthCustomTitle": "Cabeçalho personalizado",
     "httpDestAuthCustomDescription": "Especifique um nome e valor de cabeçalho HTTP personalizado para autenticação (por exemplo, X-API-Key).",
diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index b44ec36ed..9214572b7 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -2845,10 +2845,10 @@
     "httpDestAuthNoneTitle": "Нет аутентификации",
     "httpDestAuthNoneDescription": "Отправляет запросы без заголовка авторизации.",
     "httpDestAuthBearerTitle": "Жетон носителя",
-    "httpDestAuthBearerDescription": "Добавляет заголовок Authorization: Bearer <token> к каждому запросу.",
+    "httpDestAuthBearerDescription": "Добавляет заголовок Authorization: Bearer '<token>' к каждому запросу.",
     "httpDestAuthBearerPlaceholder": "Ваш ключ API или токен",
     "httpDestAuthBasicTitle": "Базовая авторизация",
-    "httpDestAuthBasicDescription": "Добавляет Authorization: Basic <credentials> header. Предоставьте учетные данные в качестве имени пользователя:password.",
+    "httpDestAuthBasicDescription": "Добавляет Authorization: Basic '<credentials>' header. Предоставьте учетные данные в качестве имени пользователя:password.",
     "httpDestAuthBasicPlaceholder": "имя пользователя:пароль",
     "httpDestAuthCustomTitle": "Пользовательский заголовок",
     "httpDestAuthCustomDescription": "Укажите пользовательское имя заголовка HTTP и значение для аутентификации (например, X-API-Key).",
diff --git a/messages/tr-TR.json b/messages/tr-TR.json
index e89778322..26ac580fa 100644
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -2845,10 +2845,10 @@
     "httpDestAuthNoneTitle": "Kimlik Doğrulama Yok",
     "httpDestAuthNoneDescription": "Yetkilendirme başlığı olmadan istekler gönderir.",
     "httpDestAuthBearerTitle": "Taşıyıcı Jetonu",
-    "httpDestAuthBearerDescription": "Her isteğe bir Yetkilendirme: Taşıyıcı <token> başlığı ekler.",
+    "httpDestAuthBearerDescription": "Her isteğe bir Yetkilendirme: Taşıyıcı '<token>' başlığı ekler.",
     "httpDestAuthBearerPlaceholder": "API anahtarınız veya jetonunuz",
     "httpDestAuthBasicTitle": "Temel Kimlik Doğrulama",
-    "httpDestAuthBasicDescription": "Authorization: Temel <belirtecikler> başlığı ekler. Yetkilendirmeleri kullanıcı adı:şifre olarak sağlayın.",
+    "httpDestAuthBasicDescription": "Authorization: Temel '<belirtecikler>' başlığı ekler. Yetkilendirmeleri kullanıcı adı:şifre olarak sağlayın.",
     "httpDestAuthBasicPlaceholder": "kullanıcı adı:şifre",
     "httpDestAuthCustomTitle": "Özel Başlık",
     "httpDestAuthCustomDescription": "Kimlik doğrulama için özel bir HTTP başlık adı ve değer belirtin (örn. X-API-Key).",
diff --git a/messages/zh-CN.json b/messages/zh-CN.json
index 07ffe4d5b..1935dde63 100644
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -2845,10 +2845,10 @@
     "httpDestAuthNoneTitle": "无身份验证",
     "httpDestAuthNoneDescription": "在没有授权头的情况下发送请求。",
     "httpDestAuthBearerTitle": "持有者令牌",
-    "httpDestAuthBearerDescription": "添加授权：每个请求的标题为 <token>。",
+    "httpDestAuthBearerDescription": "添加授权：每个请求的标题为 '<token>'。",
     "httpDestAuthBearerPlaceholder": "您的 API 密钥或令牌",
     "httpDestAuthBasicTitle": "基本认证",
-    "httpDestAuthBasicDescription": "添加授权：基本 <credentials> 头。提供用户名：密码的凭据。",
+    "httpDestAuthBasicDescription": "添加授权：基本 '<credentials>' 头。提供用户名：密码的凭据。",
     "httpDestAuthBasicPlaceholder": "用户名:密码",
     "httpDestAuthCustomTitle": "自定义标题",
     "httpDestAuthCustomDescription": "指定自定义 HTTP 头名称和身份验证值 (例如，X-API 键)。",

From 73e96b1b280f02b30428650d0186d16d66ae2a89 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Fri, 3 Apr 2026 12:15:30 -0400
Subject: [PATCH 272/314] Type cast data

---
 server/routers/gerbil/receiveBandwidth.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/routers/gerbil/receiveBandwidth.ts b/server/routers/gerbil/receiveBandwidth.ts
index b4cce8c4e..8bd7b90aa 100644
--- a/server/routers/gerbil/receiveBandwidth.ts
+++ b/server/routers/gerbil/receiveBandwidth.ts
@@ -173,7 +173,7 @@ export async function flushSiteBandwidthToDb(): Promise<void> {
                 // PostgreSQL: batch UPDATE … FROM (VALUES …) — single round-trip per chunk.
                 const valuesList = chunk.map(
                     ([publicKey, { bytesIn, bytesOut }]) =>
-                        sql`(${publicKey}, ${bytesIn}, ${bytesOut})`
+                        sql`(${publicKey}, ${bytesIn}::bigint, ${bytesOut}::bigint)`
                 );
                 const valuesClause = sql.join(valuesList, sql`, `);
                 return dbQueryRows<{ orgId: string; pubKey: string }>(sql`

From 8ce45a1acdc912fd48dc67dfafc7ec61a85ec4f2 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Fri, 3 Apr 2026 12:34:37 -0400
Subject: [PATCH 273/314] Update casting again

---
 server/routers/gerbil/receiveBandwidth.ts | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/server/routers/gerbil/receiveBandwidth.ts b/server/routers/gerbil/receiveBandwidth.ts
index 8bd7b90aa..dcd897471 100644
--- a/server/routers/gerbil/receiveBandwidth.ts
+++ b/server/routers/gerbil/receiveBandwidth.ts
@@ -171,9 +171,8 @@ export async function flushSiteBandwidthToDb(): Promise<void> {
                 }
 
                 // PostgreSQL: batch UPDATE … FROM (VALUES …) — single round-trip per chunk.
-                const valuesList = chunk.map(
-                    ([publicKey, { bytesIn, bytesOut }]) =>
-                        sql`(${publicKey}, ${bytesIn}::bigint, ${bytesOut}::bigint)`
+                const valuesList = chunk.map(([publicKey, { bytesIn, bytesOut }]) =>
+                    sql`(${publicKey}::text, ${bytesIn}::real, ${bytesOut}::real)`
                 );
                 const valuesClause = sql.join(valuesList, sql`, `);
                 return dbQueryRows<{ orgId: string; pubKey: string }>(sql`

From 03c905a7afc00e8c20d27d08f807772fb613eaba Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 13:03:22 -0400
Subject: [PATCH 274/314] New translations en-us.json (French)

---
 messages/fr-FR.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/messages/fr-FR.json b/messages/fr-FR.json
index 4305595d9..4f6d9c6df 100644
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Aucune authentification",
     "httpDestAuthNoneDescription": "Envoie des requêtes sans en-tête d'autorisation.",
     "httpDestAuthBearerTitle": "Jeton de Porteur",
-    "httpDestAuthBearerDescription": "Ajoute un en-tête Authorization: Bearer '<token>' à chaque requête.",
+    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
     "httpDestAuthBearerPlaceholder": "Votre clé API ou votre jeton",
     "httpDestAuthBasicTitle": "Authentification basique",
-    "httpDestAuthBasicDescription": "Ajoute une autorisation : en-tête de base '<credentials>' . Fournissez des informations d'identification comme nom d'utilisateur:mot de passe.",
+    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
     "httpDestAuthBasicPlaceholder": "nom d'utilisateur:mot de passe",
     "httpDestAuthCustomTitle": "En-tête personnalisé",
     "httpDestAuthCustomDescription": "Spécifiez un nom d'en-tête HTTP personnalisé et une valeur pour l'authentification (par exemple X-API-Key).",

From c2ebc0a0ff101570e239a966282f40adb9339188 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 13:03:24 -0400
Subject: [PATCH 275/314] New translations en-us.json (Bulgarian)

---
 messages/bg-BG.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/messages/bg-BG.json b/messages/bg-BG.json
index 84a8e68cf..be4304edd 100644
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Без удостоверяване",
     "httpDestAuthNoneDescription": "Изпращане на заявки без заглавие за удостоверяване.",
     "httpDestAuthBearerTitle": "Bearer Токен",
-    "httpDestAuthBearerDescription": "Добавя заглавие за удостоверяване Bearer '<token>' към всяка заявка.",
+    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
     "httpDestAuthBearerPlaceholder": "Вашият API ключ или токен",
     "httpDestAuthBasicTitle": "Основно удостоверяване",
-    "httpDestAuthBasicDescription": "Добавя заглавие за удостоверяване Basic '<credentials>' към всяка заявка. Осигурете идентификационни данни като потребителско име:парола.",
+    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
     "httpDestAuthBasicPlaceholder": "потребителско име:парола",
     "httpDestAuthCustomTitle": "Персонализирано заглавие",
     "httpDestAuthCustomDescription": "Посочете персонализирано име и стойност на заглавието за удостоверяване (например X-API-Key).",

From 8eee0ca5a5aed7fc559a69beecb6393fafa42f98 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 13:03:26 -0400
Subject: [PATCH 276/314] New translations en-us.json (Czech)

---
 messages/cs-CZ.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/messages/cs-CZ.json b/messages/cs-CZ.json
index a38e8a554..8ce05660f 100644
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Žádné ověření",
     "httpDestAuthNoneDescription": "Odešle žádosti bez záhlaví autorizace.",
     "httpDestAuthBearerTitle": "Token na doručitele",
-    "httpDestAuthBearerDescription": "Přidá autorizaci: Hlavička Bearer '<token>' ke každému požadavku.",
+    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
     "httpDestAuthBearerPlaceholder": "Váš API klíč nebo token",
     "httpDestAuthBasicTitle": "Základní ověření",
-    "httpDestAuthBasicDescription": "Přidá autorizaci: Základní '<credentials>' hlavička. Poskytněte přihlašovací údaje jako uživatelské jméno:password.",
+    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
     "httpDestAuthBasicPlaceholder": "uživatelské jméno:heslo",
     "httpDestAuthCustomTitle": "Vlastní záhlaví",
     "httpDestAuthCustomDescription": "Zadejte název a hodnotu vlastního HTTP hlavičky pro ověření (např. X-API-Key).",

From 2e6f74a6f883da4a814043fb516855310146de50 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 13:03:28 -0400
Subject: [PATCH 277/314] New translations en-us.json (German)

---
 messages/de-DE.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/messages/de-DE.json b/messages/de-DE.json
index e80f085eb..ada257527 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Keine Authentifizierung",
     "httpDestAuthNoneDescription": "Sendet Anfragen ohne Autorisierungs-Header.",
     "httpDestAuthBearerTitle": "Bären-Token",
-    "httpDestAuthBearerDescription": "Fügt eine Berechtigung hinzu: Bearer '<token>' Header zu jeder Anfrage.",
+    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
     "httpDestAuthBearerPlaceholder": "Ihr API-Schlüssel oder Token",
     "httpDestAuthBasicTitle": "Einfacher Auth",
-    "httpDestAuthBasicDescription": "Fügt eine Autorisierung hinzu: Basic '<credentials>' Kopfzeile hinzu. Geben Sie Anmeldedaten als Benutzername:password an.",
+    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
     "httpDestAuthBasicPlaceholder": "benutzername:password",
     "httpDestAuthCustomTitle": "Eigene Kopfzeile",
     "httpDestAuthCustomDescription": "Geben Sie einen eigenen HTTP-Header-Namen und einen Wert für die Authentifizierung an (z.B. X-API-Key).",

From b25e3499d871b81d608085f98dccb09c35539a0e Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 13:03:30 -0400
Subject: [PATCH 278/314] New translations en-us.json (Italian)

---
 messages/it-IT.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/messages/it-IT.json b/messages/it-IT.json
index 5624d763c..903d3c813 100644
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Nessuna Autenticazione",
     "httpDestAuthNoneDescription": "Invia richieste senza intestazione autorizzazione.",
     "httpDestAuthBearerTitle": "Token Del Portatore",
-    "httpDestAuthBearerDescription": "Aggiunge un'intestazione Autorizzazione: Bearer '<token>' ad ogni richiesta.",
+    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
     "httpDestAuthBearerPlaceholder": "La tua chiave API o token",
     "httpDestAuthBasicTitle": "Autenticazione Base",
-    "httpDestAuthBasicDescription": "Aggiunge un'autorizzazione: intestazione di base '<credentials>' . Fornisce le credenziali come username:password.",
+    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
     "httpDestAuthBasicPlaceholder": "username:password",
     "httpDestAuthCustomTitle": "Intestazione Personalizzata",
     "httpDestAuthCustomDescription": "Specifica un nome e un valore di intestazione HTTP personalizzati per l'autenticazione (ad esempio X-API-Key).",

From e04f17c9aa0fdd1c1904ee5cb8268745edceba2a Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 13:03:32 -0400
Subject: [PATCH 279/314] New translations en-us.json (Korean)

---
 messages/ko-KR.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/messages/ko-KR.json b/messages/ko-KR.json
index e2c4642c5..a6045f912 100644
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "인증 없음",
     "httpDestAuthNoneDescription": "Authorization 헤더 없이 요청을 보냅니다.",
     "httpDestAuthBearerTitle": "Bearer 토큰",
-    "httpDestAuthBearerDescription": "모든 요청에 Authorization: Bearer '<token>' 헤더를 추가합니다.",
+    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
     "httpDestAuthBearerPlaceholder": "API 키 또는 토큰",
     "httpDestAuthBasicTitle": "기본 인증",
-    "httpDestAuthBasicDescription": "Authorization: Basic '<credentials>' 헤더를 추가합니다. 자격 증명은 username:password 형식으로 제공하세요.",
+    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
     "httpDestAuthBasicPlaceholder": "사용자 이름:비밀번호",
     "httpDestAuthCustomTitle": "사용자 정의 헤더",
     "httpDestAuthCustomDescription": "인증을 위한 사용자 정의 HTTP 헤더 이름 및 값을 지정하세요 (예: X-API-Key).",

From 87464d53bdd97311fd6dd2a64934c43b12e9568e Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 13:03:33 -0400
Subject: [PATCH 280/314] New translations en-us.json (Dutch)

---
 messages/nl-NL.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/messages/nl-NL.json b/messages/nl-NL.json
index d6b178048..1b28ac099 100644
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Geen authenticatie",
     "httpDestAuthNoneDescription": "Stuurt verzoeken zonder toestemmingskop.",
     "httpDestAuthBearerTitle": "Betere Token",
-    "httpDestAuthBearerDescription": "Voegt een machtiging toe: Drager '<token>' header aan elke aanvraag.",
+    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
     "httpDestAuthBearerPlaceholder": "Uw API-sleutel of -token",
     "httpDestAuthBasicTitle": "Basis authenticatie",
-    "httpDestAuthBasicDescription": "Voegt een Authorizatie toe: Basis '<credentials>' kop. Geef inloggegevens op als gebruikersnaam:wachtwoord.",
+    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
     "httpDestAuthBasicPlaceholder": "Gebruikersnaam:wachtwoord",
     "httpDestAuthCustomTitle": "Aangepaste koptekst",
     "httpDestAuthCustomDescription": "Specificeer een aangepaste HTTP header naam en waarde voor authenticatie (bijv. X-API-Key).",

From aa8954366ca20808c87532ada52f0c2df7d2e235 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 13:03:35 -0400
Subject: [PATCH 281/314] New translations en-us.json (Polish)

---
 messages/pl-PL.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/messages/pl-PL.json b/messages/pl-PL.json
index efd10b5e5..53d8ea813 100644
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Brak uwierzytelniania",
     "httpDestAuthNoneDescription": "Wysyła żądania bez nagłówka autoryzacji.",
     "httpDestAuthBearerTitle": "Token Bearer",
-    "httpDestAuthBearerDescription": "Dodaje autoryzację: nagłówek Bearer '<token>' do każdego żądania.",
+    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
     "httpDestAuthBearerPlaceholder": "Twój klucz API lub token",
     "httpDestAuthBasicTitle": "Podstawowa Autoryzacja",
-    "httpDestAuthBasicDescription": "Dodaje Autoryzacja: Nagłówek Basic '<credentials>' . Podaj poświadczenia jako nazwę użytkownika: hasło.",
+    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
     "httpDestAuthBasicPlaceholder": "Nazwa użytkownika:hasło",
     "httpDestAuthCustomTitle": "Niestandardowy nagłówek",
     "httpDestAuthCustomDescription": "Określ niestandardową nazwę nagłówka HTTP i wartość dla uwierzytelniania (np. X-API-Key).",

From daff59c93f66f09ad51dbc7162bf3be6e2d1330c Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 13:03:36 -0400
Subject: [PATCH 282/314] New translations en-us.json (Portuguese)

---
 messages/pt-PT.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/messages/pt-PT.json b/messages/pt-PT.json
index a49285607..f267605b2 100644
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Sem Autenticação",
     "httpDestAuthNoneDescription": "Envia pedidos sem um cabeçalho de autorização.",
     "httpDestAuthBearerTitle": "Token do portador",
-    "httpDestAuthBearerDescription": "Adiciona uma autorização: Bearer '<token>' header a cada requisição.",
+    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
     "httpDestAuthBearerPlaceholder": "Sua chave de API ou token",
     "httpDestAuthBasicTitle": "Autenticação básica",
-    "httpDestAuthBasicDescription": "Adiciona uma Autorização: cabeçalho '<credentials>' básico. Forneça credenciais como nome de usuário:senha.",
+    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
     "httpDestAuthBasicPlaceholder": "Usuário:password",
     "httpDestAuthCustomTitle": "Cabeçalho personalizado",
     "httpDestAuthCustomDescription": "Especifique um nome e valor de cabeçalho HTTP personalizado para autenticação (por exemplo, X-API-Key).",

From f00b9794f52ad3d3a6a39a8b93190e8d12766217 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 13:03:38 -0400
Subject: [PATCH 283/314] New translations en-us.json (Russian)

---
 messages/ru-RU.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index 9fde8085b..a1df99de1 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Нет аутентификации",
     "httpDestAuthNoneDescription": "Отправляет запросы без заголовка авторизации.",
     "httpDestAuthBearerTitle": "Жетон носителя",
-    "httpDestAuthBearerDescription": "Добавляет заголовок Authorization: Bearer '<token>' к каждому запросу.",
+    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
     "httpDestAuthBearerPlaceholder": "Ваш ключ API или токен",
     "httpDestAuthBasicTitle": "Базовая авторизация",
-    "httpDestAuthBasicDescription": "Добавляет Authorization: Basic '<credentials>' header. Предоставьте учетные данные в качестве имени пользователя:password.",
+    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
     "httpDestAuthBasicPlaceholder": "имя пользователя:пароль",
     "httpDestAuthCustomTitle": "Пользовательский заголовок",
     "httpDestAuthCustomDescription": "Укажите пользовательское имя заголовка HTTP и значение для аутентификации (например, X-API-Key).",

From d17e0c9f50726065542525cbbae5a6e71329a2ca Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 13:03:39 -0400
Subject: [PATCH 284/314] New translations en-us.json (Turkish)

---
 messages/tr-TR.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/messages/tr-TR.json b/messages/tr-TR.json
index f0bd3bc32..dc7102fc1 100644
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Kimlik Doğrulama Yok",
     "httpDestAuthNoneDescription": "Yetkilendirme başlığı olmadan istekler gönderir.",
     "httpDestAuthBearerTitle": "Taşıyıcı Jetonu",
-    "httpDestAuthBearerDescription": "Her isteğe bir Yetkilendirme: Taşıyıcı '<token>' başlığı ekler.",
+    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
     "httpDestAuthBearerPlaceholder": "API anahtarınız veya jetonunuz",
     "httpDestAuthBasicTitle": "Temel Kimlik Doğrulama",
-    "httpDestAuthBasicDescription": "Authorization: Temel '<belirtecikler>' başlığı ekler. Yetkilendirmeleri kullanıcı adı:şifre olarak sağlayın.",
+    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
     "httpDestAuthBasicPlaceholder": "kullanıcı adı:şifre",
     "httpDestAuthCustomTitle": "Özel Başlık",
     "httpDestAuthCustomDescription": "Kimlik doğrulama için özel bir HTTP başlık adı ve değer belirtin (örn. X-API-Key).",

From 700c92efcbd89a61efb967b391b61cfa1c1dac26 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 13:03:41 -0400
Subject: [PATCH 285/314] New translations en-us.json (Chinese Simplified)

---
 messages/zh-CN.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/messages/zh-CN.json b/messages/zh-CN.json
index f5af25854..be910aee8 100644
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "无身份验证",
     "httpDestAuthNoneDescription": "在没有授权头的情况下发送请求。",
     "httpDestAuthBearerTitle": "持有者令牌",
-    "httpDestAuthBearerDescription": "添加授权：每个请求的标题为 '<token>'。",
+    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
     "httpDestAuthBearerPlaceholder": "您的 API 密钥或令牌",
     "httpDestAuthBasicTitle": "基本认证",
-    "httpDestAuthBasicDescription": "添加授权：基本 '<credentials>' 头。提供用户名：密码的凭据。",
+    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
     "httpDestAuthBasicPlaceholder": "用户名:密码",
     "httpDestAuthCustomTitle": "自定义标题",
     "httpDestAuthCustomDescription": "指定自定义 HTTP 头名称和身份验证值 (例如，X-API 键)。",

From 76d8f44779b0e38ae02ecfa51b52d8ad62a39053 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 13:03:43 -0400
Subject: [PATCH 286/314] New translations en-us.json (Norwegian Bokmal)

---
 messages/nb-NO.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/messages/nb-NO.json b/messages/nb-NO.json
index 6473644b7..147817713 100644
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Ingen godkjenning",
     "httpDestAuthNoneDescription": "Sender forespørsler uten autorisasjonsoverskrift.",
     "httpDestAuthBearerTitle": "Bærer Symbol",
-    "httpDestAuthBearerDescription": "Legger til en autorisasjon: Bearer '<token>' header til hver forespørsel.",
+    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
     "httpDestAuthBearerPlaceholder": "Din API-nøkkel eller token",
     "httpDestAuthBasicTitle": "Standard Auth",
-    "httpDestAuthBasicDescription": "Legger til en godkjenning: Grunnleggende '<credentials>' overskrift. Angi legitimasjon som brukernavn:passord.",
+    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
     "httpDestAuthBasicPlaceholder": "brukernavn:passord",
     "httpDestAuthCustomTitle": "Egendefinert topptekst",
     "httpDestAuthCustomDescription": "Angi et egendefinert HTTP headers navn og verdi for autentisering (f.eks X-API-Key).",

From 6f80cf3db20b88870b609557ab5db94f0c8e0072 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 13:03:44 -0400
Subject: [PATCH 287/314] New translations en-us.json (Spanish)

---
 messages/es-ES.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/messages/es-ES.json b/messages/es-ES.json
index 0a1827387..766099ffe 100644
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Sin autenticación",
     "httpDestAuthNoneDescription": "Envía solicitudes sin un encabezado de autorización.",
     "httpDestAuthBearerTitle": "Tóken de portador",
-    "httpDestAuthBearerDescription": "Añade una autorización: portador '<token>' encabezado a cada solicitud.",
+    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
     "httpDestAuthBearerPlaceholder": "Tu clave o token API",
     "httpDestAuthBasicTitle": "Auth Básica",
-    "httpDestAuthBasicDescription": "Añade una Autorización: encabezado básico '<credentials>' . Proporcione credenciales como nombre de usuario: contraseña.",
+    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
     "httpDestAuthBasicPlaceholder": "usuario:contraseña",
     "httpDestAuthCustomTitle": "Cabecera personalizada",
     "httpDestAuthCustomDescription": "Especifique un nombre de cabecera HTTP personalizado y un valor para la autenticación (por ejemplo, X-API-Key).",

From 9da9974adfc490adee29828c03850f7b0465a94f Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 14:58:38 -0400
Subject: [PATCH 288/314] New translations en-us.json (French)

---
 messages/fr-FR.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/messages/fr-FR.json b/messages/fr-FR.json
index 4f6d9c6df..20d764f75 100644
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Clé de provisioning mise à jour",
     "provisioningKeysUpdatedDescription": "Vos modifications ont été enregistrées.",
     "provisioningKeysBannerTitle": "Clés de provisioning du site",
-    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
+    "provisioningKeysBannerDescription": "Générez une clé de provisionnement et utilisez-la avec le connecteur Newt pour créer automatiquement des sites lors du premier démarrage - sans besoin de configurer des identifiants séparés pour chaque site.",
     "provisioningKeysBannerButtonText": "En savoir plus",
     "pendingSitesBannerTitle": "Sites en attente",
-    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
+    "pendingSitesBannerDescription": "Les sites qui se connectent en utilisant une clé de provisionnement apparaissent ici pour révision.",
     "pendingSitesBannerButtonText": "En savoir plus",
     "apiKeysSettings": "Paramètres de {apiKeyName}",
     "userTitle": "Gérer tous les utilisateurs",
@@ -624,8 +624,8 @@
     "targetErrorInvalidPortDescription": "Veuillez entrer un numéro de port valide",
     "targetErrorNoSite": "Aucun site sélectionné",
     "targetErrorNoSiteDescription": "Veuillez sélectionner un site pour la cible",
-    "targetTargetsCleared": "Targets cleared",
-    "targetTargetsClearedDescription": "All targets have been removed from this resource",
+    "targetTargetsCleared": "Cibles effacées",
+    "targetTargetsClearedDescription": "Toutes les cibles ont été retirées de cette ressource",
     "targetCreated": "Cible créée",
     "targetCreatedDescription": "La cible a été créée avec succès",
     "targetErrorCreate": "Impossible de créer la cible",
@@ -2348,7 +2348,7 @@
                 "description": "Fonctionnalités d'entreprise, 50 utilisateurs, 50 sites et une prise en charge prioritaire."
             }
         },
-        "personalUseOnly": "Personal use only (free license - no checkout)",
+        "personalUseOnly": "Usage personnel uniquement (licence gratuite - pas de validation)",
         "buttons": {
             "continueToCheckout": "Continuer vers le paiement"
         },
@@ -2609,9 +2609,9 @@
     "machineClients": "Clients Machines",
     "install": "Installer",
     "run": "Exécuter",
-    "envFile": "Environment File",
-    "serviceFile": "Service File",
-    "enableAndStart": "Enable and Start",
+    "envFile": "Fichier Environnement",
+    "serviceFile": "Fichier de Service",
+    "enableAndStart": "Activer et Démarrer",
     "clientNameDescription": "Le nom d'affichage du client qui peut être modifié plus tard.",
     "clientAddress": "Adresse du client (Avancé)",
     "setupFailedToFetchSubnet": "Impossible de récupérer le sous-réseau par défaut",
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Aucune authentification",
     "httpDestAuthNoneDescription": "Envoie des requêtes sans en-tête d'autorisation.",
     "httpDestAuthBearerTitle": "Jeton de Porteur",
-    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
+    "httpDestAuthBearerDescription": "Ajoute un en-tête Authorization: Bearer '<token>' à chaque requête.",
     "httpDestAuthBearerPlaceholder": "Votre clé API ou votre jeton",
     "httpDestAuthBasicTitle": "Authentification basique",
-    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
+    "httpDestAuthBasicDescription": "Ajoute un en-tête Authorization: Basic '<credentials>'. Fournissez les identifiants sous la forme nom d'utilisateur:mot de passe.",
     "httpDestAuthBasicPlaceholder": "nom d'utilisateur:mot de passe",
     "httpDestAuthCustomTitle": "En-tête personnalisé",
     "httpDestAuthCustomDescription": "Spécifiez un nom d'en-tête HTTP personnalisé et une valeur pour l'authentification (par exemple X-API-Key).",

From 8b03484ade146f06b285b28aa2ad144943534362 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 14:58:39 -0400
Subject: [PATCH 289/314] New translations en-us.json (Bulgarian)

---
 messages/bg-BG.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/messages/bg-BG.json b/messages/bg-BG.json
index be4304edd..15a2d36db 100644
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Ключът за осигуряване е актуализиран",
     "provisioningKeysUpdatedDescription": "Вашите промени бяха запазени.",
     "provisioningKeysBannerTitle": "Ключове за осигуряване на сайта",
-    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
+    "provisioningKeysBannerDescription": "Генерирайте ключ за осигуряване и го използвайте със съединителя Newt за автоматично създаване на сайтове при първоначално стартиране - не е необходимо да се създават отделни идентификационни данни за всеки сайт.",
     "provisioningKeysBannerButtonText": "Научете повече",
     "pendingSitesBannerTitle": "Чакащи сайтове",
-    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
+    "pendingSitesBannerDescription": "Сайтовете, които се свързват с ключ за осигуряване, ще се появят тук за преглед.",
     "pendingSitesBannerButtonText": "Научете повече",
     "apiKeysSettings": "Настройки на {apiKeyName}",
     "userTitle": "Управление на всички потребители",
@@ -624,8 +624,8 @@
     "targetErrorInvalidPortDescription": "Моля, въведете валиден номер на порт",
     "targetErrorNoSite": "Няма избран сайт",
     "targetErrorNoSiteDescription": "Моля, изберете сайт за целта",
-    "targetTargetsCleared": "Targets cleared",
-    "targetTargetsClearedDescription": "All targets have been removed from this resource",
+    "targetTargetsCleared": "Мишените са премахнати",
+    "targetTargetsClearedDescription": "Всички цели са били премахнати от този ресурс",
     "targetCreated": "Целта е създадена",
     "targetCreatedDescription": "Целта беше успешно създадена",
     "targetErrorCreate": "Неуспешно създаване на целта",
@@ -2348,7 +2348,7 @@
                 "description": "Предприятие, 50 потребители, 50 сайта и приоритетна поддръжка."
             }
         },
-        "personalUseOnly": "Personal use only (free license - no checkout)",
+        "personalUseOnly": "Само за лична употреба (безплатен лиценз - без проверка)",
         "buttons": {
             "continueToCheckout": "Продължете към плащане"
         },
@@ -2609,9 +2609,9 @@
     "machineClients": "Машинни клиенти",
     "install": "Инсталирай",
     "run": "Изпълни",
-    "envFile": "Environment File",
-    "serviceFile": "Service File",
-    "enableAndStart": "Enable and Start",
+    "envFile": "Файл за среда",
+    "serviceFile": "Файл за услуга",
+    "enableAndStart": "Активиране и стартиране",
     "clientNameDescription": "Показваното име на клиента, което може да се промени по-късно.",
     "clientAddress": "Клиентски адрес (Разширено)",
     "setupFailedToFetchSubnet": "Неуспешно извличане на подмрежа по подразбиране",
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Без удостоверяване",
     "httpDestAuthNoneDescription": "Изпращане на заявки без заглавие за удостоверяване.",
     "httpDestAuthBearerTitle": "Bearer Токен",
-    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
+    "httpDestAuthBearerDescription": "Добавя заглавие Authorization: Bearer '<token>' към всяка заявка.",
     "httpDestAuthBearerPlaceholder": "Вашият API ключ или токен",
     "httpDestAuthBasicTitle": "Основно удостоверяване",
-    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
+    "httpDestAuthBasicDescription": "Добавя заглавие Authorization: Basic '<credentials>'. Осигурете идентификационни данни като потребителско име:парола.",
     "httpDestAuthBasicPlaceholder": "потребителско име:парола",
     "httpDestAuthCustomTitle": "Персонализирано заглавие",
     "httpDestAuthCustomDescription": "Посочете персонализирано име и стойност на заглавието за удостоверяване (например X-API-Key).",

From 16a0e1ce7be1638547e83c29700a107a4c1bb7c9 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 14:58:41 -0400
Subject: [PATCH 290/314] New translations en-us.json (Czech)

---
 messages/cs-CZ.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/messages/cs-CZ.json b/messages/cs-CZ.json
index 8ce05660f..aa564ae5b 100644
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Zajišťovací klíč byl aktualizován",
     "provisioningKeysUpdatedDescription": "Vaše změny byly uloženy.",
     "provisioningKeysBannerTitle": "Klíče pro poskytování webu",
-    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
+    "provisioningKeysBannerDescription": "Vygenerujte klíč pro zřízení a použijte ho s Newt konektorem k automatickému vytvoření stránek při prvním spuštění – není potřeba nastavit samostatné přihlašovací údaje pro každou stránku.",
     "provisioningKeysBannerButtonText": "Zjistit více",
     "pendingSitesBannerTitle": "Nevyřízené weby",
-    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
+    "pendingSitesBannerDescription": "Stránky, které se připojují pomocí klíče pro zřízení, se zde objeví ke kontrole.",
     "pendingSitesBannerButtonText": "Zjistit více",
     "apiKeysSettings": "Nastavení {apiKeyName}",
     "userTitle": "Spravovat všechny uživatele",
@@ -624,8 +624,8 @@
     "targetErrorInvalidPortDescription": "Zadejte platné číslo portu",
     "targetErrorNoSite": "Není vybrán žádný web",
     "targetErrorNoSiteDescription": "Vyberte prosím web pro cíl",
-    "targetTargetsCleared": "Targets cleared",
-    "targetTargetsClearedDescription": "All targets have been removed from this resource",
+    "targetTargetsCleared": "Cíle vymazány",
+    "targetTargetsClearedDescription": "Všechny cíle byly odstraněny z tohoto zdroje",
     "targetCreated": "Cíl byl vytvořen",
     "targetCreatedDescription": "Cíl byl úspěšně vytvořen",
     "targetErrorCreate": "Nepodařilo se vytvořit cíl",
@@ -2348,7 +2348,7 @@
                 "description": "Podnikové funkce, 50 uživatelů, 50 míst a prioritní podpory."
             }
         },
-        "personalUseOnly": "Personal use only (free license - no checkout)",
+        "personalUseOnly": "Pouze pro osobní použití (zdarma licence - bez ověření)",
         "buttons": {
             "continueToCheckout": "Pokračovat do pokladny"
         },
@@ -2609,9 +2609,9 @@
     "machineClients": "Strojoví klienti",
     "install": "Instalovat",
     "run": "Spustit",
-    "envFile": "Environment File",
-    "serviceFile": "Service File",
-    "enableAndStart": "Enable and Start",
+    "envFile": "Konfigurační soubor prostředí",
+    "serviceFile": "Služební soubor",
+    "enableAndStart": "Povolit a spustit",
     "clientNameDescription": "Zobrazované jméno klienta, které lze později změnit.",
     "clientAddress": "Adresa klienta (Rozšířeno)",
     "setupFailedToFetchSubnet": "Nepodařilo se načíst výchozí podsíť",
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Žádné ověření",
     "httpDestAuthNoneDescription": "Odešle žádosti bez záhlaví autorizace.",
     "httpDestAuthBearerTitle": "Token na doručitele",
-    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
+    "httpDestAuthBearerDescription": "Přidává hlavičku Authorization: Bearer '<token>' k každému požadavku.",
     "httpDestAuthBearerPlaceholder": "Váš API klíč nebo token",
     "httpDestAuthBasicTitle": "Základní ověření",
-    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
+    "httpDestAuthBasicDescription": "Přidává hlavičku Authorization: Basic '<credentials>'. Poskytněte přihlašovací údaje ve formátu uživatelské jméno:heslo.",
     "httpDestAuthBasicPlaceholder": "uživatelské jméno:heslo",
     "httpDestAuthCustomTitle": "Vlastní záhlaví",
     "httpDestAuthCustomDescription": "Zadejte název a hodnotu vlastního HTTP hlavičky pro ověření (např. X-API-Key).",

From 5e08779ab0b0a9c0cb76f6ecc4c35b5200a83de4 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 14:58:42 -0400
Subject: [PATCH 291/314] New translations en-us.json (German)

---
 messages/de-DE.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/messages/de-DE.json b/messages/de-DE.json
index ada257527..7518ba5ff 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Bereitstellungsschlüssel aktualisiert",
     "provisioningKeysUpdatedDescription": "Ihre Änderungen wurden gespeichert.",
     "provisioningKeysBannerTitle": "Website-Bereitstellungsschlüssel",
-    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
+    "provisioningKeysBannerDescription": "Generieren Sie einen Bereitstellungsschlüssel und verwenden Sie ihn mit dem Newt-Connector, um Standorte beim ersten Start automatisch zu erstellen - keine Notwendigkeit, separate Anmeldedaten für jede Seite einzurichten.",
     "provisioningKeysBannerButtonText": "Mehr erfahren",
     "pendingSitesBannerTitle": "Ausstehende Seiten",
-    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
+    "pendingSitesBannerDescription": "Websites, die mit einem Bereitstellungsschlüssel verbunden sind, erscheinen hier zur Überprüfung.",
     "pendingSitesBannerButtonText": "Mehr erfahren",
     "apiKeysSettings": "{apiKeyName} Einstellungen",
     "userTitle": "Alle Benutzer verwalten",
@@ -624,8 +624,8 @@
     "targetErrorInvalidPortDescription": "Bitte geben Sie eine gültige Portnummer ein",
     "targetErrorNoSite": "Kein Standort ausgewählt",
     "targetErrorNoSiteDescription": "Bitte wähle einen Standort für das Ziel aus",
-    "targetTargetsCleared": "Targets cleared",
-    "targetTargetsClearedDescription": "All targets have been removed from this resource",
+    "targetTargetsCleared": "Ziele gelöscht",
+    "targetTargetsClearedDescription": "Alle Ziele wurden aus dieser Ressource entfernt",
     "targetCreated": "Ziel erstellt",
     "targetCreatedDescription": "Ziel wurde erfolgreich erstellt",
     "targetErrorCreate": "Fehler beim Erstellen des Ziels",
@@ -2348,7 +2348,7 @@
                 "description": "Enterprise Features, 50 Benutzer, 50 Sites und Prioritätsunterstützung."
             }
         },
-        "personalUseOnly": "Personal use only (free license - no checkout)",
+        "personalUseOnly": "Nur persönliche Nutzung (kostenlose Lizenz - kein Checkout)",
         "buttons": {
             "continueToCheckout": "Weiter zur Kasse"
         },
@@ -2609,9 +2609,9 @@
     "machineClients": "Maschinen-Clients",
     "install": "Installieren",
     "run": "Ausführen",
-    "envFile": "Environment File",
-    "serviceFile": "Service File",
-    "enableAndStart": "Enable and Start",
+    "envFile": "Umgebungsdatei",
+    "serviceFile": "Servicedatei",
+    "enableAndStart": "Aktivieren und Starten",
     "clientNameDescription": "Der Anzeigename des Clients, der später geändert werden kann.",
     "clientAddress": "Clientadresse (Erweitert)",
     "setupFailedToFetchSubnet": "Fehler beim Abrufen des Standard-Subnetzes",
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Keine Authentifizierung",
     "httpDestAuthNoneDescription": "Sendet Anfragen ohne Autorisierungs-Header.",
     "httpDestAuthBearerTitle": "Bären-Token",
-    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
+    "httpDestAuthBearerDescription": "Fügt jedem Anfrage-Header eine \"Authorization: Bearer '<token>'\" hinzu.",
     "httpDestAuthBearerPlaceholder": "Ihr API-Schlüssel oder Token",
     "httpDestAuthBasicTitle": "Einfacher Auth",
-    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
+    "httpDestAuthBasicDescription": "Fügt einen \"Authorization: Basic '<credentials>'\"-Header hinzu. Geben Sie die Anmeldedaten als Benutzername:Passwort an.",
     "httpDestAuthBasicPlaceholder": "benutzername:password",
     "httpDestAuthCustomTitle": "Eigene Kopfzeile",
     "httpDestAuthCustomDescription": "Geben Sie einen eigenen HTTP-Header-Namen und einen Wert für die Authentifizierung an (z.B. X-API-Key).",

From 36ef9cd44258aeb33c2c65cb13edd0c3bc8254a3 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 14:58:44 -0400
Subject: [PATCH 292/314] New translations en-us.json (Italian)

---
 messages/it-IT.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/messages/it-IT.json b/messages/it-IT.json
index 903d3c813..7aa39bb74 100644
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Chiave di accantonamento aggiornata",
     "provisioningKeysUpdatedDescription": "Le tue modifiche sono state salvate.",
     "provisioningKeysBannerTitle": "Chiavi Di Provvedimento Sito",
-    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
+    "provisioningKeysBannerDescription": "Genera una chiave di provisioning e usala con il connettore Newt per creare automaticamente i siti al primo avvio - non è necessario configurare credenziali separate per ogni sito.",
     "provisioningKeysBannerButtonText": "Scopri di più",
     "pendingSitesBannerTitle": "Siti In Attesa",
-    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
+    "pendingSitesBannerDescription": "I siti che si connettono utilizzando una chiave di provisioning vengono visualizzati qui per la revisione.",
     "pendingSitesBannerButtonText": "Scopri di più",
     "apiKeysSettings": "Impostazioni {apiKeyName}",
     "userTitle": "Gestisci Tutti Gli Utenti",
@@ -624,8 +624,8 @@
     "targetErrorInvalidPortDescription": "Inserisci un numero di porta valido",
     "targetErrorNoSite": "Nessun sito selezionato",
     "targetErrorNoSiteDescription": "Si prega di selezionare un sito per l'obiettivo",
-    "targetTargetsCleared": "Targets cleared",
-    "targetTargetsClearedDescription": "All targets have been removed from this resource",
+    "targetTargetsCleared": "Obiettivi cancellati",
+    "targetTargetsClearedDescription": "Tutti gli obiettivi sono stati rimossi da questa risorsa",
     "targetCreated": "Destinazione creata",
     "targetCreatedDescription": "L'obiettivo è stato creato con successo",
     "targetErrorCreate": "Impossibile creare l'obiettivo",
@@ -2348,7 +2348,7 @@
                 "description": "Funzionalità aziendali, 50 utenti, 50 siti e supporto prioritario."
             }
         },
-        "personalUseOnly": "Personal use only (free license - no checkout)",
+        "personalUseOnly": "Uso personale esclusivo (licenza gratuita - nessun pagamento)",
         "buttons": {
             "continueToCheckout": "Continua al Checkout"
         },
@@ -2609,9 +2609,9 @@
     "machineClients": "Machine Clients",
     "install": "Installa",
     "run": "Esegui",
-    "envFile": "Environment File",
-    "serviceFile": "Service File",
-    "enableAndStart": "Enable and Start",
+    "envFile": "File di ambiente",
+    "serviceFile": "File di servizio",
+    "enableAndStart": "Abilita e avvia",
     "clientNameDescription": "Il nome visualizzato del client che può essere modificato in seguito.",
     "clientAddress": "Indirizzo Client (Avanzato)",
     "setupFailedToFetchSubnet": "Recupero della sottorete predefinita non riuscito",
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Nessuna Autenticazione",
     "httpDestAuthNoneDescription": "Invia richieste senza intestazione autorizzazione.",
     "httpDestAuthBearerTitle": "Token Del Portatore",
-    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
+    "httpDestAuthBearerDescription": "Aggiunge un'intestazione Authorization: Bearer '<token>' a ogni richiesta.",
     "httpDestAuthBearerPlaceholder": "La tua chiave API o token",
     "httpDestAuthBasicTitle": "Autenticazione Base",
-    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
+    "httpDestAuthBasicDescription": "Aggiunge un'intestazione Authorization: Basic '<credentials>'. Fornire le credenziali come username:password.",
     "httpDestAuthBasicPlaceholder": "username:password",
     "httpDestAuthCustomTitle": "Intestazione Personalizzata",
     "httpDestAuthCustomDescription": "Specifica un nome e un valore di intestazione HTTP personalizzati per l'autenticazione (ad esempio X-API-Key).",

From c9a00420a02c37e451103332fbe9ffac32a4c8b9 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 14:58:45 -0400
Subject: [PATCH 293/314] New translations en-us.json (Korean)

---
 messages/ko-KR.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/messages/ko-KR.json b/messages/ko-KR.json
index a6045f912..666ffecb1 100644
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "프로비저닝 키가 업데이트되었습니다",
     "provisioningKeysUpdatedDescription": "변경 사항이 저장되었습니다.",
     "provisioningKeysBannerTitle": "사이트 프로비저닝 키",
-    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
+    "provisioningKeysBannerDescription": "프로비저닝 키를 생성하고 Newt 커넥터와 함께 사용하여 첫 시작 시 사이트를 자동 생성 - 각 사이트에 대한 별도 자격 증명이 필요 없습니다.",
     "provisioningKeysBannerButtonText": "자세히 알아보기",
     "pendingSitesBannerTitle": "대기중인 사이트",
-    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
+    "pendingSitesBannerDescription": "프로비저닝 키를 사용하여 연결된 사이트가 검토를 위해 여기에 표시됩니다.",
     "pendingSitesBannerButtonText": "자세히 알아보기",
     "apiKeysSettings": "{apiKeyName} 설정",
     "userTitle": "모든 사용자 관리",
@@ -624,8 +624,8 @@
     "targetErrorInvalidPortDescription": "유효한 포트 번호를 입력하세요.",
     "targetErrorNoSite": "선택된 사이트 없음",
     "targetErrorNoSiteDescription": "대상을 위해 사이트를 선택하세요.",
-    "targetTargetsCleared": "Targets cleared",
-    "targetTargetsClearedDescription": "All targets have been removed from this resource",
+    "targetTargetsCleared": "대상이 제거됨",
+    "targetTargetsClearedDescription": "이 리소스에서 모든 대상이 제거되었습니다",
     "targetCreated": "대상 생성",
     "targetCreatedDescription": "대상이 성공적으로 생성되었습니다.",
     "targetErrorCreate": "대상 생성 실패",
@@ -2348,7 +2348,7 @@
                 "description": "기업 기능, 50명의 사용자, 50개의 사이트, 우선 지원."
             }
         },
-        "personalUseOnly": "Personal use only (free license - no checkout)",
+        "personalUseOnly": "개인용으로만 사용 (무료 라이선스 - 결제 없음)",
         "buttons": {
             "continueToCheckout": "결제로 진행"
         },
@@ -2609,9 +2609,9 @@
     "machineClients": "기계 클라이언트",
     "install": "설치",
     "run": "실행",
-    "envFile": "Environment File",
-    "serviceFile": "Service File",
-    "enableAndStart": "Enable and Start",
+    "envFile": "환경 파일",
+    "serviceFile": "서비스 파일",
+    "enableAndStart": "활성화 및 시작",
     "clientNameDescription": "나중에 변경할 수 있는 클라이언트의 표시 이름입니다.",
     "clientAddress": "클라이언트 주소(고급)",
     "setupFailedToFetchSubnet": "기본값 로드 실패",
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "인증 없음",
     "httpDestAuthNoneDescription": "Authorization 헤더 없이 요청을 보냅니다.",
     "httpDestAuthBearerTitle": "Bearer 토큰",
-    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
+    "httpDestAuthBearerDescription": "각 요청에 Authorization: Bearer '<token>' 헤더를 추가합니다.",
     "httpDestAuthBearerPlaceholder": "API 키 또는 토큰",
     "httpDestAuthBasicTitle": "기본 인증",
-    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
+    "httpDestAuthBasicDescription": "Authorization: Basic '<credentials>' 헤더를 추가합니다. 자격 증명은 사용자 이름:비밀번호로 제공합니다.",
     "httpDestAuthBasicPlaceholder": "사용자 이름:비밀번호",
     "httpDestAuthCustomTitle": "사용자 정의 헤더",
     "httpDestAuthCustomDescription": "인증을 위한 사용자 정의 HTTP 헤더 이름 및 값을 지정하세요 (예: X-API-Key).",

From c4b82c69f86059521213c967ecfdd5f1b3661e9b Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 14:58:47 -0400
Subject: [PATCH 294/314] New translations en-us.json (Dutch)

---
 messages/nl-NL.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/messages/nl-NL.json b/messages/nl-NL.json
index 1b28ac099..66d67abd7 100644
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Provisie sleutel bijgewerkt",
     "provisioningKeysUpdatedDescription": "Uw wijzigingen zijn opgeslagen.",
     "provisioningKeysBannerTitle": "Bewerkingssleutels voor websites",
-    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
+    "provisioningKeysBannerDescription": "Genereer een inrichtingssleutel en gebruik deze met de Newt-connector om automatisch sites te maken bij de eerste opstart - er is geen behoefte om aparte inloggegevens voor elke site in te stellen.",
     "provisioningKeysBannerButtonText": "Meer informatie",
     "pendingSitesBannerTitle": "Openstaande sites",
-    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
+    "pendingSitesBannerDescription": "Sites die verbinding maken met een inrichtingssleutel verschijnen hier voor beoordeling.",
     "pendingSitesBannerButtonText": "Meer informatie",
     "apiKeysSettings": "{apiKeyName} instellingen",
     "userTitle": "Alle gebruikers beheren",
@@ -624,8 +624,8 @@
     "targetErrorInvalidPortDescription": "Voer een geldig poortnummer in",
     "targetErrorNoSite": "Geen site geselecteerd",
     "targetErrorNoSiteDescription": "Selecteer een site voor het doel",
-    "targetTargetsCleared": "Targets cleared",
-    "targetTargetsClearedDescription": "All targets have been removed from this resource",
+    "targetTargetsCleared": "Doelen gewist",
+    "targetTargetsClearedDescription": "Alle doelen zijn verwijderd van deze bron",
     "targetCreated": "Doel aangemaakt",
     "targetCreatedDescription": "Doel is succesvol aangemaakt",
     "targetErrorCreate": "Kan doel niet aanmaken",
@@ -2348,7 +2348,7 @@
                 "description": "Enterprise functies, 50 gebruikers, 50 sites en prioriteit ondersteuning."
             }
         },
-        "personalUseOnly": "Personal use only (free license - no checkout)",
+        "personalUseOnly": "Alleen voor persoonlijk gebruik (gratis licentie - geen afrekening)",
         "buttons": {
             "continueToCheckout": "Doorgaan naar afrekenen"
         },
@@ -2609,9 +2609,9 @@
     "machineClients": "Machine Clienten",
     "install": "Installeren",
     "run": "Uitvoeren",
-    "envFile": "Environment File",
-    "serviceFile": "Service File",
-    "enableAndStart": "Enable and Start",
+    "envFile": "Omgevingsbestand",
+    "serviceFile": "Servicebestand",
+    "enableAndStart": "Inschakelen en Starten",
     "clientNameDescription": "De weergavenaam van de client die later gewijzigd kan worden.",
     "clientAddress": "Klant adres (Geavanceerd)",
     "setupFailedToFetchSubnet": "Kan standaard subnet niet ophalen",
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Geen authenticatie",
     "httpDestAuthNoneDescription": "Stuurt verzoeken zonder toestemmingskop.",
     "httpDestAuthBearerTitle": "Betere Token",
-    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
+    "httpDestAuthBearerDescription": "Voegt een Authorization: Bearer '<token>' header toe aan elk verzoek.",
     "httpDestAuthBearerPlaceholder": "Uw API-sleutel of -token",
     "httpDestAuthBasicTitle": "Basis authenticatie",
-    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
+    "httpDestAuthBasicDescription": "Voegt een Authorization: Basic '<credentials>' header toe. Verstrek inloggegevens als gebruikersnaam:wachtwoord.",
     "httpDestAuthBasicPlaceholder": "Gebruikersnaam:wachtwoord",
     "httpDestAuthCustomTitle": "Aangepaste koptekst",
     "httpDestAuthCustomDescription": "Specificeer een aangepaste HTTP header naam en waarde voor authenticatie (bijv. X-API-Key).",

From b375d20598109eecbd71c26a2e3ff745ef24d20a Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 14:58:48 -0400
Subject: [PATCH 295/314] New translations en-us.json (Polish)

---
 messages/pl-PL.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/messages/pl-PL.json b/messages/pl-PL.json
index 53d8ea813..88aebc81d 100644
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Klucz zaopatrzenia zaktualizowany",
     "provisioningKeysUpdatedDescription": "Twoje zmiany zostały zapisane.",
     "provisioningKeysBannerTitle": "Klucze Zaopatrzenia witryny",
-    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
+    "provisioningKeysBannerDescription": "Wygeneruj klucz provisioning i użyj go z konektorem Newt do automatycznego tworzenia witryn przy pierwszym uruchomieniu - nie ma potrzeby konfigurowania oddzielnych poświadczeń dla każdej witryny.",
     "provisioningKeysBannerButtonText": "Dowiedz się więcej",
     "pendingSitesBannerTitle": "Witryny oczekujące",
-    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
+    "pendingSitesBannerDescription": "Witryny, które łączą się za pomocą klucza provisioning, pojawią się tutaj do przeglądu.",
     "pendingSitesBannerButtonText": "Dowiedz się więcej",
     "apiKeysSettings": "Ustawienia {apiKeyName}",
     "userTitle": "Zarządzaj wszystkimi użytkownikami",
@@ -624,8 +624,8 @@
     "targetErrorInvalidPortDescription": "Wprowadź prawidłowy numer portu",
     "targetErrorNoSite": "Nie wybrano witryny",
     "targetErrorNoSiteDescription": "Wybierz witrynę docelową",
-    "targetTargetsCleared": "Targets cleared",
-    "targetTargetsClearedDescription": "All targets have been removed from this resource",
+    "targetTargetsCleared": "Cele wyczyszczone",
+    "targetTargetsClearedDescription": "Wszystkie cele zostały usunięte z tego zasobu",
     "targetCreated": "Cel utworzony",
     "targetCreatedDescription": "Cel został utworzony pomyślnie",
     "targetErrorCreate": "Nie udało się utworzyć celu",
@@ -2348,7 +2348,7 @@
                 "description": "Cechy przedsiębiorstw, 50 użytkowników, 50 obiektów i wsparcie priorytetowe."
             }
         },
-        "personalUseOnly": "Personal use only (free license - no checkout)",
+        "personalUseOnly": "Tylko do użytku osobistego (darmowa licencja - bez płatności)",
         "buttons": {
             "continueToCheckout": "Przejdź do zamówienia"
         },
@@ -2609,9 +2609,9 @@
     "machineClients": "Klienci maszyn",
     "install": "Zainstaluj",
     "run": "Uruchom",
-    "envFile": "Environment File",
-    "serviceFile": "Service File",
-    "enableAndStart": "Enable and Start",
+    "envFile": "Plik środowiska",
+    "serviceFile": "Plik serwisu",
+    "enableAndStart": "Włącz i Uruchom",
     "clientNameDescription": "Wyświetlana nazwa klienta, która może zostać zmieniona później.",
     "clientAddress": "Adres klienta (Zaawansowany)",
     "setupFailedToFetchSubnet": "Nie udało się pobrać domyślnej podsieci",
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Brak uwierzytelniania",
     "httpDestAuthNoneDescription": "Wysyła żądania bez nagłówka autoryzacji.",
     "httpDestAuthBearerTitle": "Token Bearer",
-    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
+    "httpDestAuthBearerDescription": "Dodaje nagłówek Authorization: Bearer '<token>' do każdego żądania.",
     "httpDestAuthBearerPlaceholder": "Twój klucz API lub token",
     "httpDestAuthBasicTitle": "Podstawowa Autoryzacja",
-    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
+    "httpDestAuthBasicDescription": "Dodaje nagłówek Authorization: Basic '<credentials>'. Podaj poświadczenia w formacie użytkownik:hasło.",
     "httpDestAuthBasicPlaceholder": "Nazwa użytkownika:hasło",
     "httpDestAuthCustomTitle": "Niestandardowy nagłówek",
     "httpDestAuthCustomDescription": "Określ niestandardową nazwę nagłówka HTTP i wartość dla uwierzytelniania (np. X-API-Key).",

From e11dfbd29cd1fe02690e756895666544d876b409 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 14:58:49 -0400
Subject: [PATCH 296/314] New translations en-us.json (Portuguese)

---
 messages/pt-PT.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/messages/pt-PT.json b/messages/pt-PT.json
index f267605b2..32ca8e34d 100644
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Chave de provisionamento atualizada",
     "provisioningKeysUpdatedDescription": "Suas alterações foram salvas.",
     "provisioningKeysBannerTitle": "Chaves de provisionamento do site",
-    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
+    "provisioningKeysBannerDescription": "Gere uma chave de provisionamento e use-a com o conector Newt para criar sites automaticamente na primeira inicialização - sem necessidade de configurar credenciais separadas para cada site.",
     "provisioningKeysBannerButtonText": "Saiba mais",
     "pendingSitesBannerTitle": "Sites pendentes",
-    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
+    "pendingSitesBannerDescription": "Sites que se conectam usando uma chave de provisionamento aparecem aqui para revisão.",
     "pendingSitesBannerButtonText": "Saiba mais",
     "apiKeysSettings": "Configurações de {apiKeyName}",
     "userTitle": "Gerir Todos os Utilizadores",
@@ -624,8 +624,8 @@
     "targetErrorInvalidPortDescription": "Por favor, digite um número de porta válido",
     "targetErrorNoSite": "Nenhum site selecionado",
     "targetErrorNoSiteDescription": "Selecione um site para o destino",
-    "targetTargetsCleared": "Targets cleared",
-    "targetTargetsClearedDescription": "All targets have been removed from this resource",
+    "targetTargetsCleared": "Alvos limpos",
+    "targetTargetsClearedDescription": "Todos os alvos foram removidos deste recurso",
     "targetCreated": "Destino criado",
     "targetCreatedDescription": "O alvo foi criado com sucesso",
     "targetErrorCreate": "Falha ao criar destino",
@@ -2348,7 +2348,7 @@
                 "description": "Recursos de empresa, 50 usuários, 50 sites e apoio prioritário."
             }
         },
-        "personalUseOnly": "Personal use only (free license - no checkout)",
+        "personalUseOnly": "Uso pessoal apenas (licença gratuita - sem checkout)",
         "buttons": {
             "continueToCheckout": "Continuar com checkout"
         },
@@ -2609,9 +2609,9 @@
     "machineClients": "Clientes de máquina",
     "install": "Instale",
     "run": "Executar",
-    "envFile": "Environment File",
-    "serviceFile": "Service File",
-    "enableAndStart": "Enable and Start",
+    "envFile": "Arquivo de Ambiente",
+    "serviceFile": "Arquivo de Serviço",
+    "enableAndStart": "Ativar e Iniciar",
     "clientNameDescription": "O nome de exibição do cliente que pode ser alterado mais tarde.",
     "clientAddress": "Endereço do Cliente (Avançado)",
     "setupFailedToFetchSubnet": "Falha ao buscar a subrede padrão",
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Sem Autenticação",
     "httpDestAuthNoneDescription": "Envia pedidos sem um cabeçalho de autorização.",
     "httpDestAuthBearerTitle": "Token do portador",
-    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
+    "httpDestAuthBearerDescription": "Adiciona um cabeçalho Authorization: Bearer '<token>' a cada solicitação.",
     "httpDestAuthBearerPlaceholder": "Sua chave de API ou token",
     "httpDestAuthBasicTitle": "Autenticação básica",
-    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
+    "httpDestAuthBasicDescription": "Adiciona um cabeçalho Authorization: Basic '<credentials>'. Forneça as credenciais como username:password.",
     "httpDestAuthBasicPlaceholder": "Usuário:password",
     "httpDestAuthCustomTitle": "Cabeçalho personalizado",
     "httpDestAuthCustomDescription": "Especifique um nome e valor de cabeçalho HTTP personalizado para autenticação (por exemplo, X-API-Key).",

From c8208f0a888a01f81bb85008def88ad9bbb73fa7 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 14:58:50 -0400
Subject: [PATCH 297/314] New translations en-us.json (Russian)

---
 messages/ru-RU.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index a1df99de1..1e9ad7d2e 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Ключ подготовки обновлен",
     "provisioningKeysUpdatedDescription": "Ваши изменения были сохранены.",
     "provisioningKeysBannerTitle": "Ключи подготовки сайта",
-    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
+    "provisioningKeysBannerDescription": "Создайте ключ настройки и используйте его с соединителем Newt для автоматического создания сайтов при первом запуске — нет необходимости настраивать отдельные учетные данные для каждого сайта.",
     "provisioningKeysBannerButtonText": "Узнать больше",
     "pendingSitesBannerTitle": "Ожидающие сайты",
-    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
+    "pendingSitesBannerDescription": "Сайты, подключающиеся с помощью ключа настройки, отображаются здесь для проверки.",
     "pendingSitesBannerButtonText": "Узнать больше",
     "apiKeysSettings": "Настройки {apiKeyName}",
     "userTitle": "Управление всеми пользователями",
@@ -624,8 +624,8 @@
     "targetErrorInvalidPortDescription": "Пожалуйста, введите правильный номер порта",
     "targetErrorNoSite": "Сайт не выбран",
     "targetErrorNoSiteDescription": "Пожалуйста, выберите сайт для цели",
-    "targetTargetsCleared": "Targets cleared",
-    "targetTargetsClearedDescription": "All targets have been removed from this resource",
+    "targetTargetsCleared": "Цели очищены",
+    "targetTargetsClearedDescription": "Все цели удалены из этого ресурса",
     "targetCreated": "Цель создана",
     "targetCreatedDescription": "Цель была успешно создана",
     "targetErrorCreate": "Не удалось создать цель",
@@ -2348,7 +2348,7 @@
                 "description": "Функции предприятия, 50 пользователей, 50 сайтов, а также приоритетная поддержка."
             }
         },
-        "personalUseOnly": "Personal use only (free license - no checkout)",
+        "personalUseOnly": "Только для личного использования (бесплатная лицензия - без оформления на кассе)",
         "buttons": {
             "continueToCheckout": "Продолжить оформление заказа"
         },
@@ -2609,9 +2609,9 @@
     "machineClients": "Машинные клиенты",
     "install": "Установить",
     "run": "Запустить",
-    "envFile": "Environment File",
-    "serviceFile": "Service File",
-    "enableAndStart": "Enable and Start",
+    "envFile": "Файл окружения",
+    "serviceFile": "Сервисный файл",
+    "enableAndStart": "Включить и запустить",
     "clientNameDescription": "Отображаемое имя клиента, которое может быть изменено позже.",
     "clientAddress": "Адрес клиента (Дополнительно)",
     "setupFailedToFetchSubnet": "Не удалось получить подсеть по умолчанию",
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Нет аутентификации",
     "httpDestAuthNoneDescription": "Отправляет запросы без заголовка авторизации.",
     "httpDestAuthBearerTitle": "Жетон носителя",
-    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
+    "httpDestAuthBearerDescription": "Добавляет заголовок Authorization: Bearer '<token>' к каждому запросу.",
     "httpDestAuthBearerPlaceholder": "Ваш ключ API или токен",
     "httpDestAuthBasicTitle": "Базовая авторизация",
-    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
+    "httpDestAuthBasicDescription": "Добавляет заголовок Authorization: Basic '<credentials>'. Укажите учетные данные в формате username:password.",
     "httpDestAuthBasicPlaceholder": "имя пользователя:пароль",
     "httpDestAuthCustomTitle": "Пользовательский заголовок",
     "httpDestAuthCustomDescription": "Укажите пользовательское имя заголовка HTTP и значение для аутентификации (например, X-API-Key).",

From ae2c37a2f6f9573e46736180354beaf30d7128bd Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 14:58:52 -0400
Subject: [PATCH 298/314] New translations en-us.json (Turkish)

---
 messages/tr-TR.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/messages/tr-TR.json b/messages/tr-TR.json
index dc7102fc1..ee14bc2d9 100644
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Tedarik anahtarı güncellendi",
     "provisioningKeysUpdatedDescription": "Değişiklikleriniz kaydedildi.",
     "provisioningKeysBannerTitle": "Site Tedarik Anahtarları",
-    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
+    "provisioningKeysBannerDescription": "Bir sağlama anahtarı oluşturun ve ilk başlangıçta siteleri otomatik olarak oluşturmak için Newt bağlayıcısını kullanın - her site için ayrı kimlik bilgileri ayarlamaya gerek yok.",
     "provisioningKeysBannerButtonText": "Daha fazla bilgi",
     "pendingSitesBannerTitle": "Bekleyen Siteler",
-    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
+    "pendingSitesBannerDescription": "Bir sağlama anahtarı kullanarak bağlanan siteler, inceleme için burada görünür.",
     "pendingSitesBannerButtonText": "Daha fazla bilgi",
     "apiKeysSettings": "{apiKeyName} Ayarları",
     "userTitle": "Tüm Kullanıcıları Yönet",
@@ -624,8 +624,8 @@
     "targetErrorInvalidPortDescription": "Lütfen geçerli bir port numarası girin",
     "targetErrorNoSite": "Hiçbir site seçili değil",
     "targetErrorNoSiteDescription": "Lütfen hedef için bir site seçin",
-    "targetTargetsCleared": "Targets cleared",
-    "targetTargetsClearedDescription": "All targets have been removed from this resource",
+    "targetTargetsCleared": "Hedefler temizlendi",
+    "targetTargetsClearedDescription": "Bu kaynaktan tüm hedefler kaldırıldı",
     "targetCreated": "Hedef oluşturuldu",
     "targetCreatedDescription": "Hedef başarıyla oluşturuldu",
     "targetErrorCreate": "Hedef oluşturma başarısız oldu",
@@ -2348,7 +2348,7 @@
                 "description": "Kurumsal özellikler, 50 kullanıcı, 50 site ve öncelikli destek."
             }
         },
-        "personalUseOnly": "Personal use only (free license - no checkout)",
+        "personalUseOnly": "Kişisel kullanım için (ücretsiz lisans - ödeme yok)",
         "buttons": {
             "continueToCheckout": "Ödemeye Devam Et"
         },
@@ -2609,9 +2609,9 @@
     "machineClients": "Makine İstemcileri",
     "install": "Yükle",
     "run": "Çalıştır",
-    "envFile": "Environment File",
-    "serviceFile": "Service File",
-    "enableAndStart": "Enable and Start",
+    "envFile": "Ortam Dosyası",
+    "serviceFile": "Servis Dosyası",
+    "enableAndStart": "Etkinleştir ve Başlat",
     "clientNameDescription": "Daha sonra değiştirilebilecek istemcinin görünen adı.",
     "clientAddress": "İstemci Adresi (Gelişmiş)",
     "setupFailedToFetchSubnet": "Varsayılan alt ağ alınamadı",
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Kimlik Doğrulama Yok",
     "httpDestAuthNoneDescription": "Yetkilendirme başlığı olmadan istekler gönderir.",
     "httpDestAuthBearerTitle": "Taşıyıcı Jetonu",
-    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
+    "httpDestAuthBearerDescription": "Her isteğe bir Yetkilendirme: Taşıyıcı '<token>' üst bilgisi ekler.",
     "httpDestAuthBearerPlaceholder": "API anahtarınız veya jetonunuz",
     "httpDestAuthBasicTitle": "Temel Kimlik Doğrulama",
-    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
+    "httpDestAuthBasicDescription": "Bir Yetkilendirme: Temel '<credentials>' üst bilgisi ekler. Kimlik bilgilerini kullanıcı adı:şifre olarak sağlayın.",
     "httpDestAuthBasicPlaceholder": "kullanıcı adı:şifre",
     "httpDestAuthCustomTitle": "Özel Başlık",
     "httpDestAuthCustomDescription": "Kimlik doğrulama için özel bir HTTP başlık adı ve değer belirtin (örn. X-API-Key).",

From 91471a4acae7bb67c78813aa7bac200f62264f5a Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 14:58:53 -0400
Subject: [PATCH 299/314] New translations en-us.json (Chinese Simplified)

---
 messages/zh-CN.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/messages/zh-CN.json b/messages/zh-CN.json
index be910aee8..0d21cda66 100644
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "置备密钥已更新",
     "provisioningKeysUpdatedDescription": "您的更改已保存。",
     "provisioningKeysBannerTitle": "站点置备密钥",
-    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
+    "provisioningKeysBannerDescription": "生成一个供应密钥，并将其与 Newt 连接器一起使用，以在首次启动时自动创建站点 - 无需为每个站点设置单独的凭据。",
     "provisioningKeysBannerButtonText": "了解更多",
     "pendingSitesBannerTitle": "待定站点",
-    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
+    "pendingSitesBannerDescription": "使用供应密钥连接的站点将在此显示以供审核。",
     "pendingSitesBannerButtonText": "了解更多",
     "apiKeysSettings": "{apiKeyName} 设置",
     "userTitle": "管理所有用户",
@@ -624,8 +624,8 @@
     "targetErrorInvalidPortDescription": "请输入有效的端口号",
     "targetErrorNoSite": "没有选择站点",
     "targetErrorNoSiteDescription": "请选择目标站点",
-    "targetTargetsCleared": "Targets cleared",
-    "targetTargetsClearedDescription": "All targets have been removed from this resource",
+    "targetTargetsCleared": "目标已清除",
+    "targetTargetsClearedDescription": "所有目标已从此资源中移除",
     "targetCreated": "目标已创建",
     "targetCreatedDescription": "目标已成功创建",
     "targetErrorCreate": "创建目标失败",
@@ -2348,7 +2348,7 @@
                 "description": "企业特征、50个用户、50个站点和优先支持。"
             }
         },
-        "personalUseOnly": "Personal use only (free license - no checkout)",
+        "personalUseOnly": "仅限个人使用（免费许可 - 无需结账）",
         "buttons": {
             "continueToCheckout": "继续签出"
         },
@@ -2609,9 +2609,9 @@
     "machineClients": "机器客户端",
     "install": "安装",
     "run": "运行",
-    "envFile": "Environment File",
-    "serviceFile": "Service File",
-    "enableAndStart": "Enable and Start",
+    "envFile": "环境文件",
+    "serviceFile": "服务文件",
+    "enableAndStart": "启用并启动",
     "clientNameDescription": "可以稍后更改的客户端的显示名称。",
     "clientAddress": "客户端地址 (高级)",
     "setupFailedToFetchSubnet": "获取默认子网失败",
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "无身份验证",
     "httpDestAuthNoneDescription": "在没有授权头的情况下发送请求。",
     "httpDestAuthBearerTitle": "持有者令牌",
-    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
+    "httpDestAuthBearerDescription": "在每个请求中添加授权：Bearer “<token>” 头。",
     "httpDestAuthBearerPlaceholder": "您的 API 密钥或令牌",
     "httpDestAuthBasicTitle": "基本认证",
-    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
+    "httpDestAuthBasicDescription": "添加一个Authorization: Basic \"<凭据>\" 标头。 以用户名：密码形式提供凭据。",
     "httpDestAuthBasicPlaceholder": "用户名:密码",
     "httpDestAuthCustomTitle": "自定义标题",
     "httpDestAuthCustomDescription": "指定自定义 HTTP 头名称和身份验证值 (例如，X-API 键)。",

From 8edcc4503314619644fc4f35f6dfa94332b5be7f Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 14:58:55 -0400
Subject: [PATCH 300/314] New translations en-us.json (Norwegian Bokmal)

---
 messages/nb-NO.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/messages/nb-NO.json b/messages/nb-NO.json
index 147817713..3458d86b8 100644
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Foreslå nøkkel oppdatert",
     "provisioningKeysUpdatedDescription": "Dine endringer er lagret.",
     "provisioningKeysBannerTitle": "Sidens bestemmende nøkler",
-    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
+    "provisioningKeysBannerDescription": "Generer en provisjonsnøkkel og bruk den med Newt-kontakten for automatisk opprettelse av nettsteder ved første oppstart - ingen behov for å sette opp separate legitimasjoner for hvert nettsted.",
     "provisioningKeysBannerButtonText": "Lær mer",
     "pendingSitesBannerTitle": "Ventende nettsteder",
-    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
+    "pendingSitesBannerDescription": "Nettsteder som kobler seg til ved bruk av en provisjonsnøkkel vises her for vurdering.",
     "pendingSitesBannerButtonText": "Lær mer",
     "apiKeysSettings": "{apiKeyName} Innstillinger",
     "userTitle": "Administrer alle brukere",
@@ -624,8 +624,8 @@
     "targetErrorInvalidPortDescription": "Vennligst skriv inn et gyldig portnummer",
     "targetErrorNoSite": "Ingen nettsted valgt",
     "targetErrorNoSiteDescription": "Velg et nettsted for målet",
-    "targetTargetsCleared": "Targets cleared",
-    "targetTargetsClearedDescription": "All targets have been removed from this resource",
+    "targetTargetsCleared": "Mål ryddet",
+    "targetTargetsClearedDescription": "Alle mål har blitt fjernet fra denne ressursen",
     "targetCreated": "Mål opprettet",
     "targetCreatedDescription": "Målet har blitt opprettet",
     "targetErrorCreate": "Kunne ikke opprette målet",
@@ -2348,7 +2348,7 @@
                 "description": "Enterprise features, 50 brukere, 50 nettsteder og prioritetsstøtte."
             }
         },
-        "personalUseOnly": "Personal use only (free license - no checkout)",
+        "personalUseOnly": "Kun personlig bruk (gratis lisens - ingen kasse)",
         "buttons": {
             "continueToCheckout": "Fortsett til kassen"
         },
@@ -2609,9 +2609,9 @@
     "machineClients": "Maskinklienter",
     "install": "Installer",
     "run": "Kjør",
-    "envFile": "Environment File",
-    "serviceFile": "Service File",
-    "enableAndStart": "Enable and Start",
+    "envFile": "Miljøfil",
+    "serviceFile": "Tjenestefil",
+    "enableAndStart": "Aktiver og start",
     "clientNameDescription": "Visningsnavnet til klienten som kan endres senere.",
     "clientAddress": "Klientadresse (avansert)",
     "setupFailedToFetchSubnet": "Kunne ikke hente standard undernett",
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Ingen godkjenning",
     "httpDestAuthNoneDescription": "Sender forespørsler uten autorisasjonsoverskrift.",
     "httpDestAuthBearerTitle": "Bærer Symbol",
-    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
+    "httpDestAuthBearerDescription": "Legger til en Autorisasjon: Bearer '<token>' header til hver forespørsel.",
     "httpDestAuthBearerPlaceholder": "Din API-nøkkel eller token",
     "httpDestAuthBasicTitle": "Standard Auth",
-    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
+    "httpDestAuthBasicDescription": "Legger til en Autorisasjon: Basic '<credentials>' header. Gi legitimasjon som brukernavn:passord.",
     "httpDestAuthBasicPlaceholder": "brukernavn:passord",
     "httpDestAuthCustomTitle": "Egendefinert topptekst",
     "httpDestAuthCustomDescription": "Angi et egendefinert HTTP headers navn og verdi for autentisering (f.eks X-API-Key).",

From f3fe2dd33be9e6ec4bcc9351864221350b1eed98 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Fri, 3 Apr 2026 14:58:56 -0400
Subject: [PATCH 301/314] New translations en-us.json (Spanish)

---
 messages/es-ES.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/messages/es-ES.json b/messages/es-ES.json
index 766099ffe..e2e9bdf51 100644
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Clave de aprovisionamiento actualizada",
     "provisioningKeysUpdatedDescription": "Sus cambios han sido guardados.",
     "provisioningKeysBannerTitle": "Claves de aprovisionamiento del sitio",
-    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
+    "provisioningKeysBannerDescription": "Genere una clave de aprovisionamiento y utilícela con el conector Newt para crear automáticamente sitios en el primer inicio: no es necesario configurar credenciales separadas para cada sitio.",
     "provisioningKeysBannerButtonText": "Saber más",
     "pendingSitesBannerTitle": "Sitios pendientes",
-    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
+    "pendingSitesBannerDescription": "Los sitios que se conectan utilizando una clave de aprovisionamiento aparecerán aquí para su revisión.",
     "pendingSitesBannerButtonText": "Saber más",
     "apiKeysSettings": "Ajustes {apiKeyName}",
     "userTitle": "Administrar todos los usuarios",
@@ -624,8 +624,8 @@
     "targetErrorInvalidPortDescription": "Por favor, introduzca un número de puerto válido",
     "targetErrorNoSite": "Ningún sitio seleccionado",
     "targetErrorNoSiteDescription": "Por favor, seleccione un sitio para el objetivo",
-    "targetTargetsCleared": "Targets cleared",
-    "targetTargetsClearedDescription": "All targets have been removed from this resource",
+    "targetTargetsCleared": "Objetivos eliminados",
+    "targetTargetsClearedDescription": "Todos los objetivos han sido eliminados de este recurso",
     "targetCreated": "Objetivo creado",
     "targetCreatedDescription": "El objetivo se ha creado correctamente",
     "targetErrorCreate": "Error al crear el objetivo",
@@ -2348,7 +2348,7 @@
                 "description": "Características de la empresa, 50 usuarios, 50 sitios y soporte prioritario."
             }
         },
-        "personalUseOnly": "Personal use only (free license - no checkout)",
+        "personalUseOnly": "Solo uso personal (licencia gratuita - sin salida)",
         "buttons": {
             "continueToCheckout": "Continuar con el pago"
         },
@@ -2609,9 +2609,9 @@
     "machineClients": "Clientes de la máquina",
     "install": "Instalar",
     "run": "Ejecutar",
-    "envFile": "Environment File",
-    "serviceFile": "Service File",
-    "enableAndStart": "Enable and Start",
+    "envFile": "Archivo de Entorno",
+    "serviceFile": "Archivo de Servicio",
+    "enableAndStart": "Habilitar y empezar",
     "clientNameDescription": "El nombre mostrado del cliente que se puede cambiar más adelante.",
     "clientAddress": "Dirección del cliente (Avanzado)",
     "setupFailedToFetchSubnet": "No se pudo obtener la subred por defecto",
@@ -2850,10 +2850,10 @@
     "httpDestAuthNoneTitle": "Sin autenticación",
     "httpDestAuthNoneDescription": "Envía solicitudes sin un encabezado de autorización.",
     "httpDestAuthBearerTitle": "Tóken de portador",
-    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
+    "httpDestAuthBearerDescription": "Añade un encabezado Authorization: Bearer '<token>' a cada solicitud.",
     "httpDestAuthBearerPlaceholder": "Tu clave o token API",
     "httpDestAuthBasicTitle": "Auth Básica",
-    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
+    "httpDestAuthBasicDescription": "Añade un encabezado Authorization: Basic '<credenciales>'. Proporcione las credenciales como nombredeusuario:contraseña.",
     "httpDestAuthBasicPlaceholder": "usuario:contraseña",
     "httpDestAuthCustomTitle": "Cabecera personalizada",
     "httpDestAuthCustomDescription": "Especifique un nombre de cabecera HTTP personalizado y un valor para la autenticación (por ejemplo, X-API-Key).",

From c45308f234ba499ddb311aa36a6a0bf9c3fc330a Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Fri, 3 Apr 2026 15:10:48 -0400
Subject: [PATCH 302/314] Send to the right place

---
 src/app/[orgId]/settings/logs/connection/page.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/app/[orgId]/settings/logs/connection/page.tsx b/src/app/[orgId]/settings/logs/connection/page.tsx
index dff42faac..e15708f8e 100644
--- a/src/app/[orgId]/settings/logs/connection/page.tsx
+++ b/src/app/[orgId]/settings/logs/connection/page.tsx
@@ -491,7 +491,7 @@ export default function ConnectionLogsPage() {
                 );
             },
             cell: ({ row }) => {
-                const clientType = row.original.clientType === "olm" ? "machine" : "user";
+                const clientType = row.original.userId ? "user" : "machine";
                 if (row.original.clientName && row.original.clientNiceId) {
                     return (
                         <Link

From e89e60d50b870ec858d2c68424cbcfdc73412664 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Fri, 3 Apr 2026 15:33:20 -0400
Subject: [PATCH 303/314] Encrypt the streaming data

---
 .../lib/logStreaming/LogStreamingManager.ts   | 24 ++++++++++++++--
 .../createEventStreamingDestination.ts        |  9 +++++-
 .../listEventStreamingDestinations.ts         | 28 ++++++++++++++++++-
 .../updateEventStreamingDestination.ts        |  8 +++++-
 4 files changed, 63 insertions(+), 6 deletions(-)

diff --git a/server/private/lib/logStreaming/LogStreamingManager.ts b/server/private/lib/logStreaming/LogStreamingManager.ts
index 0067c0690..a531d9b80 100644
--- a/server/private/lib/logStreaming/LogStreamingManager.ts
+++ b/server/private/lib/logStreaming/LogStreamingManager.ts
@@ -23,6 +23,8 @@ import {
 } from "@server/db";
 import logger from "@server/logger";
 import { and, eq, gt, desc, max, sql } from "drizzle-orm";
+import { decryptData } from "@server/lib/encryption";
+import privateConfig from "#private/lib/config";
 import {
     LogType,
     LOG_TYPES,
@@ -34,6 +36,21 @@ import { LogDestinationProvider } from "./providers/LogDestinationProvider";
 import { HttpLogDestination } from "./providers/HttpLogDestination";
 import type { EventStreamingDestination } from "@server/db";
 
+// ---------------------------------------------------------------------------
+// Encryption helpers
+// ---------------------------------------------------------------------------
+
+let encryptionKey: Buffer | undefined;
+
+function getEncryptionKey(): Buffer {
+    if (!encryptionKey) {
+        const keyHex =
+            privateConfig.getRawPrivateConfig().server.encryption_key;
+        encryptionKey = Buffer.from(keyHex, "hex");
+    }
+    return encryptionKey;
+}
+
 // ---------------------------------------------------------------------------
 // Configuration
 // ---------------------------------------------------------------------------
@@ -272,13 +289,14 @@ export class LogStreamingManager {
             return;
         }
 
-        // Parse config – skip destination if config is unparseable
+        // Decrypt and parse config – skip destination if either step fails
         let config: HttpConfig;
         try {
-            config = JSON.parse(dest.config) as HttpConfig;
+            const decryptedConfig = decryptData(dest.config, getEncryptionKey());
+            config = JSON.parse(decryptedConfig) as HttpConfig;
         } catch (err) {
             logger.error(
-                `LogStreamingManager: destination ${dest.destinationId} has invalid JSON config`,
+                `LogStreamingManager: destination ${dest.destinationId} has invalid or undecryptable config`,
                 err
             );
             return;
diff --git a/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts b/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
index 623f2d9e0..19a39a03d 100644
--- a/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
+++ b/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
@@ -22,6 +22,8 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
+import { encryptData } from "@server/lib/encryption";
+import privateConfig from "#private/lib/config";
 
 const paramsSchema = z.strictObject({
     orgId: z.string().nonempty()
@@ -89,6 +91,11 @@ export async function createEventStreamingDestination(
 
         const { type, config, enabled } = parsedBody.data;
 
+        const encryptionKeyHex =
+            privateConfig.getRawPrivateConfig().server.encryption_key;
+        const encryptionKey = Buffer.from(encryptionKeyHex, "hex");
+        const encryptedConfig = encryptData(config, encryptionKey);
+
         const now = Date.now();
 
         const [destination] = await db
@@ -96,7 +103,7 @@ export async function createEventStreamingDestination(
             .values({
                 orgId,
                 type,
-                config,
+                config: encryptedConfig,
                 enabled,
                 createdAt: now,
                 updatedAt: now,
diff --git a/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts b/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts
index b3f5ff149..46cfb6b9c 100644
--- a/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts
+++ b/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts
@@ -22,6 +22,19 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { eq, sql } from "drizzle-orm";
+import { decryptData } from "@server/lib/encryption";
+import privateConfig from "#private/lib/config";
+
+let encryptionKey: Buffer;
+
+function getEncryptionKey(): Buffer {
+    if (!encryptionKey) {
+        const keyHex =
+            privateConfig.getRawPrivateConfig().server.encryption_key;
+        encryptionKey = Buffer.from(keyHex, "hex");
+    }
+    return encryptionKey;
+}
 
 const paramsSchema = z.strictObject({
     orgId: z.string().nonempty()
@@ -121,9 +134,22 @@ export async function listEventStreamingDestinations(
             .from(eventStreamingDestinations)
             .where(eq(eventStreamingDestinations.orgId, orgId));
 
+        const key = getEncryptionKey();
+        const decryptedList = list.map((dest) => {
+            try {
+                return { ...dest, config: decryptData(dest.config, key) };
+            } catch (err) {
+                logger.error(
+                    `listEventStreamingDestinations: failed to decrypt config for destination ${dest.destinationId}`,
+                    err
+                );
+                return { ...dest, config: "" };
+            }
+        });
+
         return response<ListEventStreamingDestinationsResponse>(res, {
             data: {
-                destinations: list,
+                destinations: decryptedList,
                 pagination: {
                     total: count,
                     limit,
diff --git a/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts b/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
index 3d3321824..1f7cb1007 100644
--- a/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
+++ b/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
@@ -22,6 +22,8 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { and, eq } from "drizzle-orm";
+import { encryptData } from "@server/lib/encryption";
+import privateConfig from "#private/lib/config";
 
 
 const paramsSchema = z
@@ -117,7 +119,11 @@ export async function updateEventStreamingDestination(
         };
 
         if (type !== undefined) updateData.type = type;
-        if (config !== undefined) updateData.config = config;
+        if (config !== undefined) {
+            const encryptionKeyHex = privateConfig.getRawPrivateConfig().server.encryption_key;
+            const encryptionKey = Buffer.from(encryptionKeyHex, "hex");
+            updateData.config = encryptData(config, encryptionKey);
+        }
         if (enabled !== undefined) updateData.enabled = enabled;
         if (sendAccessLogs !== undefined) updateData.sendAccessLogs = sendAccessLogs;
         if (sendActionLogs !== undefined) updateData.sendActionLogs = sendActionLogs;

From 8cbc8dec89f9cbf4777f8a3bc9e5af12cf1e4bf0 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Fri, 3 Apr 2026 17:25:39 -0400
Subject: [PATCH 304/314] Generate address

---
 server/routers/newt/registerNewt.ts | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/server/routers/newt/registerNewt.ts b/server/routers/newt/registerNewt.ts
index 954acca92..de68ab2de 100644
--- a/server/routers/newt/registerNewt.ts
+++ b/server/routers/newt/registerNewt.ts
@@ -27,7 +27,7 @@ import { build } from "@server/build";
 import { usageService } from "@server/lib/billing/usageService";
 import { FeatureId } from "@server/lib/billing";
 import { INSPECT_MAX_BYTES } from "buffer";
-import { v } from "@faker-js/faker/dist/airline-Dz1uGqgJ";
+import { getNextAvailableClientSubnet } from "@server/lib/ip";
 
 const bodySchema = z.object({
     provisioningKey: z.string().nonempty(),
@@ -152,6 +152,11 @@ export async function registerNewt(
                 createHttpError(HttpCode.NOT_FOUND, "Organization not found")
             );
         }
+        if (!org.subnet) {
+            return next(
+                createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "Organization subnet not found")
+            );
+        }
 
         // SaaS billing check
         if (build == "saas") {
@@ -190,6 +195,20 @@ export async function registerNewt(
         let newSiteId: number | undefined;
 
         await db.transaction(async (trx) => {
+
+            const newClientAddress = await getNextAvailableClientSubnet(orgId);
+            if (!newClientAddress) {
+                return next(
+                    createHttpError(
+                        HttpCode.INTERNAL_SERVER_ERROR,
+                        "No available subnet found"
+                    )
+                );
+            }
+
+            let clientAddress = newClientAddress.split("/")[0];
+            clientAddress = `${clientAddress}/${org.subnet!.split("/")[1]}`; // we want the block size of the whole org
+
             // Create the site (type "newt", name = niceId)
             const [newSite] = await trx
                 .insert(sites)
@@ -197,6 +216,7 @@ export async function registerNewt(
                     orgId,
                     name: name || niceId,
                     niceId,
+                    address: clientAddress,
                     type: "newt",
                     dockerSocketEnabled: true,
                     status: keyRecord.approveNewSites ? "approved" : "pending",

From eb4b2daaaba66fc61a5b21167273f09d973f9d20 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Fri, 3 Apr 2026 17:59:21 -0400
Subject: [PATCH 305/314] Use the right encryption

---
 .../lib/logStreaming/LogStreamingManager.ts   | 27 +++++--------------
 .../createEventStreamingDestination.ts        | 12 ++++-----
 .../listEventStreamingDestinations.ts         | 19 +++----------
 .../updateEventStreamingDestination.ts        | 14 +++++-----
 4 files changed, 21 insertions(+), 51 deletions(-)

diff --git a/server/private/lib/logStreaming/LogStreamingManager.ts b/server/private/lib/logStreaming/LogStreamingManager.ts
index a531d9b80..39eae031a 100644
--- a/server/private/lib/logStreaming/LogStreamingManager.ts
+++ b/server/private/lib/logStreaming/LogStreamingManager.ts
@@ -23,8 +23,8 @@ import {
 } from "@server/db";
 import logger from "@server/logger";
 import { and, eq, gt, desc, max, sql } from "drizzle-orm";
-import { decryptData } from "@server/lib/encryption";
-import privateConfig from "#private/lib/config";
+import { decrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";
 import {
     LogType,
     LOG_TYPES,
@@ -36,21 +36,6 @@ import { LogDestinationProvider } from "./providers/LogDestinationProvider";
 import { HttpLogDestination } from "./providers/HttpLogDestination";
 import type { EventStreamingDestination } from "@server/db";
 
-// ---------------------------------------------------------------------------
-// Encryption helpers
-// ---------------------------------------------------------------------------
-
-let encryptionKey: Buffer | undefined;
-
-function getEncryptionKey(): Buffer {
-    if (!encryptionKey) {
-        const keyHex =
-            privateConfig.getRawPrivateConfig().server.encryption_key;
-        encryptionKey = Buffer.from(keyHex, "hex");
-    }
-    return encryptionKey;
-}
-
 // ---------------------------------------------------------------------------
 // Configuration
 // ---------------------------------------------------------------------------
@@ -290,10 +275,10 @@ export class LogStreamingManager {
         }
 
         // Decrypt and parse config – skip destination if either step fails
-        let config: HttpConfig;
+        let configFromDb: HttpConfig;
         try {
-            const decryptedConfig = decryptData(dest.config, getEncryptionKey());
-            config = JSON.parse(decryptedConfig) as HttpConfig;
+            const decryptedConfig = decrypt(dest.config, config.getRawConfig().server.secret!);
+            configFromDb = JSON.parse(decryptedConfig) as HttpConfig;
         } catch (err) {
             logger.error(
                 `LogStreamingManager: destination ${dest.destinationId} has invalid or undecryptable config`,
@@ -302,7 +287,7 @@ export class LogStreamingManager {
             return;
         }
 
-        const provider = this.createProvider(dest.type, config);
+        const provider = this.createProvider(dest.type, configFromDb);
         if (!provider) {
             logger.warn(
                 `LogStreamingManager: unsupported destination type "${dest.type}" ` +
diff --git a/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts b/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
index 19a39a03d..bef7ba7e9 100644
--- a/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
+++ b/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
@@ -22,8 +22,8 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { encryptData } from "@server/lib/encryption";
-import privateConfig from "#private/lib/config";
+import { encrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";
 
 const paramsSchema = z.strictObject({
     orgId: z.string().nonempty()
@@ -89,12 +89,10 @@ export async function createEventStreamingDestination(
             );
         }
 
-        const { type, config, enabled } = parsedBody.data;
+        const { type, config: configToSet, enabled } = parsedBody.data;
 
-        const encryptionKeyHex =
-            privateConfig.getRawPrivateConfig().server.encryption_key;
-        const encryptionKey = Buffer.from(encryptionKeyHex, "hex");
-        const encryptedConfig = encryptData(config, encryptionKey);
+        const key = config.getRawConfig().server.secret!;
+        const encryptedConfig = encrypt(configToSet, key);
 
         const now = Date.now();
 
diff --git a/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts b/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts
index 46cfb6b9c..ac3f14e62 100644
--- a/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts
+++ b/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts
@@ -22,19 +22,8 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { eq, sql } from "drizzle-orm";
-import { decryptData } from "@server/lib/encryption";
-import privateConfig from "#private/lib/config";
-
-let encryptionKey: Buffer;
-
-function getEncryptionKey(): Buffer {
-    if (!encryptionKey) {
-        const keyHex =
-            privateConfig.getRawPrivateConfig().server.encryption_key;
-        encryptionKey = Buffer.from(keyHex, "hex");
-    }
-    return encryptionKey;
-}
+import { decrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";
 
 const paramsSchema = z.strictObject({
     orgId: z.string().nonempty()
@@ -134,10 +123,10 @@ export async function listEventStreamingDestinations(
             .from(eventStreamingDestinations)
             .where(eq(eventStreamingDestinations.orgId, orgId));
 
-        const key = getEncryptionKey();
+        const key = config.getRawConfig().server.secret!;
         const decryptedList = list.map((dest) => {
             try {
-                return { ...dest, config: decryptData(dest.config, key) };
+                return { ...dest, config: decrypt(dest.config, key) };
             } catch (err) {
                 logger.error(
                     `listEventStreamingDestinations: failed to decrypt config for destination ${dest.destinationId}`,
diff --git a/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts b/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
index 1f7cb1007..24dc68aef 100644
--- a/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
+++ b/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
@@ -22,9 +22,8 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { and, eq } from "drizzle-orm";
-import { encryptData } from "@server/lib/encryption";
-import privateConfig from "#private/lib/config";
-
+import { encrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";
 
 const paramsSchema = z
     .object({
@@ -112,17 +111,16 @@ export async function updateEventStreamingDestination(
             );
         }
 
-        const { type, config, enabled, sendAccessLogs, sendActionLogs, sendConnectionLogs, sendRequestLogs } = parsedBody.data;
+        const { type, config: configToUpdate, enabled, sendAccessLogs, sendActionLogs, sendConnectionLogs, sendRequestLogs } = parsedBody.data;
 
         const updateData: Record<string, unknown> = {
             updatedAt: Date.now()
         };
 
         if (type !== undefined) updateData.type = type;
-        if (config !== undefined) {
-            const encryptionKeyHex = privateConfig.getRawPrivateConfig().server.encryption_key;
-            const encryptionKey = Buffer.from(encryptionKeyHex, "hex");
-            updateData.config = encryptData(config, encryptionKey);
+        if (configToUpdate !== undefined) {
+            const key = config.getRawConfig().server.secret!;
+            updateData.config = encrypt(configToUpdate, key);
         }
         if (enabled !== undefined) updateData.enabled = enabled;
         if (sendAccessLogs !== undefined) updateData.sendAccessLogs = sendAccessLogs;

From ba9794c067e68d189eb113293635233b76d3f563 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Fri, 3 Apr 2026 22:16:14 -0400
Subject: [PATCH 306/314] Put middleware back

Fix #2781
---
 install/config/crowdsec/traefik_config.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/config/crowdsec/traefik_config.yml b/install/config/crowdsec/traefik_config.yml
index b3e4f0839..c1145934d 100644
--- a/install/config/crowdsec/traefik_config.yml
+++ b/install/config/crowdsec/traefik_config.yml
@@ -86,6 +86,8 @@ entryPoints:
     http:
       tls:
         certResolver: "letsencrypt"
+      middlewares:
+        - crowdsec@file
       encodedCharacters:
         allowEncodedSlash: true
         allowEncodedQuestionMark: true

From 6b8a3c8d7755077dbc15d0b7f7364e05dd224574 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Fri, 3 Apr 2026 22:37:42 -0400
Subject: [PATCH 307/314] Revert #2570

Fix #2782
---
 server/lib/traefik/getTraefikConfig.ts         | 14 ++++----------
 server/private/lib/traefik/getTraefikConfig.ts | 10 ++--------
 2 files changed, 6 insertions(+), 18 deletions(-)

diff --git a/server/lib/traefik/getTraefikConfig.ts b/server/lib/traefik/getTraefikConfig.ts
index abd0a8de0..7379cad7f 100644
--- a/server/lib/traefik/getTraefikConfig.ts
+++ b/server/lib/traefik/getTraefikConfig.ts
@@ -479,10 +479,7 @@ export async function getTraefikConfig(
 
                         // TODO: HOW TO HANDLE ^^^^^^ BETTER
                         const anySitesOnline = targets.some(
-                            (target) =>
-                            target.site.online ||
-                            target.site.type === "local" ||
-                            target.site.type === "wireguard"
+                            (target) => target.site.online
                         );
 
                         return (
@@ -495,7 +492,7 @@ export async function getTraefikConfig(
                                     if (target.health == "unhealthy") {
                                         return false;
                                     }
-                                    
+
                                     // If any sites are online, exclude offline sites
                                     if (anySitesOnline && !target.site.online) {
                                         return false;
@@ -610,10 +607,7 @@ export async function getTraefikConfig(
                     servers: (() => {
                         // Check if any sites are online
                         const anySitesOnline = targets.some(
-                            (target) =>
-                            target.site.online ||
-                            target.site.type === "local" ||
-                            target.site.type === "wireguard"
+                            (target) => target.site.online
                         );
 
                         return targets
@@ -621,7 +615,7 @@ export async function getTraefikConfig(
                                 if (!target.enabled) {
                                     return false;
                                 }
-                                
+
                                 // If any sites are online, exclude offline sites
                                 if (anySitesOnline && !target.site.online) {
                                     return false;
diff --git a/server/private/lib/traefik/getTraefikConfig.ts b/server/private/lib/traefik/getTraefikConfig.ts
index 7fc0ae647..adc3d965b 100644
--- a/server/private/lib/traefik/getTraefikConfig.ts
+++ b/server/private/lib/traefik/getTraefikConfig.ts
@@ -671,10 +671,7 @@ export async function getTraefikConfig(
 
                         // TODO: HOW TO HANDLE ^^^^^^ BETTER
                         const anySitesOnline = targets.some(
-                            (target) =>
-                            target.site.online ||
-                            target.site.type === "local" ||
-                            target.site.type === "wireguard"
+                            (target) => target.site.online
                         );
 
                         return (
@@ -802,10 +799,7 @@ export async function getTraefikConfig(
                     servers: (() => {
                         // Check if any sites are online
                         const anySitesOnline = targets.some(
-                            (target) =>
-                            target.site.online ||
-                            target.site.type === "local" ||
-                            target.site.type === "wireguard"
+                            (target) => target.site.online
                         );
 
                         return targets

From d948d2ec335f92f3498c642b25d08cbffb497f77 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Fri, 3 Apr 2026 22:55:04 -0400
Subject: [PATCH 308/314] Try to prevent deadlocks

---
 server/routers/newt/pingAccumulator.ts | 186 +++++++++++++------------
 1 file changed, 98 insertions(+), 88 deletions(-)

diff --git a/server/routers/newt/pingAccumulator.ts b/server/routers/newt/pingAccumulator.ts
index 83afd613e..fe2cde216 100644
--- a/server/routers/newt/pingAccumulator.ts
+++ b/server/routers/newt/pingAccumulator.ts
@@ -1,6 +1,6 @@
 import { db } from "@server/db";
 import { sites, clients, olms } from "@server/db";
-import { eq, inArray } from "drizzle-orm";
+import { inArray } from "drizzle-orm";
 import logger from "@server/logger";
 
 /**
@@ -21,7 +21,7 @@ import logger from "@server/logger";
  */
 
 const FLUSH_INTERVAL_MS = 10_000; // Flush every 10 seconds
-const MAX_RETRIES = 2;
+const MAX_RETRIES = 5;
 const BASE_DELAY_MS = 50;
 
 // ── Site (newt) pings ──────────────────────────────────────────────────
@@ -36,6 +36,14 @@ const pendingOlmArchiveResets: Set<string> = new Set();
 
 let flushTimer: NodeJS.Timeout | null = null;
 
+/**
+ * Guard that prevents two flush cycles from running concurrently.
+ * setInterval does not await async callbacks, so without this a slow flush
+ * (e.g. due to DB latency) would overlap with the next scheduled cycle and
+ * the two concurrent bulk UPDATEs would deadlock each other.
+ */
+let isFlushing = false;
+
 // ── Public API ─────────────────────────────────────────────────────────
 
 /**
@@ -72,6 +80,12 @@ export function recordClientPing(
 
 /**
  * Flush all accumulated site pings to the database.
+ *
+ * Each batch of up to BATCH_SIZE rows is written with a **single** UPDATE
+ * statement. We use the maximum timestamp across the batch so that `lastPing`
+ * reflects the most recent ping seen for any site in the group. This avoids
+ * the multi-statement transaction that previously created additional
+ * row-lock ordering hazards.
  */
 async function flushSitePingsToDb(): Promise<void> {
     if (pendingSitePings.size === 0) {
@@ -83,55 +97,35 @@ async function flushSitePingsToDb(): Promise<void> {
     const pingsToFlush = new Map(pendingSitePings);
     pendingSitePings.clear();
 
-    // Sort by siteId for consistent lock ordering (prevents deadlocks)
-    const sortedEntries = Array.from(pingsToFlush.entries()).sort(
-        ([a], [b]) => a - b
-    );
+    const entries = Array.from(pingsToFlush.entries());
 
     const BATCH_SIZE = 50;
-    for (let i = 0; i < sortedEntries.length; i += BATCH_SIZE) {
-        const batch = sortedEntries.slice(i, i + BATCH_SIZE);
+    for (let i = 0; i < entries.length; i += BATCH_SIZE) {
+        const batch = entries.slice(i, i + BATCH_SIZE);
+
+        // Use the latest timestamp in the batch so that `lastPing` always
+        // moves forward. Using a single timestamp for the whole batch means
+        // we only ever need one UPDATE statement (no transaction).
+        const maxTimestamp = Math.max(...batch.map(([, ts]) => ts));
+        const siteIds = batch.map(([id]) => id);
 
         try {
             await withRetry(async () => {
-                // Group by timestamp for efficient bulk updates
-                const byTimestamp = new Map<number, number[]>();
-                for (const [siteId, timestamp] of batch) {
-                    const group = byTimestamp.get(timestamp) || [];
-                    group.push(siteId);
-                    byTimestamp.set(timestamp, group);
-                }
-
-                if (byTimestamp.size === 1) {
-                    const [timestamp, siteIds] = Array.from(
-                        byTimestamp.entries()
-                    )[0];
-                    await db
-                        .update(sites)
-                        .set({
-                            online: true,
-                            lastPing: timestamp
-                        })
-                        .where(inArray(sites.siteId, siteIds));
-                } else {
-                    await db.transaction(async (tx) => {
-                        for (const [timestamp, siteIds] of byTimestamp) {
-                            await tx
-                                .update(sites)
-                                .set({
-                                    online: true,
-                                    lastPing: timestamp
-                                })
-                                .where(inArray(sites.siteId, siteIds));
-                        }
-                    });
-                }
+                await db
+                    .update(sites)
+                    .set({
+                        online: true,
+                        lastPing: maxTimestamp
+                    })
+                    .where(inArray(sites.siteId, siteIds));
             }, "flushSitePingsToDb");
         } catch (error) {
             logger.error(
                 `Failed to flush site ping batch (${batch.length} sites), re-queuing for next cycle`,
                 { error }
             );
+            // Re-queue only if the preserved timestamp is newer than any
+            // update that may have landed since we snapshotted.
             for (const [siteId, timestamp] of batch) {
                 const existing = pendingSitePings.get(siteId);
                 if (!existing || existing < timestamp) {
@@ -144,6 +138,8 @@ async function flushSitePingsToDb(): Promise<void> {
 
 /**
  * Flush all accumulated client (OLM) pings to the database.
+ *
+ * Same single-UPDATE-per-batch approach as `flushSitePingsToDb`.
  */
 async function flushClientPingsToDb(): Promise<void> {
     if (pendingClientPings.size === 0 && pendingOlmArchiveResets.size === 0) {
@@ -159,51 +155,25 @@ async function flushClientPingsToDb(): Promise<void> {
 
     // ── Flush client pings ─────────────────────────────────────────────
     if (pingsToFlush.size > 0) {
-        const sortedEntries = Array.from(pingsToFlush.entries()).sort(
-            ([a], [b]) => a - b
-        );
+        const entries = Array.from(pingsToFlush.entries());
 
         const BATCH_SIZE = 50;
-        for (let i = 0; i < sortedEntries.length; i += BATCH_SIZE) {
-            const batch = sortedEntries.slice(i, i + BATCH_SIZE);
+        for (let i = 0; i < entries.length; i += BATCH_SIZE) {
+            const batch = entries.slice(i, i + BATCH_SIZE);
+
+            const maxTimestamp = Math.max(...batch.map(([, ts]) => ts));
+            const clientIds = batch.map(([id]) => id);
 
             try {
                 await withRetry(async () => {
-                    const byTimestamp = new Map<number, number[]>();
-                    for (const [clientId, timestamp] of batch) {
-                        const group = byTimestamp.get(timestamp) || [];
-                        group.push(clientId);
-                        byTimestamp.set(timestamp, group);
-                    }
-
-                    if (byTimestamp.size === 1) {
-                        const [timestamp, clientIds] = Array.from(
-                            byTimestamp.entries()
-                        )[0];
-                        await db
-                            .update(clients)
-                            .set({
-                                lastPing: timestamp,
-                                online: true,
-                                archived: false
-                            })
-                            .where(inArray(clients.clientId, clientIds));
-                    } else {
-                        await db.transaction(async (tx) => {
-                            for (const [timestamp, clientIds] of byTimestamp) {
-                                await tx
-                                    .update(clients)
-                                    .set({
-                                        lastPing: timestamp,
-                                        online: true,
-                                        archived: false
-                                    })
-                                    .where(
-                                        inArray(clients.clientId, clientIds)
-                                    );
-                            }
-                        });
-                    }
+                    await db
+                        .update(clients)
+                        .set({
+                            lastPing: maxTimestamp,
+                            online: true,
+                            archived: false
+                        })
+                        .where(inArray(clients.clientId, clientIds));
                 }, "flushClientPingsToDb");
             } catch (error) {
                 logger.error(
@@ -260,7 +230,12 @@ export async function flushPingsToDb(): Promise<void> {
 
 /**
  * Simple retry wrapper with exponential backoff for transient errors
- * (connection timeouts, unexpected disconnects).
+ * (deadlocks, connection timeouts, unexpected disconnects).
+ *
+ * PostgreSQL deadlocks (40P01) are always safe to retry: the database
+ * guarantees exactly one winner per deadlock pair, so the loser just needs
+ * to try again. MAX_RETRIES is intentionally higher than typical connection
+ * retry budgets to give deadlock victims enough chances to succeed.
  */
 async function withRetry<T>(
     operation: () => Promise<T>,
@@ -277,7 +252,8 @@ async function withRetry<T>(
                 const jitter = Math.random() * baseDelay;
                 const delay = baseDelay + jitter;
                 logger.warn(
-                    `Transient DB error in ${context}, retrying attempt ${attempt}/${MAX_RETRIES} after ${delay.toFixed(0)}ms`
+                    `Transient DB error in ${context}, retrying attempt ${attempt}/${MAX_RETRIES} after ${delay.toFixed(0)}ms`,
+                    { code: error?.code ?? error?.cause?.code }
                 );
                 await new Promise((resolve) => setTimeout(resolve, delay));
                 continue;
@@ -288,14 +264,14 @@ async function withRetry<T>(
 }
 
 /**
- * Detect transient connection errors that are safe to retry.
+ * Detect transient errors that are safe to retry.
  */
 function isTransientError(error: any): boolean {
     if (!error) return false;
 
     const message = (error.message || "").toLowerCase();
     const causeMessage = (error.cause?.message || "").toLowerCase();
-    const code = error.code || "";
+    const code = error.code || error.cause?.code || "";
 
     // Connection timeout / terminated
     if (
@@ -308,12 +284,17 @@ function isTransientError(error: any): boolean {
         return true;
     }
 
-    // PostgreSQL deadlock
+    // PostgreSQL deadlock detected — always safe to retry (one winner guaranteed)
     if (code === "40P01" || message.includes("deadlock")) {
         return true;
     }
 
-    // ECONNRESET, ECONNREFUSED, EPIPE
+    // PostgreSQL serialization failure
+    if (code === "40001") {
+        return true;
+    }
+
+    // ECONNRESET, ECONNREFUSED, EPIPE, ETIMEDOUT
     if (
         code === "ECONNRESET" ||
         code === "ECONNREFUSED" ||
@@ -337,12 +318,26 @@ export function startPingAccumulator(): void {
     }
 
     flushTimer = setInterval(async () => {
+        // Skip this tick if the previous flush is still in progress.
+        // setInterval does not await async callbacks, so without this guard
+        // two flush cycles can run concurrently and deadlock each other on
+        // overlapping bulk UPDATE statements.
+        if (isFlushing) {
+            logger.debug(
+                "Ping accumulator: previous flush still in progress, skipping cycle"
+            );
+            return;
+        }
+
+        isFlushing = true;
         try {
             await flushPingsToDb();
         } catch (error) {
             logger.error("Unhandled error in ping accumulator flush", {
                 error
             });
+        } finally {
+            isFlushing = false;
         }
     }, FLUSH_INTERVAL_MS);
 
@@ -364,7 +359,22 @@ export async function stopPingAccumulator(): Promise<void> {
         flushTimer = null;
     }
 
-    // Final flush to persist any remaining pings
+    // Final flush to persist any remaining pings.
+    // Wait for any in-progress flush to finish first so we don't race.
+    if (isFlushing) {
+        logger.debug(
+            "Ping accumulator: waiting for in-progress flush before stopping…"
+        );
+        await new Promise<void>((resolve) => {
+            const poll = setInterval(() => {
+                if (!isFlushing) {
+                    clearInterval(poll);
+                    resolve();
+                }
+            }, 50);
+        });
+    }
+
     try {
         await flushPingsToDb();
     } catch (error) {
@@ -379,4 +389,4 @@ export async function stopPingAccumulator(): Promise<void> {
  */
 export function getPendingPingCount(): number {
     return pendingSitePings.size + pendingClientPings.size;
-}
\ No newline at end of file
+}

From 28ef5238c9437dbe0141539afbe203bbfce96162 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 7 Apr 2026 11:36:02 -0400
Subject: [PATCH 309/314] Add CODEOWNERS

---
 .github/CODEOWNERS | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .github/CODEOWNERS

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 000000000..c5f140320
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @oschwartz10612 @miloschwartz

From 466f1375907cc45435a6cf8a1493acc1651f2841 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Thu, 9 Apr 2026 10:29:51 -0400
Subject: [PATCH 310/314] Fix migration by testing for orphans

---
 server/setup/scriptsPg/1.17.0.ts     |  9 +++++++--
 server/setup/scriptsSqlite/1.17.0.ts | 17 ++++++++++++-----
 2 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/server/setup/scriptsPg/1.17.0.ts b/server/setup/scriptsPg/1.17.0.ts
index 21dd3a224..c92152863 100644
--- a/server/setup/scriptsPg/1.17.0.ts
+++ b/server/setup/scriptsPg/1.17.0.ts
@@ -235,7 +235,9 @@ export default async function migration() {
             for (const row of existingUserInviteRoles) {
                 await db.execute(sql`
                     INSERT INTO "userInviteRoles" ("inviteId", "roleId")
-                    VALUES (${row.inviteId}, ${row.roleId})
+                    SELECT ${row.inviteId}, ${row.roleId}
+                    WHERE EXISTS (SELECT 1 FROM "userInvites" WHERE "inviteId" = ${row.inviteId})
+                      AND EXISTS (SELECT 1 FROM "roles" WHERE "roleId" = ${row.roleId})
                     ON CONFLICT DO NOTHING
                 `);
             }
@@ -258,7 +260,10 @@ export default async function migration() {
             for (const row of existingUserOrgRoles) {
                 await db.execute(sql`
                     INSERT INTO "userOrgRoles" ("userId", "orgId", "roleId")
-                    VALUES (${row.userId}, ${row.orgId}, ${row.roleId})
+                    SELECT ${row.userId}, ${row.orgId}, ${row.roleId}
+                    WHERE EXISTS (SELECT 1 FROM "user" WHERE "id" = ${row.userId})
+                      AND EXISTS (SELECT 1 FROM "orgs" WHERE "orgId" = ${row.orgId})
+                      AND EXISTS (SELECT 1 FROM "roles" WHERE "roleId" = ${row.roleId})
                     ON CONFLICT DO NOTHING
                 `);
             }
diff --git a/server/setup/scriptsSqlite/1.17.0.ts b/server/setup/scriptsSqlite/1.17.0.ts
index 28929fc63..ecf40b7a8 100644
--- a/server/setup/scriptsSqlite/1.17.0.ts
+++ b/server/setup/scriptsSqlite/1.17.0.ts
@@ -145,7 +145,7 @@ export default async function migration() {
             ).run();
 
             db.prepare(
-                `INSERT INTO '__new_userOrgs'("userId", "orgId", "isOwner", "autoProvisioned", "pamUsername") SELECT "userId", "orgId", "isOwner", "autoProvisioned", "pamUsername" FROM 'userOrgs';`
+                `INSERT INTO '__new_userOrgs'("userId", "orgId", "isOwner", "autoProvisioned", "pamUsername") SELECT "userId", "orgId", "isOwner", "autoProvisioned", "pamUsername" FROM 'userOrgs' WHERE EXISTS (SELECT 1 FROM 'user' WHERE id = userOrgs.userId) AND EXISTS (SELECT 1 FROM 'orgs' WHERE orgId = userOrgs.orgId);`
             ).run();
             db.prepare(`DROP TABLE 'userOrgs';`).run();
             db.prepare(
@@ -246,12 +246,15 @@ export default async function migration() {
         // Re-insert the preserved invite role assignments into the new userInviteRoles table
         if (existingUserInviteRoles.length > 0) {
             const insertUserInviteRole = db.prepare(
-                `INSERT OR IGNORE INTO 'userInviteRoles' ("inviteId", "roleId") VALUES (?, ?)`
+                `INSERT OR IGNORE INTO 'userInviteRoles' ("inviteId", "roleId")
+                 SELECT ?, ?
+                 WHERE EXISTS (SELECT 1 FROM 'userInvites' WHERE inviteId = ?)
+                   AND EXISTS (SELECT 1 FROM 'roles' WHERE roleId = ?)`
             );
 
             const insertAll = db.transaction(() => {
                 for (const row of existingUserInviteRoles) {
-                    insertUserInviteRole.run(row.inviteId, row.roleId);
+                    insertUserInviteRole.run(row.inviteId, row.roleId, row.inviteId, row.roleId);
                 }
             });
 
@@ -265,12 +268,16 @@ export default async function migration() {
         // Re-insert the preserved role assignments into the new userOrgRoles table
         if (existingUserOrgRoles.length > 0) {
             const insertUserOrgRole = db.prepare(
-                `INSERT OR IGNORE INTO 'userOrgRoles' ("userId", "orgId", "roleId") VALUES (?, ?, ?)`
+                `INSERT OR IGNORE INTO 'userOrgRoles' ("userId", "orgId", "roleId")
+                 SELECT ?, ?, ?
+                 WHERE EXISTS (SELECT 1 FROM 'user' WHERE id = ?)
+                   AND EXISTS (SELECT 1 FROM 'orgs' WHERE orgId = ?)
+                   AND EXISTS (SELECT 1 FROM 'roles' WHERE roleId = ?)`
             );
 
             const insertAll = db.transaction(() => {
                 for (const row of existingUserOrgRoles) {
-                    insertUserOrgRole.run(row.userId, row.orgId, row.roleId);
+                    insertUserOrgRole.run(row.userId, row.orgId, row.roleId, row.userId, row.orgId, row.roleId);
                 }
             });
 

From eaa70da4ddd9d50b4966f4e3d6710e4490cab1d6 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Thu, 9 Apr 2026 16:14:46 -0400
Subject: [PATCH 311/314] add pluto

---
 src/components/SitesTable.tsx | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/components/SitesTable.tsx b/src/components/SitesTable.tsx
index cc02e5d37..6cca706a6 100644
--- a/src/components/SitesTable.tsx
+++ b/src/components/SitesTable.tsx
@@ -342,7 +342,8 @@ export default function SitesTable({
                         "jupiter",
                         "saturn",
                         "uranus",
-                        "neptune"
+                        "neptune",
+                        "pluto"
                     ].includes(originalRow.exitNodeName.toLowerCase());
 
                 if (isCloudNode) {

From 80f5914fdd7a280bdb82ddec01527f0fc02f42b7 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Thu, 9 Apr 2026 16:14:46 -0400
Subject: [PATCH 312/314] add pluto

---
 src/components/PendingSitesTable.tsx | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/components/PendingSitesTable.tsx b/src/components/PendingSitesTable.tsx
index 12abcf7c4..c65cb218e 100644
--- a/src/components/PendingSitesTable.tsx
+++ b/src/components/PendingSitesTable.tsx
@@ -333,7 +333,8 @@ export default function PendingSitesTable({
                         "jupiter",
                         "saturn",
                         "uranus",
-                        "neptune"
+                        "neptune",
+                        "pluto"
                     ].includes(originalRow.exitNodeName.toLowerCase());
 
                 if (isCloudNode) {

From 34387d9859623a63639c3497c12bc97ed61d3256 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Thu, 9 Apr 2026 17:04:28 -0400
Subject: [PATCH 313/314] simplify wildcard domain on non pangolin-dns

---
 .../settings/domains/[domainId]/page.tsx      | 15 +++++----
 src/components/CreateDomainForm.tsx           | 33 ++++++++++---------
 2 files changed, 27 insertions(+), 21 deletions(-)

diff --git a/src/app/[orgId]/settings/domains/[domainId]/page.tsx b/src/app/[orgId]/settings/domains/[domainId]/page.tsx
index cf23e81be..23a79737d 100644
--- a/src/app/[orgId]/settings/domains/[domainId]/page.tsx
+++ b/src/app/[orgId]/settings/domains/[domainId]/page.tsx
@@ -10,6 +10,7 @@ import { authCookieHeader } from "@app/lib/api/cookies";
 import { GetDNSRecordsResponse } from "@server/routers/domain";
 import DNSRecordsTable from "@app/components/DNSRecordTable";
 import DomainCertForm from "@app/components/DomainCertForm";
+import { build } from "@server/build";
 
 interface DomainSettingsPageProps {
     params: Promise<{ domainId: string; orgId: string }>;
@@ -65,12 +66,14 @@ export default async function DomainSettingsPage({
                 )}
             </div>
             <div className="space-y-6">
-                <DomainInfoCard
-                    failed={domain.failed}
-                    verified={domain.verified}
-                    type={domain.type}
-                    errorMessage={domain.errorMessage}
-                />
+                {build != "oss" && env.flags.usePangolinDns ? (
+                    <DomainInfoCard
+                        failed={domain.failed}
+                        verified={domain.verified}
+                        type={domain.type}
+                        errorMessage={domain.errorMessage}
+                    />
+                ) : null}
 
                 <DNSRecordsTable records={dnsRecords} type={domain.type} />
 
diff --git a/src/components/CreateDomainForm.tsx b/src/components/CreateDomainForm.tsx
index 9a187f1ed..f11038d26 100644
--- a/src/components/CreateDomainForm.tsx
+++ b/src/components/CreateDomainForm.tsx
@@ -239,21 +239,24 @@ export default function CreateDomainForm({
                             className="space-y-4"
                             id="create-domain-form"
                         >
-                            <FormField
-                                control={form.control}
-                                name="type"
-                                render={({ field }) => (
-                                    <FormItem>
-                                        <StrategySelect
-                                            options={domainOptions}
-                                            defaultValue={field.value}
-                                            onChange={field.onChange}
-                                            cols={1}
-                                        />
-                                        <FormMessage />
-                                    </FormItem>
-                                )}
-                            />
+                            {build != "oss" && env.flags.usePangolinDns ? (
+                                <FormField
+                                    control={form.control}
+                                    name="type"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <StrategySelect
+                                                options={domainOptions}
+                                                defaultValue={field.value}
+                                                onChange={field.onChange}
+                                                cols={1}
+                                            />
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
+                            ) : null}
+
                             <FormField
                                 control={form.control}
                                 name="baseDomain"

From f57012eb9082c0a18cd584eb41db86eef411d9b4 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Thu, 9 Apr 2026 17:06:04 -0400
Subject: [PATCH 314/314] dont show international domain warning when capital
 letter present

---
 src/components/CreateDomainForm.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/components/CreateDomainForm.tsx b/src/components/CreateDomainForm.tsx
index f11038d26..8840d2f93 100644
--- a/src/components/CreateDomainForm.tsx
+++ b/src/components/CreateDomainForm.tsx
@@ -154,7 +154,7 @@ export default function CreateDomainForm({
 
     const punycodePreview = useMemo(() => {
         if (!baseDomain) return "";
-        const punycode = toPunycode(baseDomain);
+        const punycode = toPunycode(baseDomain.toLowerCase());
         return punycode !== baseDomain.toLowerCase() ? punycode : "";
     }, [baseDomain]);